Privacy Policy
RentalApplication.ai — A Lotly Software LLC Service
This Privacy Policy describes how Lotly Software LLC, a Nevada limited liability company doing business as RentalApplication.ai ("Lotly," "RentalApplication.ai," "we," "us," or "our"), collects, uses, discloses, and protects personal information when you visit rentalapplication.ai, use our applications and screening services, or interact with us in any other way (collectively, the "Services"). It also explains the rights you have and the choices you can make regarding your personal information.
This Policy applies to information we collect from three primary types of individuals: (i) Subscribers (landlords, property owners, property managers, real-estate professionals, and other authorized users who order Consumer Reports through the Services); (ii) Applicants (individuals whose information is submitted for tenant-screening purposes); and (iii) Website Visitors (anyone who browses our public website without registering for an account). Where a section applies only to one of these audiences, we say so.
This Policy is part of, and should be read together with, our Terms of Service, our Landlord Subscriber Agreement (for Subscribers), and our Applicant Terms and FCRA Disclosure and Authorization (for Applicants).
1. Summary of Key Points
- We are a consumer reporting reseller. We assemble Consumer Reports under the federal Fair Credit Reporting Act ("FCRA") for tenant-screening purposes; we do not originate, score, or modify the underlying data.
- We use third-party consumer reporting agencies (TransUnion, Asurint, Pinwheel) to source credit, criminal, eviction, identity, and income data, and a separate service provider (Vosy) to place AI-assisted reference calls to prior landlords on the Subscriber's behalf. Vosy is a telephony and AI vendor; it is not a consumer reporting agency.
- Purpose limitation. We collect Personal Information solely for tenant screening, identity verification, fraud prevention, FCRA and reseller-agreement compliance, billing, support, and directly-related security and service-improvement purposes. We do not use it for advertising, profiling outside screening, or training broadly-deployed AI models on identifiable Applicant data.
- We do not sell personal information and we do not share personal information for cross-context behavioral advertising.
- We comply with FCRA, GLBA, CCPA/CPRA, and other applicable federal and state privacy laws.
- Applicants have rights under the FCRA to access, dispute, and correct information in Consumer Reports about them.
- You may exercise privacy rights such as access, deletion, correction, and opt-out as described in Sections 15–17, depending on your state of residence.
- Geographic restrictions apply. The Services are not available in Vermont, Massachusetts, or New York, and per-applicant fees are capped in Wisconsin, Virginia, Philadelphia (PA), and the District of Columbia.
2. Key Definitions
"Applicant" means a natural person whose information is submitted to the Services for tenant-screening purposes.
"Consumer Report" has the meaning given in FCRA § 603(d), 15 U.S.C. § 1681a(d), and refers to the categories of CRA-furnished consumer information delivered through the Services that are subject to the FCRA, including credit reports, credit scores, criminal-history reports, eviction-history reports, identity-verification results returned by a CRA, and income or employment verification results returned by a CRA. The scope of "Consumer Report" is set by the FCRA and analogous state law; nothing in this Policy is intended to expand the FCRA's own definition. For clarity, Derived Data (Section 4.4) — including AI-generated transcripts, summaries, sentiment characterizations, fraud-risk flags, and AI reference-call output — is not within this definition and is not furnished by us as a Consumer Report. The contractual definition of, and obligations regarding, Consumer Reports are set forth in our Terms of Service and Landlord Subscriber Agreement.
"CRAs" means the third-party consumer reporting agencies and authorized data providers from which we procure Consumer Report data, currently TransUnion LLC, One Source Technology, LLC d/b/a Asurint, and Pinwheel CRA Co. (a consumer reporting agency affiliate of Underdog Technologies, Inc. d/b/a Pinwheel).
"Reference-Call Service Provider" means the third-party telephony and AI vendor that places outbound landlord-reference calls on the Subscriber's behalf, currently Vosy. The Reference-Call Service Provider is a tooling vendor — it is not a consumer reporting agency, does not furnish Consumer Reports, and does not maintain consumer files. The recording, transcript, and AI-generated summary produced through this Service are Derived Data (Section 4.4), not Consumer Reports.
"Investigative Consumer Report" has the meaning given in FCRA § 603(e), 15 U.S.C. § 1681a(e), and California Civil Code § 1786.2. The reference-call output produced through our AI Reference-Call Tool is not an Investigative Consumer Report furnished by us; it is data the Subscriber collects, with the Applicant's consent, using a tool we and the Reference-Call Service Provider make available. Subscribers remain responsible for any state-specific disclosure requirements that apply to their own collection of reference information.
"NPI" or "Nonpublic Personal Information" has the meaning given in the federal Gramm-Leach-Bliley Act, 15 U.S.C. § 6809(4).
"Personal Information" means information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Personal Information does not include de-identified or aggregated information that cannot reasonably be associated with a particular individual.
"Sensitive Personal Information" means the subset of Personal Information defined as "sensitive" under the California Consumer Privacy Act and analogous state laws, including without limitation Social Security numbers, driver's license and government-issued ID numbers, financial account numbers, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, the contents of email and text communications, biometric information processed for the purpose of uniquely identifying an individual, and information concerning health, sex life, or sexual orientation.
"Subscriber" means a landlord, property owner, property manager, or other authorized user that registers an account on the Services to order Consumer Reports.
3. Our Role; FCRA Alignment; Data Roles
3.1 Reseller Status (Consolidated FCRA Alignment Statement)
RentalApplication.ai operates as a "reseller" of consumer reports as that term is defined in FCRA § 603(u), 15 U.S.C. § 1681a(u). We assemble and merchandise Consumer Reports procured from independent third-party CRAs for delivery to a Subscriber that has certified an FCRA-permissible purpose. As a reseller, our role is bounded as follows:
- No original data furnishing. We do not generate, compile, or originate the substantive consumer information that appears in any Consumer Report. The credit, criminal, housing-court, identity, and income data that populate a Consumer Report are furnished by an independent originating CRA or public-record source.
