← Back to XchangeHero

Privacy Policy

Last updated: 28 March 2026

1. Who we are

XchangeHero Ltd ("XchangeHero", "we", "us", "our") is a company registered in England and Wales. Our registered office is at 5 Brayford Square, London, E1 0SG, United Kingdom.

We are the data controller for the personal data described in this policy. If you have questions about how we handle your data, contact us at [email protected].

2. What data we collect

We collect the following categories of personal data:

  • Account data: your name, email address, and the name of your agency when you register.
  • Usage data: how you interact with the platform — pages visited, features used, timestamps.
  • Contact and property data: the data you enter into XchangeHero about your clients, buyers, vendors, and properties. This data belongs to you — we process it on your behalf.
  • Communications data: emails you forward or connect to the AI Inbox Agent for parsing.
  • Payment data: billing information processed by Stripe. We do not store card details — Stripe handles this directly and is PCI-DSS certified.
  • Technical data: IP address, browser type, device type, and session cookies used to authenticate your account.

3. How we use your data

We use your data to:

  • Provide and operate the XchangeHero platform under your subscription agreement.
  • Send you service-related communications (account notifications, billing receipts, product updates).
  • Investigate and resolve support queries.
  • Improve the platform through aggregate, anonymised usage analysis.
  • Meet our legal obligations.

We do not sell your data to third parties. We do not use your data for advertising.

4. Legal basis for processing

Under UK GDPR, we rely on the following legal bases:

  • Contract: processing necessary to deliver the service you have subscribed to.
  • Legitimate interests: improving the platform, preventing fraud, and ensuring security — where these interests are not overridden by your rights.
  • Legal obligation: where we are required to retain or disclose data by law.
  • Consent: for optional marketing emails. You can withdraw consent at any time.

5. Who we share data with

We share your data only with trusted sub-processors necessary to run the service:

  • Supabase Inc — database and authentication hosting (EU region).
  • Vercel Inc — application hosting and delivery.
  • Stripe Inc — payment processing.
  • Resend Inc — transactional email delivery.
  • Amazon Web Services (AWS) — encrypted backup storage (eu-west-2, London).

All sub-processors are contractually bound to protect your data and process it only on our instructions.

6. International transfers

Some of our sub-processors are headquartered in the United States. Where data is transferred outside the UK, we ensure appropriate safeguards are in place — either through UK adequacy decisions or Standard Contractual Clauses (SCCs) approved under UK GDPR.

7. How long we keep your data

  • Active account data is kept for as long as your subscription is active.
  • On cancellation or account closure, your data is retained for 90 days to allow recovery, then permanently deleted.
  • Billing records are kept for 7 years to meet UK financial and tax obligations.
  • Backup copies are held for up to 90 days before automatic deletion.

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Erase your data ("right to be forgotten") where there is no lawful reason to retain it.
  • Restrict processing in certain circumstances.
  • Port your data to another service in a machine-readable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority.

9. Security

We take security seriously. Data is encrypted in transit (TLS 1.2+) and at rest. Database backups are AES-256 encrypted and stored with tamper-proof Object Lock. Access to production systems is restricted to authorised personnel only. We conduct regular security reviews.

10. Cookies

We use cookies to keep you signed in and to maintain your session. See our Cookie Policy for full details.

11. Changes to this policy

We may update this policy from time to time. When we do, we will update the "last updated" date at the top of this page and, where changes are material, notify you by email.

12. Contact

For any privacy-related questions or requests:
XchangeHero Ltd
5 Brayford Square, London, E1 0SG, United Kingdom
[email protected]