HostPalInvest← Home
Legal

Privacy policy

Last updated: 7 June 2026

HostPal Invest is operated from the United Kingdom. This policy explains what data we collect, why we collect it, and how we keep it safe. It's written to be honest and short — not to bury you in lawyer-speak.

What we collect

Account data. When you sign up, we store your name, email address, and a salted hash of your password. We never store passwords in plain text.

Report inputs. When you generate a report, we store the address or polygon you submitted, the property type, your budget range, and the resulting report content. This lets you return to previously-generated reports without paying again.

Payment data. Card details are handled exclusively by Stripe. We never see your card number. We store the Stripe customer ID and the high-level outcome (paid amount, tier, timestamp) so we can match payments to reports and issue refunds.

Analytics.We use PostHog (EU-hosted) to understand which features work and which don't. We do not use third-party advertising cookies. PostHog is configured to anonymise IP addresses before storage.

Error tracking. When something on the site breaks, we capture the error message and a stack trace via Sentry so we can fix it. Sentry strips obvious personal data (cookies, request bodies) before storage.

What we do with it

The data above is used only to:

  • Deliver and improve the product you signed up for
  • Process payments and handle refunds
  • Send transactional emails (e.g. "your report is ready")
  • Comply with UK and EU legal obligations

We do not sell, rent, or share your data with advertisers. Full stop.

Where it lives

Your account + report data lives on a MongoDB instance hosted in Frankfurt (EU). Backups run nightly and are retained for 7 days. We do not transfer personal data outside the EEA except where strictly necessary for the subprocessors listed below.

Subprocessors

  • Stripe (payment processing) — Ireland / United States, contractually GDPR-compliant
  • Resend (transactional email) — United States, EU Standard Contractual Clauses
  • Cloudflare (CDN + DDoS protection) — global edge, EU Standard Contractual Clauses
  • PostHog EU (product analytics) — Frankfurt, Germany
  • Sentry (error tracking) — Frankfurt, Germany
  • OpenRouter / Anthropic (LLM inference for report narratives) — United States, standard contractual clauses

Your rights (UK GDPR)

You have the right to:

  • Access the personal data we hold about you
  • Correct data that's inaccurate
  • Delete your account and all associated data
  • Export your data in a machine-readable format
  • Object to processing for any reason

To exercise any of these rights, email [email protected]. We'll respond within 30 days.

Cookies

We use three cookies, all strictly necessary:

  • hp_session — your logged-in session, expires after 30 days
  • A PostHog cookie for analytics (no cross-site tracking)
  • A Cloudflare cookie for DDoS protection

We do not use advertising or third-party tracking cookies, so we don't show a cookie banner. We figure cookie-banner fatigue is its own dark pattern.

How long we keep it

  • Account data: until you delete your account, then 30 days for backup purposes
  • Generated reports: indefinitely (you paid for them; we keep them so you can re-access)
  • Payment records: 6 years (UK tax law)
  • Server logs: 30 days
  • Sentry error traces: 90 days

Changes to this policy

We'll update this page if our practices change, and update the "last updated" date at the top. For material changes (new subprocessor, broadened data use) we'll also email registered users.

Contact

Questions, complaints, or right-of-access requests: [email protected]. You also have the right to complain to the UK Information Commissioner's Office (ico.org.uk).