PortfolioX

Privacy Policy

Your privacy matters. Here is how we handle your data.

Last updated: February 24, 2026

1. Introduction

RaiderX, LLC dba PortfolioX ("we," "us," or "our") operates the PortfolioX platform available at portfolio.raiderx.net (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service, including when you connect your financial accounts through our third-party partners, submit rental applications, undergo tenant screening and identity verification, use the property owner portal, browse public property listings, or interact with the Service in any other capacity. Please read this policy carefully. If you do not agree with the terms of this policy, please do not access or use the Service.

This Privacy Policy applies to all users of the Service, including landlords, property managers, organization team members, tenants, rental applicants and co-applicants, property owners, and visitors to our public listing pages.

2. Information We Collect

We collect the following categories of information:

2.1 Account Information

Name, email address, and password when you create an account. We store passwords as irreversible cryptographic hashes—we never store or have access to your plaintext password. If you enable multi-factor authentication (MFA), we store your encrypted TOTP secret and hashed backup recovery codes.

2.2 Organization and Team Data

Organization name, logo, primary brand color, reply-to email address, team member information, roles and permissions, and subscription plan details. Each organization's data is isolated and inaccessible to other organizations.

2.3 Property and Financial Data

Property addresses, lease details, tenant contact information (name, email, phone), mortgage records (loan amounts, interest rates, balances), property tax records, insurance policies, home warranty details, back rent collection records, payment amounts you enter or that are generated through the platform, and trust accounting records (operating, security deposit, and reserve account ledger entries and balances). This data is used to provide the portfolio management features of the Service.

2.4 Payment Information

When tenants make rent payments, back rent payments, or screening application fee payments through the platform, payment processing is handled entirely by Stripe, our PCI-DSS Level 1 certified payment processor. We never receive, transmit, or store credit card numbers, bank account numbers, routing numbers, or other payment credentials. We only store Stripe reference identifiers, payment amounts, processing fees, platform fees, payment status, and payment method type (e.g., "card" or "ACH"—not the actual card or account details). This applies equally to payments made by primary applicants, co-applicants, and tenants.

2.5 Financial Account Data (Plaid Link)

If you choose to connect your bank accounts or credit cards for transaction matching and accounting purposes, we use Plaid, Inc. ("Plaid") to facilitate that connection. When you use Plaid to connect your financial accounts:

  • Your bank login credentials are entered directly into Plaid's secure interface and are never transmitted to or stored by PortfolioX.
  • Plaid provides us with an access token that allows us to retrieve account and transaction information on your behalf. This token is stored encrypted in our database.
  • We receive and store: institution name, account name, account type, account mask (last 4 digits only), account balances, and transaction history (date, amount, merchant name, category).
  • This data is used solely to match transactions with your property income and expenses for accounting and reporting purposes.
  • You can disconnect your financial accounts at any time through the PortfolioX settings, which will revoke the Plaid access token and stop all future data retrieval.

By connecting your financial accounts, you acknowledge and agree that Plaid's End User Privacy Policy governs Plaid's collection and use of your financial data.

2.6 Tenant Screening and Application Data

When a landlord or property manager initiates a tenant screening application, we collect the applicant's first name, last name, email address, and phone number. This information is transmitted to our screening partner, TenantScreeningX (operated by TazAPI), to initiate the background check process.

Sensitive personal information collected directly by TenantScreeningX (NOT by PortfolioX):

  • Social Security Number (SSN)
  • Date of birth
  • Address history
  • Employment history

This sensitive information is entered by the applicant directly into TenantScreeningX's secure hosted form (the "QuickApp") and is never transmitted to, received by, or stored on PortfolioX servers. PortfolioX only receives and stores screening result summaries (e.g., pass/fail/review decisions), order reference identifiers, status information, and categorized search result summaries (criminal, credit, eviction, rental history, identity verification). Full screening reports are hosted by TenantScreeningX and are accessed through their secure platform.

