Privacy Policy

Who We Are

Refurb Genius is an AI-assisted property refurbishment analysis platform for UK property investors. Refurb Genius is operated by Rissolol Ltd ("we," "us," or "our"), a company registered in England and Wales (company number: [to be completed]), with its registered office at [registered office address — to be completed].

For the purposes of UK data protection law — the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025 — we are the "data controller" responsible for your personal data. We are registered with the Information Commissioner's Office (ICO) under registration number [to be completed].

You can contact us about anything in this policy at support@refurbgenius.co.uk (please mark privacy queries "Privacy Request").

Overview

This privacy policy explains what personal data we collect, why we collect it, the legal bases we rely on, how long we keep it, who we share it with (including the AI providers that help power the service), and the rights you have over your data. By using Refurb Genius you confirm you have read and understood this policy.

Information We Collect

Authentication & Account Data

When you create an account, we collect:

• • Email address (used for login and communication)
• • Authentication tokens (OAuth2 PKCE flow via Supabase)
• • Basic profile information you provide (such as your name)

Project & Property Data

When you create projects or properties, we collect:

• • Property address and location data (to determine region multipliers)
• • Property condition assessments and refurbishment scope
• • Estimated budgets, purchase prices, and financial projections
• • Deal metrics and investment analysis you input
• • Notes and personal comments about properties or deals

Uploaded Photos & Images

When you upload photos for AI analysis:

• • Photos are processed by our AI provider (OpenAI) to generate analysis
• • Photos are stored in our secure storage so you can revisit your projects
• • AI-generated analysis results (descriptions, room types, condition assessments) are stored against your project
• • See the "Third-Party Processors" section for how OpenAI handles data

Please do not upload photographs that identify other people, or that contain special category data (see "Special Category & Sensitive Data" below). Where photos may show third parties (for example, tenants or neighbours), you are responsible for ensuring you have a lawful basis to share them with us.

Usage & Analytics Data

We collect limited operational data:

• • Features you access and their usage patterns
• • Error logs and system diagnostics (for debugging and security)
• • Approximate location data (derived from IP address)
• • Device type and browser information

Our Lawful Bases for Processing

Under the UK GDPR we must have a lawful basis for processing your personal data. We rely on the following:

• Performance of a contract (Art. 6(1)(b)): to create and manage your account, run analyses you request, and deliver the service to you.
• Legitimate interests (Art. 6(1)(f)): to keep the platform secure, prevent fraud and abuse, debug and improve features, and understand how the service is used. We balance these interests against your rights and freedoms.
• Consent (Art. 6(1)(a)): for any non-essential cookies and for any optional marketing communications. You can withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)): to comply with our legal and regulatory duties, including responding to lawful requests.

How We Use Your Data

• Account Management: to maintain your account, handle authentication, and provide customer support.
• Service Delivery: to calculate refurbishment estimates, ROI projections, and property analysis.
• Operational Improvements: to fix bugs, optimise performance, and improve feature reliability.
• Communication: to send service-related updates and policy changes. Marketing messages are only sent where you have opted in.
• Security & Compliance: to detect fraud, prevent abuse, and comply with legal obligations.

AI Processing & Automated Decision-Making

Refurb Genius uses artificial intelligence to help interpret your photos and to generate refurbishment scopes, design suggestions, cost estimates, and indicative investment metrics. We want to be transparent about how this works:

• AI is decision-support, not a decision-maker. The estimates, scores, and suggestions the platform produces are advisory tools to help you. They do not, by themselves, produce a legal or similarly significant decision about you. You remain in control of every investment or refurbishment decision.
• No solely automated decisions with legal effect. We do not use your data to make solely automated decisions that produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 UK GDPR. If this ever changes, we will tell you in advance and provide the safeguards the law requires, including the right to obtain human review, to express your point of view, and to contest the outcome.
• Human review on request. If you believe an AI-generated output is wrong or unfair, you can contact us for a human review at support@refurbgenius.co.uk.
• Accuracy limits. AI outputs can be incomplete or incorrect. They must be verified by qualified professionals before you rely on them. See our Terms of Service for the full AI and estimate disclaimers.
• Training. We do not permit your photos, project data, or analysis results to be used to train our AI providers' models, and we do not opt in to model training by default. We will not use your content to train models without your explicit, separate consent.

Special Category & Sensitive Data

The service is designed for property and financial information, not for sensitive personal data. Please do not upload or enter "special category data" as defined by the UK GDPR (for example, data revealing health, racial or ethnic origin, religious beliefs, or biometric data), and avoid including identifiable images of other people. We do not ask for this data and have no lawful basis to process it as part of the service.

