ReAerate

Privacy Policy

Last updated: 6 February 2026

1. Introduction

ReAerate (“we”, “us”, or “our”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the ReAerate platform (“Service”).

This policy is written in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR, Regulation 2016/679). Where we refer to “GDPR” in this policy, we mean both the UK GDPR and EU GDPR as applicable.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, you should not use the Service.

2. Data Controller

ReAerate is the data controller responsible for your personal data under applicable data protection laws. This means we determine the purposes and means of processing your personal data.

If you have questions about this policy, wish to exercise your data rights, or have any concerns about how your data is processed, contact us at:

Data Protection Contact

Email: privacy@reaerate.com

General enquiries: support@reaerate.com

3. What Data We Collect

We collect and process the following categories of personal data. We adhere to the principle of data minimisation and only collect data that is necessary for the purposes described in this policy.

3.1 Account Information

  • Full name
  • Email address
  • Password (stored only as a cryptographically hashed value — we never store your plaintext password)
  • Account preferences and settings

3.2 Inventory & Business Data

  • Inventory item details (names, descriptions, conditions, costs, selling prices, barcodes, status)
  • Purchase and sale records
  • Expense records and categories
  • Profit calculations and financial summaries
  • Platform and marketplace information (e.g. eBay, Amazon, Vinted listing details)
  • Supplier information
  • Business goals and targets

3.3 Images & Files

  • Product images and any other files you upload to the Service
  • File metadata (file name, size, upload date, file type)

3.4 Activity & Usage Data

  • Activity logs (actions performed within the Service, such as creating, editing, or deleting items)
  • Item history and status changes
  • Timestamps of actions performed

3.5 Technical Data

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and time spent on the Service
  • Referring URL
  • Approximate geographic location (derived from IP address)

3.6 Team & Workspace Data

  • Team name and workspace settings
  • Team membership and roles (owner, member)
  • Invitation records (email addresses of invited team members)

3.7 Payment Data (Future)

When paid plans are introduced, payment processing will be handled exclusively by Stripe as an independent data controller. We will store only a Stripe customer ID and subscription status. We will never store your full card number, CVV, or other sensitive payment details. Stripe’s privacy policy governs how they handle your payment information.

4. Legal Basis for Processing

Under the GDPR, we must have a valid legal basis for processing your personal data. The table below sets out the legal basis we rely on for each processing activity:

Processing ActivityLegal Basis
Account creation and managementContract performance (Art. 6(1)(b))
Storing and processing your inventory, expenses, and business dataContract performance (Art. 6(1)(b))
Generating reports and analytics for your businessContract performance (Art. 6(1)(b))
Service announcements, security alerts, and support communicationsContract performance (Art. 6(1)(b)) / Legitimate interests (Art. 6(1)(f))
Maintaining security, preventing fraud, and rate limitingLegitimate interests (Art. 6(1)(f))
Analytics to understand usage patterns and improve the ServiceLegitimate interests (Art. 6(1)(f)) / Consent (Art. 6(1)(a))
Non-essential (analytics) cookiesConsent (Art. 6(1)(a))
Marketing communications (if any)Consent (Art. 6(1)(a))
Responding to lawful requests from authoritiesLegal obligation (Art. 6(1)(c))
Processing payment data (future, via Stripe)Contract performance (Art. 6(1)(b))

Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us at privacy@reaerate.com.

5. How We Use Your Data

We use your personal data to:

  • Provide, operate, and maintain the Service
  • Create and manage your account and team workspaces
  • Process, store, and display your inventory and business data
  • Generate reports, analytics, and summaries for your business
  • Communicate service updates, security alerts, and support messages
  • Improve, develop, and optimise the Service
  • Detect, prevent, and address technical issues, fraud, or abuse
  • Process payments (when paid plans are introduced)
  • Comply with legal obligations

We will never sell your personal data to third parties. We do not use your data for profiling or automated decision-making that produces legal or similarly significant effects.

6. Data Sharing & Sub-Processors

We only share your personal data with third parties where strictly necessary to provide the Service. All third-party processors are bound by data processing agreements (DPAs) that require them to handle your data in compliance with GDPR.

