← Back

Privacy Policy

Last updated: [Date this is first published, e.g. 1 June 2026]

This privacy policy explains how [Legal entity name, e.g. Aivio Ltd] ("we", "us", "our") collects, uses, and protects personal information when you use the Aivio property compliance platform ("the Service").

We are the data controller for the personal data we collect from managers, tenants, and contractors using the Service. We are registered with the UK Information Commissioner's Office under registration number [ICO registration number, or delete this sentence if not yet registered].

1. Who we are

[Legal entity name]
[Registered office address, including postcode]

Contact: [privacy@yourdomain.co.uk]

2. What data we collect

We collect different types of data depending on how you use the Service:

If you're a managing agent or staff member:

  • Account: name, email address, role, organisation
  • Activity: actions taken in the platform (audit log)

If you're a tenant:

  • Account: name, email, phone, property address, unit
  • Compliance documents: certificates and evidence files you upload — these may contain personal details printed on the certificates
  • Service activity: repair requests, photos, in-app communications

If you're a contractor:

  • Account: company name, contact name, email, phone, address
  • Trade certifications: certificates you upload (may include personal details like Gas Safe registration numbers)
  • Service activity: job allocations, completion notes, certificates issued

General:

  • Authentication cookies (strictly necessary for login security)

We do not collect special category data (health, biometrics, etc.) and the Service is intended for adult use.

3. Why we collect it (lawful basis)

PurposeLawful basis
Providing the Service to managing agentsContract
Tracking property compliance obligationsLegitimate interest (property safety) and legal obligation
Operational emails (repair updates, reminders, invitations)Legitimate interest (service operation)
Account security and fraud preventionLegitimate interest
Responding to your data subject requestsLegal obligation

4. How we use it

We use your data to:

  • Provide the Service you've requested (or that's been provided to you by your managing agent / contractor relationship)
  • Schedule and track property compliance work
  • Notify you of repair updates, appointments, and required actions
  • Allow contractors to upload certifications and managers to approve them
  • Generate an audit trail of compliance activity
  • Detect and prevent misuse of the Service

We do not use your data for marketing, profiling, or automated decision-making with legal effects.

5. Who we share it with

Other users of the same organisation — your managing agent's staff can see tenants and contractors associated with their portfolio. Tenants see only their own data. Contractors see only jobs allocated to them.

Service providers (data processors) acting on our instructions:

  • Supabase — database, authentication and file storage. Data stored in the [eu-west-2 London / other Supabase region you selected] region.
  • Resend — email delivery
  • Vercel — application hosting (data in transit; no persistent storage)
  • Anthropic — AI assistant for repair triage (only the repair description text is sent — no personal identifiers)

Each processor is bound by a data processing agreement that meets UK GDPR requirements.

Legal authorities — if we receive a valid legal request (court order, regulator).

We do not sell your data or share it with advertising networks.

6. How long we keep it

DataRetention
Active account dataWhilst your account is active
Compliance certificates and documents[Specify per document type — e.g. gas safety 2 years, EICR 5 years, etc. — or "until your managing agent deletes them"]
Audit log entries7 years (typical UK record-keeping period)
Email delivery logs90 days
BackupsUp to 30 days after deletion

When you request erasure (see Section 8), we delete personal data within 30 days unless we're legally required to retain it — in which case we tell you what we're keeping and why.

7. International transfers

Your data is primarily stored in the UK / EU. Some of our service providers may transfer data to other regions:

  • Resend is US-based; transfers covered by Standard Contractual Clauses (SCCs)
  • Anthropic processes data in the US under SCCs

We've assessed each transfer under the UK transfer rules and consider the safeguards adequate.

8. Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate or incomplete data
  • Erasure — ask us to delete your data (subject to legal retention exceptions)
  • Restriction — ask us to stop using your data in specific ways
  • Portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests
  • Withdraw consent — where we rely on consent (we don't currently, but if that changes)
  • Complain to the ICO — at ico.org.uk/make-a-complaint

9. How to exercise your rights

Email us at [privacy@yourdomain.co.uk] with:

  • Your name and the email address associated with your account
  • The right you're exercising
  • Any specific detail about your request

We'll respond within 30 days. If we need longer (complex requests), we'll tell you why and when to expect a response.

10. Cookies

We use only strictly necessary cookies:

  • Authentication cookies (Supabase) — keep you logged in securely. Required for the Service to function.

We do not use analytics, marketing, or tracking cookies.

Because all our cookies are strictly necessary, no consent is required to set them under UK PECR rules. We still inform you about them via this policy and the cookie notice shown on first visit.

11. Security

We protect your data using:

  • TLS encryption for all data in transit
  • Encryption at rest for files and database
  • Row-level security to enforce per-organisation isolation
  • Audit logging of administrative actions
  • Regular security reviews

If we discover a breach affecting your personal data, we'll notify you and the ICO within 72 hours where legally required.

12. Changes to this policy

If we make material changes, we'll notify you by email and post the updated policy here. Continued use of the Service after notification means you accept the updated policy.

13. Contact

For any questions about this policy or your data:

[Legal entity name]
[Registered office address]
Email: [privacy@yourdomain.co.uk]

Yellow-highlighted fields above are template placeholders — they MUST be replaced before this policy is treated as published. Search the source file for Placeholder to find them all.