Data Storage, Security & Retention

Where We Store Data

Your account, project data, and uploaded photos are stored using Supabase (PostgreSQL and object storage) hosted on cloud infrastructure located in the United Kingdom / European Economic Area. This supports compliance with UK data protection standards.

Security Measures

• • Encryption in transit (TLS/SSL for all communications)
• • Authentication via OAuth2 PKCE flow (industry standard)
• • Row-level security so each user can only access their own data
• • Session tokens stored securely; no plaintext passwords stored
• • Automated backups of critical data

No system can be guaranteed to be completely secure, but we take appropriate technical and organisational measures to protect your data as required by the UK GDPR.

How Long We Keep Data

• • Account & project data: kept for as long as your account is active, then deleted following account closure (see "Account Deletion").
• • Uploaded photos & AI results: kept with the related project until you delete the project or your account.
• • Operational logs & diagnostics: typically retained for up to 12 months, then deleted or anonymised.
• • Records we must keep by law: retained only for as long as the relevant legal or regulatory obligation requires.

International Data Transfers

Some of our processors — in particular our AI provider, OpenAI — process data outside the UK, including in the United States. Where personal data is transferred outside the UK, we ensure an appropriate safeguard is in place as required by the UK GDPR, such as:

• • transfers to providers certified under the UK Extension to the EU–US Data Privacy Framework; and/or
• • the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with a transfer risk assessment.

You can request more information about the specific safeguards in place by contacting us.

Third-Party Processors

OpenAI (Vision & Text APIs)

• • Photos and related prompts you submit for analysis are sent to OpenAI
• • OpenAI processes them to generate condition assessments and design recommendations
• • We do not opt in to OpenAI model training
• • OpenAI privacy policy: openai.com/policies/privacy-policy

Supabase

• • Authentication, session management, database, and file storage
• • Supabase privacy policy: supabase.com/privacy

Other Services

We use a limited number of additional processors for hosting, error monitoring, and product analytics, each under a data processing agreement. We will update this policy to reflect any material changes to our processors.

Your Data Rights

Under the UK GDPR and the Data Protection Act 2018, you have the right to:

• Access: request a copy of the personal data we hold about you.
• Rectification: ask us to correct inaccurate or incomplete data.
• Erasure: request deletion of your account and associated data (see "Account Deletion").
• Restriction: ask us to limit how we process your data in certain circumstances.
• Portability: receive your data in a structured, commonly used, machine-readable format.
• Objection: object to processing based on our legitimate interests, and to any direct marketing.
• Withdraw consent: where we rely on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email support@refurbgenius.co.uk with "Privacy Request" in the subject line. We will respond within one month, as required by law. There is normally no charge.

Right to complain: if you are unhappy with how we handle your data, you can complain to the Information Commissioner's Office (ICO), the UK supervisory authority, at ico.org.uk or by calling 0303 123 1113. We would, however, appreciate the chance to address your concerns first.

Account Deletion

You can request account deletion at any time through your Settings. When you delete your account:

• • Your profile and authentication credentials are deleted
• • Your projects, properties, and analysis history are deleted
• • Uploaded photos and AI-generated analysis results are deleted
• • We may retain anonymised, non-identifying usage data for operational diagnostics
• • Deletion is processed within 30 days

If you have shared projects with other users, deleting your account may affect their access to shared analyses.

Cookies

In line with the Privacy and Electronic Communications Regulations (PECR), we use the following cookies and similar technologies:

• Strictly necessary cookies: authentication and session cookies (Supabase session) and security cookies. These are required for the service to function and do not need consent.
• Preference cookies: remember choices such as your light/dark theme selection.
• Analytics cookies: where used, these help us understand usage. Non-essential cookies are only set with your consent, which you can withdraw at any time.

Children's Privacy

Refurb Genius is intended for use by property professionals and investors and is not directed at children. The service is not intended for anyone under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

Data Breaches

We maintain procedures to detect, investigate, and respond to personal data breaches. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours where required, and will inform you without undue delay where the breach is likely to result in a high risk to you.

Changes to This Policy

We may update this privacy policy from time to time as the platform and applicable law evolve. We will update the "Last updated" date above and, where changes are material, notify you by email or in-app notification. Your continued use of the service after an update constitutes acceptance of the revised policy.

Contact & Support

For data requests, privacy concerns, or account deletion inquiries, contact: