Skip to main content

Legal

Privacy Policy

Last updated · April 2026

This Privacy Policy explains how keel, operated by ONKEEL LIMITED (“we”, “us”, “our”), collects, uses, stores, and protects your personal information when you use our property management platform at onkeel.co.nz (the “Service”).

We are committed to protecting your privacy in accordance with the New Zealand Privacy Act 2020 and the Information Privacy Principles (IPPs) it establishes. Where our users are based in Australia, we also comply with the Australian Privacy Act 1988.

1. Overview

keel is a property management platform that helps landlords manage their rental properties, tenants, maintenance, compliance, and finances. In the course of providing this service, we process personal information about property owners, tenants, and contractors.

2. Information We Collect

Account information

  • Name, email address, phone number
  • Password (stored as a secure hash — we never see your password)
  • Billing information (processed by Stripe — we do not store card details)

Property and tenancy data

  • Property addresses, details, and documents
  • Tenant names, contact information, employment details, and references
  • Tenancy agreements, lease terms, rent amounts, and bond information
  • Maintenance requests, photos, and communications
  • Compliance records and inspection reports
  • Financial records including rent payments and arrears

Usage data

  • Pages visited, features used, and time spent in the application
  • Browser type, device information, and IP address
  • Error logs and performance data

Communications

  • Messages sent through the keel platform between owners, tenants, and contractors
  • Email correspondence with our support team

3. How We Use Your Information

In accordance with IPP 10 (Limits on Use of Personal Information), we use your information to:

  • Provide the Service — manage properties, tenancies, maintenance, compliance, and finances
  • Communicate with you — send notifications, updates, and support responses
  • Process payments — manage subscriptions and billing through Stripe
  • Improve the Service — analyse usage patterns to enhance features and fix issues
  • Ensure security — detect and prevent fraud, abuse, or unauthorised access
  • Comply with law — meet legal obligations including the Residential Tenancies Act 1986

We do not sell your personal information. We do not use your data for advertising.

4. AI Data Processing

keel uses artificial intelligence (currently powered by OpenAI) to provide features such as maintenance triage, message drafting, compliance information, and a general chat assistant. When you use these features:

  • Relevant context (such as maintenance descriptions or property details) is sent to OpenAI’s API for processing
  • We use OpenAI’s API endpoints that do not retain or use your data for model training
  • AI responses are generated in real-time and returned to you — they are not stored by OpenAI
  • We log AI usage (tokens used, timestamps) for cost management but do not log the content of AI conversations on third-party servers

For more details, see our AI Disclaimer.

5. Open Banking & Bank Data

keel offers an optional bank connection feature that lets landlords link their bank account so we can automatically match incoming rent deposits to the right tenancy. This feature is powered by Akahu, New Zealand’s accredited open banking intermediary, regulated under the Customer and Product Data Right (CDR) framework administered by the Ministry of Business, Innovation & Employment (MBIE).

What we access

When you connect your bank account, we request the following scopes through Akahu’s OAuth consent flow:

  • Account information — your account name, number, and balance, used to identify which account is connected
  • Transaction data — transaction descriptions, amounts, dates, and NZ bank reference fields (particulars, code, reference), used to match incoming deposits to tenancies
  • Enduring consent — ongoing read-only access so we can continue to reconcile rent as it arrives, without you needing to re-authorise each time

We access your bank data in read-only mode. We cannot move money, create payments, or modify your account in any way through this connection.

Consent type and duration

keel requests enduring consentthrough Akahu’s OAuth flow. This means the connection remains active until you explicitly revoke it — you do not need to re-authorise periodically. We request up to 365 days of transaction history on first connection in order to provide accurate tax-year income summaries and establish an honest arrears baseline. After the initial backfill, we poll for new transactions at regular intervals (currently every six hours) and receive real-time webhook notifications for new activity.

How we use your bank data

  • Rent reconciliation — automatically matching incoming credits to the correct tenancy based on amount, timing, and reference fields
  • Arrears detection — identifying when expected rent payments are late so we can alert you, while respecting bank clearing times for pending transactions
  • Tax summaries — generating annual income reports from verified bank data

We do not use your bank data for marketing, advertising, credit assessment, or any purpose other than the property management features described above.

Data retention

Bank transaction data is retained for the duration of your keel account, or until you disconnect your bank. On disconnection, transaction data is retained for up to 90 days to allow for end-of-period reconciliation, after which it is deleted. You can request immediate deletion at any time by contacting sam@onkeel.co.nz.

Revoking access

You can disconnect your bank account at any time through any of these methods:

  • From keel — go to Finances → Bank connections and click Disconnect
  • From Akahu — visit my.akahu.nz and revoke keel’s access
  • From your bank — manage third-party access through your bank’s online banking portal

Revocation is immediate and we will stop receiving any further data from your account.

