Guide7 min read

Is It Safe to Use AI for Property Management? (Tenant Data & Screening)

Yes for drafting and summarising, no with tenant identifiers. Keep ID documents out of the prompt, and keep a human on any tenancy decision.

By Pierre de ONYRI

Yes, with limits. AI can draft a rent notice or summarise a repair thread. It should never see your tenant's ID document. A tenancy file holds identifiers, income, guarantors and sometimes health notes. Under the GDPR, you are the controller of all of it (Article 4(7)). Running it through an AI tool does not move that duty to the vendor. Article 9 puts health and ethnic-origin data in a stricter tier. And a refusal decides where someone lives. So keep a human on the decision. The fix is simple: anonymise the identifiers before the prompt, and the AI still does the work.

What a tenancy file actually holds

A tenancy application is one of the fullest files a private person ever hands over. Far more than an online order. Often more than a routine bank form.

  • ID card or passport, sometimes an immigration status or a right-to-rent check.
  • Income, payslips, bank statements, employer contact details.
  • Previous landlord references, guarantor details and the guarantor's own income.
  • Benefit status, arrears history, live disputes.
  • Sometimes health, accessibility or safeguarding notes.

The relationship does not stop at signature. It runs for years. Maintenance requests arrive with photos taken inside the home. Disputes arrive with notes written in the heat of the moment. That material is private by nature.

One point deserves saying plainly, and it is reasoning rather than a rule of law. A tenant does not choose who holds their data. They cannot shop around for a landlord on that basis. The imbalance is structural. And what is at stake is housing. That raises the duty of care, whatever the statute says.

Under the GDPR, the controller is you

The GDPR defines the “controller” in Article 4(7). It is whoever determines the purposes and means of processing. A landlord, letting agent or property manager decides what tenant information to collect, and why. That makes them the controller. Sending the file through an AI tool does not shift that responsibility to the vendor.

Article 9(1) goes further for part of that data. It prohibits, as a rule, the processing of special categories. That includes data revealing racial or ethnic origin, religious or philosophical beliefs, and data concerning health. Processing is only possible where an Article 9(2) condition applies. A health note, a safeguarding record, an ID document that reveals ethnic origin: all of it sits in that higher tier. This is exactly the material that should never reach a general-purpose AI tool.

Tenant screening: the outcome is what gets judged

In the US, the regulation 24 CFR §100.500 is blunt on one point. Liability under the Fair Housing Act may be established on a practice's discriminatory effect. Even where the practice was not motivated by discriminatory intent. A practice has a discriminatory effect where it actually or predictably causes a disparate impact on a protected group. Or where it creates, reinforces or perpetuates segregated housing patterns. In short: “the algorithm decided” is not a defence.

One nuance matters, and plenty of articles miss it. Income, benefit status and criminal background are not themselves protected characteristics under the Fair Housing Act. The protected characteristics are race, colour, religion, sex, handicap, familial status and national origin. So the risk is not that scoring on income is unlawful in itself. The risk is that such a criterion produces a disparate impact on a protected group. The outcome is measured, not the intent.

Section 100.500(b) leaves a way out, and it is demanding. A practice with a discriminatory effect may still be lawful with a “legally sufficient justification”. It must be necessary to achieve a substantial, legitimate, nondiscriminatory interest. No practice with a less discriminatory effect may serve that same interest. And the justification must be supported by evidence, not hypothetical or speculative. This is the strongest practical argument there is for documenting your screening criteria and your process.

HUD, the US Department of Housing and Urban Development, published guidance on this in May 2024. It covers how the Fair Housing Act applies to tenant screening and housing advertising when algorithms and AI are used. We name it here without a link: HUD's site blocks automated verification.

On the European side, GDPR Article 22(1) grants a strong right. A person has the right not to be subject to a decision based solely on automated processing, profiling included. That applies where the decision produces legal effects or similarly significantly affects them. Where such a decision is permitted, Article 22(3) requires minimum safeguards: obtaining human intervention, expressing a point of view, contesting the decision. Article 22(4) further restricts the use of special-category data. A tenancy refusal is a strong candidate for that “similarly significant” bar. Hence the common-sense rule: a human decides.

Careful, though — the UK has diverged on this exact point. The Data (Use and Access) Act 2025 replaced the single Article 22 with UK GDPR Articles 22A to 22D. The ICO, the UK regulator, now frames automated decision-making by reference to those articles. Its definition: a decision based solely on automated processing, meaning no meaningful human involvement, with a legal or similarly significant effect. The UK GDPR calls this a “significant decision”. The ICO's guidance on the topic is a draft under consultation, updated on 31 March 2026. So do not treat the UK and EU rules as interchangeable.

