Privacy Policy
Last updated: 17 June 2026
1. Who we are
LandX Deal is operated by [LEGAL ENTITY NAME], registered at [REGISTERED ADDRESS] ("we", "us"). We are the controller of personal data we process about you in connection with the Service. Contact us at privacy@[your-domain].
2. Scope
This policy explains how we collect, use and protect personal data when you use the LandX Deal web application (the "Service"). It does not cover third-party websites or services we link to.
3. Personal data we collect
- Account data: full name, email address, hashed password, and, if you sign in with Google, the Google profile information you authorise (name, email, profile image, account identifier).
- Customer Content: deals, sources, contacts, notes and documents you upload. This may contain personal data about third parties (e.g. brokers, owners) for which you are the controller and we are the processor.
- Technical data: IP address, user-agent, device/browser metadata, session tokens, timestamps.
- Service usage: features used, error and diagnostic logs.
We do not collect special-category personal data, biometric data, or precise location.
4. Legal bases (UK / EU GDPR)
- Performance of a contract: to provide the Service to you under our Terms.
- Legitimate interests: to keep the Service secure, prevent abuse, debug, analyse aggregate usage, and improve the product.
- Legal obligation: to comply with law, court orders, and regulatory requests.
- Consent: where required (e.g. certain marketing communications), withdrawable at any time.
5. How we use personal data
To create and operate your account; to host, display and process Customer Content so you can use the Service; to provide AI-assisted extraction on content you submit; to send service notices; to provide support; to detect and prevent fraud, abuse and security incidents; to comply with law; and to improve the Service.
6. AI processing
When you upload a document or run an AI feature, the relevant content is transmitted to third-party AI model providers acting as our subprocessors solely to generate the requested output. We do not permit those providers to use your Customer Content to train their models, and we configure available no-training and short-retention options.
7. Sharing and subprocessors
We do not sell or rent personal data. We share it only with the following categories of recipients, under appropriate contractual safeguards:
- Cloud hosting and database (application, Postgres, object storage)
- Authentication (Google sign-in, if you use it)
- AI model providers (document extraction and summarisation)
- Professional advisers (auditors, lawyers) where necessary
- Authorities where required by law
- A successor entity in connection with a merger, acquisition, or asset sale, under equivalent protections
A current list of subprocessors is available on request. We will give reasonable notice of material changes.
8. International transfers
Some recipients are located outside the UK / EEA, including the United States. Where required, we rely on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or the EU SCCs, together with supplementary measures (encryption in transit and at rest, access controls).
9. Retention
We retain Account data and Customer Content for as long as your account is active. After account deletion, we delete or anonymise your data within 30 days, except for encrypted backups which roll off within 90 days, and records we are required to keep by law. Server logs are retained for up to 90 days.
10. Security
We apply technical and organisational measures appropriate to the risk, including: encryption in transit (HTTPS) and at rest; per-user data isolation enforced by row-level security in the database; private document storage with short-lived signed URLs; least-privilege access controls for staff; audit logging; and routine dependency and security review. No system is perfectly secure; please report suspected vulnerabilities to security@[your-domain].
11. Your rights
If you are in the UK, EU or EEA, you have the rights of access, rectification, erasure, restriction, portability and objection, and to withdraw consent at any time. You may lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.
If you are a California resident, you have the rights, under the CCPA/CPRA, to know, access, correct, delete, and limit the use of your personal information, to opt out of "sale" or "sharing" (we do not sell or share for cross-context behavioural advertising), and to non-discrimination for exercising your rights. You may also designate an authorised agent.
To exercise any right, email privacy@[your-domain] from the address associated with your account. We may need additional information to verify your identity. We will respond within the time required by applicable law (typically within one month).
12. Children
The Service is not directed to, and we do not knowingly collect personal data from, anyone under 18. If you believe a child has provided personal data to us, contact privacy@[your-domain].
13. Cookies and local storage
We use strictly-necessary browser storage to keep you signed in and to operate the Service. We do not use advertising or cross-site tracking cookies. If we add analytics or other non-essential cookies in future, we will update this policy and present a cookie banner.
14. Changes
We will post updates to this policy on this page and, for material changes, give reasonable notice by email or in-product notice.
15. Contact
Privacy questions and data-subject requests: privacy@[your-domain]. Postal: [REGISTERED ADDRESS].