This Privacy Policy explains how Propera ("we", "us", "our") collects, uses, stores, and protects personal information when you use our website at properahq.com and the Propera application (collectively, the "Service"). This policy is written to meet our obligations under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR — Regulation (EU) 2016/679), and the UK Data Protection Act 2018.
1. Who we are (Data Controller)
Propera is the data controller of the personal information processed through the Service. Our registered address is:
71-75 Shelton Street
Covent Garden
London, United Kingdom
WC2H 9JQ
For any privacy questions or to exercise your rights, contact us at .
2. What personal data we collect
2.1 Information you provide
- Account information: name, email address, phone number, country of residence, password (stored hashed using industry-standard bcrypt).
- Developer information: company name, registration number, years in business, project documents.
- KYC / verification documents: government-issued ID and proof of address (where verification is required).
- Communications: messages exchanged through our platform with developers or investors.
- Form submissions: details you submit via our contact form (name, email, phone, message).
2.2 Information collected automatically
- Device and browser information (browser type, operating system, screen size, IP address).
- Usage data (pages visited, features used, time spent, referring URL).
- Cookies and similar technologies — see our Cookie Policy for details.
2.3 Special category data
We do not intentionally collect special category data (e.g. health, religion, ethnicity, political opinions) under Article 9 UK/EU GDPR. Please do not submit any such data through the Service. If verification documents contain incidental personal characteristics (e.g. a photograph on an ID document) we process them only for identity verification.
3. How we use your personal data & the lawful bases we rely on
We process your personal data under one or more of the lawful bases set out in Article 6 of the UK/EU GDPR:
| Purpose | Lawful basis |
|---|---|
| Create and operate your account, authenticate you, deliver the Service | Performance of a contract (Art 6(1)(b)) |
| Verify developer profiles and project documents | Performance of a contract; legitimate interests (Art 6(1)(b), (f)) |
| Facilitate messages between investors and developers | Performance of a contract (Art 6(1)(b)) |
| Send transactional emails (e.g. payment reminders, project updates) | Performance of a contract (Art 6(1)(b)) |
| Respond to enquiries you submit via the contact form | Legitimate interests / pre-contract steps (Art 6(1)(b), (f)) |
| Improve, secure, and protect the Service (analytics, fraud prevention) | Legitimate interests (Art 6(1)(f)) |
| Send marketing emails (where applicable) | Consent (Art 6(1)(a)) — you can withdraw at any time |
| Comply with legal, regulatory, or AML/KYC obligations | Legal obligation (Art 6(1)(c)) |
| KYC / verification documents containing identifiers | Performance of a contract + legal obligation |
Where we rely on legitimate interests, we have balanced our interests against your rights and freedoms. You may object to processing on this basis at any time (see Section 8).
4. Who we share your data with
We share personal data only with parties that need it to deliver the Service:
- Verified developers — when you express interest in a project. We share the minimum necessary (e.g. name, email, message).
- Service providers (processors) we rely on, including:
  - Hosting and database providers (located in the UK, EU, and/or US under appropriate safeguards)
  - Email delivery providers
  - Analytics providers
  - CDN, security, and bot-mitigation providers (e.g. Cloudflare)
- Professional advisers (e.g. lawyers, accountants) where strictly necessary.
- Competent authorities, regulators, or courts where we are required to by law or to defend our legal rights.
- Buyers or successors in the event of a business transfer, merger, or acquisition (with the same protections as in this policy).
We do not sell your personal data and we do not use it for cross-site advertising or behavioural ad-tracking.
5. International transfers
Because Propera operates across multiple countries, your personal data may be transferred to and processed outside the UK or European Economic Area (EEA). Where we transfer personal data internationally, we rely on one of the following safeguards required under Chapter V of the UK/EU GDPR:
- An adequacy decision issued by the UK government or the European Commission;
- The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses (SCCs); or
- Other legally recognised mechanisms (e.g. binding corporate rules).
You can request a copy of the safeguards in place by emailing .
6. How long we keep your data
| Category | Retention period |
|---|---|
| Active account data | For as long as your account is active |
| Account data after closure | Up to 12 months, then deleted or anonymised, unless retention is required by law |
| KYC / verification documents | 5 years from end of business relationship (UK AML rules) |
| Contact-form submissions | Up to 24 months from your last interaction |
| Backups | Routinely overwritten within 90 days |
| Server / security logs | Up to 12 months |
7. Security
We apply appropriate technical and organisational measures under Article 32 UK/EU GDPR, including:
- Encryption in transit (HTTPS / TLS)
- Hashed passwords (bcrypt) — we never store passwords in plain text
- Role-based access control and audit logging for admin actions
- Regular review of access permissions
- Vetting of sub-processors
No system is 100% secure. If we ever become aware of a personal data breach affecting your rights and freedoms, we will notify the ICO within 72 hours and inform you without undue delay where required by Article 34.
8. Your rights under UK / EU GDPR
You have the following rights in relation to your personal data:
- Right of access (Art 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art 16) — request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") (Art 17) — request deletion in certain circumstances.
- Right to restriction (Art 18) — ask us to limit how we use your data.
- Right to data portability (Art 20) — receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art 21) — object to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making (Art 22) — we do not currently use solely automated decision-making with legal or similarly significant effect.
- Right to withdraw consent (Art 7(3)) — where consent is the lawful basis, you may withdraw at any time.
To exercise any of these rights, email . We will respond within one month (Art 12(3)) and the service is free of charge unless your request is manifestly unfounded or excessive.
9. Cookies and similar technologies
We use a limited number of cookies and similar technologies. Where required by law, we will obtain your consent before placing non-essential cookies on your device. Full details are in our Cookie Policy.
10. Marketing communications
We will only send you marketing emails where you have given consent or where we are otherwise permitted to do so under PECR (Privacy and Electronic Communications Regulations). You can unsubscribe at any time using the link in any marketing email or by emailing .
11. Children
The Service is not intended for users under the age of 18 and we do not knowingly collect personal information from children. If you believe a child has provided personal data to us, please contact us so we can delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified via the Service or by email at least 30 days before they take effect. The "Last updated" date at the top reflects the latest version.
13. Contact us
For any questions, requests, or concerns about this Privacy Policy or how we process your personal data, contact us at:
Email:
71-75 Shelton Street, Covent Garden
London, United Kingdom, WC2H 9JQ
