Legal
Privacy Policy
Effective: June 11, 2026 · Last updated: June 28, 2026
This policy explains what personal information Rezi collects, why we collect it, how we use and protect it, and what rights you have over it. Please read it carefully before using the Service.
Jump to section
1. Overview and Scope
Rezi LLC ("Rezi," "we," "us," or "our") provides an AI-powered property management platform accessible at rezihost.com and related subdomains (the "Service"). This Privacy Policy describes how we collect, use, disclose, and safeguard personal information in connection with the Service.
This policy applies to: (a) property managers and their staff who create and use Rezi accounts ("Account Holders"); and (b) tenants, guests, leads, and prospects whose information is stored in, or who communicate through, the Rezi platform ("End Users"). If you are an End User, your property manager, not Rezi, is primarily responsible for how your personal information is handled. Rezi processes that information on the property manager's behalf as a data processor.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
In plain language
Rezi is a tool that property managers use to run their buildings. If you are a property manager, you control the data in your account. If you are a tenant or guest, the manager of your building, not Rezi, decides how your information is used; Rezi handles it on their behalf.
We never use tenant, guest, account, or other platform data for advertising, and we never use your messages or documents to train AI models. On our public marketing website, we use analytics and advertising cookies (including PostHog and advertising pixels) subject to your consent, which you can decline or withdraw at any time through our cookie banner. Inside the Rezi app, we also use first-party product analytics (PostHog) to understand how Account Holders use the product so we can improve it; this measures Account Holder activity only and is configured so that tenant and guest personal information is not collected by analytics. We do not sell platform data, and we share it only with the service providers that make the platform run (Section 7).
2. Who This Policy Covers
Account Holders (Property Managers and Staff)
Individuals and business entities that register for a Rezi account to manage properties, buildings, and tenant communications. Account Holders have a direct relationship with Rezi and control most data within their account.
End Users (Tenants, Guests, and Leads)
Individuals whose contact information is added to Rezi by an Account Holder, or who initiate communication with a Rezi-powered building phone number. End Users typically do not have a direct account with Rezi. Their data is processed on behalf of the Account Holder who manages their building. If you are an End User with privacy concerns, you should contact your property manager directly or reach us at privacy@rezi-ai.com.
Visitors
Individuals who visit rezihost.com without creating an account. We collect limited information from visitors, such as IP addresses and browser data, to operate and improve the website.
3. Information We Collect
Information You Provide Directly
When you create an account or use the Service, we collect:
- Identity data: first name, last name, display name.
- Contact data: email address, phone number (for account notifications and escalation alerts).
- Authentication data: password (hashed; managed via Clerk), multi-factor authentication credentials.
- Property and operational data: building addresses, unit labels, unit types, occupancy and rent information, check-in and check-out times, building timezones, lease and reservation records.
- Uploaded documents: lease agreements, house rules, floor plans, Wi-Fi instructions, HOA rules, and any other files you upload to the platform. When you upload a file, we extract its text, divide that text into short segments, and generate vector embeddings so the AI can search the content. The extracted text segments and their embeddings are stored in our database. We do not retain a copy of the original uploaded file after processing completes.
- Configuration and preference data: qualification questions, emergency keywords, AI persona names, calendar integration credentials, notification preferences.
- Payment information: billing details submitted when activating a building subscription, processed directly by Stripe. Rezi does not store raw payment card numbers. We retain Stripe customer and subscription IDs for billing management.
- Communications: messages you send to Rezi support or via the dashboard's human-in-the-loop relay feature.
Information About End Users (Collected on Behalf of Account Holders)
- Identity: name, phone number, email address.
- Lease and reservation data: unit assignment, lease dates, booking source (direct, Airbnb, VRBO), reservation status.
- Communication history: all inbound and outbound SMS messages, email content, and voice call transcripts and recordings associated with a building number.
- Language preference: the language an End User selects during their first interaction with the AI.
- Issue reports: descriptions of property issues a guest submits via text or voice.
- Payment status: invoice amounts, payment status, and payment method (e.g., online payment via Stripe, cash/check noted manually).
- Qualification responses: answers provided by prospective tenants during AI-led screening conversations.
- Opt-out status: whether an End User has replied STOP to opt out of SMS.
