1. Who we are
Moveazy ("we", "us", "our") is a property-rental platform that connects renters ("hunters") with landlords and estate agents ("providers") in the United Kingdom. We operate the Moveazy mobile application and the website at moveazy.app.
For the purposes of UK GDPR and the Data Protection Act 2018, Moveazy is the data controller for the personal data described in this policy. If you have questions about how we handle your data, see section 13.
2. What we collect
We only collect what we need to provide the service. The exact data depends on whether you're a hunter or a provider.
Account data (everyone)
- Email address
- Full name
- Hashed password (we never store the original — Supabase Auth hashes it before it touches our database)
- Account type (hunter / landlord / agency)
- Account creation date
Profile data — hunters
- Profile photo (optional)
- Phone number (optional)
- Short bio
- Employment status (e.g. employed, self-employed, student)
- Annual income range (banded — we never see exact figures)
- Document uploads you choose to share with prospective landlords (ID, proof of employment, references)
Profile data — providers (landlords / estate agents)
- Profile photo (optional)
- Phone number
- Business name (for agencies)
- Verification documents (uploaded to prove you're entitled to list properties — only the admin team can view these)
- Listed properties: address, price, photos, description, availability
Communication & activity data
- Messages you send and receive within the app
- Rental applications you submit
- Property viewings you book or host
- Properties you save for later
Technical data we collect automatically
- Device type and operating system (e.g. iPhone 15 Pro, iOS 18.2)
- App version
- Crash reports and error logs (via Sentry — see section 5)
- IP address (only retained for rate-limiting and security; not linked to your account)
What we do not collect: we do not track your location in the background. We do not use advertising IDs (IDFA / Google AAID). We do not buy or sell personal data. We do not use third-party analytics that profile users across apps.
3. How we use your data
Under UK GDPR, every use of your personal data has a "lawful basis." Here's a plain-English summary:
| What we do | Lawful basis |
|---|---|
| Create your account and authenticate you | Contract — necessary to provide the service you signed up for |
| Show your profile and listings to other users in matching contexts | Contract — that's the core feature you signed up for |
| Send transactional emails (verification, password reset, booking confirmations) | Contract |
| Verify landlord / agent accounts before allowing listings | Legal obligation (anti-fraud, tenant protection) + legitimate interest |
| Log audit events and crash reports for debugging | Legitimate interest — keeping the app stable and secure |
| Apply rate limits and abuse detection (using your IP) | Legitimate interest — protecting the service from abuse |
| Respond to legal requests from law enforcement | Legal obligation |
5. Third-party processors
These are the only third parties that ever see your personal data:
| Service | What it does | Where it stores data |
|---|---|---|
| Supabase | Database, authentication, file storage, real-time messaging | EU (Frankfurt, AWS) |
| Resend | Sends transactional emails (verification, password reset) | EU + US |
| Sentry | Crash reports and error monitoring (stripped of headers / cookies) | EU (Frankfurt) |
| Upstash | Rate-limiting counters (your IP only, expires within minutes) | EU (Ireland) |
| Apple / Google | App distribution and push notifications | Global |
| Mapbox | Property location maps (your interaction is not linked to your account) | US |
Each processor has been chosen for their privacy posture and EU data residency where possible. We have data processing agreements (DPAs) in place with all of them.
6. How long we keep data
- Active accounts
- For as long as you keep your account open.
- Deleted accounts
- If you delete your account, we mark it for deletion immediately. We permanently erase your data after a 30-day grace period (in case you change your mind and want to recover the account). After 30 days the data is unrecoverable.
- Messages
- Retained for as long as both parties keep their accounts. If you delete your account, your messages are removed from the counterparty's view.
- Verification documents (landlords/agents)
- Retained for the duration of the account, then deleted with the rest of the account data.
- Audit logs and crash reports
- Audit logs are kept for 90 days. Sentry crash reports follow Sentry's default retention (90 days on the plan we use).
- Rate-limiting counters
- IP-based counters expire within 1 hour. We never link them to user accounts.
- Email delivery logs (Resend)
- Retained by Resend per their own retention policy (typically 30 days).
7. Security
We take security seriously and apply industry-standard controls:
- Encryption in transit: all traffic uses TLS 1.2+.
- Encryption at rest: all stored data is encrypted on Supabase's infrastructure.
- Row-level security (RLS): every database table is locked down so users can only access their own data — enforced at the database, not just the app.
- Secure session storage: auth tokens live in the iOS Keychain / Android Keystore — never in plain text.
- Password requirements: minimum 12 characters; rejected against the HaveIBeenPwned breach corpus.
- Rate limiting: authentication and email endpoints are rate-limited per IP and per email to prevent abuse.
- Crash reports stripped: we strip authorisation headers and cookies from breadcrumbs before they reach Sentry.
Despite all this, no system is ever 100% secure. If we ever discover a breach that puts your data at risk, we'll notify you and the Information Commissioner's Office (ICO) within 72 hours as the law requires.
8. Your rights
Under UK GDPR you have the following rights. You can exercise any of them by emailing privacy@moveazy.app:
- Right to access
- Request a copy of the personal data we hold about you.
- Right to rectification
- Have inaccurate data corrected. You can edit most of your profile from inside the app directly.
- Right to erasure ("right to be forgotten")
- Have your data deleted. The fastest way is to delete your account from Settings → Account → Delete account inside the app.
- Right to data portability
- Receive a machine-readable copy of your data (JSON) to take elsewhere.
- Right to restrict processing
- Ask us to pause certain uses of your data while a dispute is resolved.
- Right to object
- Object to processing based on legitimate interests (we'll stop unless we can show a compelling overriding reason).
- Right to withdraw consent
- Where we rely on consent (e.g. optional profile fields), you can withdraw it at any time.
- Right to complain
- You can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint/. We'd prefer you contact us first so we can try to resolve any concern directly.
We'll respond to any rights request within one month, free of charge.
9. Tracking & cookies
In the mobile app
We do not use cookies inside the app. We do not use Apple's
IDFA, Google's Advertising ID, or any third-party advertising tracker.
Our iOS privacy manifest declares
NSPrivacyTracking: false.
On the website (moveazy.app)
Our marketing website uses only strictly-necessary cookies (e.g. remembering you've dismissed the cookie banner). We do not use Google Analytics, Facebook Pixel, or similar trackers.
10. Children's privacy
Moveazy is intended for adults aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, please email privacy@moveazy.app and we'll delete the account immediately.
11. International data transfers
We aim to keep your data in the European Economic Area (EEA) wherever possible. Supabase, Sentry, and Upstash all process your data in EU regions (Frankfurt or Ireland). Resend delivers some emails via US infrastructure, and Apple / Google distribute the app globally.
When data is transferred outside the UK / EEA, we rely on the UK International Data Transfer Agreement or the EU Standard Contractual Clauses, whichever is appropriate, to ensure your data is protected to the same standard.
12. Changes to this policy
We may update this policy from time to time — for example, when we add a new feature or change a provider. If we make material changes, we'll notify you by email and within the app at least 14 days before the changes take effect.
The current version is dated at the top of this page.
13. Contact us
If you have questions about this policy, your data, or want to exercise any of your rights:
- Email: privacy@moveazy.app
- General support: info@moveazy.app
- Website: moveazy.app
Postal address and registered company details: add once registered.