Data Protection.
TurnkeyDoor maintains a Records of Processing Activities document per GDPR Art. 30 and a Data Protection Impact Assessment per GDPR Art. 35. Below is the public-safe summary.
Inquiries, data-subject requests, and processor coordination: compliance@turnkeydoor.com
Five data categories.
TurnkeyDoor is the controller for all five categories at the platform level. Landlords are independent controllers for tenant data they download.
| Category | Sensitivity | Primary purposes | Retention |
|---|---|---|---|
| Tenant data | Sensitive (incl. Art. 10) | Identity verification, lease application, FCRA-permissible-purpose screening, FCHA (N.J.S.A. 46:8-52 et seq.) two-phase criminal review, lease execution, communications, rent payment. | Identity tenancy + 7y. Bank/employment doc 90d. SSN never persisted. Criminal history 30d post-decision. Application metadata 2y. |
| Landlord data | Sensitive | Onboarding + KYC via Stripe Connect, listing publication, lease drafting, payout disbursement, tax reporting, maintenance ticket routing. | Active: indefinite (deletion 45d). Closed: 7y for tax/contract. Listing photos 90d post-delisting. |
| Exchange data | Sensitive | Tenant↔landlord matching, scheduling, contract formation, dispute audit trail, FCHA (N.J.S.A. 46:8-52 et seq.) individualized-assessment defensibility. | Messages 3y. Showing schedule 1y. Application history 2y. Signed leases lease term + 7y. |
| Visitor data | Standard | Site operation, rate-limiting, error monitoring, abuse/fraud prevention, listing-search demand analytics. | Vercel logs 30d (anonymized). Sentry 30d. Search queries 90d (anonymized). |
| AI-route data | Standard (synthetic) | Composer template generation, photo moderation, text utility. ARCHITECTURAL RULE: no PII may be sent to any AI vendor. | Inference-time only per vendor DPAs. ≤30d abuse-monitoring window. TKD-side: not persisted. |
Internal canonical doc pairs each category with full Art. 6 / 9 / 10 lawful-basis matrix, sub-processor list, cross-border SCC posture, and Art. 32 technical & organizational measures. Available under MNDA via compliance@turnkeydoor.com.
Where TKD operates.
At consumer launch (October 2026 target), only NJDPA is actively triggered. Non-NJ consumer traffic is served HTTP 412 at the edge. Vendor processing remains globally distributed; we address that through DPA + SCC coverage at the recipient layer.
NJDPA
N.J.S.A. 56:8-166.4 et seq.Active. Effective January 15, 2025. TurnkeyDoor operates as if in scope from day one as a defensive posture (statutory thresholds may not yet be met). Privacy notice + DSAR + 45-day response + sensitive-data opt-in implemented to NJDPA spec.
GDPR (EU/EEA) + UK GDPR
Reg. (EU) 2016/679 + UK DPA 2018Geo-fenced. Non-NJ traffic served HTTP 412 at Vercel edge. EU/UK GDPR not actively triggered at consumer launch. Vendor recipients have SCC + DPF coverage as fallback if EU data leaks in incidentally.
CCPA / CPRA (California)
Cal. Civ. Code §§1798.100 et seq.Geo-fenced. Threshold ($25M revenue OR 100k+ consumers/households) not met. Vendor DPAs include CCPA service-provider attestations as fallback.
Colorado CPA
C.R.S. §6-1-1301 et seq.Geo-fenced. Threshold (100k CO consumers) not met.
VCDPA (Virginia)
Va. Code §59.1-575 et seq.Geo-fenced.
Quebec Law 25
ARPPIPS as amended by S.Q. 2021, c. 25Geo-fenced. PIA template prepared in advance per ARPPIPS s. 17 (cross-border PI communication PIA), so Quebec activation is one-week effort if elected.
How to exercise your rights.
Under the New Jersey Data Privacy Act (N.J.S.A. 56:8-166.4 et seq., effective Jan 15, 2025), consumers have rights to access, correct, delete, and port their personal data, plus rights to opt out of sale, targeted advertising, and profiling-with-significant-effects. TurnkeyDoor does not engage in any of those opt-out-triggering activities.
To exercise rights, email compliance@turnkeydoor.com with the subject line “Data Subject Request.” We respond within 45 days (extendable by an additional 45 days for complex requests, with notice).
- Privacy notice: /legal/privacy
- Vendor posture (sub-processors): /admt-pack/vendor-posture
- SOC 2 readiness posture: /admt-pack/soc2-readiness
- Deployer ADMT pack: /admt-pack
- This page is reviewed annually and on material change. Next scheduled review: 2026-11-09.