Privacy Policy
This Privacy Policy explains how Investrello collects, uses, shares and protects your personal data when you use our property investment and management platform (the "Service"), and the rights you have over your data.
We process personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For the purposes of that law, Investrello is the data controller of the personal data described here.
1Who we are
Investrello ("we", "us", "our") operates the Service. For any privacy question, or to exercise your rights, contact us at privacy@investrello.com.
2Data we collect
- Account data: your name, email address and password (stored only as a secure hash) when you register.
- Profile data: preferences such as your stated goal and report settings.
- Property & portfolio data you enter: property details, valuations, mortgages, rents, costs, analyses and projections.
- Management data you enter: tenancy, maintenance, compliance and document records, which may include personal data about your tenants and any files you upload.
- Billing data: handled by our payment processor (Paddle). We receive your subscription status and limited transaction details, not your full card number.
- Technical & usage data: log data such as IP address, device/browser type, and actions taken in the Service, used to operate, secure and improve it.
3How we use your data & our legal bases
| Purpose | Legal basis |
|---|---|
| Create and run your account and provide the Service | Performance of a contract |
| Process subscriptions, trials and payments | Performance of a contract |
| Secure the Service, prevent fraud and abuse, and keep records | Legitimate interests; legal obligation |
| Provide support and respond to your requests | Performance of a contract; legitimate interests |
| Improve and develop features and fix problems | Legitimate interests |
| Send service and account emails (e.g. confirmation, password reset) | Performance of a contract; legitimate interests |
| Send optional product or marketing updates, where offered | Consent (you can withdraw at any time) |
| Comply with legal and accounting obligations | Legal obligation |
4Who we share data with
We do not sell your personal data. We share it only with service providers ("processors") who help us run the Service, under contracts that require them to protect it:
- Hosting & database: our cloud database and storage provider (Supabase), which stores your account and app data in a data centre in the European Union (London/EU region).
- Payments: Paddle, our Merchant of Record, which processes subscriptions and payments.
- Authentication: where you choose to sign in with Google, Google processes the sign-in.
- Email delivery: providers that send transactional emails on our behalf.
We may also disclose data where required by law, to enforce our terms, or in connection with a business transfer (e.g. a merger or acquisition), subject to this policy.
5International transfers
Your core data is hosted in the EU/UK region. Where any provider processes data outside the UK or EEA, we rely on appropriate safeguards such as UK adequacy decisions or the International Data Transfer Agreement / Standard Contractual Clauses.
6How long we keep data
We keep your personal data for as long as your account is active and as needed to provide the Service. If you delete your account, we delete your account and app data, except where we must retain limited records to meet legal, tax or accounting obligations or to resolve disputes. Backups are cycled out on a rolling basis.
7Your rights
Under UK data protection law you have the right to:
- access a copy of the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased ("right to be forgotten");
- restrict or object to certain processing;
- data portability (receive your data in a structured, machine-readable format);
- withdraw consent at any time where we rely on consent.
You can exercise the main rights yourself from Settings → Data & privacy in the app, where you can export a copy of your data or permanently delete your account. For anything else, email privacy@investrello.com and we will respond within one month.
8Security
We take security seriously. Measures include encryption in transit, hashed passwords, strict per-user access controls (row-level security so you can only ever access your own data), private file storage with signed, time-limited access, server-side validation and rate limiting. No system is perfectly secure, but we work to protect your data and to notify you and the regulator of any breach where the law requires.
9Cookies & local storage
Investrello uses only the storage needed to run the Service, for example to keep you signed in during a session and to cache data on your device so the app works smoothly and offline. We do not use third-party advertising cookies. Your browser settings let you clear this storage at any time.
10Children
The Service is not directed at children and is intended for users aged 18 and over. We do not knowingly collect personal data from children.
11Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes we will take reasonable steps to notify you, for example by email or an in-app notice. The "last updated" date above shows when it last changed.
12Contact & complaints
To exercise your rights or ask a question, contact privacy@investrello.com. If you are unhappy with how we have handled your data, you can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk, though we'd appreciate the chance to put things right first.