For more detail on how we handle your bank data, see our dedicated Bank Data (Akahu) Information page.

6. Data Sharing & Third Parties

In accordance with IPP 11 (Limits on Disclosure), we share your information only with:

ProviderPurposeData shared
SupabaseDatabase & authenticationAll application data (hosted in Sydney, Australia)
StripePayment processingEmail, name, billing details
ResendTransactional emailsEmail addresses, email content
TwilioSMS notificationsPhone numbers, SMS content
OpenAIAI featuresContextual data for AI processing (no retention)
AkahuOpen banking (bank connection)Bank account info, transaction data (read-only, via OAuth consent)
VercelApplication hostingRequest logs, IP addresses
Meta (Facebook)Advertising measurementPage view events for ad campaign attribution
Google AdsAdvertising measurementPage view and conversion events (loaded only with your consent)

We do not sell, rent, or trade your personal information to any third party.

7. Data Storage & Security

Your data is stored in Supabase’s Sydney (Australia) region. We implement the following security measures:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Row-Level Security (RLS) ensuring users can only access their own data
  • Secure password hashing via Supabase Auth
  • Service role keys stored securely as environment variables, never exposed to clients
  • Dependency updates and periodic security reviews

While we take reasonable steps to protect your information, no method of electronic storage is 100% secure. We cannot guarantee absolute security.

8. Cookies & Tracking

  • Authentication — maintaining your login session (essential, cannot be disabled)
  • Preferences — remembering your settings (essential)
  • First-touch attribution — a first-party keel_first_touch cookie stores UTM campaign fields and landing-page URL for up to 30 days so Keel can attribute signups to the marketing source that brought you in
  • Meta Pixel — a page view event is sent to Meta to measure ad campaign performance. This is loaded on all visits to the marketing site for advertising attribution
  • Google Ads — conversion tracking cookies are loaded only after you accept cookies via our consent banner

You can decline non-essential cookies via the consent banner that appears on your first visit. Declining will prevent Google Ads cookies from loading. The Meta Pixel sends a single PageView event for ad attribution and does not set persistent advertising cookies on decline. Keel's first-touch attribution cookie is first-party, limited to campaign measurement, and used only to stamp signup attribution on a newly created account.

9. Data Retention

In accordance with IPP 9 (Retention of Personal Information):

  • Active accounts — data is retained for the duration of your account
  • Closed accounts — on account closure, your data is marked for removal and retained for a limited period to allow recovery, after which it is scheduled for deletion. You can request immediate deletion at any time by contacting sam@onkeel.co.nz
  • Audit logs — retained for security, compliance, and incident investigation purposes, and reviewed periodically
  • Database backups — retained per our database provider’s standard retention (currently 7 days on our Supabase plan)

10. Your Rights

Under the NZ Privacy Act 2020, you have the right to:

  • Access (IPP 6) — request a copy of the personal information we hold about you
  • Correction (IPP 7) — request correction of inaccurate or incomplete information
  • Deletion — request deletion of your account and associated data
  • Data portability — export your data in a standard format
  • Complaint — lodge a complaint with the NZ Privacy Commissioner if you believe your privacy has been breached

To exercise any of these rights, contact us at sam@onkeel.co.nz. We will respond within 20 working days as required by the Privacy Act.

11. Children’s Privacy

keel is designed for use by adults aged 18 and over. We do not knowingly collect, use, or disclose personal information from anyone under 18 years of age. If we become aware that we have collected personal information from a person under 18, we will take immediate steps to delete that information. If you believe a child has provided us with personal information, please contact us immediately at sam@onkeel.co.nz.

12. International Transfers

Your data is primarily stored in Australia (Sydney region). Some data is processed by services based in the United States (Stripe, OpenAI, Resend, Twilio, Vercel). These transfers are conducted in accordance with IPP 12 (Disclosure of Personal Information Outside New Zealand) and we ensure that adequate safeguards are in place through our agreements with these providers.

We only use providers that offer comparable privacy protections to those required under the Privacy Act 2020, through our agreements with these providers and their published privacy commitments.

13. Data Breaches

In the event of a data breach that poses a risk of serious harm, we will:

  • Notify affected individuals as soon as practicable
  • Notify the NZ Privacy Commissioner as required by the Privacy Act 2020
  • Where Australian users are affected, comply with the Notifiable Data Breaches (NDB) scheme under the Australian Privacy Act 1988
  • Take reasonable steps to contain and remediate the breach

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 14 days before they take effect. The “Last updated” date at the top of this page indicates when the policy was last revised.

15. Contact & Privacy Officer

For privacy-related enquiries or to exercise your rights:

  • Privacy Officer: Samuel Sadler
  • Email: sam@onkeel.co.nz
  • Address: ONKEEL LIMITED, New Zealand

You may also contact the Office of the Privacy Commissioner if you are not satisfied with our response.