Privacy Policy
Plotfolio helps you track real-estate investments from land purchase to commissioning. We know that property and financial records are sensitive, and we treat them that way. This policy explains what we collect, why, how we protect it, and the choices and rights you have.
1. Who we are
Plotfolio (“Plotfolio”, “we”, “us”, or “our”) is the service operated by [Legal Entity Name], a company registered in [Jurisdiction] at [Registered Address]. For the purposes of applicable data-protection law, Plotfolio is the data controller of the personal data described in this policy. If you have questions, contact us at [email protected].
2. Scope
This policy applies to the Plotfolio website, web application, and related services (together, the “Service”). It does not apply to third-party websites or services that we do not control, even where we link to them. Your use of the Service is also governed by our Terms of Use.
3. Information we collect
3.1 Information you provide
- Account information — your name, email address, and authentication credentials (a password, passkey, and/or two-factor authentication settings).
- Property and financial records — the information you enter about your properties: payment plans, instalments, build phases, costs, currencies, dates, and notes.
- Documents you upload — receipts, contracts, and other evidence you choose to attach to a property. These are encrypted (see “How we protect your information”).
- Team and account membership — invitations you send or accept, and the role assigned to each member of a shared account.
- Communications — messages you send us (for example, support requests) and your contact preferences.
3.2 Information we collect automatically
- Usage data — pages and features you interact with, and aggregate, privacy-respecting product analytics used to understand and improve the Service.
- Device and log data — IP address, browser type, device identifiers, timestamps, and diagnostic logs needed to operate the Service securely and to detect and prevent abuse.
- Cookies and similar technologies — see “Cookies” below.
3.3 Information from third parties
- Single sign-on — if you sign in with Google, we receive your name, email address, and a unique identifier from that provider, in line with the permissions you grant.
4. How we use your information
- To provide, maintain, and secure the Service and your account.
- To store and display the property and financial records you choose to track.
- To authenticate you, prevent fraud and abuse, and protect the integrity of the Service.
- To send you service and transactional messages (for example, sign-in links, security alerts, and payment-due reminders you have enabled).
- To respond to your requests and provide support.
- To understand usage and improve the Service, using aggregated or de-identified data wherever possible.
- To comply with legal obligations and enforce our terms.
We do not sell your personal data, and we do not use the property or financial records you store for advertising.
5. Legal bases for processing
Where the GDPR or similar laws apply, we rely on the following legal bases: (a) performance of a contract — to provide the Service you sign up for; (b) legitimate interests — to secure, maintain, and improve the Service, provided these do not override your rights; (c) consent — where you opt in, for example to certain communications; and (d) legal obligation — where processing is required by law.
6. Cookies and similar technologies
We use a small number of cookies and similar technologies that are strictly necessary to run the Service — primarily to keep you signed in and to protect against cross-site request forgery. We may also use privacy-respecting analytics to measure usage in aggregate. You can control cookies through your browser settings; disabling strictly necessary cookies may prevent you from signing in.
7. How we share information
We share personal data only as described here:
- Service providers (sub-processors) — vendors that process data on our behalf and under contract, such as cloud hosting, encrypted object storage, and email delivery. See the table below.
- Members of your account — records are visible to the people you invite to a shared account, according to their role.
- Legal and safety — where required by law, regulation, legal process, or to protect the rights, property, or safety of Plotfolio, our users, or the public.
- Business transfers — in connection with a merger, acquisition, or sale of assets, subject to this policy.
8. Sub-processors
We rely on a limited set of trusted providers to operate the Service. Each is bound by contractual data-protection obligations.
| Provider | Purpose | Data categories |
|---|---|---|
| Cloud hosting (Microsoft Azure) | Application hosting and database | All Service data |
| Object storage (Wasabi) | Encrypted document storage | Uploaded documents (encrypted) |
| Email delivery (Amazon SES) | Transactional email (sign-in links, reminders) | Email address, message content |
| | Optional single sign-on | Name, email, account identifier |
We maintain a current list of sub-processors and will update it as our providers change. To request the latest list, contact [email protected].
9. International data transfers
Plotfolio serves a global, diaspora community, so your information may be processed in countries other than the one in which you live. Where we transfer personal data across borders, we use appropriate safeguards required by applicable law, such as standard contractual clauses, to protect your information.
10. How we protect your information
- Encryption in transit — traffic to and from the Service is encrypted using TLS.
- Encryption at rest — uploaded documents are protected with envelope encryption, using a separate key per account, and stored in encrypted object storage.
- Authentication — we support strong sign-in options including passkeys and two-factor authentication.
- Access controls and isolation — each account’s data is logically isolated, and internal access is limited to what is needed to operate the Service.
No method of transmission or storage is completely secure, so we cannot guarantee absolute security. Please use a strong, unique password and keep your credentials confidential.
11. Data retention
We retain your information for as long as your account is active or as needed to provide the Service. If you delete content or close your account, we delete or de-identify the associated personal data within a reasonable period, except where we are required to retain it to comply with legal obligations, resolve disputes, or enforce our agreements. Backups are cycled out on a rolling schedule.
12. Your rights and choices
Depending on where you live, you may have the right to access, correct, delete, or receive a copy of your personal data; to object to or restrict certain processing; and to withdraw consent. You can update much of your information directly in your account settings. To exercise any right, contact [email protected]; we will respond as required by applicable law. You also have the right to complain to your local data-protection authority.
13. Children’s privacy
The Service is not directed to children, and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, contact us and we will take appropriate steps to delete it.
14. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you through the Service or by email. Your continued use of the Service after an update means you accept the revised policy.
15. Contact us
Questions or requests about this policy or your personal data? Email [email protected] or write to [Legal Entity Name], [Registered Address].