Privacy Policy — I am Agent
Effective date: TBD (set on publication)
Last updated: 2026-05-25
This Privacy Policy explains how personal data is collected, used, shared and protected when you use I am Agent — a customer-relationship management (CRM) service for real estate rental professionals, available as an iOS app, an Android app, and a web application at https://crm.iamagent.app (together, the "Service").
We have written this Policy in plain English. Where a legal term has a specific meaning, we explain it the first time it appears. If anything is unclear, write to us at support@iamagent.app and we will rephrase it for you.
1. Who is responsible for your data (the "Controller")
The controller — the person who decides why and how your data is processed — is:
Korshunov Igor Vladimirovich, a natural person acting as an independent service provider.
Email for all privacy matters, including data-subject requests: support@iamagent.app
Because the controller is an individual and not a corporate entity, we are not legally required to appoint a Data Protection Officer (DPO). All privacy requests are handled directly by the controller using the email above.
For users in Thailand, a Thai representative under section 37/1 of the PDPA is currently under review and will be appointed if required by enforcement guidance.
For users in the European Economic Area, the United Kingdom or Switzerland, you may also contact us using the same email; we do not currently have an EU representative under Article 27 GDPR because the Service does not target EEA residents as its primary market. We will appoint one if processing scope changes.
2. Scope and the two types of data we handle
I am Agent is a B2B tool. There are two categories of data inside the Service, and the legal roles differ:
- Account data — data about you as a user of the Service. Here, we (the controller named above) decide the purposes and means. The rules in this Policy apply directly.
- Customer data — data about owners, tenants and properties that you, the user, upload into your workspace to manage your rental business. Here, you (or the company you work for) are the controller, and we act only as a data processor on your instructions, governed by a separate Data Processing Agreement available on request.
This Policy describes both, but the bulk of the legal basis discussion below applies to Account data.
3. The data we collect
3.1 Data you give us when you register and use your account
- Email address and password (the password is stored only as a bcrypt hash, never in clear text).
- Your full name and, where you set one up, the name and logo of your real estate company.
- Phone number (optional).
- Language preference (English, Russian or Thai) and preferred currency (THB, USD, EUR or RUB).
- Membership in a company workspace and your role (Admin / Agent) and permission flags.
3.2 Customer data you upload to your workspace
- Property records — addresses, geographic coordinates, descriptions, prices, amenities, and up to 30 photographs per property.
- Property owners (your business contacts) — name, phone, email, scanned identification documents (e.g. passport or national ID), and any other documents you choose to attach.
- Tenants / clients — name, passport number, phone, email, country of origin, scanned identification documents.
- Bookings — check-in/out dates, rent, deposits, commission amounts, monthly breakdowns, and attached photos.
- Calendar events — personal notes you create.
You are responsible for having a lawful basis to collect this data from your owners and tenants, for informing them, and for honouring their rights. We process this data only on your instructions.
3.3 Data collected automatically
- Authentication logs generated by Supabase Auth: IP address, User-Agent, sign-in timestamps, session identifiers. We use these for security and abuse prevention.
- Device push tokens — when you enable notifications, your device's push token (issued by Apple Push Notification Service on iOS, Firebase Cloud Messaging on Android, or Expo Push as an intermediary) is stored so we can send you booking and team alerts.
- Basic diagnostic information — error reports and crash logs sufficient to keep the Service running. We do not use third-party analytics SDKs (no Google Analytics, no Mixpanel, no Facebook SDK) as of the effective date of this Policy.
3.4 What we do not collect
- We do not track you for advertising. The app does not call Apple's App Tracking Transparency framework because we do not engage in cross-app tracking.
- We do not collect background geolocation. Property coordinates are entered or selected manually.
- We do not use third-party cookies or advertising pixels.
- We do not collect special-category data under GDPR Art. 9 (race, health, biometrics, sexual orientation, religion, political opinion) about you as a user.
- We do not sell personal data.
