Letzen
Security & data protection

Built to protect property, tenant, and document data

Questions about security or data protection: privacy@letzen.app

Secure access

  • All production traffic is served over HTTPS on the canonical Letzen domain.
  • Browsers receive HSTS and security headers including CSP, frame blocking, content sniffing protection, referrer policy, and permissions policy.
  • Account sessions use secure, HttpOnly cookies in production with expiry and refresh handling.
  • Passwords are hashed before storage and are never stored as plain text.

Workspace permissions

  • Letzen separates customer workspaces and scopes property, tenant, maintenance, rent, and compliance records to the correct account.
  • Role-based access controls limit what owners, admins, and staff can view or manage.
  • Platform admin areas are hidden from normal customer workspaces.
  • Pro-only workflows, including rent tracking, are gated by plan and capability checks.

Private document storage

Uploaded compliance documents and maintenance photos are stored separately from the application server in private Hetzner Object Storage. Letzen stores protected object references in the database and serves files through authorised workspace routes.

This means documents are not placed in public website folders, and users must be signed in with the right workspace permissions before private files are returned.

Payments

  • Payments and subscriptions are handled by Stripe Checkout.
  • Letzen does not store raw card details.
  • Billing events are processed through Stripe webhooks with signature verification.

Monitoring and audit trail

  • Important account, billing, invitation, compliance, rent, and operational events are recorded in audit logs.
  • Production errors are monitored through Vercel logs, with optional Sentry support available for deeper diagnostics.
  • Rate limiting is applied to sign in, signup, password reset, 2FA, maintenance reports, feedback, and private file download routes.
  • Uploads are limited by file type, count, and size before storage is attempted.

Backups and recovery

  • Neon Postgres provides managed database backups and point-in-time recovery options. Letzen keeps schema changes in Prisma migrations so database restores can be validated against the deployed application version.
  • Hetzner Object Storage keeps uploaded documents and photos outside the application runtime. Object keys are stored in the database and served through permission-checked routes.
  • Operational restore procedure: restore the Neon database to a recovery branch, verify the matching Hetzner bucket/object access, run a staging smoke test, then promote or selectively recover customer records.
  • Workspace owners can download a JSON account export from the Account page. Deletion is scheduled with an export window before final soft-deletion.

Data protection

Letzen is operated by Starling Group Enterprises Ltd, company number 11779468, with registered office at 124 City Road, London, England, EC1V 2NX. ICO registration is currently ZC147968. Once issued, the registration number will be published here and in the Privacy Policy.

Letzen generally acts as a processor for tenant, tenancy, property, compliance, and maintenance data uploaded by landlord customers, and as controller for account, billing, support, security, and marketing data.

Customers can request access, correction, export, deletion, or restriction by emailing privacy@letzen.app. Workspace export and deletion controls are also available inside the Account page for owners.

See also Privacy Policy, Terms of Service, and Cookie Policy.