Introduction
This Privacy Policy explains how Acreonix Ltd ("Acreonix", "we", "us") collects, uses, stores and protects personal data when you use the Acreonix property management platform.
By creating an account or using our platform, you agree to the terms of this Privacy Policy. If you do not agree, please do not use Acreonix.
1. Who we are
Acreonix Ltd is a company registered in England and Wales. We provide a property management platform for landlords, letting agencies and property managers in the UK, UAE, USA and other markets.
- Registered office: London, United Kingdom
- Platform URL: platform.acreonix.co.uk
- Website: acreonix.co.uk
- Privacy contact: privacy@acreonix.co.uk
2. Data we collect
2.1 Account data (you provide directly)
When you create an account, we collect:
- Identity: your name, email address, password (hashed), and the agency name you represent.
- Contact: phone number (optional), business address.
- Billing: if you subscribe to a paid plan, payment is handled by Stripe. We store a Stripe customer ID and the country and currency of your subscription. We do not see or store your full card details.
- Preferences: workspace settings, default currency, notification preferences.
2.2 Platform usage (collected automatically)
To run the service and improve it, we automatically log:
- Login timestamps and IP address (kept for security and audit purposes).
- The features and screens you interact with, and the actions you take (creating a property, sending a message, running a report).
- Browser type, device type, screen size and language (for compatibility and bug diagnosis).
- AI usage: which AI features are run, the credit cost, and a coarse-grained breakdown by action type. We do not retain the body of AI prompts or responses beyond what is needed to deliver the feature.
2.3 Property data (you upload or generate)
When you operate your business in Acreonix, you upload or create:
- Properties: addresses, descriptions, photos, owner relationships, financial records.
- Tenants: names, contact details, lease history, payment records, ID documents (if uploaded).
- Leads and buyers: names, contact details, conversation history, qualification status.
- Landlords: contact details, statements, fees, communication history.
- Documents: leases, contracts, invoices, statements, anything you upload to the document store.
- WhatsApp conversations (Professional plan and above): messages exchanged through the Lead Agent are stored as part of the lead record.
For all of this data, you are the Data Controller, and Acreonix is the Data Processor under a DPA included in your terms of service.
3. How we use your data
We process the data described above under the following lawful bases:
| Purpose | Lawful basis | Data used |
|---|---|---|
| Running the platform you signed up for | Contract | Account data, usage data, property data |
| Sending you transactional emails (signup confirmation, billing, security alerts) | Contract | Account data |
| Detecting fraud, abuse and security incidents | Legitimate interest | IP, login timestamps, usage |
| Improving the platform (anonymous, aggregated) | Legitimate interest | Aggregated usage |
| Sending marketing emails about new features | Consent (opt-in, withdrawable) | Email, preferences |
| Meeting legal and regulatory obligations | Legal obligation | Whatever is required |
4. Article 13, lead and tenant data
When your agency uses Acreonix to capture leads (for example, through the WhatsApp Lead Agent) or to manage tenants, you become the Data Controller for those individuals. You must:
- Have a lawful basis for collecting their data (most commonly consent or contract).
- Provide them with privacy information at the point of collection (Article 13 UK GDPR).
- Respect their rights (access, rectification, erasure, portability).
Acreonix provides tooling to help you meet these obligations, including data export, deletion-on-request, and audit logs. You remain responsible for compliance in your own business.
5. Who we share data with
We share data only with the following categories of recipients, and only as needed to deliver the service:
| Sub-processor | What they do | Data location |
|---|---|---|
| Supabase | Database and authentication | EU (AWS Frankfurt) |
| Vercel | Web application hosting | EU and US (CDN) |
| Stripe | Payments and billing | UK and US |
| Anthropic | AI model inference (Claude) | US |
| Twilio | WhatsApp Business API (current) | US and Ireland |
| Meta (planned) | WhatsApp Business Cloud API (replacing Twilio) | US and Ireland |
| Resend | Transactional email delivery | US |
| Calendar synchronisation (Pro+, optional) | US and EU |
We do not sell your data, and we do not share it with advertising networks or data brokers. We may disclose data when required by law, by court order, or to protect our legal interests, the safety of users, or the integrity of the platform.
6. Data retention
- Account data: kept for as long as your account is active, then 12 months after closure (in case you reactivate), then deleted.
- Property and tenant data: kept for as long as your subscription is active. On cancellation, you have 90 days to export or migrate. After 90 days, we delete or permanently anonymise.
- Backups: retained for up to 30 days for disaster recovery, then overwritten.
- Audit logs: 7 days (Free), 30 days (Starter), 90 days (Professional), unlimited (Enterprise).
- Billing records: retained for 7 years to meet HMRC and equivalent tax obligations.
7. Cookies and local storage
We use only essential cookies and a small amount of browser local storage. We do not use third-party advertising or tracking cookies. The items we set are:
- Session token: keeps you signed in (essential).
- Workspace preferences: remembers the last workspace and module you used (essential for the platform to load consistently).
- Anonymous analytics: page views, performance metrics, no cross-site tracking (Vercel Analytics).
8. Your rights under UK GDPR
If we hold personal data about you, you have the right to:
- Access the data we hold about you and receive a copy.
- Correct data that is inaccurate or incomplete.
- Delete your data (with some exceptions, such as billing records we must keep by law).
- Restrict or object to certain types of processing.
- Port your data to another provider in a structured, machine-readable format.
- Withdraw consent for any processing we do based on consent (such as marketing emails).
To exercise any of these rights, email privacy@acreonix.co.uk. We respond within 30 days.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by phone on 0303 123 1113.
9. Security
We take security seriously. Our measures include:
- All data in transit is encrypted with TLS 1.3.
- All data at rest is encrypted using AES-256.
- Passwords are hashed with industry-standard algorithms (bcrypt, scrypt).
- Access to production data is restricted to a small number of named engineers and audited.
- Row-level security policies enforce that one agency cannot see another's data.
- Regular backups and tested restore procedures.
- Vulnerability disclosure: email security@acreonix.co.uk. We acknowledge reports within 48 hours.
10. International transfers
Some of our sub-processors (notably Anthropic, Stripe, Vercel and Resend) are based in the US. When we transfer data outside the UK or EEA, we rely on:
- The UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs).
- Sub-processors certified under the EU-US Data Privacy Framework where applicable.
- Additional technical and organisational measures, including encryption and access controls.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address on your account) at least 30 days before the changes take effect. The "Last updated" date at the top of this policy always reflects the most recent revision.
12. Contact us
For any privacy questions, data requests, or concerns:
Privacy enquiries: privacy@acreonix.co.uk
Security disclosures: security@acreonix.co.uk
General enquiries: hello@acreonix.co.uk
Acreonix Ltd, London, United Kingdom