Types of background checks that may be performed:

  • Criminal records (national, county, state, federal, sex offender registry, global security watch)
  • Credit reports and tenant scorecards
  • Eviction and civil records (county, federal, liens, judgments, bankruptcy)
  • Rental history (national and state rental record databases)
  • Identity verification (SSN trace, person search)
  • Verification services (employment, education, residence, professional license)

All screening is conducted with FCRA (Fair Credit Reporting Act) permissible purpose certification. By submitting an application, applicants consent to the background check being performed by TenantScreeningX on behalf of the requesting landlord or property manager.

2.7 Co-Applicant Data

When co-applicants (such as spouses, roommates, co-signers, or guarantors) are added to a screening application, we collect their first name, last name, email address, phone number, and relationship to the primary applicant. Co-applicants undergo the same screening process described in Section 2.6, including a separate payment for screening fees and an independent background check through TenantScreeningX. The same data handling practices apply: sensitive personal information (SSN, date of birth, address history) is collected directly by TenantScreeningX and never touches PortfolioX servers.

2.8 Identity Verification Data (Plaid IDV)

As part of the tenant screening process, applicants and co-applicants may be required to complete identity verification through Plaid's Identity Verification ("IDV") service. This is a separate service from the Plaid financial account linking described in Section 2.5. During identity verification, Plaid may collect and process:

  • Government-issued identification documents (driver's license, passport, or state ID card)
  • Selfie photographs for facial recognition and liveness detection
  • KYC (Know Your Customer) data: name, date of birth, address, phone number, and identification numbers
  • SMS-based phone verification

All sensitive identity verification data—including government ID images, selfie photographs, biometric facial recognition data, and raw KYC data—is collected and processed directly by Plaid and is never transmitted to or stored on PortfolioX servers. PortfolioX only receives and stores the verification session identifier, overall verification status (e.g., success, failed, pending), and match result summaries (e.g., "match," "partial match," or "no match" for name, address, date of birth, and phone—not the actual values). Document type (e.g., driver's license) and step completion statuses are also stored.

Biometric Data Notice: The identity verification process involves the collection of biometric identifiers (facial geometry from selfie photographs) by Plaid. This biometric data is collected, processed, and stored exclusively by Plaid in accordance with their privacy policy and applicable biometric privacy laws, including the Illinois Biometric Information Privacy Act (BIPA) where applicable. PortfolioX does not collect, receive, store, or have access to any biometric data. By proceeding with identity verification, you consent to Plaid's collection and processing of your biometric data as described in Plaid's End User Privacy Policy.

2.9 Property Owner Data

For organizations using our property management company (PMC) features, we collect property owner information including name, email address, phone number, company name, and mailing address. Property owners access the Service through a dedicated owner portal using magic link email authentication. When property owners set up direct deposit for distributions, their bank account details are collected and held exclusively by Stripe through Stripe Connect Express—PortfolioX only stores the Stripe Connect account identifier.

2.10 Public Listing and Inquiry Data

When prospective tenants browse our public property listings or submit inquiries, we collect information they voluntarily provide, including name, email address, phone number (optional), message content, and desired move-in date. When prospective tenants submit rental applications from a listing page, we collect their first name, last name, email address, and phone number to initiate the screening process described in Section 2.6. No account registration is required to submit an inquiry or apply from a listing page.

2.11 Vendor and Service Provider Data

When organizations use our vendor directory integration with the RaiderX Preferred Partner Vendor Network, user names, email addresses, phone numbers, and property location data (city, state, county) may be shared with the vendor network to facilitate contact requests and geographic vendor matching. Organizations may also upload vendor W-9 documents, which are stored securely in DigitalOcean Spaces.

2.12 Uploaded Files

Documents and images you upload, such as insurance documents, lease agreements, maintenance request photos, property listing images, organization logos, and vendor W-9 forms. Files are stored with private access controls and are only accessible to authorized members of your organization via time-limited signed URLs, except for organization logos on public listing pages, which are accessible via time-limited signed URLs without authentication for display purposes.

2.13 Usage and Technical Data

Information about how you access and use the Service, including your IP address, browser type, pages visited, and timestamps. This data is used for security monitoring, error diagnosis, and service improvement. Error data and associated request context (which may include IP addresses and session information) may be transmitted to our error monitoring service (Sentry) for debugging and reliability purposes.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service Delivery: Provide, operate, and maintain the portfolio management platform, including property management, tenant screening, owner management, trust accounting, and public listing features.
  • Payment Processing: Process rent payments, back rent payments, screening application fees, and subscription billing through Stripe, as well as owner distributions through Stripe Connect.
  • Tenant Screening: Initiate and manage background check applications through TenantScreeningX and identity verification through Plaid IDV on behalf of landlords and property managers with FCRA permissible purpose.
  • Identity Verification: Verify the identity of rental applicants and co-applicants through Plaid's IDV service to support the tenant screening process.
  • Financial Account Linking: Connect your bank accounts and credit cards via Plaid to retrieve transaction data for matching against your property income and expenses.
  • Accounting and Reporting: Generate profit and loss statements, balance sheets, owner statements, trust account reports, and other financial reports using your property data and linked transaction data.
  • Property Owner Management: Manage property owner relationships, calculate management fees, generate owner statements, process owner distributions, manage owner approvals for work orders, and maintain trust account ledgers.
  • Public Listings: Display property listings on public-facing pages, process listing inquiries from prospective tenants, and facilitate rental applications.
  • Vendor Services: Connect organizations with local service vendors through the RaiderX Preferred Partner Vendor Network for maintenance, repairs, and other property-related services.
  • Market Data: Retrieve publicly available mortgage rate data from the Federal Reserve (FRED API) to identify refinance opportunities. No user personal information is shared with this service.
  • Notifications: Send automated notifications such as payment reminders, tax due date alerts, insurance renewal notices, late payment notifications, payment confirmations, screening application invitations, co-applicant invitations, identity verification requests, owner statement notifications, distribution confirmations, and approval requests.
  • Support: Respond to your comments, questions, and support requests.
  • Security: Detect, prevent, and address technical issues, security threats, and unauthorized access.
  • Error Monitoring: Diagnose and resolve application errors and performance issues to maintain service reliability.
  • Improvement: Monitor and analyze usage trends to improve the Service.

4. How We Do NOT Use Your Information

We want to be clear about what we will never do with your data:

  • We do not sell your personal information or financial data to any third party.
  • We do not use your financial account data for marketing or advertising purposes.
  • We do not share your financial data with unrelated third parties except as described in this policy or with your explicit consent.
  • We do not access your bank login credentials. When you connect financial accounts, your credentials go directly to Plaid and are never transmitted to our servers.
  • We do not collect, receive, or store Social Security Numbers, dates of birth, government ID images, selfie photographs, or biometric data. All such sensitive data is collected directly by our third-party screening and identity verification partners (TenantScreeningX and Plaid) and never passes through our servers.
  • We do not use tenant screening data for any purpose other than evaluating rental applications on behalf of the requesting landlord or property manager.
  • We do not use consumer report information in violation of the FCRA. Screening data is obtained solely for permissible purposes under federal and state law.

5. Data Storage and Security

We implement industry-standard security measures to protect your data:

  • Encryption in Transit: All data transmitted between your browser and our servers, and between our servers and third-party services, is encrypted using TLS 1.2 or higher. HTTPS is enforced on all connections with HSTS (HTTP Strict Transport Security).
  • Encryption at Rest: Your data is stored in Neon (PostgreSQL database) with AES-256 encryption at rest. Uploaded files are stored in DigitalOcean Spaces with AES-256 server-side encryption.
  • Password Security: Passwords are hashed using bcrypt before storage. We never store or have access to plaintext passwords.
  • Multi-Factor Authentication: TOTP-based multi-factor authentication is available for all organization user accounts, adding a second layer of protection beyond passwords.
  • Multi-Tenant Isolation: All data is scoped to your organization. Our architecture enforces data isolation at the application layer, ensuring no organization can access another's data.
  • Access Controls: Role-based access control (RBAC) with four permission levels (Owner, Admin, Member, Viewer) ensures team members only access data appropriate to their role.
  • Sensitive Data Segregation: Highly sensitive applicant information (SSN, date of birth, government ID images, biometric data) is never stored on our servers. This data is collected, processed, and stored exclusively by our third-party partners (TenantScreeningX and Plaid) in their own secure, certified environments.
  • Webhook Authentication: All inbound webhooks from third-party services (Stripe, TenantScreeningX) are authenticated and verified before processing.
  • Audit Logging: Security-relevant actions are logged with timestamps, user identification, and IP addresses.

