Privacy Policy
Effective date: 27 May 2026
1. Introduction
This Privacy Policy explains how Assesr ("Assesr", "we", "us", "our") collects, uses, stores, shares, and protects personal data when you use our website at assesr.com and the associated web application (collectively, the "Platform").
This Policy is designed to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR) where applicable, and other applicable data protection legislation worldwide. Where we refer to "Data Protection Laws" in this Policy, we mean all applicable data protection and privacy legislation.
By using the Platform, you acknowledge that you have read and understood this Policy. This Policy should be read alongside our Terms of Service.
2. Data Controller
Assesr is the data controller for the personal data processed through the Platform. For any data protection enquiries, contact us at:
Assesr
Email: deakidj93@gmail.com / jeremy.church@icloud.com
3. What Data We Collect
We collect the following categories of personal data:
3.1 Account and identity data
- Full name
- Email address
- Company name
- Authentication identifiers provided by OAuth providers (Google, Apple) or email-based magic link
- User role (borrower, broker, lender)
- Language/locale preference
3.2 Deal and scheme data
- Scheme details: name, description, location, address, postcode, property type, construction costs, gross development value, equity, exit strategy, loan request details
- Client details (Brokers only): client name, email address, company name
- Commission information (Brokers only): commission percentage, final loan amounts
- Enrichment data sourced from public registries: Companies House records, HM Land Registry comparables, planning data, flood risk assessments, EPC ratings, demographic data
3.3 Documents and uploaded files
- Documents you upload including title documents, planning permissions, QS reports, valuations, sponsor CVs, build programmes, surveys, and other supporting materials
- Text extracted from uploaded documents via automated processing (PDF extraction, document parsing, OCR)
- File metadata: original filename, file type, upload date
3.4 Platform interaction data
- Deal status history: all transitions, timestamps, and associated notes
- Lender actions: shortlisting, declining, and information requests on deals
- Lender preferences: loan amount ranges, preferred scheme types, regions, risk grade thresholds
- Notifications: in-app notification records (type, content, read status)
- Contact form submissions: name, email, role, message
3.5 Financial and payment data
- Stripe Connect account identifiers (for Brokers receiving commission payments)
- We do not directly collect or store credit card numbers, bank account numbers, or other payment instrument details — these are processed and stored exclusively by our payment processor, Stripe
3.6 Technical data
- Data automatically collected during your use of the Platform: IP address, browser type, device type, operating system, referral URL, pages visited, timestamps
3.7 E-signature data
- Signature method (drawn or typed), typed name (if applicable), signer company name
- Tamper-evidence metadata: timestamp, IP address at time of signing, browser user agent, SHA-256 hashes of the signed content and signature
- Document type signed (e.g. fee agreement, terms acceptance, review consent)
3.8 Lender application data
- Company number, contact telephone number, FCA reference (if applicable), website URL
- Lending preferences: types, geographic regions, minimum and maximum loan amounts
- Application description and supporting information
- Admin review metadata: reviewer identity, review timestamp, approval/rejection status, rejection reason (if applicable)
3.9 Deal review and reputation data
- Star ratings (1–5), category ratings, written review text, tags, "would work again" indicator
- Marketplace tier scores calculated from verified deal completions, response times, rejection rates, and completion speed
- Aggregate review counts and average ratings displayed on marketplace profiles
3.10 Service-level and velocity data
- Response timestamps against indicative SLA deadlines (initial response, document request, term sheet, final response)
- SLA breach flags and automated follow-up records
- Deal velocity metrics: time-to-response, time-to-completion
3.11 Audit logs
- Security audit records: event type (sign-in, sign-out, document access, deal actions), user identifier, event metadata, timestamp
- Retained for 12 months then automatically purged
3.12 Data we do not collect
We do not knowingly collect special category data (racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, health data, sexual orientation). If you upload documents that contain such data, you do so at your own discretion and risk.
