Privacy Policy
Last updated: 24 March 2026 · Bilans Solutions PDOO, North Macedonia
1. Who We Are
This Privacy Policy explains how Bilans Solutions PDOO, a company registered in North Macedonia, collects, uses, stores, and protects your personal data when you use the Reapit Compliance Tracker service ("Service").
For any privacy-related inquiries, you can reach us at [email protected].
2. What Data We Collect
2.1 Account Data (from Reapit Connect SSO)
When you sign in to the Service via Reapit Connect, we receive and store the following:
- Your name
- Your email address
- Your organisation name
We do NOT store passwords. Authentication is fully delegated to Reapit Connect, and we never see or handle your credentials.
2.2 Customer Data (processed as Data Processor)
On behalf of your agency (the Data Controller), we process the following data retrieved from the Reapit API:
- Property addresses and metadata
- Tenancy dates and status
- Landlord names
- Certificate types and expiry dates (Gas Safety, EICR, EPC, Legionella)
- Compliance evaluation results and alerts
IMPORTANT: We do NOT collect or store personal data of tenants. No tenant names, email addresses, phone numbers, or identification documents are accessed, processed, or stored by our Service.
2.3 Usage Data
We automatically collect the following data for product improvement and security purposes:
- Pages visited, features used, and timestamps
- IP address, browser type, and device type
2.4 Payment Data
All payments are handled entirely by Paddle, our Merchant of Record. We do not see or store full card numbers. Paddle processes your payment information in accordance with their own privacy policy, available at www.paddle.com/legal/privacy.
3. Lawful Basis for Processing
We process personal data under the following lawful bases:
| Data | Lawful Basis |
|---|---|
| Account data | Contractual necessity |
| Customer Data | Contractual necessity (Data Processor) |
| Usage analytics | Legitimate interest |
| Security logs | Legitimate interest |
4. Sub-processors
We engage the following sub-processors in the delivery of the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting | EU (eu-west-1) |
| Fly.io | Application server | UK (London) |
| Paddle | Payment processing | UK/EU |
We give 30 days' notice of sub-processor changes.
Note: Your users authenticate via Reapit Connect (SSO), which is provided by Reapit Ltd as part of your AgencyCloud subscription. Reapit Connect is not our sub-processor — it is your existing identity provider.
5. Data Retention
| Data | Retention | Reason |
|---|---|---|
| Account data | Subscription + 30 days | Contract fulfilment |
| Customer Data | Subscription + 30 days, then deleted | Reapit developer requirement |
| Usage analytics | 13 months | Trend analysis |
| Security logs | 90 days | Incident response |
| Payment records | 7 years | UK tax law |
6. Your Rights Under UK GDPR
Under the UK General Data Protection Regulation, you have the following rights:
- Right of access — request a copy of the personal data we hold about you. We will respond within 30 days.
- Right to rectification — request correction of inaccurate or incomplete personal data.
- Right to erasure — request deletion of your personal data where there is no compelling reason for continued processing.
- Right to restrict processing — request that we limit how we use your data in certain circumstances.
- Right to data portability — receive your data in a structured, commonly used format (JSON/CSV export).
- Right to object — object to our processing of your personal data where we rely on legitimate interest.
- Right to lodge a complaint — you have the right to complain to the Information Commissioner's Office (ICO) at www.ico.org.uk.
7. Security
We implement appropriate technical and organisational measures to protect your data:
- Encryption in transit — all data is transmitted using TLS 1.2 or higher.
- Encryption at rest — data stored in our database is encrypted using AES-256.
- Role-based access controls — access to data is restricted based on user roles and organisational permissions.
- Audit logging — all data access is logged for security and accountability purposes.
- Breach notification — in the event of a data breach, we will notify affected parties within 72 hours as required by UK GDPR.
8. Cookies
- Session cookies (required) — used for authentication. These are essential for the Service to function and cannot be disabled.
- Analytics (legitimate interest) — we use Google Analytics and Microsoft Clarity for product improvement and security monitoring. These load on all pages under our legitimate interest basis. No personally identifiable information is collected. You may block these via your browser settings or a browser extension.
- We do NOT use marketing or advertising cookies.
9. International Transfers
- All data is stored in the UK (Fly.io, London) and the EU (Supabase, eu-west-1).
- We do not transfer data to the US or other third countries.
- The UK adequacy decision covers EU transfers.
10. Contact
If you have questions about this Privacy Policy or wish to exercise your data protection rights:
- Privacy inquiries: [email protected]
- Data subject requests: [email protected] (include "Data Access Request" in the subject line)
- ICO: www.ico.org.uk · 0303 123 1113
Bilans Solutions PDOO
North Macedonia