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.

6. Third-Party Services

We use the following third-party services to operate the platform. Each service has its own privacy policy governing how they handle data:

  • Stripe (Privacy Policy): Payment processing for rent payments, back rent collection, screening application fees, subscription billing, and property owner distributions. PCI-DSS Level 1 certified. Stripe receives and stores payment credentials; PortfolioX only receives reference IDs and payment status. Property owners who receive distributions onboard their bank accounts directly through Stripe Connect Express—their banking details are held exclusively by Stripe.
  • Plaid (Financial Account Linking) (Privacy Policy): Bank account linking and transaction data retrieval for accounting purposes. SOC 2 Type II and ISO 27001 certified. Plaid receives and secures your bank credentials; PortfolioX only receives account metadata and transaction data.
  • Plaid (Identity Verification) (Privacy Policy): Identity verification for rental applicants and co-applicants, including government ID verification, selfie and facial recognition (biometric data), KYC checks, and phone verification. Plaid collects, processes, and stores all identity documents, biometric data, and raw verification data; PortfolioX only receives verification status and match result summaries.
  • TenantScreeningX (TazAPI): Tenant background screening services including criminal records, credit reports, eviction records, rental history, identity checks, and verification services. TenantScreeningX collects sensitive applicant information (SSN, date of birth, address history) directly from applicants via their secure hosted form. PortfolioX only receives screening result summaries and order status. All screening is conducted in compliance with the Fair Credit Reporting Act (FCRA).
  • RaiderX Vendor Network: Preferred partner vendor directory for connecting property managers with local service providers. User contact information and property location data may be shared to facilitate vendor contact requests.
  • FRED API (Federal Reserve): Publicly available mortgage rate data from the Federal Reserve Bank of St. Louis. No user personal information is transmitted to this service.
  • Sentry: Application error monitoring and performance tracking. Error reports may include technical context such as request headers, IP addresses, and session information for debugging purposes.
  • Neon: PostgreSQL database hosting with encryption at rest and in transit. SOC 2 Type II certified.
  • DigitalOcean Spaces: Secure file and document storage with encryption at rest. SOC 2 Type II and ISO 27001 certified.
  • Vercel: Application hosting and deployment with automatic TLS and DDoS protection. SOC 2 Type II and ISO 27001 certified.
  • Resend: Sending transactional emails such as payment reminders, confirmations, magic link login emails, screening invitations, co-applicant invitations, identity verification requests, owner statement notifications, and distribution confirmations.

7. Data Sharing

We may share your information only in the following circumstances:

  • With Service Providers: We share data with the third-party services listed in Section 6 solely to provide the Service. These providers are contractually obligated to protect your data.
  • Within Your Organization: Data you enter is accessible to other authorized members of your organization based on their assigned role and permissions.
  • With Property Owners: Property owners using the owner portal can view financial data related to their specific properties, including statements, distributions, trust account balances, and tenant payment information. Property owners only have access to data for properties they own.
  • With Landlords and Property Managers (Screening): Tenant screening result summaries are shared with the landlord or property manager who initiated the screening application. This sharing is conducted under FCRA permissible purpose.
  • With Vendors (Contact Requests): When you submit a contact request through the RaiderX Preferred Partner Vendor Network, your name, email, phone number, and property location may be shared with the selected vendor to facilitate the service request.
  • Public Listing Information: Property listing details (description, photos, pricing, amenities) that you choose to publish are displayed on our public-facing listing pages. Organization logos may be displayed on public listings for eligible plan tiers.
  • With Your Consent: We may share your information with other parties when you explicitly request or authorize it.
  • Legal Compliance: We may disclose your information if required by law, regulation, legal process, or enforceable governmental request.
  • Protection of Rights: We may share information to protect the rights, property, or safety of PortfolioX, our users, or the public.