4. How We Use Your Data
| Purpose | Legal basis (UK/EU GDPR) |
|---|---|
| Provide the Platform services: account creation, deal intake, credit paper generation, lender matching, document management | Performance of a contract (Art. 6(1)(b)) |
| Process AI-generated outputs: passing your data and documents to AI models to generate credit papers, risk grades, autofill suggestions, and chat assistance | Performance of a contract (Art. 6(1)(b)); Legitimate interest in providing the core service (Art. 6(1)(f)) |
| Enrich deal data from public registries (Companies House, Land Registry, planning data, flood risk, EPC, demographics) | Legitimate interest in providing accurate, comprehensive credit papers (Art. 6(1)(f)) |
| Match deals to lenders and share deal information with matched lenders | Performance of a contract (Art. 6(1)(b)); Consent via submission action (Art. 6(1)(a)) |
| Process commission payments and Stripe Connect integration | Performance of a contract (Art. 6(1)(b)) |
| Send transactional emails: deal notifications, status updates, account communications | Performance of a contract (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f)) |
| Verify deal completion through public registries (HM Land Registry charge data, Companies House filings) | Legitimate interest in enforcing contractual terms and preventing fee avoidance (Art. 6(1)(f)) |
| Improve and develop the Platform, including analytics, debugging, and feature development | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations, respond to legal processes, enforce our Terms | Legal obligation (Art. 6(1)(c)); Legitimate interest (Art. 6(1)(f)) |
| Capture and store e-signatures for fee agreements, terms acceptance, and other documents, including tamper-evidence metadata | Performance of a contract (Art. 6(1)(b)) |
| Track service-level response times and calculate marketplace reputation tiers and deal review scores | Legitimate interest in maintaining marketplace quality (Art. 6(1)(f)) |
| Redact contact details from deal communications and log redaction events for compliance | Legitimate interest in preventing off-platform circumvention (Art. 6(1)(f)) |
| Process lender applications and perform approval reviews | Performance of a contract (Art. 6(1)(b)); Legitimate interest (Art. 6(1)(f)) |
| Deliver webhook notifications to Lender-configured endpoints | Performance of a contract (Art. 6(1)(b)) |
| Maintain security audit logs of platform activity | Legitimate interest in security and fraud prevention (Art. 6(1)(f)) |
| Prevent fraud, abuse, and security threats | Legitimate interest (Art. 6(1)(f)) |
5. AI and Automated Processing
5.1 How AI is used
The Platform uses artificial intelligence, including third-party large language models (currently Google Gemini models accessed via the Lovable AI Gateway), to:
- Generate credit papers from your deal data and uploaded documents
- Suggest autofill values for intake forms based on extracted document text
- Provide chat-based assistance on development finance concepts
- Generate match insight explanations describing why a Lender's preferences align with a Deal
5.2 Data sent to AI providers
When AI features are invoked, the following data may be sent to third-party AI model providers via the Lovable AI Gateway (an API intermediary operated by Lovable Inc.): deal intake data, extracted text from uploaded documents, lender profile data (for match insights), and relevant contextual prompts. Data passes through Lovable's infrastructure before reaching the underlying model provider (Google). We use API-based access (not consumer-facing AI products) to ensure your data is processed under commercial data processing terms, not used for model training by third-party providers.
5.3 Automated decision-making
The Platform generates automated outputs including risk grades (A–E), financial appraisals, and lender matching scores. These outputs are informational aids — they are not automated decisions that produce legal effects or similarly significant effects on individuals within the meaning of Article 22 of the UK/EU GDPR. All lending decisions are made independently by human decision-makers at Lender organisations. You have the right to query any automated output by contacting us.
6. Document Processing and Text Extraction
When you upload documents, the Platform extracts text using automated tools (PDF parsers, document converters, OCR for images). Extracted text is stored alongside the document record and used to generate credit papers and autofill suggestions. The extraction process is performed on our servers — documents are not sent to external extraction services. Extracted text is limited to 60,000 characters per document.
7. Who We Share Your Data With
7.1 Other Platform users
When you submit a Deal to the marketplace, the following personal data is shared with matched Lenders: all information provided through the Deal intake form (including borrower names, roles, scheme details, loan requirements, site specifics, planning data, build details, financial appraisals, and equity and security information); all uploaded documents (including identity documents, proof of address, title documents, planning permissions, QS reports, valuations, sponsor CVs, build programmes, surveys, and any other supporting materials); the AI-generated Credit Paper; and area enrichment data. Lenders can only access Deals matched to them through the Platform's matching system. Competing lenders cannot see each other's loan amounts or actions.
