1. Introduction

Welcome to Dwellytics. We are committed to protecting your privacy and handling your personal data with transparency, fairness, and care. This Privacy Policy explains how Dwellytics ("we," "us," "our," or "the Company") collects, uses, discloses, stores, transfers, and otherwise processes personal data when you access or use our website at https://www.dwellytics.com, our application at https://app.dwellytics.com (the "App"), and any related services, features, content, or applications we offer (collectively, the "Services").

Dwellytics provides an AI-powered real estate portfolio analytics platform serving property investors globally, including in the United States, United Kingdom, United Arab Emirates, the European Economic Area, and other jurisdictions worldwide. Because our user base is international, this Privacy Policy is designed to comply with major global data protection frameworks, including but not limited to the General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), other US state privacy laws, the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL), the DIFC Data Protection Law No. 5 of 2020, the ADGM Data Protection Regulations 2021, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Brazil's Lei Geral de Proteção de Dados (LGPD), Australia's Privacy Act 1988, Singapore's Personal Data Protection Act (PDPA), and other applicable data protection laws.

By accessing or using our Services, you acknowledge that you have read, understood, and agreed to this Privacy Policy. If you do not agree, please do not use the Services. This Privacy Policy should be read together with our Terms of Service and any other notices we provide at the point of data collection.

2. Data Controller and Contact Information

For the purposes of EU GDPR, UK GDPR, and other applicable laws, the data controller responsible for your personal data is Dwellytics. You can contact us at hello@dwellytics.com for general enquiries or privacy@dwellytics.com for privacy-related matters.

2.1 Data Protection Officer / Privacy Contact

If you have any questions about this Privacy Policy or our data practices, or wish to exercise any of your rights, please contact our Privacy Team at privacy@dwellytics.com. Where required by law, we will appoint a Data Protection Officer (DPO) and publish their contact details here.

2.2 EU / UK Representative

Where required under Article 27 of the EU GDPR or UK GDPR, we have appointed a representative who can be contacted at [INSERT REPRESENTATIVE NAME AND CONTACT DETAILS]. You may contact our representative for any matter relating to the processing of your personal data.

3. Scope of This Policy

This Privacy Policy applies to all personal data collected through the Services regardless of the country from which you access them. It applies to:

• Visitors to our website and marketing pages;
• Registered users of the App, including free-trial users and paying subscribers;
• Prospective customers who request a demo, contact us, or sign up for marketing communications;
• Representatives of business customers, partners, suppliers, and service providers;
• Job applicants and candidates who interact with us through our careers channels.

This Privacy Policy does not apply to third-party websites, products, or services we do not own or control, even if you access them through our Services. We encourage you to read the privacy policies of any third parties you interact with.

4. Information We Collect

We collect personal data that you provide directly, that we collect automatically through your use of the Services, and that we obtain from third-party sources. The categories below describe the types of personal data we may collect.

4.1 Information You Provide to Us

(a) Account and Identity Information

• Full name, email address, password (stored in hashed form), and phone number;
• Job title, employer or business name, country and city of residence or business operation;
• Profile photograph or avatar (if you choose to upload one);
• Account preferences, language, and time zone settings.

(b) Property and Portfolio Information

To deliver our core AI portfolio analytics, you may provide us with detailed information about your real estate holdings and investment activity, which may include:

• Property addresses, postcodes, geolocations, property type (residential, commercial, development), tenure, and size;
• Purchase price, current valuation, mortgage / loan-to-value details, interest rates, refinance amounts, equity, and yields;
• Rental income, occupancy, tenancy details (excluding tenant personal data unless lawfully provided), service charges, and operating costs;
• CSV files, spreadsheets, and other portfolio data you upload to the Services;
• Investment goals, risk appetite, target ROI, and preferred geographies.

(c) Payment and Billing Information

When you subscribe to a paid plan, our third-party payment processors (such as Stripe) collect billing information including cardholder name, billing address, card number, expiry date, and security code. We do not store full payment card numbers on our own servers. We receive limited transaction information such as the last four digits of the card, card brand, transaction amount, and billing country.

