Privacy Policy

This Privacy Policy explains how PropFlow handles personal data when you visit our site, create an account, and use the Service. It applies to data about you as our customer and to personal data you store in PropFlow about other people, such as your tenants.

Where you store personal data about your tenants in PropFlow, you are the data controller for that data and we act as your processor. For the data we collect to run your account and the Service, we are the controller. This policy covers both roles, and makes clear which applies.

PropFlow is the controller of the account and usage data described below. You can contact us about privacy at any time at privacy@propflow.app.

If you are in the EU or UK and have a concern we cannot resolve, you have the right to lodge a complaint with your local data-protection authority — in Spain, the Agencia Española de Protección de Datos (AEPD).

We collect the following categories of personal data:

• Account data — your name, email address, password (stored only as a secure hash), language, and plan.
• Content you enter — the properties, leases, tenants, financial records, and documents you add to the Service. Some of this may be personal data about third parties, such as tenant names and contact details.
• Billing data — when you subscribe to Pro, our payment processor handles your card details; we receive only limited information such as the last four digits, card type, and billing status. We never see or store full card numbers.
• Usage and technical data — log data such as your IP address, browser type, pages viewed, and timestamps, used to keep the Service secure and working.
• Cookies — a small number of essential cookies described in our Cookie Policy.

We use personal data to:

• provide, maintain, and secure the Service and your account;
• process subscriptions and payments;
• respond to your support requests and send service-related messages, such as security and billing notices;
• generate the reports, calculations, and analytics you ask the Service to produce from your own data;
• detect, prevent, and address abuse, fraud, and technical problems;
• comply with our legal obligations.

We do not sell your personal data, and we do not use your content to train machine-learning models.

Where the GDPR applies, we rely on these legal bases:

• Contract — to provide the Service you signed up for and to process your subscription.
• Legitimate interests — to keep the Service secure, prevent abuse, and improve the product, balanced against your rights.
• Legal obligation — to meet accounting, tax, and other legal requirements.
• Consent — where we ask for it, for example for any non-essential communications; you can withdraw consent at any time.

For the tenant data you store as controller, you are responsible for having a lawful basis to process it.

PropFlow uses only the cookies it needs to function — to keep you signed in and to remember your language and theme. We do not use advertising cookies.

Our Cookie Policy describes each cookie and how to manage them in your browser.

We do not sell personal data. We share it only with service providers (sub-processors) who help us run PropFlow, under contracts that require them to protect it and use it only on our instructions. These include:

• cloud hosting and database providers that run the application and store data;
• a payment processor that handles Pro subscriptions;
• an email provider that sends transactional messages such as verification and reset emails.

We may also disclose data where required by law, to enforce our Terms, or to protect the rights, safety, and property of PropFlow, our users, or the public. If PropFlow is involved in a merger or acquisition, data may be transferred as part of that transaction, subject to this policy.

We keep your account and content data for as long as your account is active. When you close your account, we delete or anonymise your content within 30 days, except where we must keep certain records longer to meet legal, accounting, or tax obligations.

Backups are kept on a short rolling cycle and overwritten in the ordinary course. Aggregated or anonymised data that can no longer identify you may be kept for analysis.

We use technical and organisational measures to protect personal data, including encryption in transit, hashed passwords, access controls, and isolation of each portfolio's data.

No system is perfectly secure. If we become aware of a personal-data breach that is likely to put your rights at risk, we will notify you and the relevant authority as the law requires.

We aim to process and store data within the European Economic Area. Where a provider processes data outside the EEA, we rely on appropriate safeguards — such as the European Commission's Standard Contractual Clauses or an adequacy decision — so that your data keeps an equivalent level of protection.

Subject to applicable law, you have the right to:

• access the personal data we hold about you;
• correct inaccurate or incomplete data;
• erase your data ("right to be forgotten"), where applicable;
• restrict or object to certain processing;
• receive your data in a portable format;
• withdraw consent where processing is based on consent.

To exercise any of these rights, email privacy@propflow.app. You can also access and export most of your data directly from within the Service. We will respond within the time the law allows, normally within one month.

The Service is intended for businesses and adults. It is not directed at children, and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, contact us and we will delete it.

We may update this Privacy Policy as the Service and the law evolve. When we make material changes, we will update the effective date above and, where appropriate, notify you in the app or by email. We encourage you to review this page periodically.