Plain English

The privacy bit

Last updated: March 2026

At Dwellio, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

Dwellio is the data controller responsible for your personal data. If you have any questions about how we handle your data, you can contact us at [email protected].

2. Information We Collect

We collect the following types of information:

  • Account information: Email address and password (hashed) when you register, or your name and email via Google OAuth if you choose to sign in with Google.
  • Search preferences: Location, price range, number of bedrooms, and property type preferences you set for property alerts.
  • Subscription data: Your subscription plan and billing status (managed by Stripe — we do not store payment card details).
  • Usage data: Pages visited, features used, and interaction patterns to help us improve the Service.
  • Device tokens: If you opt in to push notifications, we store your device token to deliver alerts.

Third-party property data: Dwellio collects publicly available property listing data from leading UK property portals using automated means on your behalf. We do not store any personal data belonging to third parties obtained in this way — only property details (price, location, listing URL) needed to match your search preferences.

3. How and Why We Use Your Information

We process your personal data on the following lawful bases:

  • Contract performance: To provide the Dwellio service — sending property alerts matching your preferences, managing your account and subscription.
  • Legitimate interest: To improve and maintain the Service, analyse usage patterns, and prevent abuse.
  • Consent: To send you optional marketing or engagement emails. You can withdraw consent at any time via your email preferences.
  • Legal obligation: To comply with applicable laws and regulations.

We do not sell your personal data to third parties.

4. Third-Party Services

We use the following third-party services to operate Dwellio:

  • Stripe — payment processing. Stripe handles all payment card data directly; we never see or store your card details. See Stripe's Privacy Policy.
  • Postmark — transactional email delivery (alerts, account emails).
  • Google — OAuth sign-in (if you choose this method) and location autocomplete. We receive your name and email from Google; we do not access any other Google account data.
  • Expo — push notification delivery for mobile app users.
  • PostHog — product analytics (page views and feature usage) to help us improve the Service. Loaded only after you accept analytics in our cookie banner. See PostHog's Privacy Policy.

5. Cookies and Similar Technologies

Strictly necessary — always on, no consent required:

  • Authentication cookie: A secure, httpOnly cookie containing your session token. Keeps you signed in and expires when you log out or after a set period.

Analytics — only loaded if you opt in via our cookie banner:

  • PostHog: stores a pseudonymous identifier and event data in your browser's localStorage to record page views and feature usage. No data is collected until you accept.

You can change your choice at any time using the Cookie preferences link in the footer. We do not use advertising cookies, third-party tracking pixels, or cross-site behavioural advertising.

6. Data Retention

We retain your personal data for as long as your account is active. If you delete your account:

  • Your account information, search preferences, and matched listings are deleted.
  • Anonymised usage data may be retained for analytics purposes.
  • We may retain certain data where required by law (e.g., payment records for tax purposes).

Inactive accounts with no active subscription may be deleted after 12 months of inactivity, with prior notice sent to your registered email.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Passwords are hashed using industry-standard algorithms (never stored in plain text).
  • All data is transmitted over HTTPS.
  • Authentication tokens are stored in secure, httpOnly cookies to prevent cross-site scripting attacks.
  • Access to production systems is restricted and secured.

8. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data (account deletion).
  • Restriction: Request that we restrict processing of your data in certain circumstances.
  • Data portability: Request your data in a structured, commonly used format.
  • Objection: Object to processing based on legitimate interest.
  • Withdraw consent: Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within one month.

9. Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

For any privacy-related queries, contact us at [email protected].