- No independent verification of CRA data. We do not independently verify, audit, recompute, or re-source the substantive data furnished by a CRA. Substantive accuracy is the originating CRA's responsibility under FCRA § 1681e(b).
- No editorial judgment over CRA data. We do not edit, redact (except as compelled by law), score, augment, or otherwise impose editorial judgment over the substantive data furnished by a CRA. We deliver the data as received, with formatting and presentation metadata of the kind described in Terms §2.4.
Where an Applicant disputes the accuracy or completeness of CRA-furnished data, we route the dispute back to the originating CRA under FCRA § 1681i(f)(2) and deliver any updated information returned by the CRA, but we do not adjudicate the dispute or modify the underlying record. The full statement of our reseller obligations is set forth in our Terms of Service §§ 2.1 through 2.7.
3.2 Data Roles
Different data flows through the Services involve different privacy roles. We characterize our role per data flow based on who, in operational reality, determines the purposes and means of processing. The state-privacy-law term that maps to that role (for example, "controller," "business," "processor," or "service provider") may vary by jurisdiction, but the operational characterization below is deterministic:
- Applicant Data submitted directly to us — we determine the purposes and means of processing this data for the screening flow. Under state comprehensive privacy laws this corresponds to the "controller" / "business" role (CCPA/CPRA, VCDPA, CPA, CTDPA, and analogous statutes). Under FCRA, we hold this data as a reseller for the limited purpose of assembling and delivering Consumer Reports to the requesting Subscriber.
- Information we receive from CRAs — the originating CRA is the originator of the underlying record and bears FCRA accuracy duties under § 1681e(b). We hold and forward this data as a downstream reseller subject to our reseller agreements and FCRA §§ 1681e(a), 1681e(e), and 1681i(f).
- Subscriber-provided data about Applicants (for example, a property address or rent amount the Subscriber enters when initiating a screening) — we process this data on behalf of, and subject to the documented instructions of, the Subscriber. Under state comprehensive privacy laws this corresponds to the "processor" / "service provider" role.
- Subscriber's own account data (login credentials, billing, business credentialing) — we determine the purposes and means of processing this data in the ordinary course of operating a SaaS service. This corresponds to the "controller" / "business" role under state comprehensive privacy laws.
- Derived Data we generate (transcripts, AI summaries, fraud-risk flags) — we determine the purposes and means of generating the derivative artifact for delivery to the Subscriber that initiated the screening. This corresponds to the "controller" / "business" role under state comprehensive privacy laws. The artifact's relationship to a Consumer Report is addressed in Section 4.4 and Terms §2.4.
3.3 Data-Flow Documentation
A description of our data flows — including the lifecycle of each category of Personal Information from collection through delivery to deletion, the systems involved, and the safeguards applied — is maintained in our internal technical and security documentation. A summary description is available to qualified parties (regulators, CRAs under our reseller agreements, security-audit firms, and Subscribers under enterprise agreements) upon written request to Contact@RentalApplication.ai.
4. Data Classification
We segment Personal Information into four conceptually distinct buckets that are processed under different controls, retention periods, and contractual obligations. The bucket determines who is responsible for accuracy, who can request access or deletion, and which legal regime governs the data.
4.1 Applicant Data
Personal Information submitted by, or about, an Applicant for the purpose of rental screening — including identifiers, government-ID images, address history, employment history, references, and screening-application content. Held under FCRA, GLBA (where applicable), and state-law obligations. Retention per Section 13. Applicant rights are described in Section 15.
4.2 Subscriber Data
Personal Information about a Subscriber — including account holders, employees of the Subscriber, business credentialing data, and payment data — collected to operate the SaaS account. Subscriber Data is not a Consumer Report and is not subject to FCRA accuracy duties; it is governed by ordinary state comprehensive privacy laws and our contractual commitments.
4.3 CRA Data
Consumer-report data furnished by third-party CRAs (TransUnion, Asurint, Pinwheel). Substantive accuracy of CRA Data is the originating CRA's responsibility under FCRA § 1681e(b); we transmit it without modification, with formatting and presentation metadata as described in Terms §2.4. Disputes about the accuracy of CRA Data are handled under Section 20 and routed to the originating CRA. Reference-call output generated using our Reference-Call Service Provider (Vosy) is not CRA Data; it is Derived Data (Section 4.4) collected by the Subscriber using a tool we make available.
4.4 Derived / AI-Generated Data
Transcripts, summaries, sentiment indicators, fraud-risk flags, and other artifacts produced by our AI agents or automated systems. As stated in our Terms of Service §2.4 and §8.4, Derived Data is not furnished as a Consumer Report and is not provided as a substitute for Consumer Report information; it is a separate analytical layer that may be used to assist Subscribers in reviewing information and does not originate from a consumer reporting agency. Derived Data is interpretive only and does not constitute factual determinations about any underlying fact regarding an Applicant.
Subscriber-side restrictions on Derived Data. By using the Services, each Subscriber agrees that Derived Data:
- is not furnished by us, and may not be used by the Subscriber, for the purpose of making, communicating, or supporting an adverse-action decision under FCRA § 615 — adverse-action decisions must be based on the underlying Consumer Report furnished by an originating CRA, with the adverse-action notice referring to that CRA;
- may not be used as a substitute for, or in lieu of, a Consumer Report procured under an FCRA permissible purpose; the Subscriber must procure and rely on the underlying Consumer Report for any tenancy decision that is influenced by Consumer-Report content; and
- must be evaluated by the Subscriber together with — and not in place of — the underlying Consumer Report, the underlying call recording or transcript (where applicable), and the Subscriber's written, objective screening criteria.
We acknowledge that the FCRA is functional in nature: the classification of a particular Derived Data artifact under federal or state law may depend on how the Subscriber uses it, what underlying source data it was generated from, and how the artifact is interpreted in a particular case. The Subscriber-side restrictions above are intended to keep Derived Data outside the FCRA-Consumer-Report channel in actual practice, and not merely by contractual recital. Derived Data is held under the safeguards described in Section 14 and is retained per Section 13.
Each bucket is subject to its own access controls, retention period (Section 13), disclosure rules (Section 10), and individual-rights regime (Sections 15–17).