- MMS attachments: photos or files sent via text message to a building number. We store the message record and the attachment link hosted by our messaging provider (Telnyx); these links are accessible to the Account Holder from the conversation history.
Information Collected Automatically
- Log data: IP address, browser type and version, operating system, referring URL, pages viewed, and timestamps.
- Device data: device type, screen resolution, language settings.
- Usage data: features used, dashboard navigation patterns, session duration, and interaction events within the platform.
- Cookies and similar technologies: session tokens, authentication state, and user preferences. See Section 9 for full details.
Information from Third Parties
- Booking platforms: reservation dates and availability synced via Airbnb or VRBO iCal feeds when configured by an Account Holder.
- Clerk: authentication status and MFA verification results.
- Stripe: payment confirmation events and subscription status updates via webhook.
4. How We Use Your Information
We use the information we collect for the following purposes:
Service Delivery
- Routing inbound SMS and voice messages to the correct building and triggering AI responses.
- Running AI-led lead qualification flows using the questions configured by the Account Holder.
- Generating AI responses to tenant and guest queries using document embeddings and conversation context.
- Detecting emergency keywords and triggering escalation chains (SMS alerts and Retell AI calls to the property manager).
- Processing and sending tenant invoices and Stripe Checkout payment links.
- Syncing iCal calendars for Airbnb and VRBO reservations.
- Creating and managing calendar events (tours, check-ins, check-outs) on Google Calendar or Cal.com.
AI Processing
- Message content and document chunks are sent to Anthropic (Claude) to generate responses. Anthropic processes this data under our enterprise agreement and does not use it to train their models.
- Document text is sent to OpenAI to generate vector embeddings for semantic search. OpenAI processes this data as a service provider and does not use it for model training under our agreement.
Communications
- Sending SMS messages to tenants and guests on behalf of Account Holders via Telnyx.
- Placing and receiving voice calls via Retell AI on behalf of Account Holders.
- Sending transactional emails (invoice notifications, overdue alerts, manager notifications) via Resend.
- Sending account and security notifications to Account Holders (e.g., MFA prompts, billing alerts).
Authentication and Security
- Verifying account holder identity and managing sessions via Clerk.
- Enforcing mandatory multi-factor authentication.
- Detecting and preventing unauthorized access, fraud, and abuse.
Billing and Payments
- Creating and managing Stripe subscriptions for building activations.
- Generating and tracking tenant invoices.
- Processing tenant rent payments via Stripe Checkout.
Analytics and Improvement
- Monitoring platform uptime and error rates.
- Analyzing aggregate usage patterns to improve features and performance.
- Debugging errors and investigating reported issues.
Product Analytics and Advertising
- On our public marketing website (rezihost.com), we use product analytics (PostHog) to understand how visitors navigate the site, which pages and features draw interest, and where visitors encounter friction, so we can improve the site.
- Inside the authenticated Rezi app, we use the same first-party product analytics (PostHog) to understand how Account Holders use the product, including pages viewed and actions taken (such as buttons and links clicked), so we can fix problems and improve the Service. This is limited to Account Holder usage. We configure our analytics so that End User (tenant, guest, and lead) personal information, message content, and documents are not collected by analytics, and we do not use session recording. We do capture scroll depth and click positions (heatmaps), which record positions only, never page content.
- We also use advertising and conversion-tracking pixels from advertising partners (such as Meta and Google) to measure the effectiveness of our marketing campaigns and to show our ads to relevant audiences. These advertising technologies run only on our public website and only where you have given consent (where consent is required).
- Advertising technologies are never applied to tenant, guest, lead, message, document, or other platform data, and our product analytics never collects End User personal data.
We never use tenant, guest, account, or other platform data for behavioral or cross-context advertising, and we do not sell platform data. Marketing-website analytics and advertising are subject to the cookie controls described in Section 9; in-app product analytics is carried out on the basis of our legitimate interest in maintaining and improving the Service (see Section 5). You can control these technologies and exercise your rights through the mechanisms described in Sections 9 and 13.
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, our processing of your personal data is based on the following legal grounds under the General Data Protection Regulation (GDPR) or equivalent legislation:
- Contract performance: Processing necessary to provide the Service under our Terms of Service, including account management, billing, and core platform functionality.
