Privacy Policy
Product: LeaseLens (neolain.com/leaselens)
Operator: NeoLain Trading Co. Limited, Hong Kong
HK Business Registration No.: [BR number placeholder]
Registered office: [registered address placeholder]
Contact: legal@neolain.com
Last updated: [last-updated date placeholder]
Plain-English summary. We are a Hong Kong company that turns commercial lease PDFs into structured data. To do that, your uploaded documents are stored in Cloudflare R2 (AP-East) and the extracted data in Supabase Postgres (Tokyo region); during extraction each document passes through Google Vertex AI (Gemini 2.5 Pro), whose terms commit Google to no training on and no retention of your data; and both the document and the extracted data are auto-deleted after 90 days unless you delete them sooner. We never use your data to train models. This page explains each of those steps in detail.
This Privacy Policy is informational. It is not legal advice. If you need advice on how LeaseLens fits into your regulatory obligations, please consult qualified counsel.
1. Who we are
LeaseLens is operated by NeoLain Trading Co. Limited ("NeoLain", "we", "us"), a private company limited by shares incorporated in Hong Kong SAR.
- Business Registration Number: [BR number placeholder]
- Registered office: [registered address placeholder]
- General contact: support@neolain.com
- Privacy and legal contact: legal@neolain.com
For the purposes of the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO"), NeoLain is the data user. For the purposes of the EU General Data Protection Regulation ("GDPR") and the UK GDPR, NeoLain is a data controller of account data and a data processor of lease content uploaded by you. For the purposes of Japan's Act on the Protection of Personal Information ("APPI"), NeoLain is a Personal Information Handling Business Operator.
2. Scope of this policy
This policy applies to:
- The public LeaseLens website at neolain.com/leaselens.
- The LeaseLens web application (dashboard, uploads, API).
- Marketing communications we send you.
- Support interactions by email.
It does not cover third-party websites we link to, or third-party tools you separately connect.
3. What we collect
Plain-English summary. Account basics (email, company), the lease PDFs you upload, the structured data we extract, billing information handled by Stripe, and standard product telemetry. Nothing more than we need.
3.1 Account and identity data
- Full name
- Work email address
- Company or firm name
- Password hash (we never store your password in plaintext) or OAuth identity token
- Role and team membership within your LeaseLens workspace
3.2 Content you upload
- Lease PDFs, DOCX files, and images you upload for extraction
- Any notes, tags, or corrections you add to an extracted record
- API requests you submit (on paid tiers with API access)
Your lease documents may contain personal data about third parties (for example, tenant contact names, guarantor details, signatories). You are responsible for ensuring that you have a lawful basis to upload such documents and to have them processed by our service. See Section 8 on your role as controller.
3.3 Derived data
- The structured JSON output from extraction (our 40-to-60-field schema)
- Per-field confidence scores and page-level citations
- Processing metadata (timestamp, model version, schema version)
3.4 Billing data
- Plan and tier
- Payment method metadata returned to us by Stripe (last four digits, card brand, expiry month). We do not store full card numbers.
- Invoice history
- Billing address, VAT or GST number where you provide one
3.5 Usage and telemetry
- IP address (truncated where feasible)
- Browser and device type
- Pages visited, features used, timestamps
- Session identifiers and cookies (see Section 10)
- Crash and error reports
3.6 Support correspondence
- Emails and support tickets you send us
- Any screenshots or logs you attach
4. How we use it
Plain-English summary. To run the product, to bill you, to improve accuracy in the aggregate, to keep the service secure, and to talk to you about the service. Not to profile you or sell data.
We use the categories above to:
- Deliver the service. Process your uploaded leases, return structured data, store outputs, let you export them.
- Authenticate and authorize. Create and secure your account and team.
- Bill you. Issue invoices, collect payment via Stripe, manage renewals and dunning.
- Support you. Respond to questions, debug issues, process your deletion requests.
- Improve the platform. Review aggregated, anonymized accuracy signals (e.g., which fields are commonly corrected) to refine our schema and prompt design. This does not involve using your lease content to train any model.
- Protect the service. Detect abuse, rate-limit, investigate suspected fraud or security incidents.
- Comply with law. Keep records required by Hong Kong tax and corporate law, respond to lawful requests from regulators.
Legal bases (GDPR / UK GDPR)
Where GDPR applies, our legal bases are:
- Contract performance (Art. 6(1)(b)): running the service you subscribed to.
- Legitimate interests (Art. 6(1)(f)): securing the service, preventing fraud, improving product quality at the aggregate level. We balance these interests against your rights; you may object at any time (see Section 7).
- Legal obligation (Art. 6(1)(c)): tax, accounting, and regulatory records.
- Consent (Art. 6(1)(a)): optional marketing emails and non-essential cookies. You can withdraw consent at any time.
Basis (PDPO)
Under PDPO, personal data is collected for purposes directly related to providing LeaseLens and communicating with you about it. We do not use personal data for any new purpose without your prescribed consent.
5. The AI pipeline — how your documents flow
Plain-English summary. When you click "Extract", the PDF is sent to Google Vertex AI (Gemini 2.5 Pro). Google's Vertex AI Generative AI terms bind it to not retain your data and not train on it. The structured output comes back and we store it in your workspace.
This section is critical and we want it to be unambiguous.
5.1 The flow
- You upload a PDF (or DOCX / image) to LeaseLens through your browser over TLS 1.3.
- The file is stored encrypted at rest in Cloudflare R2 (AP-East region).
- When you trigger extraction, the document is sent from our backend to Google Vertex AI (Gemini 2.5 Pro) in the Tokyo (asia-northeast1) region: inline for PDFs under 20MB, or via a short-lived Google Cloud Storage object (24-hour lifecycle) for larger files.
- Gemini reads the document, applies our extraction prompt and structured-output schema, and returns JSON.
- We parse that response, attach citations and confidence scores, and write the record to Supabase Postgres (Tokyo, ap-northeast-1).
- You see the extracted fields in your dashboard and can export them.
5.2 No-retention, no-training posture with Google Vertex AI
We process your lease content through Google Vertex AI under Google's Vertex AI Generative AI Service terms and the Google Cloud Data Processing Addendum. Under those terms, by default:
- Google does not use your prompts, documents, or responses to train or fine-tune its foundation models.
- Google does not retain your prompts or responses once the API call has returned and any abuse-protection window has elapsed.
- Vertex AI-bound data is subject to Google Cloud's enterprise security controls and audit regime (ISO 27001, SOC 2, etc.).
Unlike some consumer-facing AI products, these protections are the default configuration for Vertex AI customer prompts and outputs — not an opt-in we need to negotiate.
5.3 No training on customer data
We do not use your lease content, your extracted data, or your account activity to train any model, whether ours or a third party's. Aggregated, anonymized signals about which fields are commonly corrected may inform prompt and schema updates, but no individual customer content is used for model training.
5.4 Storage and retention inside LeaseLens
- Uploaded PDFs: stored in Cloudflare R2 (AP-East), encrypted at rest (AES-256), in transit (TLS 1.3).
- Large-PDF staging for Vertex AI: Google Cloud Storage bucket in asia-northeast1 with a 24-hour auto-delete lifecycle. Used only when a single PDF exceeds the inline-request size limit (20MB).
- Extracted JSON and metadata: stored in Supabase Postgres (Tokyo, ap-northeast-1), encrypted at rest.
- Default retention: 90 days from upload, after which both the PDF and the extracted JSON are auto-purged.
- One-click delete: you can delete any file and its derived data from your dashboard at any time. Deletion propagates within 24 hours, including from backups.
- Enterprise retention options: Unlimited-tier customers can request 30-day retention or immediate auto-purge after successful extraction.
6. Subprocessors
Plain-English summary. A short list of vendors we use to run the service. Each is bound by contract to handle your data appropriately.
The following subprocessors may process personal data or lease content on our behalf:
| Subprocessor | Purpose | Region |
|---|---|---|
| Google LLC (Vertex AI) | LLM inference (Gemini 2.5 Pro) under Vertex AI Gen AI terms — no training, no retention | asia-northeast1 (Tokyo) |
| Google LLC (Cloud Storage) | Short-lived staging of PDFs >20MB, 24h auto-delete lifecycle | asia-northeast1 (Tokyo) |
| Cloudflare, Inc. (R2) | Object storage for uploaded files | AP-East |
| Supabase, Inc. | Postgres database and authentication | Tokyo ap-northeast-1 |
| Stripe Payments Europe / Stripe Asia Pacific | Payment processing | As selected by Stripe |
| Resend | Transactional email (account, billing, notifications) | US / EU |
| Vercel, Inc. | Application hosting, edge delivery | Global edge |
| PostHog | Product analytics and usage telemetry | EU-hosted instance |
We maintain a current subprocessor list at neolain.com/leaselens/subprocessors. We will update it before engaging any new subprocessor. Enterprise customers with a signed DPA may subscribe to written change notifications and object before a new subprocessor begins processing their data, subject to the terms of the DPA.
7. Your rights
Plain-English summary. You can see, fix, export, or delete your data. Email legal@neolain.com and we will respond within 30 days.
The rights below are provided to all customers as a matter of policy and, where applicable, as a matter of law under PDPO, GDPR, UK GDPR, and APPI.
- Right of access. Request a copy of the personal data we hold about you.
- Right of rectification. Ask us to correct inaccurate or incomplete personal data.
- Right of erasure ("right to be forgotten"). Ask us to delete your personal data. For uploaded content, the one-click delete in your dashboard is the fastest path.
- Right to data portability. Export your account data and extraction outputs in a machine-readable format (JSON).
- Right to object. Object to processing based on our legitimate interests, including for direct marketing. Marketing objections are honored immediately.
- Right to restrict processing. Ask us to pause processing while a dispute is resolved.
- Right to withdraw consent. Where we process based on consent, you can withdraw it at any time without affecting prior lawful processing.
- Right to lodge a complaint. You may complain to the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD), or to your local supervisory authority in the EU, UK, or Japan.
To exercise any right, email legal@neolain.com from the address on your account. We respond within 30 calendar days, or sooner where law requires. We may need to verify your identity before acting.
8. Your role as controller of lease content
If your uploaded leases include personal data of third parties (tenants, guarantors, signatories), you are the controller of that personal data and we process it on your behalf as a processor. You represent that:
- You have a lawful basis to upload that content.
- You have provided any notices required to those third parties.
- You will relay data subject requests to us promptly so we can assist you in responding.
Our Data Processing Agreement (/legal/dpa) sets out the terms governing that processor relationship. It is incorporated into our Terms of Service by reference and is offered as a standalone document suitable for self-serve SMB customers.
9. International transfers
Plain-English summary. Your data stays in Asia-Pacific where possible, but some subprocessors are global. We rely on Standard Contractual Clauses and similar safeguards when data leaves the EEA or UK.
- Primary regions: Cloudflare R2 (AP-East) for uploaded files, Supabase Postgres (Tokyo, ap-northeast-1) for extracted data, and Google Vertex AI (Tokyo, asia-northeast1) for inference. Lease content therefore typically remains in Asia-Pacific.
- Global or non-APAC flows: Some subprocessors (Stripe, Resend, Vercel, PostHog) may process data in other regions. For EEA or UK customers, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, plus Google Cloud's own SCC-backed Data Processing Addendum for Vertex AI. For other jurisdictions, we rely on equivalent contractual safeguards.
- PDPO transfers: Section 33 of the PDPO, which would restrict transfers of personal data outside Hong Kong, has been enacted but has not yet been brought into operation. In line with the PCPD's guidance on cross-border transfers, we take reasonable steps to ensure that personal data transferred outside Hong Kong is afforded protection comparable to that under PDPO.
- APPI transfers: For personal data of Japanese data subjects, we provide the information required under Article 28 of APPI in our DPA and in this policy.
10. Cookies and similar technologies
We use a small number of cookies and similar technologies:
- Strictly necessary cookies. Session authentication, CSRF protection. Cannot be disabled without breaking the service.
- Functional cookies. Remember UI preferences (e.g., theme, default export format).
- Analytics. PostHog sets a first-party identifier to let us understand which product areas are used. We host PostHog in the EU and configure it to reduce identifiability.
We do not serve third-party advertising cookies.
Where required, you will see a cookie banner on first visit and can manage optional categories there. You can also clear cookies through your browser settings.
11. Security
Technical and organizational measures include:
- TLS 1.3 in transit; AES-256 at rest.
- Per-workspace logical tenant isolation enforced with Postgres row-level security (RLS), so a request scoped to one workspace cannot read or write another workspace's rows.
- Least-privilege access controls for staff. Staff access to customer content requires a support ticket with explicit customer approval and is logged.
- Automated backups in-region, encrypted.
- Periodic restore tests.
- Dependency scanning on our application builds.
- SSO and 2FA planned for Professional and Unlimited tiers in line with our roadmap.
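The following is an added illustration, not NeoLain's own schema or code, of how the per-workspace row-level security isolation listed above and the 90-day default retention from Section 5.4 can be enforced inside Postgres on Supabase. The table and column names (workspaces, workspace_members, extractions, retention_days, source_object) are assumptions; auth.uid() is Supabase's built-in helper that returns the calling user's ID from the request JWT.

```sql
-- Added example, not LeaseLens's schema. Table and column names are assumptions.
-- Supabase exposes the authenticated user's ID as auth.uid(); on plain Postgres
-- replace it with a session setting such as current_setting('app.user_id')::uuid.

create table workspaces (
  id             uuid primary key default gen_random_uuid(),
  name           text not null,
  -- Section 5.4: 90-day default; Unlimited tier may request 30 or 0 (purge right after extraction)
  retention_days integer not null default 90 check (retention_days between 0 and 90)
);

create table workspace_members (
  workspace_id uuid not null references workspaces (id) on delete cascade,
  user_id      uuid not null,                 -- matches auth.users.id on Supabase
  role         text not null check (role in ('owner', 'editor', 'viewer')),
  primary key (workspace_id, user_id)
);

create table extractions (
  id             uuid primary key default gen_random_uuid(),
  workspace_id   uuid not null references workspaces (id) on delete cascade,
  source_object  text not null,               -- R2 object key of the uploaded PDF
  extracted      jsonb not null,              -- structured output, confidence scores, citations
  model_version  text not null,
  schema_version text not null,
  created_at     timestamptz not null default now()
);

-- Isolation. Enabling RLS with no matching policy denies everything, so the
-- table fails closed; FORCE makes the policies apply to the table owner as well.
alter table extractions enable row level security;
alter table extractions force row level security;

-- Any member of a workspace may read its rows.
create policy workspace_member_read on extractions
  for select
  using (
    workspace_id in (
      select workspace_id from workspace_members where user_id = auth.uid()
    )
  );

-- Only owners and editors may insert, update or delete, and they cannot
-- re-home a row into a workspace they do not belong to (WITH CHECK).
create policy workspace_member_write on extractions
  for all
  using (
    workspace_id in (
      select workspace_id from workspace_members
      where user_id = auth.uid() and role in ('owner', 'editor')
    )
  )
  with check (
    workspace_id in (
      select workspace_id from workspace_members
      where user_id = auth.uid() and role in ('owner', 'editor')
    )
  );

-- Retention. Lists rows older than their workspace's window. This is only the
-- database half of a purge: the job that calls it must also delete the R2
-- object named in source_object, and should remove the row only after that succeeds.
create or replace function expired_extractions()
returns table (id uuid, workspace_id uuid, source_object text)
language sql
security definer                 -- runs as the function owner, bypassing the caller's RLS
set search_path = public
as $$
  select e.id, e.workspace_id, e.source_object
  from extractions e
  join workspaces w on w.id = e.workspace_id
  where e.created_at < now() - make_interval(days => w.retention_days)
$$;

-- Run on a schedule (for example hourly via pg_cron) under a service role, never by end users:
-- delete from extractions where id in (select id from expired_extractions());
```

Two points worth checking in any real deployment of this pattern: policies in Postgres are permissive and OR-ed together, so a viewer gets SELECT through the first policy while editors get everything through the second; and the purge function is SECURITY DEFINER, so grant EXECUTE on it only to the scheduling role, otherwise a workspace member could enumerate other workspaces' object keys.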
SOC 2 Type I is in progress. We are not certified yet and we do not quote a timeline. We will publish the report when it is available. We do not claim HIPAA, PCI-DSS, or ISO 27001 compliance.
12. Data breach
If we become aware of a personal data breach likely to result in risk to affected individuals, we will:
- Notify affected customers without undue delay and in any event within 72 hours of confirming the breach, where feasible.
- Provide a description of the incident, data categories affected, likely consequences, and remediation actions taken.
- Cooperate with supervisory authorities as required.
Our DPA sets out equivalent terms for your role as controller.
13. Children
LeaseLens is a B2B product for commercial real estate professionals. It is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, email legal@neolain.com and we will delete the account.
14. Retention beyond 90 days
While lease content and extracted data follow the 90-day default retention (Section 5.4), the following categories have different retention windows:
- Account records: retained while your account is active, and for up to 24 months after closure for audit and dispute purposes.
- Billing and tax records: retained for 7 years to meet Hong Kong tax and company law requirements.
- Support correspondence: retained for 24 months.
- Security and access logs: retained for 12 months.
After the applicable window, records are deleted or anonymized.
15. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you by email or through the dashboard at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
16. Contact
Privacy and legal: legal@neolain.com
General support: support@neolain.com
Postal: NeoLain Trading Co. Limited, [registered address placeholder], Hong Kong SAR
If you have a complaint we have not resolved to your satisfaction, you may contact:
- Hong Kong: Office of the Privacy Commissioner for Personal Data (PCPD), pcpd.org.hk.
- EEA / UK: your local data protection authority.
- Japan: the Personal Information Protection Commission (PPC).
LeaseLens output is informational. It is not legal advice. Always have qualified counsel review lease terms before relying on them for legal or financial decisions.