Data Processing
How your data is processed, stored, and shared · Last updated April 2026
This Data Processing page describes what categories of personal data Estaty processes, the purposes for which it is processed, how long it is retained, and which sub-processors are involved. This document supplements our Privacy Policy and GDPR page.
1. Categories of Data We Process
| Category | Examples | Who it relates to |
|---|---|---|
| Account data | Name, email, password hash, profile photo | You (the agent) |
| Profile data | Display name, job title, bio, phone, WhatsApp link | You (the agent) |
| Listing data | Property details, photos, price, location, AI descriptions | Your property listings |
| Lead data | Enquirer name, email, phone, message, listing reference | Your clients / prospects |
| Billing data | Billing name, address, subscription status, invoice history | You (the agent) |
| Usage data | Pages visited, features used, session duration, IP address | You (the agent) |
| Analytics data | Listing views, profile views, lead conversion rate (aggregated) | Aggregated — not individual |
| AI usage data | Number of AI description generations, credit balance | You (the agent) |
| Communication data | Support tickets and messages sent to hello@estaty.io | You (the agent) |
2. Purposes of Processing
| Purpose | Data used | Legal basis |
|---|---|---|
| Providing the platform (auth, listings, leads) | Account, listing, lead data | Contract |
| Processing payments | Billing data | Contract + Legal obligation |
| Sending transactional emails | Email address | Contract |
| Sending optional notifications | Email address | Consent |
| AI description generation | Listing details (no personal data) | Contract |
| Platform analytics and improvement | Usage and analytics data | Legitimate interests |
| Security and fraud prevention | Usage data, IP address | Legitimate interests |
| Legal compliance | Billing records | Legal obligation |
| Customer support | Communication data | Contract |
3. Data Retention Schedule
| Data type | Retention period | Reason |
|---|---|---|
| Account and profile data | Duration of account + 30 days | Service provision |
| Listing data | Duration of account + 30 days | Service provision |
| Lead data | Until deleted by agent or account closure + 30 days | Service provision |
| Billing records | 7 years | Financial and legal compliance |
| Server and access logs | 90 days | Security and debugging |
| Email delivery logs | 30 days | Deliverability monitoring |
| Backup snapshots | 30 days rolling | Disaster recovery |
| Support communications | 3 years | Dispute resolution |
4. Sub-Processors
We rely on the following sub-processors to deliver the Service. All sub-processors are bound by data processing agreements.
| Sub-processor | Role | Data processed | Location |
|---|---|---|---|
| Supabase | Database, auth, file storage | All categories except billing | EU (West) |
| Vercel | Application hosting and edge functions | Usage data, IP address | EU / Global CDN |
| Lemon Squeezy | Payment processing | Billing data | USA (SCCs in place) |
| Resend | Transactional email delivery | Email address, email content | USA (SCCs in place) |
| Anthropic | AI description generation | Listing details only (no PII) | USA (SCCs in place) |
We review our sub-processor list regularly. If we add or replace a sub-processor, we will update this page and notify you by email at least 14 days in advance if the change materially affects how your data is processed.
5. Data Processing Agreement (DPA)
If you require a formal Data Processing Agreement for your own GDPR compliance (e.g., because you are a data controller processing your clients' lead data through Estaty), please email hello@estaty.io with the subject 'DPA Request'. We will provide a signed DPA within 5 business days.
6. Data Transfers Outside the EU/EEA
Where sub-processors are located outside the EU/EEA (Lemon Squeezy, Resend, Anthropic — all based in the USA), we have implemented Standard Contractual Clauses (SCCs) as the transfer mechanism, in accordance with GDPR Article 46(2)(c) and European Commission Decision 2021/914.
7. Automated Decision-Making
Estaty does not make solely automated decisions that produce legal or similarly significant effects on individuals. The AI description generation feature creates property listing text but does not make any decisions about individuals.
8. Contact
For questions about data processing or to request a DPA, contact us at hello@estaty.io.