- Legitimate interests: Processing necessary for our legitimate business interests, including security monitoring, fraud prevention, analytics, and service improvement, where those interests are not overridden by your rights.
- Consent: Where you have provided explicit consent, such as for optional communications and for analytics and advertising cookies on our marketing website. You may withdraw consent at any time, including through our cookie banner.
- Legal obligation: Processing required to comply with applicable law, such as retaining billing records for tax purposes.
For End Users whose data is processed on behalf of an Account Holder, the Account Holder is the data controller and Rezi is the data processor. Account Holders are responsible for identifying their own legal basis for processing their tenants' and guests' personal data.
To submit a GDPR-related request or for questions about our Data Processing Agreement (DPA), contact us at privacy@rezi-ai.com.
7. Sub-Processors
The following third-party providers process personal data on our behalf. We maintain Data Processing Agreements (or equivalent contractual protections) with each. We will notify Account Holders at least 30 days before adding a new sub-processor by updating this section. The Meta/Google entry operates only on our public marketing website and only with consent where required. PostHog operates on our marketing website (consent-based) and within the authenticated app for first-party product analytics of Account Holder usage. None of these three process tenant, guest, or other End User personal data.
| Provider | Purpose | Data transferred |
|---|---|---|
| Clerk | Authentication, session management, MFA | Email address, name, session tokens, MFA credentials |
| Supabase | Database, file/document text and embedding storage, realtime | All structured platform data including tenant records, messages, leases, invoices, and extracted document text and embeddings |
| Telnyx | SMS messaging, voice call handling, and phone number provisioning | Phone numbers, SMS message content, message metadata, attachment links, and voice call audio (calls are bridged to Retell AI for the AI voice assistant) |
| Retell AI | AI voice calls (inbound and emergency outbound) | Call audio streams, call transcripts, recording files |
| Resend | Transactional email delivery | Email addresses, email body content |
| Stripe | Subscription billing, tenant payment processing | Billing details, subscription amounts, payment events |
| Anthropic | AI text response generation | Tenant/guest message content, retrieved document text, conversation context |
| OpenAI | Document and query vector embeddings | Text extracted from uploaded property documents and inbound message text |
| Vercel | Web hosting, serverless functions, CDN | Request logs, IP addresses, response metadata |
| PostHog | Product analytics on the marketing website (consent-based) and first-party product analytics of Account Holder usage in the app | Cookie/device identifiers, pages viewed, in-app events (e.g. buttons clicked), scroll depth and click/tap positions (heatmaps, no page content), and (marketing website only, after consent) anonymized session replays of page interactions with all typed input masked; Account Holder email/name and account attributes; no session replays inside the app, and no tenant, guest, or other End User personal data |
| Meta, Google | Advertising and conversion measurement on the marketing website (consent-based) | Cookie/device identifiers, ad-click and conversion events, pages viewed |
8. SMS and Voice Communications
Automated Messaging
Rezi sends automated SMS messages and places automated voice calls to tenants, guests, and prospects on behalf of Account Holders. This includes AI-generated responses, invoice payment links, emergency notifications, appointment reminders, and check-in instructions.
By texting or calling a Rezi-powered building phone number, you consent to receiving automated SMS messages and automated or prerecorded voice calls related to your tenancy, reservation, or inquiry. Standard message and data rates from your carrier may apply. Message frequency varies based on your interactions with the building. Reply HELP for help or STOP to opt out at any time.
Opting Out of SMS
You may opt out of automated SMS at any time by replying STOP to any message sent by a Rezi-powered number. After opting out, the platform will suppress all automated SMS to your number until re-enabled. Opting out will not affect your lease or reservation, but your property manager may need to contact you directly by phone or email. You may re-enable SMS by texting START to the building number. Reply HELP at any time to receive program information and these opt-out instructions.
Call Recording
Voice calls handled through the Rezi platform may be recorded and transcribed. Recordings are used to provide the Service (including generating call summaries and maintaining interaction logs), to investigate disputes, and for quality and safety purposes. Recordings are accessible only to the Account Holder and Rezi, and are retained for 12 months unless deleted earlier by the Account Holder.