5. Purpose Limitation; No Secondary Use
5.1 Purpose Limitation
We collect, process, and disclose Personal Information solely for tenant-screening services requested by a Subscriber (or by an Applicant on behalf of a Subscriber's screening), including the directly-related sub-purposes of identity verification, fraud detection, FCRA and reseller-agreement compliance, billing, customer support, and the limited business-improvement and security purposes described in Section 8. We do not collect, process, or use Personal Information for any other purpose without the affected individual's affirmative opt-in consent.
5.2 No Secondary Use
We do not use Applicant Data, Subscriber Data, CRA Data, or Derived Data for:
- targeted advertising, retargeting, or any cross-context behavioral advertising;
- profiling outside of the tenant-screening services described in this Policy;
- creation of consumer profiles for sale, license, or transfer to any third party;
- marketing of unrelated products or services to Applicants;
- training of large-language models, foundation models, or other broadly-deployed or third-party AI models on identifiable Applicant Data; or
- any product development unrelated to the tenant-screening services.
5.3 De-identified and Aggregated Data
Where we use de-identified or aggregated information for service improvement, capacity planning, fraud research, or security analytics, we apply technical and organizational measures intended to prevent re-identification, contractually prohibit downstream re-identification, and we do not attempt to re-identify such data ourselves. De-identified and aggregated data is not Personal Information for purposes of this Policy.
6. Categories of Personal Information We Collect
Over the past twelve (12) months, we have collected the following categories of Personal Information:
6.1 From Subscribers (landlords)
- Identifiers: name, email address, phone number, mailing address, IP address.
- Business information: business name, DBA, entity type, EIN, business address, properties owned or managed.
- Credentialing information: government-issued identification, ownership or management documentation, licensing information, third-party business listings.
- Authentication and security data: hashed authentication credentials, one-time-code logs, device identifiers, login history, security event logs.
- Payment information: payment method tokens and transaction metadata. Full card numbers and bank account numbers are processed by our PCI-compliant payment processor and are not stored by us in plain text.
- Communications: email correspondence, support requests, in-Platform messages.
6.2 From Applicants
- Identifiers: name, prior addresses, date of birth, email address, phone number.
- Sensitive Personal Information: Social Security number (used to procure credit reports), government-issued identification (driver's license, passport, state ID), precise geolocation when authorized.
- Identity-document uploads: photographs or scans of an Applicant-uploaded government ID. RentalApplication.ai stores the uploaded image but does not perform document-image authentication, driver's license verification, selfie capture, or facial-recognition matching against the upload.
- Device and fraud-prevention signals: IP address, device fingerprint, and other technical signals collected during application submission for fraud detection.
- Income and employment information: payroll-provider connection metadata, employer name and contact, pay stubs, W-2s, 1099s, and other income-verification documents that the Applicant uploads or that are retrieved from connected payroll sources.
- Reference information: contact information for prior landlords and other references provided by the Applicant; recordings and transcripts of AI-assisted or human-conducted reference calls (where lawful and authorized).
- Information returned by CRAs: credit reports, credit scores, criminal-history records, eviction-history records, identity-mismatch alerts, fraud alerts, and other Consumer Report data.
- Application information: rental history, household composition, pets, vehicles, and other information voluntarily provided in the rental application.
- Communications: email and SMS correspondence with us, support requests.
6.3 From Website Visitors and Automatically
- Device and browser information: browser type, operating system, device type, screen size, language preferences.
- Usage data: pages visited, time on page, click events, search queries, referral source, exit page.
- Network information: IP address, ISP, approximate geographic region.
- Cookies and similar technologies: as described in Section 12.
7. Sources of Information
We collect Personal Information from the following sources:
- Directly from you, when you register, complete an application, upload documents, communicate with us, or interact with the Services.
- From our CRAs (TransUnion, Asurint, Pinwheel), when we procure Consumer Reports on Applicants whom Subscribers have authorized us to screen.
- From our Reference-Call Service Provider (Vosy), which places AI-assisted reference calls to references identified by the Subscriber or Applicant and returns the recording, transcript, and AI-generated summary to us for delivery to the Subscriber.
- From references and other third parties identified by the Applicant, such as prior landlords contacted during reference verification.
- From fraud-prevention service providers, including device-fingerprinting and IP-reputation services that help us detect suspicious application activity.
- From payroll-data providers (such as Pinwheel) when an Applicant connects a payroll account to verify income.
- From public records, including court records, government databases, and licensing authorities, where lawfully accessible.
- From cookies, analytics tools, and similar technologies embedded in the Services.
8. How We Use Personal Information
Subject to the purpose-limitation and no-secondary-use rules in Section 5, we use Personal Information for the following business and commercial purposes:
- To provide and operate the Services, including assembling and delivering Consumer Reports.
- To support fraud prevention and to run an SSN trace (on tiers that include TLO data) that returns names and addresses historically associated with the Applicant's Social Security number. We do not perform driver's license verification, document-image authentication, or selfie-to-ID matching.
- To credential Subscribers as required by our reseller agreements with the CRAs and applicable law.
- To process payments and detect or prevent payment fraud.
- To provide customer support and respond to inquiries, including support requests and dispute investigations.
- To comply with legal obligations, including the FCRA, the Gramm-Leach-Bliley Act ("GLBA"), state mini-FCRAs, fair-housing laws, anti-money-laundering laws, sanctions screening, and tax and recordkeeping requirements.
- To enforce our Terms of Service, Landlord Subscriber Agreement, and other agreements; to investigate and prevent abuse, misuse, and security incidents; and to protect our rights and the rights, safety, and property of others.
- To improve, debug, and develop the Services, primarily using aggregated or de-identified information per Section 5.3.
- To send transactional, security, and account communications.
- To send promotional communications where you have opted in (you may opt out at any time).