What the EU AI Act actually says (and doesn't)

Precision matters here. The word “housing” appears nowhere in Annex III of the AI Act. There is no standalone category for tenant screening. Annex III point 5 covers four things. Evaluating eligibility for essential public assistance benefits and services, by or on behalf of public authorities (5(a)). Evaluating creditworthiness or establishing a credit score, excluding fraud detection (5(b)). Risk assessment and pricing for life and health insurance (5(c)). And emergency call triage and dispatch (5(d)).

The housing link is real, but indirect. It runs through credit. Recital 58 explains why credit scoring is classified as high-risk. Such systems determine a person's access to financial resources. They also determine access to essential services “such as housing, electricity, and telecommunication services”. The same recital notes that people dependent on public assistance benefits, expressly including social and housing assistance, are in a vulnerable position relative to the responsible authorities.

So here is the honest sentence. A private landlord using AI to draft a notice is not thereby running a high-risk system. A credit-scoring engine inside your screening stack is a different matter, and deserves a closer look. A social-housing body assessing eligibility on behalf of a public authority should also read point 5(a) carefully.

You assumeThe reality
“The AI vendor becomes responsible for the data”You stay the controller under GDPR Article 4(7)
“Scoring on income or benefits is simply unlawful”Not directly — the risk is a disparate impact on a protected group (24 CFR §100.500)
“The algorithm decided, so we're covered”§100.500 judges the outcome; intent is not required for liability
“The EU AI Act makes tenant screening high-risk”Housing is absent from Annex III; the link runs through credit scoring (Recital 58)
“UK and EU automated-decision rules are the same”The UK applies Articles 22A-22D since the Data (Use and Access) Act 2025
The risk isn't asking an AI about a tenancy — it's the identifiers you paste and the decisions you delegate.

The fix: anonymise before you prompt

Good news: AI stays genuinely useful in property management. It drafts a formal notice. It boils a deposit dispute down to ten lines. It turns three confused messages into a clear works order. For all of that, it needs no real identifier. The shape of the problem is enough.

Two-part diagram: at top, a tenancy application file with its name, income and ID lines in the clear (amber), beside a small amber house glyph, flows to an AI card showing an amber decision gauge; at bottom, the same file anonymised shows only cobalt token chips beside a neutral house, and the AI card pairs a cobalt gauge with a checkmark and a human figure keeping the decision.
After the GDPR (Articles 4(7), 9 and 22) and the EU AI Act (Annex III point 5, Recital 58) on EUR-Lex, and 24 CFR §100.500 on the eCFR.

When a concrete case is unavoidable, anonymise it first. Each identifier becomes a token. The AI reasons about the situation, without ever seeing the real values. You restore the real values afterwards, locally. The letter still works, and the file stays with you.

  1. 1Spot the identifiers: name, address, ID number, income, employer, guarantor.
  2. 2Replace them with reversible tokens, in the browser.
  3. 3Never paste an ID document, a health note or a safeguarding record.
  4. 4Send only the anonymised text to the model.
  5. 5Restore the real values in the reply, locally.
  6. 6Keep a human decision-maker on anything affecting the tenancy, and document your criteria.

Two habits complete the picture. Pick vetted tools covered by a data processing agreement, with no-training terms on your data. And write your process down. Section 100.500(b) demands a justification backed by evidence, not by guesswork. A documented process is your best exhibit.

That's what ONYRI Sanitize is for. The engine detects sensitive data — name, address, ID number, income, bank details — and replaces it with reversible tokens before sending. Detection and the mapping stay in your browser. Only anonymised text reaches the model. You keep the AI's help on drafting and summarising. Your tenant's file never leaves your machine. And the decision stays in your hands, where the GDPR and housing law put it.

Frequently asked questions

Is it safe to use AI for property management?
Yes for drafting and summarising, no with tenant identifiers. AI can write a letter or condense a dispute without seeing a real name. But never paste an ID document, a right-to-rent check or a health note: GDPR Article 9 protects those more strictly. Under Article 4(7), you remain the controller. And a human must stay the decision-maker on anything affecting the tenancy.
Can an AI tool screen tenants for me?
Better not, and the law points the same way. GDPR Article 22(1) gives people the right not to be subject to a solely automated decision with significant effects. Article 22(3) requires at minimum human intervention, the right to express a view and the right to contest. In the US, 24 CFR §100.500 judges a practice's effect, even without discriminatory intent. So keep a human decision-maker, and document your criteria.
Does the EU AI Act make tenant screening high-risk?
No, not directly. The word “housing” does not appear in Annex III of the AI Act, and no category targets tenancy as such. Point 5(b) classifies creditworthiness evaluation and credit scoring as high-risk. Recital 58 justifies that because such systems determine access to essential services “such as housing”. So drafting a notice with AI is not a high-risk system; a credit-scoring engine in your screening stack deserves a closer look.

Sources & references

Keep your sensitive data in your browser

ONYRI Sanitize detects and masks your sensitive data before it reaches the AI, then restores the answer — from names to API keys.

Anonymize my prompt

Read next