Call recording laws vary by state. Some states require all parties to a call to consent to recording ("two-party consent" states). Account Holders are responsible for ensuring their use of Rezi's voice recording features complies with applicable state law. Rezi's AI voice assistant announces itself as an AI at the start of calls.
A2P 10DLC Registration
SMS sent through the platform are transmitted over carrier networks subject to A2P 10DLC regulations. Account Holders are the registered sender of record for their building phone numbers. By activating a building, you consent to Rezi registering your brand and campaign with Telnyx for A2P compliance on your behalf.
10. Data Retention
We retain personal information for as long as necessary to provide the Service and comply with our legal obligations. The following schedules apply:
- Active account data: retained for the duration of your subscription.
- Deactivated buildings: building data (units, tenants, messages, invoices) retained for 90 days after deactivation, then permanently deleted.
- Closed accounts: all personal data deleted within 30 days of account closure, except where law requires longer retention.
- Financial records: billing and payment records retained for 7 years to comply with tax and accounting obligations.
- Call recordings: retained for 12 months unless deleted earlier by the Account Holder.
- Document text and embeddings: the original uploaded file is discarded after processing; the extracted text segments and embeddings are retained until the Account Holder deletes the document or the associated building. Data tied to a deleted building is removed within 30 days of building deletion.
- Message history (SMS/email): retained for the duration of the active building subscription, plus 90 days following deactivation.
- Opt-out records: retained indefinitely to prevent inadvertent re-contact with opted-out numbers.
- Security and abuse logs: retained for 12 months for fraud investigation and platform security purposes.
When data is deleted, it is removed from active databases. Residual copies in backups are purged within 90 days of the scheduled deletion date.
11. Data Security
We implement technical and organizational measures to protect personal information against unauthorized access, loss, destruction, or alteration:
- Encryption in transit: all data transmitted between your browser, our servers, and our sub-processors is encrypted using TLS 1.2 or higher.
- Encryption at rest: database data, extracted document text, and embeddings (Supabase/PostgreSQL) are encrypted at rest using AES-256.
- Authentication: mandatory multi-factor authentication (MFA) is required for all Account Holder logins. MFA is enforced at the application layer and cannot be disabled.
- Access controls: staff sub-accounts are scoped to specific buildings through role-based access controls. No staff member can access buildings they are not assigned to.
- Webhook validation: all inbound webhooks (Telnyx, Stripe, Retell) are validated using signature verification to prevent spoofing.
- Idempotency: duplicate message and call event processing is prevented through unique identifier deduplication.
- Sub-processor security: all sub-processors are evaluated for security practices and are bound by data protection agreements.
Despite these measures, no system is completely secure. We cannot guarantee that unauthorized third parties will never be able to defeat our security measures. If you become aware of a security vulnerability in the Service, please report it to security@rezi-ai.com.
In the event of a data breach that affects your personal information and creates a risk of harm, we will notify you and applicable regulatory authorities as required by applicable law. We will provide notification without undue delay and, in any event, within the timeframes required by applicable law (e.g., 72 hours under GDPR, as soon as practicable under most US state breach notification laws).
12. Your Privacy Rights
Depending on your location, you may have some or all of the following rights regarding your personal information. To exercise any of these rights, contact us at privacy@rezi-ai.com. We will respond within 45 days (and, for GDPR requests, within one month, extendable where permitted), or as otherwise required by applicable law.
- Right to access: request a copy of the personal information we hold about you, including what categories of data we have and how it is used.
- Right to correction: request correction of inaccurate or incomplete personal information.
- Right to deletion: request deletion of your personal information, subject to our legal retention obligations (e.g., billing records).
- Right to data portability: receive your data in a structured, commonly used, machine-readable format where technically feasible.
- Right to restriction: request that we restrict processing of your data in certain circumstances (e.g., while a correction is pending).
- Right to object: object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.
- Right to opt out of SMS: reply STOP to any automated message at any time.
We will verify your identity before fulfilling any request. If you are an End User (tenant or guest), we may need to involve your property manager to fulfill your request, as they are the data controller for your records. We will respond to all verifiable requests within 45 days or as required by applicable law.
13. California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you specific rights regarding your personal information.
