← Back to BTLDeals

Privacy Policy

Last updated: 27 May 2026

1. Who we are

BTLDeals ("we", "us", "our") operates the website btldeals.co.uk and provides an AI-powered UK property deal alert service.

We are the data controller for the personal data you provide when using our service. This means we determine the purposes and means of processing your personal data.

If you have any questions about this policy or your data, contact us at privacy@btldeals.co.uk.

2. Data we collect and why

We only collect data that is necessary to provide the service.

Account data

  • Name and email address — provided when you create an account. Used to identify you, send your digest emails, and communicate with you about your subscription.
  • Password — stored as a secure hash by Supabase. We never store or see your plain-text password.
Legal basisContract performance (Article 6(1)(b) UK GDPR) — necessary to create and manage your account.

Subscription and billing data

  • Subscription tier and status — which plan you're on (Weekly, Three Day, or Daily) and whether it is active, trialling, or cancelled.
  • Trial expiry date — so we know when to begin billing.
  • Lemon Squeezy customer and subscription IDs — references to your billing account. We do not store your card number or full payment details; those remain with Lemon Squeezy.
Legal basisContract performance (Article 6(1)(b)) — necessary to manage your subscription and billing.

Search preferences

  • Target locations, price range, property types, minimum yield, minimum AI score, include/exclude keywords.
Legal basisContract performance (Article 6(1)(b)) — necessary to match and send you relevant property deals.

Email digest logs

  • A record of each digest email sent to you, including the date, tier, and which listing IDs were included. Used to prevent you receiving duplicate listings in future digests.
Legal basisLegitimate interests (Article 6(1)(f)) — to improve service quality and prevent duplicate sends.

Technical and usage data

  • Server logs (IP address, browser type, pages visited) retained for up to 30 days for security and debugging. We do not currently use any analytics platform.
Legal basisLegitimate interests (Article 6(1)(f)) — to maintain system security and diagnose faults.

3. Cookies

We use a minimal number of cookies. We do not use advertising cookies, social media tracking pixels, or third-party analytics cookies.

Cookie namePurposeDurationCategory
sb-*-auth-tokenKeeps you signed in to your BTLDeals account (set by Supabase).Session / up to 7 daysStrictly necessary
admin_secretAuthenticates admin panel access.8 hoursStrictly necessary
cookie_consentRemembers whether you have acknowledged this cookie notice.1 yearStrictly necessary

Because we only use strictly necessary cookies, we do not require your prior consent to set them under the UK Privacy and Electronic Communications Regulations (PECR). However, we still inform you of their existence via our cookie notice.

You can delete cookies at any time in your browser settings. Deleting the authentication cookie will sign you out of BTLDeals.

4. Who we share your data with

We do not sell your personal data. We share data only with the sub-processors listed below, each of whom is bound by a data processing agreement:

Supabase, Inc.Privacy policy →
Role: Database and authentication
Location: United States (with EU Standard Contractual Clauses)
Data shared: Your email, hashed password, subscription data, preferences, and email logs.
Lemon Squeezy (LLC)Privacy policy →
Role: Subscription billing and payment processing
Location: United States
Data shared: Your name, email, and subscription details. Payment card details are handled directly by Lemon Squeezy and are not passed to us.
Brevo (Sendinblue SAS)Privacy policy →
Role: Transactional email delivery
Location: France (EU)
Data shared: Your email address and the content of digest emails sent to you.
Anthropic, PBCPrivacy policy →
Role: AI deal scoring via the Claude API
Location: United States
Data shared: Property listing data (address, price, description) scraped from Rightmove. We do not send your personal data (email, name) to Anthropic.

5. International transfers

Some of our sub-processors (Supabase, Lemon Squeezy, Anthropic) are based in the United States. Where we transfer your personal data outside the UK, we ensure appropriate safeguards are in place, including:

  • UK International Data Transfer Agreements (IDTAs), or
  • EU Standard Contractual Clauses (SCCs) which have been adopted for UK use, or
  • Adequacy decisions issued by the UK Secretary of State.

6. How long we keep your data

Data typeRetention periodReason
Account dataUntil you delete your account, then 30 daysTo fulfil the contract and allow for account recovery.
Subscription records7 years after cancellationUK legal requirement for financial records.
Search preferencesUntil you delete them or close your accountNeeded to operate the service.
Email logs2 yearsTo prevent duplicate sends and for service quality.
Server logs30 daysSecurity monitoring.

7. Your rights under UK GDPR

You have the following rights regarding your personal data:

Right of access: Request a copy of all personal data we hold about you (Subject Access Request).
Right to rectification: Ask us to correct inaccurate data.
Right to erasure: Ask us to delete your personal data ("right to be forgotten"). We will comply unless we have a legal obligation to retain it (e.g. financial records).
Right to restrict processing: Ask us to pause processing your data in certain circumstances.
Right to data portability: Receive your data in a structured, machine-readable format.
Right to object: Object to processing based on legitimate interests.
Right to withdraw consent: Where we rely on consent (currently we do not for our core processing), withdraw it at any time.

To exercise any of these rights, email us at privacy@btldeals.co.uk. We will respond within 30 days. We may need to verify your identity before fulfilling the request.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data has been handled unlawfully. ICO helpline: 0303 123 1113.

8. Security

We take appropriate technical and organisational measures to protect your personal data, including:

  • HTTPS encryption for all data in transit.
  • Row-level security (RLS) on our Supabase database — users can only access their own data.
  • Passwords are hashed using bcrypt via Supabase Auth; we never see plain-text passwords.
  • Service-role database credentials are never exposed to the browser.
  • Admin panel is protected by a separate secret not linked to user accounts.

No system is completely secure. If you believe your account has been compromised, contact us immediately at privacy@btldeals.co.uk.

9. Children

BTLDeals is not intended for anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has created an account, please contact us and we will delete it promptly.

10. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify you by email and update the "Last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact us

For any privacy-related queries, subject access requests, or complaints:

BTLDeals
Email: privacy@btldeals.co.uk
Website: btldeals.co.uk
Governing law: England and Wales