RenoVision

Privacy Policy

Last updated: 5 June 2026  ·  This policy explains what personal data we collect and how we use it.

Summary: We collect only what we need to run the service — your email address and a securely hashed password (managed by Supabase), plus a record of the property URLs you analyse. We never sell your data. We use Stripe to handle payments so we never see your card details.

1. Who Is Responsible for Your Data

RenoVision is the data controller for the personal information collected through this Service. Our contact email is [email protected].

If you are in the UK or European Economic Area, your rights are protected under the UK GDPR / Data Protection Act 2018.

2. What Data We Collect

Account data

When you create an account we collect your email address. Your password is never stored in plain text — it is hashed by Supabase before being stored. We never see or have access to your raw password.

Usage data

Each time you run a property analysis, we record:

  • The property listing URL you submitted.
  • A timestamp of when the analysis was run.
  • Your user ID (so we can enforce the monthly free-tier limit).

Subscription data

If you upgrade to Pro, Stripe passes us a Stripe Customer ID and Subscription ID so we know your plan status. We do not store any payment card details — these are held exclusively by Stripe.

Technical data

Like all web services, our hosting provider (Railway) may collect standard server log data including your IP address, browser type, and pages visited. This data is used for security and to diagnose technical problems and is not used to identify you individually.

3. Why We Process Your Data (Legal Basis)

Purpose | Legal basis (UK GDPR Art. 6)
Providing the analysis service | Performance of a contract (Art. 6(1)(b))
Enforcing free-tier usage limits | Performance of a contract (Art. 6(1)(b))
Processing your subscription payment | Performance of a contract (Art. 6(1)(b))
Sending transactional emails (e.g. password reset) | Performance of a contract (Art. 6(1)(b))
Preventing abuse and ensuring security | Legitimate interests (Art. 6(1)(f))
Complying with legal obligations | Legal obligation (Art. 6(1)(c))

We do not send marketing emails unless you have explicitly opted in. We do not use your data to build advertising profiles or sell it to third parties.

4. Third-Party Data Processors

We use the following sub-processors to deliver the Service. Each is bound by appropriate data processing terms.

Provider | Role | Data shared
Supabase | Authentication & database (hosted in EU) | Email, hashed password, usage records
Stripe | Payment processing | Email, subscription status
Anthropic | AI analysis (Claude API) | Property listing text & images
Railway | Web hosting & infrastructure | Server logs (IP address, request data)

Property listing content sent to Anthropic's API is used solely to generate your analysis and is subject to Anthropic's privacy policy.

5. Data Retention

  • Account data: Retained for as long as your account is active. If you delete your account, we will delete your email and account record within 30 days.
  • Usage records: Kept for up to 13 months to support billing and usage-limit enforcement, then deleted.
  • Server logs: Retained by Railway for up to 30 days.

6. Your Rights

Under the UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data ("right to be forgotten").
  • Restriction — ask us to restrict how we process your data in certain circumstances.
  • Data portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7. Cookies

We use only essential cookies required to operate the Service (for example, authentication session tokens set by Supabase). We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

8. Security

We take appropriate technical and organisational measures to protect your personal data, including encrypted connections (HTTPS), password hashing, and restricted access to production databases. No method of transmission over the internet is 100% secure, but we follow industry best practices.

9. International Transfers

Supabase stores data within the EU (Ireland region). Anthropic and Railway are US-based services; data transferred to them is protected under appropriate safeguards (Standard Contractual Clauses or equivalent). Stripe operates globally and is certified under applicable data transfer frameworks.

10. Children

The Service is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes we will notify you by email or via a notice on the Service. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact Us

For any privacy-related questions or to exercise your rights, please contact:

RenoVision
Email: [email protected]