8. Your Rights

Depending on your location, you may have certain rights regarding your personal information:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Correction: Request correction of inaccurate or incomplete personal data.
  • Right to Deletion: Request deletion of your personal data, subject to legal retention obligations (including FCRA record retention requirements for screening data).
  • Right to Export: Request your data in a commonly used, machine-readable format.
  • Right to Revoke Consent: Withdraw consent for data processing where consent is the legal basis (e.g., disconnect linked financial accounts).
  • Right to Disconnect Financial Accounts: Revoke Plaid access to your bank accounts at any time through the PortfolioX settings. This immediately stops all future data retrieval from the disconnected accounts.
  • FCRA Rights (Screening Applicants): If you are a rental applicant, you have the right under the FCRA to request a copy of your screening report from TenantScreeningX, dispute inaccurate information, and be notified if adverse action is taken based on the screening report. These rights are exercised through TenantScreeningX as the consumer reporting agency.

To exercise any of these rights, please contact us at the address below. We will respond to your request within 30 days.

9. Data Retention

We retain your information according to the following schedule:

  • Account Data: Retained while your account is active. Deleted upon account closure at your request.
  • Financial and Property Data: Retained while your account is active or as required by applicable law (e.g., tax recordkeeping requirements).
  • Transaction Data: Plaid transaction data is retained while the financial account is connected. Upon disconnection, previously retrieved transaction data may be retained for accounting records unless you request deletion.
  • Screening Application Data: Screening result summaries, order identifiers, and application metadata are retained for the duration of your account and for a minimum of 5 years after the screening decision, as required by FCRA record retention obligations. Sensitive applicant data (SSN, date of birth, etc.) is retained solely by TenantScreeningX in accordance with their own retention policies and applicable law.
  • Identity Verification Data: Verification session identifiers and match result summaries are retained for the same period as the associated screening application. Government ID images, selfie photographs, and biometric data are retained solely by Plaid in accordance with their retention policies and applicable biometric data laws.
  • Owner and Trust Data: Property owner information, statements, distribution records, and trust ledger entries are retained while the managing organization's account is active or as required by applicable property management and financial regulations.
  • Listing Inquiry Data: Prospective tenant inquiries are retained for the duration of the organization's account.
  • Uploaded Files: Retained until you delete them or your account is terminated.
  • Audit Logs: Retained for a minimum of 1 year for security and compliance purposes.
  • Authentication Tokens: Magic link tokens expire after 15 minutes. Session tokens expire after 30 days. Expired tokens are automatically cleaned up.

10. Fair Credit Reporting Act (FCRA) Compliance

To the extent the Service facilitates access to consumer reports (including tenant background checks and credit reports) through TenantScreeningX, we act as an intermediary between the landlord or property manager (the end user) and the consumer reporting agency (TenantScreeningX). Landlords and property managers who use the screening features certify that they have a permissible purpose under the FCRA for obtaining consumer reports. We do not act as a consumer reporting agency. Consumer report data is not used for any purpose other than evaluating rental applications. Applicants have the right to dispute inaccurate information in their screening reports directly with TenantScreeningX.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which that information is collected, the business purpose for collecting the information, and the categories of third parties with whom we share that information. You also have the right to request deletion of your personal information and the right to opt out of the sale or sharing of your personal information. We do not sell or share personal information as defined by the CCPA/CPRA. We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA/CPRA. To make a request, please contact us using the information in Section 15.

12. Illinois Biometric Information Privacy Act (BIPA)

If you are an Illinois resident undergoing identity verification, please be aware that the Plaid Identity Verification process involves the collection of biometric identifiers (facial geometry data) from selfie photographs. This biometric data is collected, used, and stored exclusively by Plaid, Inc. PortfolioX does not collect, capture, receive, store, or possess any biometric data. By proceeding with the identity verification process, you acknowledge and consent to Plaid's collection and use of your biometric identifiers and biometric information as described in Plaid's End User Privacy Policy. Plaid's retention and destruction of biometric data is governed by their privacy policy and applicable law.

13. Children's Privacy

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without verification of parental consent, we will take steps to remove that information.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on this page, updating the "Last updated" date, and sending a notification to your account email address. You are advised to review this Privacy Policy periodically for any changes.

15. Contact Information

If you have any questions about this Privacy Policy, our data practices, or wish to exercise your data rights, please contact us:

RaiderX, LLC dba PortfolioX

Email: support@portfolio.raiderx.net