Sub-ProcessorPurposeData Location
VercelApplication hosting, serverless functions, and edge networkUS / EU (edge network)
Vercel BlobCloud storage for uploaded images and filesUS
Vercel AnalyticsPrivacy-friendly, aggregated usage analyticsUS
PostgreSQL (Neon / hosted)Primary database for all account, inventory, and business dataUS / EU
Upstash (Redis)Rate limiting and abuse prevention (stores IP-based rate limit counters)US / EU
Stripe (future)Payment processing (acts as independent data controller for payment data)US / EU

We may also disclose your data if required to do so by law, court order, or regulatory request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

7. Team Workspaces & Data Sharing Between Users

When you create or join a team workspace, certain data is shared with other workspace members:

  • Your name and email address are visible to other members of the same workspace
  • All inventory items, expenses, categories, suppliers, and reports within a workspace are shared with all members of that workspace
  • Activity logs within a workspace may be visible to other workspace members

Workspace owners are responsible for ensuring they have appropriate authority and consent to invite members and share workspace data. If you are invited to a workspace, your acceptance constitutes consent to sharing your data within that workspace context.

8. International Data Transfers

Some of our sub-processors process data outside the UK and the European Economic Area (EEA), primarily in the United States. Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place as required by GDPR, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK Information Commissioner’s Office (ICO)
  • Adequacy decisions where the destination country has been deemed to provide adequate data protection
  • Data processing agreements that contractually require equivalent levels of data protection
  • EU-US Data Privacy Framework certification where applicable

You may request a copy of the safeguards we have in place by contacting us at privacy@reaerate.com.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, in accordance with the principle of storage limitation. Our retention periods are as follows:

  • Account data: Retained while your account is active. Upon account deletion, data is retained for up to 30 days to allow recovery, after which it is permanently and irreversibly deleted.
  • Inventory, business, and financial data: Retained while your account is active. Permanently deleted within 30 days of account closure.
  • Uploaded images and files: Deleted within 30 days of account closure or upon individual deletion by the user.
  • Activity logs: Retained while your account is active for accountability and audit purposes. Deleted within 30 days of account closure.
  • Technical and security logs: Retained for up to 90 days for security monitoring and debugging, then automatically purged.
  • Rate limiting data: Temporary data retained for short durations (typically minutes to hours) and automatically expires.
  • Payment records (future): Retained as required by applicable financial and tax regulations (typically up to 7 years in the UK).

When data is deleted, it is removed from active systems. Residual copies in encrypted backups may persist for a limited period in accordance with our backup retention schedule, but these are not actively accessible and are overwritten in due course.

10. Your Rights Under GDPR

Under the UK GDPR and EU GDPR, you have the following rights regarding your personal data. These rights are not absolute and may be subject to certain conditions and exceptions as provided by law:

  • Right of access (Article 15): You can request a copy of the personal data we hold about you. You can do this directly through your Privacy & Data settings or by contacting us.
  • Right to rectification (Article 16): You can request correction of inaccurate or incomplete data. You can update most data directly in your account settings.
  • Right to erasure (Article 17): You can request deletion of your personal data (“right to be forgotten”). You can delete your account through your Privacy & Data settings.
  • Right to restrict processing (Article 18): You can request that we limit how we use your data in certain circumstances, such as when you contest the accuracy of your data.
  • Right to data portability (Article 20): You can request your data in a structured, commonly used, machine-readable format (JSON). This is available through your Privacy & Data settings.
  • Right to object (Article 21): You can object to processing based on legitimate interests or for direct marketing purposes. Where you object, we will stop processing unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Article 7(3)): Where we process data based on your consent (e.g. analytics cookies), you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Rights related to automated decision-making (Article 22): We do not currently use automated decision-making or profiling that produces legal or similarly significant effects on you.

How to Exercise Your Rights

Many rights can be exercised directly through the Service via your Privacy & Data settings (data export and account deletion). For all other requests, contact us at privacy@reaerate.com.