(d) Communications and Support Information

• Content of emails, chat messages, demo requests, support tickets, and survey responses;
• Recordings or transcripts of voice or video calls where permitted by law and where you have been notified;
• Feedback, testimonials, and product reviews you submit.

4.2 Information Collected Automatically

When you use the Services, we and our service providers automatically collect certain information, including:

(a) Device and Technical Information

• IP address, approximate location derived from IP, internet service provider, and country;
• Device type, operating system, browser type and version, screen resolution, and language settings;
• Device identifiers, advertising identifiers (where applicable), and hardware information.

(b) Usage and Analytics Information

• Pages visited, features used, clicks, scroll depth, search queries, and session duration;
• Date and time of access, referring URL, exit pages, and crash or error reports;
• Interactions with AI-driven features, recommendations clicked, and queries submitted.

(c) Cookies and Similar Technologies

We and our partners use cookies, web beacons, pixels, local storage, and similar technologies to operate, secure, and analyse the Services. See Section 12 (Cookies and Tracking Technologies) for full details.

4.3 Information from Third Parties

We may receive personal data about you from third parties, including:

• Public real estate data sources, land registries, planning portals, and government open-data feeds used to enrich our analytics;
• Identity verification, fraud-prevention, and anti-money-laundering screening providers (where applicable);
• Payment processors confirming transaction outcomes;
• Analytics, advertising, and marketing partners (e.g., Google Analytics, Meta, LinkedIn);
• Single sign-on (SSO) providers if you log in via Google, Apple, Microsoft, or similar services (in which case we receive the identity attributes you authorise);
• Business contacts who refer you to us, integration partners, and resellers.

4.4 Sensitive Personal Data

We do not intentionally collect special categories of personal data (such as racial or ethnic origin, religious beliefs, health information, genetic or biometric data, sexual orientation, or trade union membership) and we ask you not to provide such information through the Services. If you choose to disclose such data, you consent to our processing of that data to the extent permitted by applicable law.

4.5 Children's Data

The Services are intended for adults engaged in property investment and are not directed at children under the age of 18 (or the higher minimum age required by your jurisdiction). We do not knowingly collect personal data from children. If you believe we may have collected information from a child, please contact us at privacy@dwellytics.com and we will take steps to delete the information.

5. How We Use Your Information

We use personal data for the following purposes:

5.1 To Provide and Operate the Services

• Create and manage your account, authenticate you, and provide customer support;
• Deliver core platform features including AI-powered property recommendations, area analysis, land value heatmaps, portfolio analytics, and side-by-side investment comparisons;
• Process your CSV uploads, sample data interactions, and portfolio inputs to generate insights;
• Operate, maintain, secure, troubleshoot, and improve the Services.

5.2 To Train, Improve, and Develop AI Models

We use aggregated, de-identified, or anonymised data, and where lawful, your account and portfolio data, to train, evaluate, and improve our machine learning and AI models. Where applicable law requires consent or a specific lawful basis to use your data for model training, we will obtain consent or rely on a legitimate interest assessment, and you may opt out where required by law. We do not sell or share identifiable portfolio data with third parties for the purpose of training their AI models.

5.3 To Process Payments and Manage Subscriptions

• Process subscription fees and one-time purchases through our payment processors;
• Send invoices, payment receipts, and renewal notices;
• Manage refunds, chargebacks, and account collections.

5.4 To Communicate with You

• Respond to enquiries, demo requests, and support tickets;
• Send transactional emails such as password resets, security alerts, and account notifications;
• Send marketing communications about new features, offers, and content, where permitted by law and subject to your communication preferences.

5.5 To Personalise and Recommend

• Tailor recommendations, heatmaps, and area insights based on your portfolio and stated preferences;
• Personalise the user interface, suggested content, and onboarding flow.

5.6 For Security, Fraud Prevention, and Legal Compliance

• Detect, investigate, and prevent fraudulent, unauthorised, or illegal activity;
• Enforce our Terms of Service and other agreements;
• Comply with applicable laws, regulations, court orders, and lawful requests by public authorities;
• Conduct anti-money laundering (AML), sanctions screening, and know-your-customer (KYC) checks where applicable.

