Privacy Policy
The Kayla Acacia Company Limited — KPM Pro Administration Portal
Effective Date: April 28, 2026 | Last Updated: April 28, 2026
1. Introduction
The Kayla Acacia Company Limited ("we", "us", or "the Company") is committed to protecting the privacy and personal information of all individuals whose data is processed through the KPM Pro Administration Portal (the "Admin Portal"). This Privacy Policy explains how we collect, use, store, share, and protect personal data when authorised staff members access and use the Admin Portal.
This policy applies to all staff, administrators, and authorised users of the Admin Portal. By accessing and using the Admin Portal, you acknowledge that you have read and understood this Privacy Policy and that you are responsible for handling all personal data you access in accordance with applicable data protection laws and this policy.
The Admin Portal processes personal data relating to tenants, properties, financial transactions, and staff activities. All such data must be handled with care, confidentiality, and in accordance with the Company's data protection obligations.
2. Who We Are (Data Controller)
The Kayla Acacia Company Limited is the data controller responsible for all personal information processed through this Admin Portal. As an authorised user of this system, you act as a data processor on behalf of the Company and must comply with all applicable data protection requirements.
If you have any questions or concerns about how data is handled within this system, please contact the system administrator or the designated data privacy contact.
3. Personal Data Processed Through This Portal
The Admin Portal processes the following categories of personal data:
3.1 Tenant Personal Data
- Full name, email address, telephone number
- Date of birth and Tax Registration Number (TRN)
- Occupation and employer name
- Former / previous address
- Tenancy details (property, lease dates, rent amount, status)
- Financial records (invoices, payments, balances, statements, discounts)
- Complaints, maintenance requests, and related correspondence
- Uploaded documents and attachments (e.g., identification, proof of payment)
- Lease agreements and property documents
- Notification and communication history
3.2 Staff & User Account Data
- Staff full name and email address
- User roles and access permissions
- Login credentials (passwords stored in hashed form; never readable)
- Session and authentication tokens
- Audit log entries recording actions performed within the system
3.3 Financial & Operational Data
- Rent invoices, payment records, and bank transaction data
- Expense records and petty cash transactions
- Requisitions and requisition payments
- Property income and profitability reports
- Bank statement uploads and AI-assisted payment reconciliation data
3.4 Technical & System Data
- IP addresses and browser information of users accessing the Admin Portal
- Application event logs and error logs
- Email message logs and delivery records
- System configuration and audit trail data
4. How Personal Data Is Collected
Personal data is collected and entered into the Admin Portal through the following means:
- Direct data entry by staff — when creating or updating tenant records, tenancy agreements, invoices, payments, complaints, maintenance records, and other operational data.
- Tenant-submitted data — information submitted by tenants through the Tenant Client Portal is accessible and manageable through the Admin Portal.
- Automated system processes — invoice generation, payment reconciliation, email logging, and event scheduling may automatically create or update records.
- Bank statement uploads — bank transaction data uploaded for reconciliation purposes.
- AI-assisted processing — Azure OpenAI services may be used to assist with payment reconciliation and other administrative tasks. Data processed by AI services is handled under applicable data processing agreements.
- System-generated logs — the system automatically records audit logs, event logs, and email delivery logs.
5. Purposes of Processing
Personal data processed through the Admin Portal is used for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Managing tenant records, tenancy agreements, and property portfolios | Performance of a contract; Legitimate interests |
| Generating and managing rent invoices and collecting payments | Performance of a contract; Legal obligation |
| Processing and reconciling financial transactions and bank statements | Legal obligation; Legitimate interests |
| Managing maintenance requests, complaints, and tenant communications | Performance of a contract; Legitimate interests |
| Sending email and SMS notifications to tenants and staff | Performance of a contract; Legitimate interests |
| Generating financial reports and property profitability analyses | Legitimate interests; Legal obligation |
| Managing staff user accounts, roles, and access permissions | Legitimate interests; Legal obligation |
| Maintaining audit logs for accountability, compliance, and dispute resolution | Legal obligation; Legitimate interests |
| Ensuring the security and integrity of the system | Legitimate interests; Legal obligation |
| Complying with applicable laws, tax obligations, and regulatory requirements | Legal obligation |
6. How We Share Personal Data
We do not sell, rent, or trade personal data to any third party. Data may be shared only in the following limited circumstances:
6.1 Technology & Service Providers
- Microsoft Azure — cloud hosting, Azure SQL database, and Azure Blob Storage for all system data and uploaded files.
- Email service providers — SMTP providers used to send tenant and staff email notifications.
- SMS messaging providers — for sending text message notifications to tenants, where applicable.
- Azure OpenAI — for AI-assisted administrative tasks such as payment reconciliation. Data is processed under applicable data processing agreements and is not used to train external AI models.
