Legal
Privacy Policy
We treat your data with the same care we expect from the firms we work with. This policy explains what we collect, why, and what choices you have.
Last updated: 18 May 2026
Important: This document is a working template. We recommend a privacy lawyer review it against your specific data flows before you rely on it as your live policy.
1. Who we are
Valuxe (the “Service”) is operated by Valuxe Ltd, a company registered in England and Wales. For the purposes of UK GDPR and the Data Protection Act 2018, Valuxe Ltd is the data controller for personal data about visitors to our marketing site and about administrators of customer tenants. For personal data about end-users uploaded into the Service by our customers, the customer is the data controller and Valuxe is the data processor.
2. What data we collect
From visitors and registered users
- Name, email address, role, and tenant affiliation when you create an account or accept an invitation.
- Authentication metadata (password hashes, session tokens, last-login timestamp, IP address).
- Tenant administrators may upload company logos and branding settings.
From the use of the Service
- Financial documents you upload (P&Ls, balance sheets, cap tables, contracts, and any other source material you choose to attach to a valuation).
- Valuation outputs the AI engine generates from your inputs.
- Usage analytics — pages visited, features used, errors encountered. We use this to improve the Service.
What we do not collect
- We do not use tracking cookies for advertising. We do not sell or rent your data to anyone, ever.
- We do not use Your Content to train AI models, and we contractually prohibit AWS Bedrock from doing so on our behalf.
3. Why we use it (lawful bases)
- Contract performance — to provide the Service you signed up for (running valuations, generating reports, sending notification emails).
- Legitimate interests — to monitor service health, detect abuse, and improve the product.
- Legal obligation — to respond to lawful subject-access requests, keep tax records, and meet similar obligations.
- Consent — where we ask separately (e.g. opting into product update emails).
4. Who we share it with
We share personal data with a small number of carefully selected processors:
- Amazon Web Services (AWS) — hosting, object storage, message queues, and the Bedrock AI engine. AWS does not train on customer data.
- Stripe — payment processing for paid subscriptions (when applicable).
- Postmark / SES — transactional email delivery (account invitations, notifications).
We have data-processing agreements in place with each processor. We do not share personal data with anyone else except where required by law.
5. International transfers
Our primary infrastructure is hosted in AWS eu-west-2 (London). Where data leaves the UK, we rely on the UK International Data Transfer Agreement and the EU Standard Contractual Clauses with appropriate supplementary measures.
6. How long we keep it
- Account data — for the lifetime of your subscription plus 60 days after cancellation.
- Financial documents and valuation outputs — for as long as your tenant retains them. Deleting a valuation deletes its documents within 30 days; backups roll off within 90 days.
- Authentication logs — 12 months.
- Billing records — 7 years (legal obligation in the UK).
7. Security
We follow industry-standard security practices. See our Security overview for specifics on encryption, access control, and incident response.
8. Your rights
Under UK and EU data protection law you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data (subject to legal-retention obligations);
- Restrict or object to certain processing;
- Receive a portable copy of your data;
- Withdraw consent at any time (where consent is the lawful basis);
- Lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk).
To exercise any of these rights, email privacy@valuxe.example. We respond within 30 days.
9. Cookies
We use a small number of strictly necessary cookies for authentication (your JWT session) and to remember UI preferences (collapsed sidebar state, theme). We do not use advertising or third-party tracking cookies. No cookie banner is shown because we do not set any non-essential cookies that would require consent.
10. Children
The Service is intended for business use and is not directed at children under 16. We do not knowingly collect data from children.
11. Changes to this policy
We will notify registered administrators at the email on file if we make material changes. Minor edits (typos, clarifications) are made with the “Last updated” date refreshed.
12. Contact
Privacy questions or requests: privacy@valuxe.example.