5.7 For Analytics, Research, and Business Operations

• Measure usage and performance, generate aggregated market insights, and conduct internal research;
• Plan and manage business operations, including reporting, accounting, and audits;
• Evaluate, plan, and complete corporate transactions such as mergers, acquisitions, financings, and reorganisations.

6. Legal Bases for Processing (EEA, UK, and Similar Regimes)

If you are located in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction that requires a lawful basis for processing, we rely on the following bases under the EU GDPR and UK GDPR:

6.1 Performance of a Contract

We process personal data to provide the Services you request, to create and manage your account, to enable platform features, and to fulfil our obligations under our Terms of Service.

6.2 Legitimate Interests

We rely on our legitimate interests (or those of a third party) to operate, secure, and improve the Services; analyse usage; prevent fraud; conduct direct marketing to existing customers; develop new features; and pursue business analytics. Where we rely on legitimate interests, we have carried out a balancing test to ensure your rights and freedoms are not overridden. You may object at any time by contacting privacy@dwellytics.com.

6.3 Consent

We rely on your consent for certain processing activities, including some marketing communications, optional cookies, and any processing of special categories of data you voluntarily provide. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

6.4 Legal Obligation

We process personal data to comply with legal obligations under applicable laws, including tax, accounting, anti-money-laundering, and regulatory reporting requirements.

6.5 Vital Interests / Public Interest

In limited circumstances, we may process personal data where necessary to protect the vital interests of a person, or to perform a task in the public interest.

7. How We Share Your Information

We do not sell your personal data in the conventional sense. We share personal data only in the following circumstances:

7.1 Service Providers and Processors

We share data with vetted third-party service providers acting as data processors on our behalf, under contractual obligations to protect your data and use it only for the purposes we authorise. These include providers of:

• Cloud hosting and infrastructure (e.g., Amazon Web Services, Google Cloud, Microsoft Azure);
• Data storage and content delivery networks (CDNs);
• AI/ML inference and large language model APIs;
• Authentication, identity, and single sign-on services;
• Payment processing (e.g., Stripe);
• Customer relationship management, email delivery, and support tooling;
• Analytics, product analytics, and error monitoring;
• Marketing automation and advertising platforms;
• Professional advisers such as lawyers, accountants, and auditors.

7.2 Business Customers and Authorised Users

If you use the Services as part of a team, organisation, or business account, certain information may be visible to other authorised users within that account, including the account administrator who may have access to your usage data, content, and account settings.

7.3 Corporate Transactions

If we are involved in a merger, acquisition, financing, sale of assets, reorganisation, bankruptcy, or similar transaction, personal data may be disclosed or transferred as part of due diligence and ongoing operations. We will notify you of any such transaction where required by law.

7.4 Legal, Safety, and Regulatory Disclosures

We may disclose personal data when we believe in good faith that disclosure is necessary to:

• Comply with applicable laws, regulations, legal processes, or governmental requests;
• Enforce our Terms of Service or other agreements;
• Detect, prevent, or otherwise address fraud, security, or technical issues;
• Protect the rights, property, or safety of Dwellytics, our users, or others.

7.5 With Your Consent or at Your Direction

We share personal data with third parties when you direct us to do so (for example, when you connect a third-party integration) or when you have otherwise consented.

7.6 Aggregated or De-identified Data

We may share aggregated, anonymised, or de-identified information that cannot reasonably be used to identify you, for any purpose, including market analysis, benchmarks, research, and marketing.

8. International Data Transfers

Dwellytics operates globally and uses service providers in multiple countries. Your personal data may be transferred to, stored in, and processed in countries other than your country of residence, including the United States, the United Kingdom, the European Economic Area, the United Arab Emirates, and other jurisdictions. The data protection laws in these countries may differ from those in your jurisdiction.

When we transfer personal data internationally, we implement appropriate safeguards as required by applicable law, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Agreement (IDTA) or UK Addendum;
• Adequacy decisions, where the receiving country has been recognised as providing an adequate level of protection;
• Binding Corporate Rules, where applicable;
• Supplementary technical and organisational measures, such as encryption in transit and at rest;
• For UAE PDPL transfers, compliance with cross-border transfer requirements under the law and applicable implementing regulations.

You may request a copy of the safeguards we use for international transfers by contacting us at privacy@dwellytics.com.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which we collected it, including to satisfy any legal, accounting, tax, regulatory, or reporting obligations, to enforce our agreements, to resolve disputes, and to protect our legitimate business interests.

In particular:

• Account data is retained while your account is active and for a reasonable period thereafter to allow reactivation and to meet legal requirements;
• Portfolio data and uploaded files are retained while your account is active; you may delete specific data within the App at any time;
• Billing and transactional records are retained for the periods required by applicable tax and accounting laws (typically 6-10 years depending on jurisdiction);
• Marketing data is retained until you unsubscribe or object, subject to limited record-keeping for suppression lists;
• Aggregated or anonymised data may be retained indefinitely as it no longer identifies you;
• Log, security, and fraud-prevention data is retained for periods consistent with our security obligations.

When personal data is no longer needed, we will delete it, anonymise it, or place it beyond use in accordance with applicable law.

10. Data Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. These measures include:

• Encryption of data in transit using TLS and encryption of data at rest using industry-standard algorithms;
• Access controls, role-based permissions, and the principle of least privilege;
• Secure software development practices, code review, and dependency management;
• Network security controls including firewalls, intrusion detection, and monitoring;
• Regular vulnerability assessments and security testing;
• Staff training, confidentiality obligations, and background checks where appropriate;
• Vendor due diligence and contractual data protection commitments;
• Incident response and breach notification procedures.

Despite our safeguards, no method of transmission or storage is completely secure. We cannot guarantee absolute security. You are responsible for protecting your account credentials and for any activity that occurs under your account. Please notify us immediately at privacy@dwellytics.com if you suspect any unauthorised access or breach affecting your account.

11. Your Privacy Rights

Subject to the laws applicable in your jurisdiction, you may have the following rights in relation to your personal data. We will respond to your request within the timeframes required by applicable law.

11.1 Rights for All Users (Where Applicable)

• Right of access: to obtain a copy of the personal data we hold about you;
• Right to rectification: to request correction of inaccurate or incomplete data;
• Right to erasure ("right to be forgotten"): to request deletion of your personal data;
• Right to restriction: to request that we limit how we process your data;
• Right to data portability: to receive your data in a structured, commonly used, machine-readable format;
• Right to object: to object to processing based on legitimate interests or for direct marketing;
• Right to withdraw consent: where processing is based on consent, you may withdraw it at any time;
• Rights related to automated decision-making: to obtain information about, and in some cases not be subject to, decisions based solely on automated processing that produce legal or similarly significant effects.

11.2 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following additional rights:

• Right to know what personal information we collect, use, disclose, and sell or share;
• Right to delete personal information we have collected;
• Right to correct inaccurate personal information;
• Right to opt out of the sale or sharing of personal information for cross-context behavioural advertising;
• Right to limit the use or disclosure of sensitive personal information;
• Right to non-discrimination for exercising your rights.

Dwellytics does not sell personal information for monetary consideration. We may "share" personal information for cross-context behavioural advertising as defined under the CPRA via certain advertising cookies; you may opt out via our cookie banner, the Global Privacy Control (GPC) signal, or by contacting us at privacy@dwellytics.com. We do not knowingly sell or share the personal information of minors under 16.

11.3 Rights for Other US State Residents

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other US states with comprehensive privacy laws have rights similar to those above, including rights to access, correct, delete, port, and opt out of targeted advertising, sales, and certain profiling activities. You may exercise these rights by contacting privacy@dwellytics.com. You also have a right to appeal a denial of your request; appeals may be submitted to the same address.

11.4 Rights for UK and EEA Residents

In addition to the rights listed in Section 11.1, you have the right to lodge a complaint with a supervisory authority:

• UK: Information Commissioner's Office (ICO) - ico.org.uk;
• EEA: Your national data protection authority. A list is available on the European Data Protection Board website (edpb.europa.eu).