All service providers are contractually required to protect personal data and may only use it for the specific purposes for which it was shared.
6.2 Legal & Regulatory Disclosure
We may disclose personal data if required to do so by law, court order, or government authority, or where necessary to protect our legal rights, prevent fraud, or ensure the safety of individuals.
6.3 Business Transfers
In the event of a merger, acquisition, or sale of the business, personal data may be transferred to the successor entity with appropriate safeguards in place.
7. Data Storage & Security
7.1 Where Data Is Stored
All data is stored on secure servers hosted on Microsoft Azure. Database records are stored in Azure SQL Server, and uploaded files and documents are stored in Azure Blob Storage. Data may be stored in data centres located outside your country of residence; appropriate safeguards are in place for any international data transfers.
7.2 Security Measures
We implement appropriate technical and organisational security measures, including:
- Encrypted HTTPS connections for all Admin Portal communications (TLS/SSL)
- Secure, hashed storage of all user passwords
- Cookie-based authentication sessions with automatic expiration
- Role-based access controls (RBAC) ensuring staff can only access data relevant to their role
- Comprehensive audit logging of all significant actions within the system
- Azure platform security controls including network isolation and identity management
- Regular security reviews and software updates
7.3 Staff Responsibilities
- Keeping your login credentials confidential and not sharing them with others
- Logging out of the Admin Portal when your session is complete
- Accessing only the data necessary for your role and responsibilities
- Reporting any suspected data breach or unauthorised access immediately to the system administrator
- Handling all personal data you access with appropriate care and confidentiality
- Not downloading, copying, or exporting personal data beyond what is required for legitimate business purposes
8. Data Retention
Personal data is retained for as long as necessary to fulfil the purposes for which it was collected and to comply with legal obligations:
- Active tenancy records: Retained for the full duration of the tenancy.
- Ended tenancy records: Financial records, tenancy records, and communications are retained for a minimum of seven (7) years after the tenancy ends, in accordance with applicable legal and tax obligations.
- Financial records: Invoices, payments, expenses, and bank transaction records are retained for a minimum of seven (7) years.
- Audit logs: System audit logs are retained for a minimum of three (3) years.
- Application event logs: Retained for 90 days unless required for an ongoing investigation or legal matter.
- Staff user accounts: Deactivated upon termination of employment or removal of access; records retained as required by law.
- Uploaded documents: Retained for the applicable retention period of the associated tenancy or transaction.
When data is no longer required, it will be securely deleted or anonymised.
9. Cookies & Session Management
The Admin Portal uses cookies and session management technologies to operate securely:
- Authentication cookies — to maintain your logged-in session. Sessions expire automatically after a period of inactivity.
- Anti-forgery tokens — to protect against cross-site request forgery (CSRF) attacks on all form submissions.
- Session state cookies — to maintain your session preferences and state.
These cookies are essential for the Admin Portal to function securely and cannot be disabled. Clearing your browser cookies will log you out of the system.
10. Tenant Data Subject Rights & Staff Obligations
Tenants whose data is processed through this system have the following rights under applicable data protection law:
| Tenant Right | Staff Obligation |
|---|---|
| Right of Access — to receive a copy of their personal data | Escalate requests to the system administrator or data privacy contact within 5 business days |
| Right to Rectification — to have inaccurate data corrected | Correct data promptly upon verified request; document the correction |
| Right to Erasure — to have data deleted where no longer necessary | Escalate to system administrator; do not delete data unilaterally without authorisation |
| Right to Restrict Processing — to limit how their data is used | Escalate to system administrator immediately |
| Right to Object — to object to certain processing activities | Escalate to system administrator and cease the relevant processing pending review |
All data subject requests received from tenants must be escalated to the system administrator or designated data privacy contact. We are required to respond to all legitimate requests within 30 days.
11. Data Breach Reporting
A data breach includes any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples include:
- Sending tenant personal data to the wrong recipient
- Unauthorised access to the Admin Portal by a third party
- Loss or theft of a device containing personal data
- Accidental deletion of records
- Ransomware or other cyber attacks affecting the system
12. Third-Party Links & Integrations
The Admin Portal integrates with third-party services (Microsoft Azure, email providers, SMS providers, OpenAI). These integrations are governed by separate data processing agreements. The Admin Portal may also contain links to external resources; we are not responsible for the privacy practices of those external sites.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last Updated" date at the top of this page and notify authorised users through the system or by email. Continued use of the Admin Portal after any changes constitutes acceptance of the updated policy.
14. Contact & Data Privacy Enquiries
For questions, concerns, or data subject requests relating to this Privacy Policy or the handling of personal data within this system, please contact:
The Kayla Acacia Company Limited
System Administrator — Data Privacy
Contact your system administrator directly or raise a concern through the appropriate internal channel.
If you are not satisfied with our response, you may have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.