Privacy Policy
https://www.sphinx.versacarte.com/privacy
1. Introduction
Resphinx ("we", "us", or "our") is a property management application operated by Versacarte, accessible at https://www.sphinx.versacarte.com. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the Resphinx mobile application ("App").
By using Resphinx, you agree to the collection and use of your information as described in this Privacy Policy.
2. Information We Collect
2.1 Information You Provide Directly
When you create an account or use the App, we collect the following information:
- Full name (first and last name) — used for your profile and payment metadata
- Email address — used for account creation, login, and payment receipts
- Phone number — used for your profile, SMS two-factor authentication (2FA), and M-Pesa payment processing
- Password — stored securely in hashed form by Supabase Auth; never stored in plain text
- Profile information — including display name, bio, and country/currency preferences
- Property and unit information — including property names, addresses, unit details, and lease dates (for property owners)
- Transaction information — including rent amounts, payment categories, due dates, and payment status
- Chat messages — text messages and file attachments exchanged between property owners and tenants
- Maintenance requests — titles, descriptions, priorities, and status updates
2.2 Information Collected Automatically
When you use the App, we may collect:
- Device and session identifiers — minimal session tokens for authentication purposes
- App interaction data — including ledger activity, maintenance submissions, and session events stored in Supabase
- Crash logs — if enabled through Expo/EAS, used for stability and debugging purposes
2.3 Information from Third Parties
When you sign in using a third-party OAuth provider (Google, Microsoft, Facebook, or Twitch), we receive your name and email address from that provider to create or link your Resphinx account.
3. Information We Do NOT Collect
Resphinx does not collect the following:
- Payment card details — all card information is handled exclusively by Pesapal on their hosted checkout page
- M-Pesa PIN — never entered or processed within our App
- Banking credentials — not collected at any point
- Location data — we do not access your device's GPS or location
- Contacts — we do not access your device contact list
- Microphone or audio recordings — not collected
- SMS messages — we do not read your SMS messages
4. How We Use Your Information
We use the information we collect for the following purposes:
- Account management — creating and managing your account, verifying your identity, and enabling login
- Service delivery — enabling property management, rent tracking, tenant-owner communication, and maintenance requests
- Payments — processing rent and other charges through Pesapal, Google Pay, and PayPal
- Two-factor authentication — sending SMS verification codes through Twilio to secure your account
- Communication — sending payment receipts, rent reminders, and important account notifications
- App improvement — using crash logs and interaction data to fix bugs and improve performance
- Compliance — meeting our legal obligations and enforcing our Terms of Service
5. How We Share Your Information
We do not sell your personal data to any third party.
We share your information only with the following trusted service providers who help us operate the App:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Backend database, authentication, file storage | All account and app data |
| Pesapal | Rent payment processing (M-Pesa, card, bank) | Name, email, phone number |
| Google Pay | Android payment processing | Payment transaction data |
| PayPal | Online payment processing | Payment transaction data |
| Twilio | SMS one-time passwords for 2FA | Phone number |
| OAuth login and Google Wallet rent receipts | Name, email | |
| Microsoft (Azure) | OAuth login | Name, email |
| OAuth login | Name, email | |
| Twitch | OAuth login | Name, email |
All data shared with these providers is transmitted over encrypted TLS connections. Each provider operates under their own privacy policies and data protection terms.
We may also disclose your information if required to do so by law or in response to valid legal requests from government authorities.
6. Data Storage and Security
Your data is stored securely on Supabase infrastructure with the following protections in place:
- Encryption in transit — all data is transmitted over TLS (HTTPS)
- Row Level Security (RLS) — Supabase Postgres RLS policies ensure that each user can only access data they are authorized to view
- Authentication tokens — Supabase JWT tokens are used to manage sessions securely
- Payment secrets — all payment API keys and merchant secrets are stored only in Supabase Edge Function environment variables and are never included in the app bundle
- Hashed passwords — passwords are hashed server-side by Supabase Auth and never stored in plain text
- No card or PIN data on our servers — payment card details and M-Pesa PINs are never transmitted to or stored on Resphinx servers
7. Photos and File Attachments
When you send photos or file attachments in chat or maintenance requests, these files are stored securely in Supabase Storage. They are accessible only to the sender and recipient of the conversation. Property cover images uploaded by owners are also stored in Supabase Storage.
8. Camera and Media Access
The App requests access to your camera and photo library only when you choose to attach an image in chat or a maintenance request. These permissions are requested at the point of use and are not accessed in the background.
You may revoke camera or media permissions at any time through your device settings. Revoking these permissions will disable photo attachment features but will not affect other App functionality.
9. Two-Factor Authentication (2FA)
If you enable SMS-based 2FA, your phone number is shared with Twilio solely for the purpose of sending a one-time verification code. Resphinx does not use your phone number for marketing purposes. You may also use an authenticator app (TOTP) as an alternative to SMS 2FA.
10. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you with the App's services. If you request account deletion, we will delete your account and associated data within 30 days of verifying your identity.
Some data may be retained for longer periods where required by law or for legitimate business purposes such as resolving disputes and enforcing our agreements.
11. Your Rights and Choices
You have the following rights regarding your personal data:
- Access — you may request a copy of the personal data we hold about you
- Correction — you may update your profile information directly within the App at any time
- Deletion — you may request deletion of your account and data by emailing support@versacarte.com from your registered email address
- Withdrawal of consent — you may revoke camera or media permissions through your device settings at any time
- Data portability — you may request an export of your transaction data using the CSV export feature within the App
To exercise any of these rights, please contact us at support@versacarte.com. We will respond to your request within 30 days.
12. Children's Privacy
Resphinx is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If you believe a child under 18 has provided us with personal information, please contact us at support@versacarte.com and we will take steps to delete that information.
13. Third-Party Links and Services
The App may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through the App.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make changes, we will update the "Last Updated" date at the top of this document.
We encourage you to review this Privacy Policy periodically. Continued use of the App after changes are posted constitutes your acceptance of the updated Privacy Policy.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
- Email: support@versacarte.com
- Website: https://www.sphinx.versacarte.com
- Terms of Service: https://www.sphinx.versacarte.com/terms