AI and machine-learning use. We use artificial intelligence to assist the Subscriber with prior-landlord reference calls — telephony and AI conversational technology for these calls is provided by our Reference-Call Service Provider (Vosy), which is a service-provider vendor and not a consumer reporting agency. We may also use AI for fraud detection and Service improvement. AI processes individual transactions in real time using identifiable information. We do not train large-language models or other broad AI models on identifiable Applicant data (see Section 5.2). Where we use de-identified or aggregated information for model improvement, we apply technical and organizational measures intended to prevent re-identification.
Third-party AI providers. Where Personal Information is processed by a third-party AI service provider on our behalf (including our reference-verification partner and any general-purpose AI inference provider used to assist with our Services), that provider is bound by written contract to (a) process Personal Information only to provide services to us under our documented instructions; (b) not use Personal Information, prompts, completions, transcripts, intermediate states, or telemetry to train, fine-tune, evaluate, validate, or otherwise improve any generalized model offered to other customers or to the public; (c) not retain Personal Information beyond the period necessary to provide the service and as described in Section 13; and (d) maintain administrative, technical, and physical safeguards consistent with Section 14. Where a third-party AI provider's standard terms would otherwise permit such uses, we have negotiated, or rely on, contractual zero-retention or no-training overrides before sending Personal Information to the provider.
9. Sensitive Personal Information
We collect and use Sensitive Personal Information for the following limited purposes only: (a) to perform the Services that the Subscriber or Applicant has requested (specifically, to procure Consumer Reports for tenancy decisions); (b) to verify Applicant identity and prevent fraud; (c) to comply with federal, state, and local law; and (d) to protect against malicious, deceptive, fraudulent, or illegal activity. We do not use or disclose Sensitive Personal Information for purposes of inferring characteristics about an individual, for cross-context behavioral advertising, or for any purpose other than those listed above. California residents have the right to limit our use of Sensitive Personal Information; see Section 16.
9.1 Biometric Information
What we do not currently do. RentalApplication.ai does not currently use facial-recognition technology, selfie-to-ID matching, document-image authentication, voice biometrics, voice recognition, or voice-printing technology. We do not generate, derive, or store facial templates, voice prints, voice templates, vocal-characteristic signatures, or other biometric identifiers as that term is used under the Illinois Biometric Information Privacy Act ("BIPA"), 740 ILCS 14/, the Texas Capture or Use of Biometric Identifier Act, the Washington biometric-privacy statute, or analogous laws. We do not use Applicant-submitted ID images or audio recordings to uniquely identify or authenticate any individual based on biological or physiological characteristics.
What we do. Where Applicants choose to upload a photograph of a government-issued identification document during the application, the upload is stored as ordinary document media under Section 13 — it is not analyzed by facial-recognition or document-image authentication technology, it is not compared against a selfie, and no biometric identifier is derived from it. We also conduct content-level analysis of reference-call transcripts to support the AI summary, sentiment characterization, and Q&A-extraction features described in our Terms §8 and in Section 19 of this Policy. That analysis is performed on the linguistic content of the transcript (what was said), not on biometric voice characteristics (who is speaking), and the resulting summaries and characterizations are Derived Data under Section 4.4, not biometric identifiers. On tiers that include TLO data, we run a non-biometric SSN trace that returns historical names and addresses associated with an Applicant's Social Security number; the SSN trace does not capture, derive, or store any biometric identifier.
Safety valve for future biometric processing. If we later decide to introduce facial recognition, selfie-to-ID matching, voice biometrics, voice-printing, or any other processing that creates a biometric identifier under applicable law, we will not begin doing so unless and until: (a) we publish an updated version of this Policy that expressly discloses the planned processing, the categories of biometric data involved, the retention period, and the rights available; (b) the update takes effect at least thirty (30) days after notice to affected Users; and (c) where required by applicable biometric-privacy law, we obtain separate, written, opt-in consent from each affected individual. Until all three conditions are met for a given individual, the "what we do not currently do" commitment above continues to apply to that individual.
10. How We Share Personal Information
We disclose Personal Information to the following categories of recipients, for the purposes described:
- CRAs (TransUnion, Asurint, Pinwheel): to procure Consumer Reports about Applicants and to comply with our reseller obligations.
- Reference-Call Service Provider (Vosy): to place AI-assisted reference calls and produce recordings, transcripts, and summaries the Subscriber has configured. Vosy is bound by written contract to use Personal Information only to provide reference-call services on our behalf.
- Subscribers: we deliver Consumer Reports and identity-verification results to the Subscriber that initiated the screening, in accordance with the Applicant's authorization and the FCRA.
- Service providers and processors that help us operate the Services, including cloud hosting, data security, payment processing, identity verification, fraud detection, email and SMS delivery, telephony, customer support, analytics, and AI services. These providers are bound by written contracts limiting their use of Personal Information to providing services to us.
- Professional advisors such as attorneys, accountants, and auditors, under confidentiality obligations.
- Government authorities and others as required by law, including in response to subpoenas, court orders, regulatory requests, or to enforce our rights, protect against fraud, or protect public safety.
- In connection with corporate transactions — see Section 10.1.
- With your consent, for any purpose disclosed at the time of consent.
We do not sell Personal Information, and we do not share Personal Information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act and similar laws. We disclose Personal Information only for the limited operational purposes described in this Policy and to the categories of recipients identified above. Any incidental disclosure to a service provider, processor, or vendor that is necessary for the operational provision of the Services and is governed by a written contract limiting the recipient's use to providing services to us, is not a "sale" or "share" for purposes of the CCPA or analogous state laws.
10.1 Corporate Transactions; Treatment of Consumer Reports
If we are involved in a merger, acquisition, financing, reorganization, asset sale, or similar corporate transaction (a "Corporate Transaction"), Personal Information may be transferred to the successor entity. In any such transaction:
- The successor entity must agree in writing to be bound by this Policy as it stood at the time of the transaction (or by terms at least as protective) with respect to Personal Information transferred.
- Consumer Reports and FCRA-regulated data may be transferred only to a successor that (i) agrees in writing to comply with all FCRA reseller obligations applicable to the transferred reports — including the dispute-handling, retention, accuracy-procedure, and Subscriber-credentialing obligations under FCRA §§ 1681e(a), 1681e(e), and 1681i(f) — and (ii) holds, or before assuming reseller operations obtains, the contractual entitlements with the originating CRAs necessary to do so.
