Privacy Policy
Last updated: 4 April 2026
Deedty AI property management ("we", "us", "our") is operated with UK landlords and rental property investors in mind. This policy explains what personal data we process, why, who we share it with, and what choices you have. For questions, contact us at [email protected]. Our site is https://deedty.com.
1. Who is responsible for your data
For the purposes of UK data protection law, we are the data controller for personal data processed through Deedty AI property management as described here. Some processing is carried out by processors on our instructions (see section 6).
2. Data we collect
2.1 Account and profile
- Identity and sign-in — name, email address, and authentication data are handled by our identity provider, Clerk. We store a linked application profile (for example internal profile id, Clerk user id, email, and subscription tier) synced via secure webhooks.
- In-app preferences — timestamps and settings used for the notification centre (for example which release notes or portfolio reminders you have acknowledged or dismissed).
2.2 Property, portfolio, and financial records
- Property and appraisal data — addresses, postcodes, purchase and rent figures, mortgage details, yields and projections, void assumptions, compliance certificate dates, notes, and similar fields you enter in the calculator or portfolio.
- Organisations and tax-oriented records — company or structure names, registered addresses, organisation-level income and expenses, ledger-style entries, snapshots, and exports you generate for reporting.
- Tenancy information — current and historical tenant names, contact details (such as phone and email), rent amounts, tenancy dates, and notes you record against properties.
- Linked documents — URLs or references you attach (for example to cloud storage) are stored as you provide them; opening those links may be governed by the third-party service you use.
2.3 Receipt and invoice capture (AI-assisted)
- Files you upload — images or PDFs of receipts and invoices (up to the limits shown in the product), file type, size, and a technical checksum to avoid duplicate processing.
- Optional notes — short free-text you add when uploading, to help classify the expense.
- Model outputs — suggested categories, amounts, dates, and related metadata produced by our AI pipeline, plus operational fields (model name, confidence, schema version) stored with the receipt record.
- Context sent to the model — to match receipts to the right property or entity, we send the model a structured summary that can include property names, addresses, postcodes, and current tenant names (used only as matching hints), together with allowed category lists. The uploaded file itself is sent to the AI provider for analysis (see section 5).
2.4 Technical and usage data
- Server and infrastructure logs — IP address, request metadata, error diagnostics, and similar information collected by our hosting environment. We aim to avoid logging sensitive free-text content from your portfolio in routine logs.
- Rate limiting — coarse identifiers (such as account or IP-derived keys) used to prevent abuse on specific endpoints (for example calculator or growth lookups).
- Cookies — essential session and security cookies from Clerk (see section 9).
3. How and why we use your data (lawful bases)
We process personal data where necessary to:
- Provide the service (contract) — authenticate you, save portfolio and appraisal data, run calculations, show compliance reminders, process receipts, and deliver exports you request.
- Look up public registers on your behalf (contract) — for example EPC data via the government Open Data Communities API when you trigger a lookup, and growth or area statistics using postcode resolution and Land Registry open data when you use those features.
- Secure and run the platform (legitimate interests) — fraud and abuse prevention, rate limiting, debugging, and maintaining backups and infrastructure integrity, balanced against your rights.
- Improve the product (legitimate interests) — training, testing, and evaluation of features using anonymised or aggregated information as described below, balanced against your rights.
- Comply with law (legal obligation) — where we must retain or disclose information to regulators or courts.
Anonymised use for improvement. Your account, portfolio, and tenant records remain private in the sense above: we do not sell personal data and do not use those identifiable records for unsolicited marketing. We may, however, use information in anonymised or aggregated form — so it cannot reasonably be linked back to you, your tenants, or individual properties — to measure quality, fix problems, and train or evaluate machine-learning models. Where we do this, we apply technical and organisational measures aimed at preventing re-identification. Data that has been anonymised so it is no longer personal data falls outside UK GDPR; aggregated statistics that do not identify individuals are treated accordingly.
We do not use your portfolio or tenant data for unsolicited direct marketing. We do not sell personal data.
4. Automated decision-making and AI
Expense capture uses automated analysis of uploaded files to suggest how transactions should be categorised and linked. You review and confirm suggestions before they affect your records where the product requires it. The underlying models may be wrong; you remain responsible for the accuracy of your tax and accounting records.
Processing involves sending receipt content and the context described in section 2.3 to an external AI API (for example Google's Gemini or Microsoft Azure OpenAI, depending on configuration). That provider acts as a processor under our instructions for that step.