Once Deal data has been made available to a Lender, that Lender becomes an independent data controller in respect of any personal data received. Assesr has no control over the Lender's subsequent handling, storage, or security of that data. Our Terms of Service require Lenders to permanently delete all Borrower personal data within 30 days if a Deal is cancelled, withdrawn, or declined, but enforcement of this obligation rests with the Lender as an independent data controller. If you have concerns about a Lender's handling of your data, you should contact the Lender directly and/or the relevant supervisory authority (see Section 10.2).
7.2 Sub-processors and service providers
We use the following categories of service providers:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase (database and authentication) | Data storage, user authentication, file storage | All Platform data | EU/US (AWS infrastructure) |
| Google/Apple (OAuth) | User authentication | Authentication tokens, email | US |
| Lovable AI Gateway (lovable.dev) | API intermediary for AI model access | Deal data, extracted document text, lender profile data | US |
| Google (Gemini AI models) | Credit paper generation, autofill, chat, match insights | Deal data, extracted document text (via Lovable gateway) | US |
| Stripe | Payment processing, broker commissions | Stripe account IDs, transaction amounts | US |
| Resend | Transactional email delivery | Email addresses, notification content | US |
| Cloudflare | Hosting, CDN, edge compute | Technical/request data | Global |
Each sub-processor processes data only on our instructions and under appropriate contractual safeguards.
7.3 Deal communication and contact redaction
The Platform facilitates structured information requests between Lenders and Borrowers/Brokers. To protect contact details during early-stage engagement, the Platform automatically scans and redacts contact information (telephone numbers, email addresses, physical addresses) from information request messages. Redaction events are logged for compliance purposes, including the original text, redacted text, and matching patterns. This logging is necessary for our legitimate interest in preventing off-platform circumvention and protecting all parties.
7.4 Webhook delivery
Lenders may configure webhook endpoints to receive automated Deal event notifications. When a webhook fires, Deal data (event type, deal identifier, structured payload) is transmitted to the Lender-specified endpoint, authenticated with HMAC-SHA256 signatures. Assesr is not responsible for the security or data handling practices of Lender-controlled webhook endpoints.
7.5 Public data sources
We query UK government APIs (Companies House, HM Land Registry, Environment Agency, Planning Data, EPC register, ONS) using data you provide (postcodes, company numbers, site addresses). These queries are subject to those services' own privacy policies and terms. Data retrieved is stored as part of deal enrichment.
7.6 Legal and regulatory disclosure
We may disclose your personal data where required by law, regulation, legal process, or governmental request, or where disclosure is necessary to: (a) protect our legal rights; (b) prevent fraud or security threats; (c) enforce our Terms; or (d) protect the rights, property, or safety of any person.
7.7 Business transfers
In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or part of our assets, your personal data may be transferred to the acquiring entity. We will notify you via email or prominent notice on the Platform before your data is transferred and becomes subject to a different privacy policy.
8. International Data Transfers
Your data may be transferred to and processed in countries outside the United Kingdom and the European Economic Area, including the United States. Where such transfers occur, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office or the European Commission;
- The UK's International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs;
- Adequacy decisions where the relevant country has been deemed to provide an adequate level of data protection;
- Binding corporate rules or other approved transfer mechanisms.
You may request details of the specific safeguards applied to transfers of your data by contacting us.
9. Data Retention
9.1 General retention periods
| Data category | Retention period |
|---|---|
| Account data | Duration of your account plus 2 years after closure or last activity |
| Deal and scheme data | 7 years from deal completion or last activity (whichever is later), to align with UK financial record retention obligations |
| Uploaded documents and extracted text | Duration of the associated deal plus 7 years after completion |
| Credit papers | Same as associated deal data |
| Lender action logs and deal status history | 7 years from creation |
| Payment/commission records | 7 years (UK tax and accounting requirements) |
| E-signature records | Duration of associated agreement plus 7 years |
| Lender application data | Account duration plus 2 years after closure or rejection |
| Deal reviews and reputation data | Duration of associated deal plus 7 years |
| SLA and velocity metrics | Same as associated deal data |
| Audit logs | 12 months then automatically purged |
| Contact redaction logs | Same as associated deal data |
| Contact form submissions | 2 years |
| Technical/server logs | 90 days |
9.2 Extended retention
We may retain data for longer periods where required by law, regulation, or ongoing legal proceedings, or where necessary to establish, exercise, or defend legal claims.