- We will provide notice to affected Applicants and Subscribers of any Corporate Transaction involving the transfer of their Personal Information by email or in-Service notification, in advance where reasonably practicable and otherwise promptly thereafter, consistent with applicable law.
- Where required by applicable state privacy law, we will offer affected individuals the opportunity to delete their Personal Information before the transaction closes; deletion will be honored subject to the FCRA, GLBA, and reseller-agreement retention exceptions described in Section 13.
11. Consumer Reporting Agencies and Data Providers
To provide Consumer Reports, we work with the following third-party consumer reporting agencies. Each is an independent company subject to its own privacy practices and the FCRA:
- TransUnion LLC – credit reports, credit scores, identity-mismatch alerts, OFAC screening, fraud alerts.
- One Source Technology, LLC d/b/a Asurint – criminal-history reports and eviction-history reports.
- Pinwheel CRA Co. (a consumer reporting agency affiliate of Underdog Technologies, Inc. d/b/a Pinwheel) – income and employment verification, identity verification (legal name, date of birth, last four of SSN, and address/phone/email history matched against payroll-source records), and document authentication.
We work with one additional third-party tooling vendor to support reference-call telephony — not a consumer reporting agency:
- Vosy — Reference-Call Service Provider. Provides telephony and AI conversational technology for the prior-landlord reference-call tool described in our Terms of Service §8. Vosy places calls, records and transcribes them (where lawful), and returns the recording, transcript, and AI-generated summary to us for delivery to the Subscriber. Vosy does not furnish Consumer Reports, does not maintain consumer files, and does not act as a consumer reporting agency in providing this service.
We may add or replace data providers from time to time. The most current list will be maintained on the Services. The CRAs are independent consumer reporting agencies whose own dispute and accuracy procedures govern the data they furnish; see Section 20 for information about disputes. Consumer Reports — including the contractual definition, scope, and FCRA-specific obligations — are governed by our Terms of Service and our Landlord Subscriber Agreement; please refer to those documents for the FCRA-specific contractual framework.
No warranty of CRA-data accuracy; disputes are routed to the originating CRA. The substantive contents of every Consumer Report are furnished by independent third-party CRAs and public-record sources. We do not guarantee or warrant the accuracy, completeness, or currency of any data furnished by a CRA. Substantive disputes about the accuracy or completeness of CRA data are governed by FCRA § 1681i and are resolved by the originating CRA, which conducts the reinvestigation and determines whether the data should be corrected, deleted, or left unchanged. We forward your dispute to the originating CRA promptly under FCRA § 1681i(f)(2) and deliver any updated information returned by the CRA, but we do not adjudicate the dispute or modify the underlying record. See Section 20.3 for the dispute-submission procedure and the originating-CRA contact information.
12. Cookies, Analytics, and Tracking Technologies
We use cookies, web beacons, pixels, local storage, and similar technologies (collectively, "Cookies") to operate the Services and to understand and improve how Users interact with them. The categories of Cookies we use include:
- Strictly Necessary: required for authentication, security, fraud prevention, and core functionality. These cannot be disabled.
- Functional: remember preferences such as language and display settings.
- Analytics: help us understand traffic patterns and how Users interact with the Services.
- Advertising: we currently do not use advertising or cross-context-behavioral-advertising Cookies.
12.1 Global Privacy Control
We honor the Global Privacy Control ("GPC") browser signal as an opt-out preference signal under the California Consumer Privacy Act and applicable state laws. When we detect a GPC signal from your browser, we will treat it as an opt-out of any sale or sharing of Personal Information for cross-context behavioral advertising for that browsing session and, where you have an account, for that account.
12.2 Do Not Track
We do not respond to "Do Not Track" headers because there is no industry consensus on how to interpret them. We do, however, honor the GPC signal as described above.
12.3 Cookie Management
You can manage Cookie preferences through your browser settings or, where available, through the Cookie banner displayed in the Services. Disabling Strictly Necessary Cookies may impair the operation of the Services.
13. Data Retention
We retain Personal Information for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention practices are set forth in the table below. Where a category of data is subject to multiple retention obligations, the longer applicable period controls.
Conflict hierarchy (to the extent permitted by law). Where retention requirements applicable to a particular record category conflict with one another, and to the extent permitted by applicable law, the following order of precedence applies, with each higher-ranked source overriding a lower-ranked source to the extent of the conflict: (1) applicable federal law, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Federal Trade Commission Disposal Rule; (2) contractual obligations imposed on us by the originating consumer reporting agency under our reseller agreements, to the extent those obligations are themselves consistent with applicable law; (3) applicable state law, including state mini-FCRA, state privacy, and state consumer-protection statutes; (4) applicable local or municipal law; and (5) our internal retention policy as reflected in this Section. Where a deletion request, opt-out, or other privacy-rights request would conflict with a higher-ranked retention obligation, and to the extent the retention obligation is not itself overridden by a non-waivable right under applicable law, the retention obligation controls and we will so inform the requesting party in our response under Section 15.5.
Savings clause for non-waivable rights. Nothing in our reseller agreements, in this Policy, or in the conflict hierarchy above is intended to override, waive, or limit any non-waivable right or remedy that an individual has under applicable federal, state, or local law (including the FCRA's consumer-rights provisions and any non-waivable provisions of state comprehensive privacy laws). Where the conflict hierarchy above would, as applied, conflict with such a non-waivable right, the non-waivable right controls.
| Category | Retention Period |
|---|---|
| Rental applications and supporting screening records | Five (5) years from delivery, then deleted or de-identified, except where extended by an active legal hold or open dispute. |
| Consumer Reports (CRA Data) and supporting records | Five (5) years from delivery, as required by our reseller agreements with the CRAs and applicable law, then deleted or de-identified. |
| Subscriber account records | While the account is active and for up to seven (7) years after closure, to satisfy tax, audit, and regulatory obligations. |
| Applicant identity-document uploads (e.g., uploaded government ID images; not biometrically analyzed) | Up to three (3) years after the Applicant's last interaction with the Services, then deleted. |
| Reference-call recordings and transcripts | Five (5) years from creation, then deleted, except where a longer retention is required by law or by ongoing dispute or audit obligations. |
| AI-generated derivative artifacts (transcripts summaries, sentiment notes, fraud-risk flags) | Same lifecycle as the underlying source artifact (e.g., a summary of a reference call follows the call's retention period). Deleted with the source. |
| Payment records | Seven (7) years, to comply with tax and accounting requirements. |
| Marketing communications and preferences | Until you withdraw consent or unsubscribe, plus a reasonable suppression period. |
| Compliance audit logs (FCRA dispute trail, access logs, adverse-action records) | Seven (7) years, to satisfy FCRA recordkeeping and reseller-agreement audit obligations. |
| General security and audit logs | Up to two (2) years, longer where required by law or by an active investigation. |
| Cookies and analytics data | As described in Section 12; analytics records are typically retained no longer than twenty-six (26) months. |
We may retain Personal Information longer where retention is required or permitted by law, by a CRA reseller agreement, or by a legitimate business purpose such as fraud prevention, legal claims, or audit. When we no longer need Personal Information, we delete it or de-identify it using methods consistent with industry standards (such as NIST Special Publication 800-88).
14. Information Security
We maintain administrative, technical, and physical safeguards designed to protect Personal Information from unauthorized access, use, disclosure, alteration, and destruction. These safeguards include encryption of Personal Information in transit (using TLS) and at rest, role-based access controls, multi-factor authentication for administrative access, network segmentation, vulnerability scanning, periodic penetration testing, employee training, and incident-response procedures. We are SOC 2 Type II audited annually.
We do not store, transmit, process, or permit access to Personal Information outside of the United States without appropriate safeguards and, where required by our reseller agreements, prior written consent of the applicable CRA.
No system, service, or transmission can be guaranteed perfectly secure. If you become aware of a security incident affecting your account or our Services, please notify us immediately at Contact@RentalApplication.ai. We comply with applicable data-breach-notification laws, including without limitation the New York SHIELD Act, Massachusetts 201 CMR 17.00, the California data-breach-notification statute, and analogous laws in other states.
14.1 Security-Incident Response
For purposes of this Policy, a "Security Incident" means a confirmed or reasonably suspected unauthorized access to, acquisition of, disclosure of, alteration of, or loss of Personal Information that we hold, in a form not authorized by this Policy or applicable law. Routine, blocked, or unsuccessful intrusion attempts that do not result in such access, acquisition, disclosure, alteration, or loss are not, by themselves, Security Incidents.
Upon becoming aware of facts indicating a possible Security Incident, we will (a) promptly initiate our incident-response procedures and assess the materiality, scope, and likely consequences of the incident without unreasonable delay; (b) take reasonable steps to contain, mitigate, and remediate the incident; (c) preserve relevant logs and forensic evidence; and (d) make notifications to affected individuals, regulators, and contractual counterparties as required by applicable law and our agreements.
14.2 Notification
Where notification is required by applicable law, we will provide it within the timeframes mandated by that law. In the absence of a shorter mandated timeframe, we will use commercially reasonable efforts to notify affected Subscribers and Applicants without unreasonable delay following our determination that a notifiable Security Incident has occurred. Individual notice will be provided to each affected individual whose Personal Information was, or is reasonably believed to have been, compromised; broader notice (such as substitute notice or general public notice) will be used only where individual notice is impracticable or where applicable law expressly authorizes it.
14.3 CRA and Reseller Coordination
Where Personal Information affected by a Security Incident includes Consumer Reports or other CRA Data, we will coordinate notification, containment, and remediation with the originating CRA in accordance with our reseller agreements, including by providing the CRA timely notice of the incident, supporting any forensic or audit response the CRA reasonably requests, and aligning consumer-facing notice content where the originating CRA also has a notification obligation.
Limitation; carveback for non-waivable duties. Nothing in this Policy is intended to disclaim, limit, or waive any liability for our gross negligence, willful misconduct, or violations of mandatory consumer-protection or data-protection laws that cannot be waived by contract or by privacy notice. The general security disclaimer in this Section 14, and any other limitation of liability that appears in our Terms of Service, applies only to the extent permitted by applicable law.
15. Your Privacy Rights
15.1 Rights Available Generally; Master Override
The privacy rights described in this Section 15 — including rights of access, correction, deletion, portability, opt-out, and limitation of Sensitive Personal Information use — are subject to legal, regulatory, contractual, and compliance obligations that may require us to retain, restrict, or limit our response to a request. Those obligations include, without limitation, the Fair Credit Reporting Act (including reseller, accuracy-procedure, dispute-handling, and recordkeeping obligations); the Gramm-Leach-Bliley Act and the Federal Trade Commission Disposal Rule; our reseller agreements with the originating CRAs; state mini-FCRA, audit, and recordkeeping requirements; tax, accounting, and anti-money-laundering recordkeeping requirements; FCRA-data exemptions in state comprehensive privacy laws; legitimate fraud-prevention and security-investigation needs; and any active legal hold, subpoena, or regulatory inquiry. Where a higher-ranked retention obligation under Section 13 conflicts with a request under this Section 15, the retention obligation controls. We will tell you in writing if we deny a request, in whole or in part, in reliance on any of these obligations, and you may appeal as described in Section 15.5.
Subject to the foregoing and to applicable law and verification of your identity, you may have the following rights with respect to your Personal Information:
- Access. Request a copy of the categories of Personal Information we have collected about you and how we use and disclose it.
- Correction. Request that we correct inaccurate Personal Information.
- Deletion. Request that we delete Personal Information about you, subject to exceptions for legal compliance, fraud prevention, security, and our reseller obligations.
- Portability. Request a copy of your Personal Information in a portable, machine-readable format.
- Opt-Out of Sale or Share. We do not sell or share Personal Information for cross-context behavioral advertising, but you may direct us to confirm this and to honor your election going forward.