Categories of Personal Information Collected
In the past 12 months, we have collected the following categories of personal information:
- Identifiers (name, email, phone number, IP address)
- Commercial information (subscription records, payment history)
- Internet or other electronic network activity (usage logs, session data)
- Geolocation data (approximate location derived from IP address)
- Audio and electronic data (voice call recordings, SMS message content)
- Professional or employment-related information (property management role, company name)
- Inferences drawn from the above to create a profile for providing the Service
Your CCPA Rights
- Right to know: request disclosure of the categories and specific pieces of personal information collected about you, the sources, the business purpose, and the third parties with whom it is shared.
- Right to delete: request deletion of your personal information, subject to certain exceptions.
- Right to correct: request correction of inaccurate personal information.
- Right to opt out of sale or sharing: we do not sell personal information for money. However, our use of advertising cookies and pixels on our marketing website may constitute "sharing" of personal information for cross-context behavioral advertising under the CPRA. You can opt out by (a) declining advertising cookies in our cookie banner, (b) transmitting a Global Privacy Control (GPC) signal, which we honor automatically, or (c) emailing privacy@rezi-ai.com. We do not sell or share tenant, guest, or other platform data for advertising under any circumstances, and we do not knowingly sell or share the personal information of consumers under 16.
- Right to limit use of sensitive personal information: we do not use sensitive personal information for purposes beyond providing the Service.
- Right to non-discrimination: we will not discriminate against you for exercising your CCPA rights. You will not receive different prices, a different quality of service, or any other adverse treatment for exercising these rights.
How to Submit a Request
To submit a verifiable consumer request, email privacy@rezi-ai.comwith the subject line "CCPA Request." You may also designate an authorized agent to submit a request on your behalf; the agent must provide written proof of authorization. We will respond within 45 days of receiving a verifiable request.
14. Children's Privacy
The Service is not directed to children under the age of 13 (or 16 in the EEA), and we do not knowingly collect personal information from children. Property management is an adult business activity, and Rezi accounts may only be created by individuals who are at least 18 years of age.
If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete that information promptly. If you believe a child's information has been submitted to Rezi, please contact us at privacy@rezi-ai.com.
15. International Data Transfers
Rezi is operated in the United States. Our servers, sub-processors, and staff are located in the United States. If you access the Service from outside the United States, including from the European Economic Area, United Kingdom, or Switzerland, your personal information will be transferred to and processed in the United States, which may have data protection laws that are different from those in your country.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms, in our agreements with sub-processors. We maintain Data Processing Agreements with all sub-processors that process EEA personal data.
By using the Service, you acknowledge and consent to the transfer of your personal information to the United States for the purposes described in this policy. If you have questions about our international data transfer mechanisms, contact us at privacy@rezi-ai.com.
16. Third-Party Links
The Service may contain links to third-party websites, services, or integrations (such as Airbnb, Google Calendar, or Cal.com). This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you interact with through Rezi.
Rezi is not responsible for the privacy practices or content of third-party websites or services, even if accessed through links or integrations within the platform.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service itself. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Send an email notification to all Account Holders at least 14 days before the changes take effect.
- Where required by law, request renewed consent.
Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you must stop using the Service and may close your account.
18. Contact Us
If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:
Rezi LLC, Privacy Team
Email: privacy@rezi-ai.com
General inquiries: hello@rezi-ai.com
Security issues: security@rezi-ai.com
Rezi is an independent service and is not affiliated with, endorsed by, or sponsored by Airbnb, Inc. or Vrbo/Expedia Group. References to those platforms describe compatibility only; all trademarks belong to their respective owners.
For GDPR-related requests or to obtain a copy of our Data Processing Agreement, email privacy@rezi-ai.comwith "DPA Request" in the subject line.
If you are an EEA resident and believe we have not addressed your concern adequately, you have the right to lodge a complaint with your local data protection authority.
This document was last updated June 28, 2026. See also our Terms of Service.
Note: This policy is provided for informational purposes and has been drafted to be comprehensive for Rezi's specific use case. It should be reviewed by a licensed attorney before reliance in a legal context, particularly regarding TCPA compliance, Fair Housing Act exposure, and state-specific landlord-tenant data requirements in jurisdictions where you operate.