4. Why we process your data and our legal basis
Under the GDPR (and the parallel concepts in Thailand's PDPA), we need a lawful basis for every act of processing. Here is the per-purpose table:
| Purpose | Categories of data | Legal basis (GDPR) | PDPA basis |
|---|---|---|---|
| Create and operate your account | Email, password hash, name, company info | Performance of contract — Art. 6(1)(b) | Contractual necessity |
| Provide the CRM features you use (storing properties, bookings, contacts) | Customer data you upload | Performance of contract — Art. 6(1)(b) | Contractual necessity |
| Secure the Service, detect abuse, prevent fraud | Auth logs (IP, User-Agent, timestamps) | Legitimate interests — Art. 6(1)(f); the interest is keeping accounts safe | Legitimate interests |
| Send transactional emails (sign-up confirmation, password reset, team invitations) | Email, name | Performance of contract — Art. 6(1)(b) | Contractual necessity |
| Send in-app and push notifications about your bookings and team activity | Device push token, account ID | Consent (you grant it through the OS permission prompt) — Art. 6(1)(a) | Consent |
| Bill paid plans (when Stripe / Apple In-App Purchase / Google Play Billing are enabled) | Billing identifiers issued by the payment processor; we do not store full card numbers | Performance of contract — Art. 6(1)(b); legal obligation for tax records — Art. 6(1)(c) | Contractual necessity + legal obligation |
| Comply with legal requests (court orders, tax authorities) | Whatever the request reasonably requires | Legal obligation — Art. 6(1)(c) | Legal obligation |
For Customer data uploaded by you about owners and tenants, you choose the lawful basis. We process it solely on your instructions under Art. 28 GDPR.
5. Who we share your data with (sub-processors)
We use a small number of sub-processors. We have contracts in place with each that require them to provide protection at least equal to what this Policy promises.
| Sub-processor | Function | Location of processing |
|---|---|---|
| Supabase, Inc. (USA) | Database (PostgreSQL), authentication, realtime messaging, file storage. Supabase is hosted on Amazon Web Services (AWS) infrastructure. | Northeast Asia (Tokyo, AWS ap-northeast-1) |
| Amazon Web Services, Inc. | Underlying cloud infrastructure for Supabase | Same region as above |
| Apple Inc. — Apple Push Notification Service (APNs) | Delivering iOS push notifications | Global Apple infrastructure |
| Google LLC — Firebase Cloud Messaging (FCM) | Delivering Android push notifications | Google global infrastructure |
| Expo (650 Industries, Inc.) | Optional intermediary for delivering push notifications via APNs/FCM | USA |
| Resend (Resend, Inc.) | Transactional email delivery via Supabase SMTP relay (sign-up confirmations, password resets, team invitations) | USA |
| Stripe / Apple / Google (when paid plans launch) | Payment processing | Per their own privacy policies |
| Vercel Inc. | Hosting of the web application crm.iamagent.app and the marketing website | Global edge network |
We share only the minimum data each sub-processor needs to perform its function.
This list may change. We will update it in this Policy and, where the change is material, notify you by email or in-app banner before the change takes effect.
We do not share your data with third-party advertising networks, data brokers, or AI vendors.
We may disclose data to law-enforcement or government authorities when we are legally compelled to (court order, valid subpoena, equivalent process under Thai or other applicable law). We will push back on overbroad requests and, where lawful, notify you.
6. International data transfers
Your data is stored on AWS infrastructure in the Tokyo, Japan region (ap-northeast-1). If you access the Service from outside that region — for example from Thailand or the EU — your data crosses borders.
We rely on the following transfer mechanisms:
- European Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for transfers out of the EEA, UK and Switzerland to Japan.
- Your consent for transfers expressly required to deliver a feature you requested (e.g. push notifications routed through Apple/Google).
- Necessary-for-the-contract transfers under PDPA s.28 for Thai users where the transfer is needed to provide the Service you signed up for.
If our Supabase project region changes, we will update this Policy and, where required, notify you.
7. How long we keep your data (retention)
| Data | Retention |
|---|---|
| Account data (email, profile, company info) | Kept as long as your account is active. |
| Customer data you upload | Kept as long as your account is active. |
| Authentication logs (IP, User-Agent, session metadata) | Up to 90 days for security and abuse detection, then purged or anonymised. |
| Email delivery logs at Resend | Per Resend's policy (typically up to 30 days for content, longer for metadata). |
| Push delivery logs at APNs / FCM / Expo | Short-lived; per the relevant provider's policy. |
| Backups | Encrypted backups are kept for up to 7 days for disaster recovery, after which they are overwritten. |
| Billing records (once paid plans launch) | Up to 7 years, the period generally required by tax law in the jurisdiction of the controller, then deleted. |
When you delete your account: we begin a cascading deletion of your Account data and all Customer data linked to your workspace immediately upon your request. Backups containing the data will roll off within the backup retention window above. After that, we keep only what we are legally obliged to retain (e.g. invoice records). If a deletion takes longer for technical reasons, we will inform you on request.
