Privacy Policy

Last updated: 24 February 2026

1. Introduction

Hillway Holdings Limited ("Company", "we", "us", or "our") operates the RealiQ platform ("Service"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service.

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy sets out your rights and our obligations regarding your personal data.

Hillway Holdings Limited is the data controller for the personal data described in this policy. Our registered address is Cubo, 38 Carver Street, Sheffield, S1 4FS.

2. Data We Collect

Account Information

When you create an account, we collect your name, email address, organisation name, and role. If you subscribe to a paid plan, our payment processor (Stripe) collects your billing information; we do not store your full payment card details.

Usage Data

We automatically collect information about how you interact with the Service, including pages visited, features used, extraction and matching activity, API usage logs, browser type, device information, IP address, and access timestamps.

Property Data

When you upload documents or use our extraction features, we process the content of those documents, including property details, financial information, tenant data, comparable evidence, and investor requirements. This data is stored in your organisation's account and is subject to your control.

Cookies and Similar Technologies

We use essential cookies to maintain your authentication session and remember your preferences. We may also use analytics cookies to understand how the Service is used. You can manage cookie preferences through your browser settings.

3. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract Performance: Processing necessary to provide the Service to you under our Terms of Service, including account management, subscription billing, and delivering the core platform functionality.
  • Legitimate Interests: Processing necessary for our legitimate business interests, including service improvement, security monitoring, fraud prevention, and analytics. We ensure these interests do not override your fundamental rights and freedoms.
  • Consent: Where we rely on your consent (such as for marketing communications), you may withdraw that consent at any time by contacting us at hello@realiq.uk or using the unsubscribe link in any marketing email.
  • Legal Obligation: Processing necessary to comply with our legal obligations, such as tax, accounting, and regulatory requirements.

4. How We Use Your Data

We use your personal data to:

  • Provide, maintain, and improve the Service
  • Process your subscription payments and manage your account
  • Extract and analyse property data from your uploaded documents using AI
  • Generate investor-property matching and AI commentary
  • Send transactional emails (account confirmations, extraction results, security alerts)
  • Monitor and enforce our Terms of Service and acceptable use policies
  • Detect, prevent, and address fraud, abuse, and security issues
  • Analyse usage patterns to improve features and user experience
  • Comply with legal obligations

5. Data Sharing

We share your personal data only with the following categories of third-party service providers, each of which processes data on our behalf under appropriate contractual safeguards:

  • Supabase (Database and Authentication): Hosts our database and provides authentication services. Your account data and property data are stored on Supabase infrastructure in the EU (eu-west-2).
  • Stripe (Payment Processing): Processes subscription payments and manages billing. Stripe acts as an independent data controller for payment data under its own privacy policy.
  • Resend (Email Delivery): Delivers transactional emails on our behalf, including account notifications and extraction results.
  • Anthropic (AI Processing): Processes document content through their Claude AI models for data extraction, matching, and commentary generation. Document content is sent to Anthropic's API for processing and is subject to Anthropic's data usage policies.
  • Vercel (Hosting): Hosts and serves the Service. Access logs and request metadata may be processed by Vercel.
  • Upstash (Rate Limiting): Provides rate limiting infrastructure. Only API key identifiers and request counts are processed.

We do not sell your personal data to third parties. We may disclose your data if required to do so by law, regulation, or legal process, or if we believe in good faith that such disclosure is necessary to protect our rights, your safety, or the safety of others.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:

  • Account data is retained for the lifetime of your account plus 30 days after deletion
  • Property data and extractions are retained for the lifetime of your organisation's account
  • Usage logs and analytics data are retained for 24 months
  • Billing records are retained for 7 years to comply with UK tax and accounting requirements
  • Audit logs are retained for 12 months

When data is no longer needed, we securely delete or anonymise it. You may request earlier deletion of your data by contacting us (see "Your Rights" below).

7. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

  • Right of Access: You can request a copy of the personal data we hold about you.
  • Right to Rectification: You can request that we correct any inaccurate or incomplete personal data.
  • Right to Erasure: You can request that we delete your personal data, subject to our legal retention obligations.
  • Right to Data Portability: You can request a copy of your data in a structured, commonly used, machine-readable format.
  • Right to Object: You can object to the processing of your personal data where we rely on legitimate interests as the legal basis.
  • Right to Restrict Processing: You can request that we restrict the processing of your personal data in certain circumstances.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at hello@realiq.uk. We will respond to your request within 30 days. We may need to verify your identity before processing your request.

8. Cookies

Our Service uses the following types of cookies:

  • Essential Cookies: Required for the Service to function, including authentication session cookies and CSRF protection tokens. These cannot be disabled.
  • Preference Cookies: Remember your settings and preferences, such as theme and display options.
  • Analytics Cookies: Help us understand how users interact with the Service so we can improve it. These are only set with your consent.

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using the Service.

9. International Transfers

Your data is primarily stored and processed within the European Economic Area (EEA). However, some of our service providers (including Anthropic and Vercel) may process data in the United States.

Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO), or transfers to countries with an adequacy decision.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Row-level security policies on all database tables
  • API key authentication using SHA-256 hashing
  • Rate limiting to prevent abuse
  • Regular security audits and monitoring
  • Access controls and principle of least privilege
  • Audit logging of sensitive operations

While we take security seriously, no system is completely secure. If you become aware of a security vulnerability, please report it to hello@realiq.uk.

11. Children's Privacy

The Service is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at hello@realiq.uk.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on the Service and updating the "Last updated" date. For significant changes, we will also notify you by email.

We encourage you to review this policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

13. Contact and Complaints

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

  • Email: hello@realiq.uk
  • Address: Hillway Holdings Limited, Cubo, 38 Carver Street, Sheffield, S1 4FS

If you are not satisfied with our response to your enquiry or believe we are processing your personal data in a way that is not compliant with data protection law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF