Legal

Privacy Policy

Last updated: 7 June 2026  ·  Data Controller: CortexaProp Ltd

1. Who we are

CortexaProp Ltd (“CortexaProp”, “we”, “us”) is the data controller for personal data collected through this website and our compliance-monitoring platform. We are registered in England and Wales.

Contact us on privacy matters at privacy@cortexaprop.com.

2. What personal data we collect and why

Free Risk Scan emailEmail addressConsent (UK GDPR Art. 6(1)(a))To send your Owner Net Position™ risk report and occasional compliance updates. You can withdraw consent at any time by unsubscribing.
Account registrationName, email, password (hashed)Contract (Art. 6(1)(b))To create and maintain your account, authenticate you, and provide the monitoring service.
Property dataProperty address, postcode, borough, tenure typeContract (Art. 6(1)(b))To run compliance checks, identify applicable licensing schemes, and calculate your Owner Net Position™.
Document uploadsDocuments you upload (EPC, EICR, lease agreements, etc.)Contract (Art. 6(1)(b))Stored in private Cloudflare R2 storage. Never publicly accessible. Used to assess document validity and expiry.
Residency / tax statusNon-Resident Landlord status, jurisdictionContract (Art. 6(1)(b))To identify cross-border obligations (NRL scheme, ROE, CGT). Treated as sensitive financial data.
Usage dataIP address, browser type, pages visitedLegitimate interests (Art. 6(1)(f))To maintain platform security, diagnose errors, and improve the service. Retained for 90 days.

3. Risk Scan — specific consent record

When you enter your email on the free Risk Scan page, we record:

  • The exact wording of the consent sentence displayed to you at that moment
  • The precise UTC timestamp when you submitted your email

This record is kept for as long as you remain on our marketing list, and for 12 months after unsubscribing, to demonstrate compliance with UK GDPR Article 7(1).

You can withdraw consent at any time by clicking “unsubscribe” in any email we send, or by emailing privacy@cortexaprop.com. Withdrawal does not affect the lawfulness of processing before withdrawal.

4. Document storage

Documents you upload are stored in a private Cloudflare R2 bucket (“evidence-vault”) in Cloudflare’s European network. No document is ever stored in our database — only a reference path is stored. Documents are accessible only:

  • By you (the account holder)
  • By agents you have explicitly assigned to the property
  • By accountants you have explicitly granted financial read access
  • By CortexaProp staff acting on a legitimate support or legal basis

We never generate publicly accessible URLs for your documents. Every access is via a time-limited authenticated link generated server-side.

5. Who we share data with

We do not sell your personal data. We share it only with the following processors, each bound by a Data Processing Agreement:

ProcessorPurposeLocation
Supabase Inc.Database and authenticationUS (EU-region database, SCCs in place)
Cloudflare Inc.Document storage (R2)US (European data centres used)
Vercel Inc.Website hosting and edge functionsUS (European region deployments)
Postmark / transactional email providerSending risk reports and account emailsUS (SCCs in place)

We may also disclose data where required by law, court order, or to protect the rights, property, or safety of CortexaProp, our users, or others.

6. How long we keep your data

Data typeRetention
Account dataUntil you request deletion + 30 days
Property and compliance dataUntil you request deletion + 30 days
Uploaded documentsUntil you delete them or request erasure
Scan email + consent record12 months after unsubscribing (Art. 7(1) record)
Usage / access logs90 days rolling
Legal correspondenceUp to 6 years (limitation period)

7. Your rights under UK GDPR

You have the right to:

  • Access — request a copy of all personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your data (“right to be forgotten”). Authenticated users can trigger this directly from account settings. For scan-only contacts, email us.
  • Portability — receive your data in a machine-readable format
  • Restriction — ask us to pause processing while a dispute is resolved
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — at any time, for processing based on consent

To exercise any right, email privacy@cortexaprop.com. We will respond within 30 days. There is no charge for reasonable requests.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

8. Cookies and tracking

We use only the following cookies:

CookiePurposeDurationCategory
supabase-auth-tokenAuthentication sessionSessionStrictly necessary
__Host-next-auth.*Next.js server sessionSessionStrictly necessary

We do not use advertising cookies, third-party trackers, or analytics pixels. No consent banner is required for strictly necessary cookies.

9. Security

We apply the following measures to protect your data:

  • Row-Level Security (RLS) enforced at the database layer — every query is scoped to the authenticated user
  • Service-role credentials used only server-side; never exposed to the browser
  • All data in transit encrypted via TLS 1.2+
  • Documents stored in a private R2 bucket; accessible only via server-generated authenticated paths
  • Passwords are never stored — Supabase Auth handles authentication with bcrypt hashing

10. Changes to this policy

We will post any material changes to this page and update the “Last updated” date. For significant changes affecting your rights, we will notify you by email if we have your address.

11. Contact

Data Controller: CortexaProp Ltd
Privacy enquiries: privacy@cortexaprop.com

For erasure requests from account holders, the fastest route is Account Settings → Delete account, which triggers immediate automated deletion of all your data.

← HomeTerms of UseFree Risk Scan