We will respond to your request within one calendar month of receiving it, as required by law. In complex cases or where we receive a high volume of requests, this may be extended by a further two months, in which case we will inform you of the extension and the reasons within the first month.

We will not charge a fee for exercising your rights unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

11. Cookies & Similar Technologies

We use the following types of cookies and similar technologies:

Cookie TypePurposeConsent Required
Essential / Strictly NecessaryAuthentication session tokens, cookie consent preferences, security tokens. Required for the Service to function.No
AnalyticsPrivacy-friendly usage analytics (via Vercel Analytics) to understand how the Service is used and to improve it. Data is aggregated and does not personally identify you.Yes

You can manage your cookie preferences at any time through:

  • The cookie consent banner displayed when you first visit the Service
  • Your browser settings (to block or delete cookies)

We do not use third-party advertising cookies or tracking pixels. We do not participate in cross-site tracking or behavioural advertising.

Local Storage: We use browser local storage to persist your cookie consent preference. This data is stored locally on your device and is not transmitted to our servers.

12. Data Security

We implement appropriate technical and organisational measures to protect your personal data in accordance with GDPR Article 32, including:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS
  • Encrypted database storage: Data at rest is encrypted using industry-standard encryption
  • Secure password hashing: Passwords are hashed using bcrypt with appropriate salt rounds
  • Access controls: Role-based access controls and authentication mechanisms
  • Rate limiting: Automated abuse prevention to protect against brute-force attacks
  • Security headers: HTTP security headers including X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, and strict Referrer-Policy
  • Regular security reviews: Ongoing assessment of security measures and practices
  • Principle of least privilege: Access to personal data is restricted to those who need it

While we take all reasonable precautions, no system is completely secure. We cannot guarantee absolute security of your data.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (the ICO for UK users, and the relevant EU Data Protection Authority for EU users) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
  • Document all breaches, including their effects and the remedial actions taken, regardless of whether notification is required

14. Data Protection Impact Assessments

Where any new processing activity is likely to result in a high risk to the rights and freedoms of individuals, we will conduct a Data Protection Impact Assessment (DPIA) in accordance with GDPR Article 35 before commencing that processing. This ensures we identify and minimise data protection risks.

15. Children’s Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a person under 18, we will take immediate steps to delete that data and close the associated account. If you believe a child has provided us with personal data, please contact us at privacy@reaerate.com.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by email or through a prominent notice on the Service at least 14 days before the changes take effect.

We encourage you to review this policy periodically. The “Last updated” date at the top of this page indicates when this policy was last revised. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

17. Complaints & Supervisory Authorities

If you are unhappy with how we handle your personal data, we would appreciate the opportunity to address your concerns first. Please contact us at privacy@reaerate.com.

You also have the right to lodge a complaint with your relevant data protection supervisory authority:

UK Users

  • Information Commissioner’s Office (ICO)
  • Website: ico.org.uk
  • Telephone: 0303 123 1113

EU Users

If you are located in the European Union, you have the right to lodge a complaint with the data protection authority in your country of residence, place of work, or the place of the alleged infringement. A list of EU data protection authorities can be found on the European Data Protection Board (EDPB) website.

18. Contact Us

For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data, please contact us:

Privacy & Data Protection: privacy@reaerate.com

General Support: support@reaerate.com

Summary of Your Rights

Under UK and EU GDPR, you can at any time:

Access your personal data
Correct inaccurate data
Request deletion of your data
Restrict processing of your data
Export your data (portability)
Object to data processing
Withdraw consent at any time
Lodge a complaint with the ICO or your EU DPA

Many of these rights can be exercised directly through your Privacy & Data settings in the dashboard.

Important Notice

This Privacy Policy is provided to fulfil our transparency obligations under GDPR and does not constitute legal advice. ReAerate is an inventory management tool, not a legal or advisory service. The information, calculations, reports, and figures generated by the Service are for informational purposes only. You should consult a qualified professional for specific legal, tax, or financial questions.

This privacy policy should be read alongside our Terms & Conditions.