Improvement of our own models may use anonymised or aggregated data only, as described in section 3. Third-party model providers apply their own terms to whether they retain or use content sent to their APIs for their own training.
5. Where data is stored
Application data is held in a PostgreSQL database managed as part of our infrastructure (for example on Microsoft Azure alongside the app). Uploaded receipt files are stored in Azure Blob Storage when that integration is enabled. The web application may be hosted on Vercel and/or Azure depending on environment.
Clerk and Google may process data in the UK, EEA, US, or other regions according to their own infrastructure and terms. Where personal data is transferred outside the UK, we rely on appropriate safeguards such as the UK extension to the EU-US Data Privacy Framework, standard contractual clauses, or equivalent mechanisms offered by our suppliers.
6. Third-party services (processors and APIs)
We share personal data only as needed to operate the product. Key categories of recipient include:
- Clerk — authentication, sessions, optional multi-factor authentication for portfolio areas, and webhook delivery (verified via Svix signatures).
- Microsoft Azure — hosting, database, blob storage, and related platform logging where used.
- Vercel — application hosting and edge routing where used.
- Google (Gemini / Generative Language API) — when configured, analysis of uploaded receipts and invoices as described in sections 2.3 and 4.
- Microsoft Azure OpenAI — when configured, the same receipt analysis as above using a deployment in your chosen Azure region.
- Open Data Communities (EPC) — when you request an EPC lookup, we send the postcode and/or address fragment you supply to the government register using credentials registered to our service.
- postcodes.io — when you use growth or area features that depend on it, we send the postcode you enter to resolve administrative geography.
- HM Land Registry (public SPARQL endpoint) — queries derived from that geography to return published price statistics (not your name or account details).
- Optional calculation backend — if enabled, authenticated requests may be proxied to a separate calculation service you operate or we configure; those requests contain the calculator inputs you submit, not your full portfolio by default.
Each provider has its own privacy notice; we choose subprocessors that can meet our security and data protection expectations.
7. Retention
Active accounts. We keep your data for as long as your account exists and you use the service, unless a shorter period applies to specific fields below.
Account deletion. When you delete your account through Clerk, we receive a webhook and remove your application profile and related database records (including properties, receipts, and linked rows) subject to technical propagation delays. Separate object-storage files may be deleted in line with receipt records; residual encrypted backups in our cloud providers may persist for a limited time under their standard retention. Contact us if you need help confirming deletion.
Former tenant contact details. For ended tenancies, phone numbers, email addresses, and certain notes may be retained for up to six years after the tenancy end date for legal and administrative purposes (for example disputes or tax records). During part of that period the product may mask those fields until you actively reveal them, and they are removed after the retention window. They must not be reused for unrelated purposes (such as marketing) without a separate lawful basis and consent where required.
Logs. Infrastructure and security logs are kept only as long as needed for security, troubleshooting, and legal compliance, typically weeks to months unless a longer hold is justified.
8. Security
We use industry-standard measures appropriate to a cloud-hosted SaaS product: encrypted transport (HTTPS), access control tied to your account, secrets managed outside source code, and separation of environments. No method of transmission or storage is perfectly secure; you should use a strong password and enable MFA where Clerk offers it, especially for portfolio access.
9. Cookies and similar technologies
We use essential cookies and related storage to keep you signed in and protect sessions. These are set by Clerk and are strictly necessary for the service. We do not use advertising cookies or third-party analytics trackers in the product as described in this policy.
10. Your rights
Under UK GDPR and the Data Protection Act 2018 you may have the right to access, rectify, erase, restrict, or object to certain processing, and to data portability where applicable. You can manage much of your account data in Clerk and in the app. For other requests (including questions about AI processing or exports), email [email protected]. You may lodge a complaint with the UK Information Commissioner's Office (ICO).
11. Children
The service is intended for adults running property investments. We do not knowingly collect data from anyone under 16. If you believe a child has provided us personal data, contact us and we will take steps to delete it.
12. Changes to this policy
We may update this policy as features or the law change. Material updates will be reflected by the "last updated" date above and, where appropriate, through the app or email. Continued use after changes constitutes acceptance of the updated policy where permitted by law.
This privacy policy is provided for information and does not constitute legal advice. You may wish to seek independent legal counsel on compliance with data protection and landlord obligations.