11.5 Rights for UAE Residents

Under the UAE PDPL and applicable free zone data protection laws (DIFC, ADGM), you have rights of access, rectification, erasure, restriction, objection, and data portability, as well as the right to lodge complaints with the UAE Data Office or the relevant free zone regulator.

11.6 Rights for Other Jurisdictions

Residents of Canada, Brazil, Australia, Singapore, South Africa, Japan, South Korea, and other jurisdictions have rights under their respective data protection laws (PIPEDA, LGPD, Privacy Act, PDPA, POPIA, APPI, PIPA, etc.). We honour those rights to the extent required by law.

11.7 How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@dwellytics.com with sufficient information for us to verify your identity. We may need to request additional information to confirm your identity before fulfilling your request. We will not charge a fee for handling reasonable requests, but we reserve the right to charge a reasonable fee or refuse requests that are manifestly unfounded or excessive, as permitted by law. You may also designate an authorised agent to make a request on your behalf, where permitted by law.

12. Cookies and Tracking Technologies

We and our service providers use cookies, pixels, software development kits (SDKs), and similar technologies (collectively, "cookies") to operate the Services, remember your preferences, analyse usage, and deliver relevant marketing.

12.1 Categories of Cookies We Use

• Strictly necessary cookies: required for the Services to function (e.g., authentication, session management, security). These cannot be disabled.
• Functional cookies: enable enhanced features and personalisation (e.g., remembering preferences).
• Performance and analytics cookies: help us understand how visitors interact with the Services (e.g., Google Analytics).
• Marketing and advertising cookies: used to deliver targeted advertising on our site and on third-party sites.

12.2 Managing Cookies

Where required by law (e.g., in the EEA and UK), we will request your consent for non-essential cookies through our cookie banner. You can change your preferences at any time via our cookie preferences tool. You can also configure your browser to block or delete cookies; however, doing so may affect the functionality of the Services.

12.3 Do Not Track and Global Privacy Control

Some browsers transmit "Do Not Track" signals. We currently do not respond to "Do Not Track" signals due to the lack of a universal standard. We do honour the Global Privacy Control (GPC) signal where required by applicable US state law as an opt-out of sale/sharing.

13. Automated Decision-Making and AI

Dwellytics provides AI-driven analytics, including portfolio recommendations, valuation estimates, area analyses, and risk metrics. These outputs are tools intended to support, not replace, your investment decisions. We do not use solely automated decision-making to produce legal or similarly significant effects on you within the meaning of Article 22 of the EU/UK GDPR.

Where you provide feedback or interact with AI features, we may use that information to evaluate and improve model performance, as described in Section 5.2. Where required by law, you may request meaningful information about the logic involved, the significance, and the envisaged consequences of automated processing.

14. Marketing Communications

We may send you marketing communications about our Services where permitted by law and where you have not opted out. You can opt out of marketing communications at any time by:

• Clicking the "unsubscribe" link in any marketing email;
• Updating your communication preferences in your account settings;
• Contacting us at privacy@dwellytics.com.

Even if you opt out of marketing communications, we will continue to send you transactional and service-related communications (such as security alerts, account notices, and billing information) that are necessary for the use of the Services.

15. Third-Party Links and Services

The Services may contain links to third-party websites, applications, or services, and may integrate with third-party tools. We are not responsible for the privacy practices or content of those third parties. We encourage you to review their privacy policies before providing any personal data.

16. Social Media Features

Our Services may include social media features (e.g., links to our profiles on X, Instagram, Facebook, LinkedIn, and TikTok). These features may collect information about your IP address, the page you visit, and may set cookies. Your interactions with these features are governed by the privacy policies of the companies that provide them.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by email (where we have your email address) or by posting a prominent notice on the Services prior to the changes taking effect. The "Last Updated" date at the top of this Policy indicates when it was last revised. Your continued use of the Services after the effective date of the updated Policy constitutes your acceptance of the changes, to the extent permitted by law.

18. How to Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

If you are not satisfied with our response, you have the right to lodge a complaint with the data protection authority in your jurisdiction, as described in Section 11.

19. Jurisdiction-Specific Disclosures Summary

The following table summarises key regulators and references by jurisdiction. This is provided for convenience only and does not limit your rights under applicable law.