Pre-launch placeholder
Bedrock is in development. This policy is a stand-in describing the data flows that are actually wired today, but it has not been reviewed by qualified data-protection counsel. It must be replaced with reviewed policy before any production launch.
Legal

Privacy Policy

Last updated: 2026-05-23. UK GDPR, Data Protection Act 2018, and laws of England and Wales.

1. Who we are

This policy explains how Bedrock (operating at bedrock.estate) handles personal data. For UK GDPR purposes, Bedrock is the controller of the personal data it processes about its account holders (professional users and the clients they invite onto the platform). Where a professional user uses Bedrock to handle data about their own clients on the user's instructions, Bedrock acts as a processor in respect of that data on behalf of the professional user as controller.

2. Personal data we collect

2.1 Account data (professional users)

  • name, email address, mobile number;
  • your firm's name, registered company number, registered address, regulator and authorisation reference (where applicable);
  • your role within the firm;
  • authentication data (encrypted password hash, two-factor seed if you enable it, recovery codes);
  • billing data needed to operate your Stripe Connect account (held by Stripe, not by us — see section 5).

2.2 Account data (clients)

  • name, email address, mobile number;
  • authentication data as above;
  • the property transactions you are party to on the Service, and any documents or messages you upload to those transactions.

2.3 Transaction data we hold for professional users

  • property addresses and identifiers;
  • quotes, fee scales, and payment records;
  • KYC / source-of-funds information that the professional user records about each client party (currently entered manually by the firm; structured into identity, address, sanctions/PEP, and source-of-funds sections);
  • documents uploaded by either side of a transaction;
  • case messages exchanged between the firm and the client.

2.4 Technical data

  • IP address, browser user-agent, and timestamps of significant actions (sign-in, document upload, payment attempt, two-factor toggle, etc.) recorded in our audit log;
  • cookies strictly necessary for the Service to function (session, CSRF). We do not currently use marketing or analytics cookies.

3. How we use your data

We process personal data for the following purposes and on the following lawful bases:

  • Providing the Service (running your account, delivering case data, sending transactional email and SMS, processing payments) — contract performance;
  • Verifying company information at signup via Companies House (UK public register lookup) — legitimate interests (preventing fraud and ensuring firms are who they say they are);
  • Security and abuse prevention (rate limits, suspicious-activity alerts, audit log, two-factor authentication) — legitimate interests + legal obligation;
  • Service improvement (limited aggregate usage analysis) — legitimate interests;
  • Communication about service issues (outage notices, security advisories) — legitimate interests;
  • Compliance with law (responding to lawful requests from regulators, courts, or law enforcement) — legal obligation.

We do not sell personal data, and we do not share it for cross-context behavioural advertising. We do not use personal data to train large-language models or other machine-learning systems.

4. Who can see your data inside the Service

Bedrock applies role-based access controls. As a rough guide:

  • professional users at a firm see the cases and clients belonging to that firm;
  • clients see only the cases and documents that the firm has marked client-visible to them;
  • Bedrock platform administrators have read access to all data on the platform for operational support, and write access when a user explicitly asks for support intervention or when a security incident requires it. All such access is logged.

5. Third-party processors

We use the following sub-processors to deliver the Service. Each processes only the personal data needed to perform its specific role, and is bound by data-protection terms equivalent to or stronger than this policy.

  • Cloudflare, Inc. — hosts the application and stores files (R2). Data may be processed in the EU and US; Cloudflare is certified under the EU-US Data Privacy Framework.
  • Supabase, Inc. — hosted PostgreSQL database. Our project is hosted in AWS US-East-2 (Ohio, USA) on Supabase's infrastructure; data transferred to the US relies on standard contractual clauses.
  • Stripe Payments UK, Ltd. — payment processing, Stripe Connect Express onboarding, and related identity checks for connected accounts. Stripe holds payment-card data; Bedrock does not see card numbers.
  • Mailtrap — transactional email delivery (account verification, invitations, payment notifications, etc.).
  • Telnyx LLC — SMS delivery (e.g. invite-by-SMS for clients).
  • Companies House (UK Government) — public UK company register lookup when a firm sets up their account. The data returned (company name, number, registered address, officers, filing history) is already in the public domain; we record what was returned so the firm doesn't have to re-type it.
  • Anthropic, PBC — large-language-model inference for the in-product AI assistant when it is configured for your account. When Anthropic is not configured, AI features instead run on Cloudflare Workers AI (operated by Cloudflare) and Anthropic receives no data. Anthropic does not train its models on data passed through its API.

This list will be updated when we add or remove processors. If you would like a copy of the current list at any time, email hello@bedrock.estate.

6. International transfers

Some processors above are based outside the UK (notably Stripe, Cloudflare and Supabase, which operate in the US and EU). Where personal data is transferred outside the UK, we rely on (a) the UK Government's adequacy decisions where in force, (b) the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, and (c) where applicable, the processor's certification under the UK-US Data Bridge / EU-US Data Privacy Framework.

7. How long we keep your data

  • Account data: while your account is active, plus 12 months after you close it for recovery purposes (or longer if law requires).
  • Transaction data (legal records): where the data forms part of a regulated conveyancing file, the professional user's firm controls retention in line with Money Laundering Regulations 2017 (typically five years from the end of the business relationship or the date of the transaction). The firm, as controller for that data, sets the retention period; Bedrock retains the data on the firm's behalf for that period unless instructed otherwise.
  • Payment records: retained for at least six years to satisfy UK accounting law.
  • Audit log: retained for at least two years for security and incident-response purposes.
  • Backups: deleted data persists in encrypted backups for up to 35 days before being overwritten in the normal rotation.

8. Your rights

Under UK GDPR you have the right to:

  • request access to a copy of the personal data we hold about you;
  • ask us to correct inaccurate or incomplete data;
  • ask us to erase data we hold about you, subject to overriding legal or regulatory retention obligations;
  • object to or restrict certain processing, including processing based on legitimate interests;
  • ask us to provide your data in a portable format and / or transmit it directly to another controller;
  • withdraw consent at any time where we rely on consent;
  • complain to the UK Information Commissioner's Office (ico.org.uk), without prejudice to any other remedy.

Where you ask us to exercise a right in relation to data we hold on behalf of a professional user (as that firm's processor), we will direct your request to the firm and assist them in responding.

9. Security

We protect personal data using a combination of technical and organisational measures: encrypted transport (TLS 1.2+), encrypted storage at rest, role-based access control, row-level security on the database, encrypted secrets, optional two-factor authentication on every account, an append-only audit log of security-sensitive actions, automated alerting on suspicious activity, and routine backups. No system is ever perfectly secure; we will tell affected users and the ICO as required by law if a breach occurs.

10. Cookies

We use only cookies that are strictly necessary for the Service to function (your sign-in session and a CSRF token). We do not use marketing, analytics, or cross-site tracking cookies, and we do not display a consent banner because none is required for strictly-necessary cookies under the UK Privacy and Electronic Communications Regulations.

11. Children

The Service is intended for adults using or providing regulated property services. We do not knowingly collect personal data from children under 18; if we learn we have, we will delete it.

12. Changes to this policy

Material changes will be notified to you by email or via the Service before they take effect. The current version is always available at bedrock.estate/privacy.

13. Contact

Privacy questions or requests to exercise your rights: hello@bedrock.estate. We will respond within one month of receipt; complex requests may take up to three months, in which case we will tell you within the first month and explain why.