Data Privacy and Security Policy
PPM collects, stores, and processes sensitive personal and financial information about tenants, owners, vendors, and staff. Every team member is responsible for handling this data securely and in compliance with applicable law.
Systems involved: Buildium, Supabase (ppm-db), Google Drive, JustCall, Slack, n8n
Data We Hold
Tenant data: Full name, address, SSN or ITIN (for credit screening), date of birth, income documentation, bank account info, payment history, maintenance history, communication records
Owner data: Full name, address, SSN or EIN (for 1099), banking/ACH details, property ownership records, financial statements
Vendor data: Business name, contact info, EIN or SSN, insurance certificates, W-9, payment history
Staff data: Name, address, SSN, banking/direct deposit info, employment records
Data Handling Rules
Access Control
Only access data you need to perform your job function
Never share Buildium, Supabase, or Google Drive credentials with anyone outside PPM
All system access is individual β no shared logins
Report any suspected unauthorized access to Dan immediately
Storage
Tenant SSNs and financial data live exclusively in Buildium and Google Drive (under restricted folders)
Do not copy sensitive PII to personal devices, personal email, or consumer cloud storage
AI OS operational data (Supabase ppm-db) contains operational records only β no SSNs or banking details
Sharing
Never discuss one tenant's personal or financial situation with another tenant
Do not send tenant or owner SSNs, banking details, or financial documents via SMS or unencrypted email
Do not post PII (SSN, DOB, bank account numbers) in Slack channels β Slack is not a secure data store
When sharing documents externally (with attorneys, accountants), use Google Drive secure sharing or encrypted email
Retention
Tenant records: retain for 7 years after tenancy ends (NJ statute of limitations)
Vendor records and W-9s: retain for 7 years after last payment
Financial records: retain for 7 years
When disposing of physical documents containing PII, use cross-cut shredding
Suspected Data Breach
If you suspect that PPM data has been accessed, stolen, or disclosed without authorization:
Notify Dan immediately β same day, by phone if urgent
Do not attempt to investigate or remediate independently
Document what you observed: what data, which system, when, and how you became aware
Dan will engage legal counsel to assess notification obligations under NJ law
NJ has data breach notification requirements (NJ Identity Theft Prevention Act). Depending on the breach, affected individuals may need to be notified. Time is critical.
Tenant Privacy Rights
Tenants have the right to:
Know what data PPM holds about them (on request)
Request correction of inaccurate data
Have their data handled confidentially and not disclosed to third parties without their consent (except as required by law, court order, or the lease)
Direct any tenant data requests to Dan.
AI OS Data Governance
The PPM AI OS (n8n workflows + Claude) processes operational data including work orders, lease events, and financial summaries. Key principles:
No SSNs or banking credentials are passed to AI workflows β these stay in Buildium and Drive only
Claude (Anthropic) processes data per Anthropic's enterprise data handling policies
Supabase (ppm-db) holds operational AI memory, proposal data, and audit logs β not PII
All AI-generated decisions that affect tenants or owners require human review before action