InvestmentHealthChecks.com

Privacy Policy

We are committed to protecting your privacy and ensuring you have a positive experience on our platform.

Last updated: December 2, 2025

Introduction

Investment Health Checks ('we', 'us', 'our', or 'Company') is the data controller responsible for your personal data. This Privacy Policy explains our practices regarding the collection, use, and disclosure of information when you visit our website, use our services, or interact with us in any other way.

This Privacy Policy applies to all visitors and users of our website and services, whether or not you have created an account or made a payment.

Information We Collect

We collect information in several ways:

• Account Information: When you create an account, we collect your full name and email address.

• Submission Data: Investment details, holdings information, account statements, and supporting documents you voluntarily provide for analysis.

• Payment Information: Payment method details are processed securely through Stripe and are not stored directly on our servers.

• Usage Data: Information about how you interact with our website, including IP address, browser type, pages visited, and timestamps.

• Cookies: We use cookies and similar technologies to enhance your experience and track usage patterns.

How We Use Your Information

We use your information for the following purposes:

• Providing Services: To deliver investment health checks, generate reports, and process submissions.

• Communication: To send confirmation emails, service updates, and respond to your inquiries.

• Payment Processing: To process transactions and manage billing.

• Improvement: To analyse usage patterns and improve our platform and services.

• Security: To prevent fraud, detect abuse, and ensure compliance with our terms.

• Legal Compliance: To comply with applicable laws and regulations.

How We Store and Protect Your Data

Your data is stored securely using industry-standard encryption and security practices. Our system uses Supabase (ISO 27001-certified) for database and authentication, and AWS S3 for highly durable and secure file storage.

We implement multiple layers of protection, including:

• Encrypted storage for all uploaded files on AWS S3 using secure, access-controlled buckets.

• Presigned URLs, so that files can only be uploaded or downloaded through time-limited links that are tied to a single object and a single operation.

• Role-based access controls restricting file access to the account owner and to authorised administrators; administrative access to user data is limited to named personnel under strict access controls.

• Encryption in transit for all data exchanged between your browser, our platform, and our service providers.

• Regular security audits and vulnerability assessments.

While we take security seriously, no system is completely immune to attacks. We will notify you promptly of any data breaches affecting your information.

How Long We Keep Your Data

We retain your personal data for as long as necessary to provide our services and comply with legal obligations:

• Account Information: Retained while your account is active and for 3 years after deletion for legal and accounting purposes.

• Submission Data: Retained for 7 years from the date of submission to comply with UK financial regulations.

• Payment Information: Not retained on our servers; only transaction records are kept for tax compliance.

• Usage Data: Retained for 12 months for analytics and security purposes.

You may request deletion of your data at any time, subject to legal retention requirements. When deletion is requested, personal data that is not subject to mandatory retention laws will be deleted within 30 days.

Disclosure of Your Information

We do not sell or rent your personal information to third parties. However, we may disclose your information in the following circumstances:

• Service Providers: We share information with trusted service providers (e.g., Stripe for payments, Resend for emails) who assist in delivering our services.

• Legal Requirements: We may disclose information if required by law or to protect our legal rights.

• Business Transfers: If Investment Health Checks is acquired or merged, your information may be transferred as part of that transaction.

• Your Consent: We will disclose information with your explicit permission.

Your Rights (UK & EU GDPR)

Under UK and EU GDPR, you have the following rights regarding your personal data:

• Right to Access: You can request a copy of your personal information.

• Right to Rectification: You can request correction of inaccurate or incomplete data.

• Right to Erasure: You can request deletion of your data (subject to legal retention requirements).

• Right to Restrict Processing: You can request limitation of how your data is processed.

• Right to Data Portability: You can request your data in a structured, machine-readable format.

• Right to Object: You can object to certain types of processing, including marketing.

To exercise these rights, contact us at support@investmenthealthchecks.com with your request. You have the right to lodge a complaint with the ICO or your local data protection authority.

Cookies & Tracking Technologies

We use cookies and similar technologies to operate our platform, enhance your experience, and understand how our website is used. Cookies are small text files stored on your device that help us recognise your browser and remember certain information. Types of cookies we use:

• Essential Cookies: Required for core functionality such as authentication, login sessions, secure access to your account, and page navigation. These cookies cannot be opted out of, as the platform would not function correctly without them.

• Performance Cookies: Used to collect anonymous data about how visitors use our website (for example, page routes, load times, and error logs). This helps us monitor system health and improve the platform's reliability and performance.

We only use non-essential cookies where we have a lawful basis to do so, including your consent where required. You can manage or delete cookies at any time through your browser settings. Please note that blocking essential cookies in your browser will prevent parts of the platform from functioning properly.

Third-Party Services

Our platform integrates with the following third-party services:

• Supabase: Database hosting, authentication, and user management. See Supabase's Privacy Policy for details.

• AWS S3: Encrypted file storage for documents you upload. See Amazon Web Services' Privacy Policy for details.

• Stripe: Secure payment processing. See Stripe's Privacy Policy for details.

• Resend: Transactional email delivery for notifications and confirmations. See Resend's Privacy Policy for details.

Our service providers are contractually prohibited from using your personal data for their own marketing or unrelated purposes. These services operate independently under their own privacy policies. We recommend reviewing their terms before using our platform.

Supabase Authentication & Data Handling

Investment Health Checks uses Supabase for authentication and data storage. Supabase handles your authentication securely and encrypts data in transit and at rest.

Your login credentials are managed by Supabase and are protected by industry-standard security practices. We do not have direct access to your password.

Supabase complies with GDPR and other international data protection regulations. For more information about Supabase's data handling practices, visit supabase.com/privacy.

AWS S3 File Storage

Investment Health Checks uses Amazon Web Services (AWS) S3 to securely store documents that you upload, including investment statements, cost disclosures, and other supporting files.

All files stored in AWS S3 are encrypted at rest and in transit. We use secure, access-controlled storage buckets, and files can only be accessed using time-limited, permission-restricted presigned URLs.

Access to your documents is strictly limited to you and to authorised administrators who are reviewing your investment information. Files are never shared with third parties without your explicit consent, except where disclosure is required by law (see Disclosure of Your Information above).

AWS complies with GDPR, ISO 27001, SOC 2, and other international security and data protection standards. For more information about AWS's data handling practices, visit aws.amazon.com/compliance.
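The presigned-URL mechanism described in this section and in the protection list above is, as an added example that is not the platform's own code, what the signing endpoint has to get right: confirm that the authenticated user owns the object key before signing anything, cap the link's lifetime, and remember that the link carries whatever rights the signing credential has. The bucket name, the key layout (uploads/<user_id>/...), the one-hour cap and the credentials are assumptions for illustration; the SigV4 query-string signing uses only the Python standard library, so it runs offline and produces URLs of the same shape an SDK would.

```python
"""Added example: presigned S3 download links with the checks a reviewer expects.
Standard library only; the SigV4 query-string signing follows the published
algorithm, so the URL has the same shape boto3 would produce."""
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_EXPIRES_SECONDS = 3600  # assumed policy cap: a link is never valid for more than an hour


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, datestamp: str, region: str) -> bytes:
    # SigV4 derived-key chain: date -> region -> service -> terminator.
    key = _hmac(("AWS4" + secret_key).encode("utf-8"), datestamp)
    for part in (region, "s3", "aws4_request"):
        key = _hmac(key, part)
    return key


def owned_object_key(user_id: str, key: str) -> bool:
    """Ownership check performed before any signing. Assumed layout:
    every upload lives under uploads/<user_id>/<filename>. The trailing
    slash stops user 'u4' from matching 'u42', and empty or
    traversal-style path segments are refused outright."""
    prefix = f"uploads/{user_id}/"
    if not key.startswith(prefix) or len(key) == len(prefix):
        return False
    return all(segment not in ("", ".", "..") for segment in key.split("/"))


def presign_get(bucket: str, key: str, access_key: str, secret_key: str,
                region: str, expires: int, now_ts=None) -> str:
    """Build a SigV4 presigned GET URL for one object. The link is tied to
    this object, the GET method and the signing credential's own IAM rights;
    the short expiry is what limits the damage if it leaks."""
    expires = max(1, min(int(expires), MAX_EXPIRES_SECONDS))
    now = time.gmtime(now_ts if now_ts is not None else time.time())
    amz_date = time.strftime("%Y%m%dT%H%M%SZ", now)
    datestamp = time.strftime("%Y%m%d", now)
    scope = f"{datestamp}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    canonical_uri = "/" + quote(key, safe="/-_.~")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_qs = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                            for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_qs,
        f"host:{host}\n",  # the canonical-headers block ends with its own newline
        "host", "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, datestamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"


def download_link_for_user(user_id, key, bucket, access_key, secret_key, region,
                           expires=300, now_ts=None):
    """What the application endpoint should do: refuse (return None) unless the
    authenticated user owns the key, then sign with a short lifetime."""
    if not owned_object_key(user_id, key):
        return None
    return presign_get(bucket, key, access_key, secret_key, region, expires, now_ts)


def is_expired(url: str, now_ts: int) -> bool:
    """The same test S3 applies on every request: issue time plus X-Amz-Expires.
    Useful when auditing links that turn up in logs or support tickets."""
    q = parse_qs(urlsplit(url).query)
    issued = calendar.timegm(time.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ"))
    return now_ts >= issued + int(q["X-Amz-Expires"][0])


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    link = download_link_for_user("u42", "uploads/u42/statement.pdf", "ihc-uploads",
                                  "AKIAEXAMPLE", "secret-example", "eu-west-2")
    print(link)
    print("other user's key:", download_link_for_user("u7", "uploads/u42/statement.pdf",
          "ihc-uploads", "AKIAEXAMPLE", "secret-example", "eu-west-2"))
```

Two caveats worth stating in any design review of this scheme: a presigned URL cannot outlive the credential that signed it (signing with short-lived temporary credentials caps it further, whatever X-Amz-Expires says), and S3 enforces the expiry on its side, so the is_expired helper is for auditing links already issued, not a substitute for that check.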

Payment Processing

Payment processing is handled securely through Stripe, a PCI-DSS Level 1 compliant payment processor. We do not directly store your credit card information on our servers.

Stripe handles all payment information according to their Privacy Policy and security standards. When you submit payment details, they are encrypted and processed securely by Stripe.

You will receive a receipt for your transaction, and payment records are retained for accounting and tax compliance purposes.

Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18.

If we become aware that we have collected information from a child under 18, we will take steps to delete such information promptly.

If you believe we have collected information from a child under 18, please contact us at contact@investmenthealthchecks.com.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by posting the updated policy on our website with a new 'Last Updated' date.

Your continued use of our services after changes are posted constitutes your acceptance of the updated Privacy Policy.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at support@investmenthealthchecks.com.

We aim to resolve privacy inquiries within 30 days.

Privacy Concerns?

If you have any questions about our privacy practices or how we handle your data, please reach out to our team and we'll get back to you within 24 hours.