- Limit Use of Sensitive Personal Information (California residents): see Section 16.
- Opt-Out of Profiling and Automated Decisioning that produces legal or similarly significant effects: see Section 19.
- Non-Discrimination. We will not discriminate against you for exercising any of these rights.
- Appeal. If we deny your request, you may appeal as described in Section 15.5.
15.2 How to Submit a Privacy Request
You may submit a privacy request through any of the following methods:
- Email: Contact@RentalApplication.ai with the subject line "Privacy Request."
- Mail: Lotly Software LLC, Attn: Privacy – RentalApplication.ai, 5754 Lonetree Blvd, Rocklin, CA 95765.
15.3 Verification
To protect your information, we will verify your identity before responding to a privacy request. We may ask you to provide information sufficient to confirm your identity (such as the email associated with your account, your name, and a recent transaction reference). For requests involving Sensitive Personal Information, we may require additional verification.
15.4 Authorized Agents
You may designate an authorized agent to submit a request on your behalf. The agent must provide written, signed authorization from you. We may require you to verify your identity directly with us before fulfilling the request.
15.5 Response Times and Appeals
We will respond to verifiable privacy requests within the timeframe required by applicable law (generally 45 days under California, Colorado, Connecticut, Virginia, and similar state laws, with a possible 45-day extension where reasonably necessary). If we deny your request, you may appeal by replying to our denial email or by contacting us at Contact@RentalApplication.ai with the subject "Privacy Appeal." We will respond to appeals within 60 days. Where required (for example, in Colorado, Connecticut, and Virginia), we will provide you information on how to submit a complaint to the relevant state Attorney General if you remain dissatisfied.
16. State-Specific Privacy Rights
16.1 California (CCPA / CPRA)
California residents have the rights described in Section 15, plus:
- Right to know the specific pieces of Personal Information we have collected about you, the categories of sources, the business or commercial purposes for collecting or sharing, and the categories of third parties to whom we disclose Personal Information.
- Right to limit use of Sensitive Personal Information. You may direct us to limit our use and disclosure of Sensitive Personal Information to those purposes set forth in Section 9.
- Right to opt out of sale or sharing. We do not sell or share Personal Information; you may confirm this election by contacting us as described in Section 15.2 or by enabling the GPC signal in your browser.
- "Shine the Light" rights (Cal. Civ. Code § 1798.83): California residents may request information about disclosures of Personal Information to third parties for those parties' direct marketing purposes. We do not make such disclosures, but you may confirm by contacting us.
- Notice of Financial Incentive: We do not currently offer financial incentives in exchange for Personal Information.
Investigative Consumer Reports (California). The Services Lotly currently provides do not furnish Investigative Consumer Reports under California Civil Code § 1786 et seq. The reference-call output produced through our AI Reference-Call Tool is not an Investigative Consumer Report furnished by us; it is data the Subscriber collects on its own behalf, with the Applicant's consent, using a tool we make available (see Section 4.4 and Terms §8). If a Subscriber separately procures an Investigative Consumer Report from any other source, the disclosure, authorization, and copy-of-report requirements of California Civil Code § 1786.16 apply to that separate procurement; we are not the investigative consumer reporting agency for those reports.
16.2 Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, Florida, New Hampshire, New Jersey, Nebraska, Maryland, Minnesota, Rhode Island, and Kentucky
Residents of states with comprehensive consumer privacy laws have rights similar to those described in Section 15, including the rights to access, correct, delete, port, and (where applicable) appeal. Specific rights, exemptions, and procedures vary by state. To exercise rights under these laws, please use the contact methods in Section 15.2 and identify your state of residence in your request. Our processing of certain information may be exempt under these laws when the information is collected, processed, sold, or disclosed pursuant to the FCRA (the so-called "FCRA exemption"); we will inform you in writing if we rely on this exemption to deny a particular request.
16.3 Nevada
Nevada residents may submit a request to opt out of the sale of certain Personal Information under Nevada Revised Statutes Chapter 603A. We do not currently sell Personal Information.
17. California Notice at Collection
This Section satisfies California's "notice at collection" requirement and supplements the categories described above. The categories of Personal Information we collect, the purposes, the categories of third parties to whom we disclose, and our retention practices are described in Sections 6, 8, 10, and 13. We do not "sell" or "share" Personal Information as those terms are defined under the CCPA. We collect the categories of Sensitive Personal Information identified in Section 9 for the limited purposes described therein.
18. GLBA Privacy Notice
Because we procure and deliver Consumer Reports that include Nonpublic Personal Information ("NPI") sourced from financial institutions through our CRAs, certain of our practices are subject to the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., and the Federal "Privacy of Consumer Financial Information" Regulation, 12 C.F.R. Part 1016. The following is our GLBA Privacy Notice:
What We Collect: NPI we collect or receive may include credit-account information, payment history, balances, and similar financial information sourced from financial-institution data through TransUnion.
How We Use NPI: We use NPI solely to assemble and deliver Consumer Reports for the Permissible Purpose of tenant screening, to comply with law, and to enforce our agreements.
How We Disclose NPI: We disclose NPI only to the Subscriber that initiated the screening (under the Applicant's authorization), to our service providers under contractual confidentiality and use restrictions, and as required by law.
How We Protect NPI: We maintain administrative, technical, and physical safeguards as described in Section 14.
19. Automated Decisioning and AI Use
We use artificial intelligence and automated processes for the following purposes:
- AI-assisted reference verification using telephony and AI conversational technology provided by our Reference-Call Service Provider (Vosy), in which an AI agent places outbound calls to references identified by the Subscriber or Applicant and returns the recording, transcript, and AI-generated summary. Vosy is a tooling vendor and not a consumer reporting agency; the resulting output is Derived Data (Section 4.4), not a Consumer Report.
- SSN trace (on tiers that include TLO data), a non-biometric automated lookup that returns historical names and addresses associated with the Applicant's Social Security number. We do not perform driver's license verification, document-image authentication, or selfie-to-ID matching.