10. Your Rights
Under applicable Data Protection Laws, you have the following rights. These rights are not absolute and may be subject to exemptions under applicable law.
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure | Delete your account from Settings at any time. Your data enters a 30-day soft-delete period — you can restore everything with one click during this window. After 30 days, all data is permanently purged automatically |
| Restriction | Request restriction of processing in certain circumstances |
| Portability | Receive your data in a structured, commonly used, machine-readable format |
| Objection | Object to processing based on legitimate interests or for direct marketing purposes |
| Withdraw consent | Where processing is based on consent, withdraw that consent at any time (without affecting the lawfulness of prior processing) |
| Automated decisions | Not be subject to solely automated decisions that produce legal or similarly significant effects — request human review of automated outputs |
| Complaint | Lodge a complaint with a supervisory authority (see Section 10.2) |
10.1 How to exercise your rights
To exercise any of these rights, contact us at deakidj93@gmail.com / jeremy.church@icloud.com. We will respond within 30 days (or the period required by applicable law). We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests, but may charge a reasonable fee or refuse manifestly unfounded or excessive requests.
10.2 Supervisory authorities
If you are unsatisfied with our handling of your data, you have the right to lodge a complaint with the relevant supervisory authority:
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- EU: The data protection authority of the EU Member State in which you reside
- Other jurisdictions: The applicable data protection or privacy regulator in your jurisdiction
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS on all connections)
- Encryption at rest (database encryption via Supabase/AWS infrastructure)
- Row-level security policies restricting data access to authorised users only
- OAuth-based and magic-link authentication (no passwords stored by Assesr)
- Principle of least privilege: lenders can only view deals they have engaged with; borrowers can only view their own data
- Secure, private file storage with access-controlled signed URLs for document downloads
- Server-side API key storage — secrets are never exposed to client-side code
- Regular review of access controls and security policies
No system is completely secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the security of your authentication credentials.
12. Cookies and Tracking Technologies
The Platform uses essential cookies and local storage for authentication and session management. These are strictly necessary for the Platform to function and do not require consent under the UK Privacy and Electronic Communications Regulations (PECR).
We do not currently use advertising cookies, third-party tracking pixels, or behavioural analytics cookies. If we introduce non-essential cookies in the future, we will implement a consent mechanism and update this Policy accordingly.
13. Children's Privacy
The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, contact us at deakidj93@gmail.com / jeremy.church@icloud.com.
14. Jurisdiction-Specific Provisions
14.1 California (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act). You have the right to: (a) know what personal information we collect and how it is used; (b) request deletion of your personal information; (c) opt out of the sale or sharing of personal information; and (d) non-discrimination for exercising your rights. We do not sell or share your personal information for cross-context behavioural advertising.
14.2 European Economic Area
If you are located in the EEA, our processing of your data is governed by the EU GDPR. The legal bases for processing are set out in Section 4. You have all rights described in Section 10.
14.3 Brazil (LGPD)
If you are located in Brazil, you have additional rights under the Lei Geral de Proteção de Dados (LGPD), including the right to confirmation of processing, access, correction, anonymisation, portability, deletion, and information about sharing. Contact us to exercise these rights.
14.4 Australia
If you are located in Australia, your personal information is handled in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). You may access and correct your personal information by contacting us. If you are unsatisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC).
14.5 Other jurisdictions
If you are located in a jurisdiction with data protection laws that provide you with rights not specifically listed above, we will honour those rights to the extent required by applicable law. Contact us to exercise any such rights.
15. Broker Responsibilities
If you are a Broker submitting data on behalf of a third-party borrower or developer:
- You represent and warrant that you have obtained all necessary consents from the data subject (the borrower or developer) for the collection, use, and sharing of their personal data through the Platform, including the generation of AI-powered Credit Papers and disclosure to matched Lenders.
- You are responsible for providing the data subject with a copy of this Privacy Policy or informing them of its contents before submitting their data.
- You shall indemnify Assesr against any claims arising from your failure to obtain the necessary consents.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the email address associated with your account or through a prominent notice on the Platform, at least 14 days before the changes take effect. The "Effective date" at the top of this Policy indicates the date of the most recent revision. Your continued use of the Platform after the effective date of any changes constitutes acceptance of the updated Policy.
17. Contact
For any questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:
Assesr
Email: deakidj93@gmail.com / jeremy.church@icloud.com
Website: assesr.com