If you are a company owner (Admin) with invited agents: deleting your account also deletes the accounts of every agent in your workspace — their profiles and login credentials are removed entirely, together with the workspace. Data the agents created already belongs to the company at that point and is deleted along with it.
8. Your rights
Regardless of where you live, we will honour the following rights upon request:
- Right of access — get a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate or incomplete data. You can do most of this yourself in the app's account settings.
- Right to erasure ("right to be forgotten") — delete your account and data. You can trigger this from the app's account settings; it can also be requested by email.
- Right to restrict processing — temporarily freeze how we use your data.
- Right to data portability — receive your data in a structured, machine-readable format (we export as JSON / CSV).
- Right to object — object to processing based on our legitimate interests.
- Right to withdraw consent — where consent is the legal basis (e.g. push notifications), turn it off in the OS settings or app settings at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right to lodge a complaint with a supervisory authority:
  - In the EU/EEA: your national Data Protection Authority. A list is at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
  - In the UK: the Information Commissioner's Office (ICO) — https://ico.org.uk.
  - In Thailand: the Personal Data Protection Committee (PDPC).
  - Elsewhere: your local data protection authority.
To exercise any of these rights, write to support@iamagent.app. We respond within 30 days (extendable by another 60 days for complex requests, as permitted by GDPR Art. 12(3) and PDPA s.30). To prevent fraud, we may ask you to confirm your identity using the email address linked to your account.
9. How you delete your account
You can delete your account at any time:
- In the app: open the Account tab, scroll to the bottom and tap Delete account. Confirm by typing the word DELETE. This is the canonical method.
- On the web: open Account and use Delete account in the Security section.
- By email: write to support@iamagent.app from the address linked to your account.
- Without the app installed (Google Play requirement): use the deletion request page at https://iamagent.app/account-deletion.
Deletion behaviour is described in section 7 above (immediate cascading deletion).
10. Children's data
The Service is not intended for, marketed to, or designed for children. The minimum age to use it is 16 years (or the higher age set by your local law). We do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and believe a child has created an account, write to support@iamagent.app and we will delete it.
11. Whether providing data is required
To create an account you must provide an email address and password — without these we cannot authenticate you. Everything else (phone number, company logo, properties, contacts, bookings) is optional in the sense that you can use the Service without it; but most of the value of a CRM comes from putting your business data into it.
We do not carry out any automated decision-making with legal or similarly significant effects under GDPR Art. 22. We do not profile you for advertising or scoring.
12. Security
We protect your data with industry-standard measures:
- All traffic between your device and our servers runs over TLS 1.2 or higher.
- Passwords are stored only as bcrypt hashes; we never see your password in clear text.
- The database is protected by row-level security (RLS): each row carries the company that owns it, and our database refuses queries that step outside your company.
- Files (photos, ID scans) live in Supabase Storage behind RLS policies that mirror the database rules.
- Realtime sessions are revoked when an admin removes a team member.
- We keep audit logs of administrative actions.
No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a breach affecting your personal data, we will notify the competent supervisory authority within 72 hours of becoming aware of it (GDPR Art. 33) and notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms (Art. 34; PDPA s.37(4)).
13. Cookies and similar technologies
On the web application we use a single session cookie required to keep you signed in. It is strictly necessary and does not require consent under the ePrivacy Directive. We do not use advertising or analytics cookies. If we add analytics in the future, we will update this Policy and ask for your consent where required.
The mobile apps do not use cookies but they do use the equivalent local-storage mechanisms (Expo SecureStore / AsyncStorage) for session tokens and offline data.
14. California, other US states and Brazil
We do not target California, other US states or Brazil as primary markets, but if you are a resident there, the rights in section 8 above already give you substantively equivalent protections to CCPA/CPRA and LGPD. We do not sell or "share" personal information as those terms are defined in CCPA/CPRA. You may exercise your rights using the same email at support@iamagent.app.
15. Changes to this Policy
We may update this Policy when the law changes, when we add features, or when we change sub-processors. The Last updated date at the top tells you when. For material changes, we will notify you by email and an in-app banner at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance.
Previous versions can be requested at support@iamagent.app.
16. Contact
For any privacy question, including requests to access, correct, delete or port your data, write to:
Korshunov Igor Vladimirovich — Controller for I am Agent
Email: support@iamagent.app
We aim to reply within 7 business days and to fully resolve requests within 30 days.
End of Privacy Policy.