- Fraud detection, using rule-based and machine-learning models to detect suspicious activity.
We do not, ourselves, make tenancy decisions; final decisions are the responsibility of the Subscriber. AI-generated outputs are interpretive aids only and do not constitute factual determinations of any underlying fact about an Applicant, the Applicant's history, or any matter referenced in a Consumer Report. AI outputs may be inaccurate, incomplete, biased, hallucinated, or vary across runs as models and prompts are updated; the substantive evaluation of an Applicant remains the Subscriber's responsibility under the Subscriber's own written, objective screening criteria and applicable law.
Subscriber must not rely exclusively on AI outputs. By using the Services, each Subscriber agrees that any tenancy, deposit, or co-signer decision must be supported by the underlying source data — the Consumer Report furnished by the originating CRA and, where applicable, the underlying call recording or transcript — and not by an AI summary, sentiment characterization, fraud-risk flag, or other Derived Data alone. AI outputs may be considered as a starting point for review, but a Subscriber may not base any decision exclusively on AI outputs, and must independently evaluate the underlying source data before taking any action that affects an Applicant's housing opportunity.
We comply with applicable laws governing automated decisioning in housing decisions, including without limitation California AB 2930, the Colorado AI Act (SB 24-205), Illinois HB 3773, and analogous laws in other jurisdictions, and we make available bias-audit and transparency disclosures as required by law. Where required by law, you may request human review of an automated decision that produces legal or similarly significant effects with respect to you. To do so, please contact us as described in Section 15.2.
20. FCRA Rights and Disputes
20.1 Summary of Your Rights Under the FCRA
The federal Fair Credit Reporting Act gives consumers important rights, including the right to:
- Be told if information in your file has been used against you, such as to deny a rental application.
- Know what is in your file. You may request a free file disclosure once every 12 months from each nationwide consumer reporting agency, and additionally if adverse action was taken against you.
- Dispute incomplete or inaccurate information. The consumer reporting agency must investigate, generally within 30 days.
- Have inaccurate, incomplete, or unverifiable information corrected or deleted.
- Have outdated negative information excluded; generally, information older than seven (7) years (ten (10) for bankruptcies).
- Limit access to your file. A consumer reporting agency may not provide your information to a user without a permissible purpose.
- Limit "prescreened" offers of credit and insurance by calling 1-888-5-OPTOUT (1-888-567-8688).
- Seek damages from violators in federal or state court.
For more information, including additional rights under state law, visit the Consumer Financial Protection Bureau at consumerfinance.gov. We will also provide a copy of "A Summary of Your Rights Under the Fair Credit Reporting Act" upon request.
20.2 Adverse Action
If you are denied housing, charged a higher deposit, required to obtain a co-signer, or otherwise subjected to an adverse action based in whole or in part on a Consumer Report obtained through the Services, the Subscriber that took that action is required by the FCRA to provide you with a notice that includes the name, address, and telephone number of the consumer reporting agency that supplied the report; a statement that the agency did not make the decision; notice of your right to obtain a free copy of the report; and notice of your right to dispute the accuracy or completeness of the report. RentalApplication.ai itself does not make tenancy decisions and does not, by itself, issue adverse action notices. We may make tools and templates available to Subscribers to assist with adverse-action compliance, but the Subscriber remains the user issuing any adverse action.
20.3 Disputing a Consumer Report
If you believe information in a Consumer Report we delivered is inaccurate or incomplete, you may dispute it by contacting us at Disputes@RentalApplication.ai with the subject "FCRA Dispute" or by writing to us at the address in Section 25. Please include your full name, date of birth, the address you applied to, and a description of the disputed item with any supporting documents. We will route your dispute to the originating CRA and respond within the timeframes required by the FCRA (generally 30 days). You also have the right to dispute directly with the originating CRA: TransUnion at transunion.com/credit-disputes/dispute-your-credit, Asurint at asurint.com/contact-us/submit-a-dispute, or Pinwheel at pinwheelapi.com/fcra/dispute-form. (Vosy is not a consumer reporting agency — it conducts AI-assisted reference calls with prior landlords and does not maintain consumer files; disputes about reference-call content should be directed to us at Disputes@RentalApplication.ai.)
21. Children's Privacy
The Services are not directed to children under the age of thirteen (13), and we do not knowingly collect Personal Information from children under thirteen. If we learn that we have collected Personal Information from a child under thirteen, we will delete it promptly. If you believe we may have collected information from a child under thirteen, please contact us at Contact@RentalApplication.ai.
For minors between the ages of thirteen (13) and sixteen (16) who are California residents, we do not "sell" or "share" Personal Information without affirmative authorization, as required by the California Consumer Privacy Act.
22. International Users
The Services are intended for use by individuals located in the United States. If you access the Services from outside the United States, you understand and consent to the transfer of your Personal Information to the United States and to its processing in the United States. The privacy laws of the United States may differ from those of your country of residence.
23. Geographic Service Restrictions
The Services are not currently available with respect to properties located in the States of Vermont, Massachusetts, or New York. In the State of Wisconsin, the State of Virginia, the City of Philadelphia, Pennsylvania, and the District of Columbia, the per-applicant fee is automatically capped in compliance with applicable law. See our Terms of Service and, where applicable, the Landlord Subscriber Agreement for additional detail.
24. Changes to This Policy
We may update this Privacy Policy from time to time. If we make a material change, we will provide notice by email or through the Services at least thirty (30) days before the change takes effect, except that changes required by law or to address a security or compliance issue may take effect immediately upon notice. The "Last Updated" date above reflects the current version. You are encouraged to review this Policy periodically.
25. How to Contact Us
You may contact us about this Privacy Policy or your privacy rights at:
Lotly Software LLC d/b/a RentalApplication.ai
Attn: Privacy – RentalApplication.ai
5754 Lonetree Blvd
Rocklin, CA 95765
Email: Contact@RentalApplication.ai
California residents may also contact the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs by mail at 1625 North Market Blvd., Suite N 112, Sacramento, CA 95834, or by telephone at (800) 952-5210.