Renopay Privacy Policy
Customer Privacy Notice | Version 2.0
Last updated: 6 July 2026
Renopay Limited | Company No. 16521097 | Registered in England and Wales
Registered office: 124-128 City Road, London, EC1V 2NJ
This privacy notice explains what Renopay Limited (“Renopay”, “we”, “us”, “our”) does with your personal information when you use the Renopay platform, website, and app (the “Platform”). It forms part of, and should be read together with, the Renopay Master Platform Agreement. Capitalised terms used but not defined here have the meanings given in that Agreement.
1. Who we are and how to contact us
Renopay Limited is the controller of the personal data we collect through the Platform for the purpose of operating the marketplace. You can contact us about this notice or about your personal data:
- (a) by email, for data protection and privacy matters, at privacy@renopay.co.uk;
- (b) by email, for general enquiries, at info@renopay.co.uk; or
- (c) by post, at Renopay Limited, 124-128 City Road, London, EC1V 2NJ, United Kingdom.
1.1 Renopay and OPP
Payments on the Platform are processed by Online Payment Platform Ltd (“OPP”), an electronic money institution authorised and regulated by the Financial Conduct Authority (Firm Reference Number 1003976). Renopay and OPP are separate and independent controllers of personal data: Renopay controls the data it processes to operate the marketplace, and OPP independently controls the data it processes to provide its regulated payment, e-money, escrow, and safeguarding services (including its customer due diligence, KYC, and anti-money-laundering checks). OPP processes your personal data under its own privacy policy, available on its website. The respective roles of Renopay and OPP are set out in the arrangements between us and, where applicable, in a data sharing agreement.
2. The personal information we collect and use
Depending on how you use the Platform, we collect and use the following categories of personal information:
- Identity and contact details — your name, email address, postal address, and telephone number.
- Account information — your registration details, account settings, marketing preferences, and information used for security purposes.
- Project information — details of the construction, renovation, or landscaping Projects you create or work on, including Milestones, specifications, photographs, videos, documents, completion evidence, and messages exchanged through the Platform.
- Payment and transaction information — bank account details and records of payments, Milestone funding, escrow deposits, releases, refunds, fees, and related transaction logs. Card details are not collected by Renopay; Milestones are funded by bank transfer or payment initiation. Much of this information is collected and held by OPP as the regulated payment provider.
- Verification and compliance information — identification documents and related information used for identity verification, KYC, anti-money-laundering, sanctions, and fraud-prevention purposes. This verification is carried out by OPP; we may receive verified status and compliance flags from OPP.
- Technical and usage information — your IP address, device and browser information, and information about how you use the Platform, collected partly through cookies and similar technologies (see section 8).
- Correspondence — records of your communications with us, including support queries, complaints, and Dispute records.
2.1 Special category and sensitive information
Renopay does not set out to collect special category personal data (such as data revealing health, racial or ethnic origin, or religious beliefs). However, project photographs and messages that you choose to upload may occasionally contain such information — for example, an image of the inside of your home. Where this happens, we rely on your explicit consent, and you should avoid uploading sensitive information that is not necessary for your Project. Identity documents processed for verification are handled by OPP as part of its regulated compliance processes.
3. How we use your information, and our lawful bases
Under UK data protection law we must have a lawful basis for using your personal information. The table below sets out what we use your information for and the lawful basis we rely on. These lawful bases mirror those in Section 13.2 of the Agreement.
| Purpose | What this involves | Lawful basis (UK GDPR Art. 6) |
|---|---|---|
| Providing the Platform and your account | Creating and operating your account, enabling Projects and Milestones, facilitating the escrow and payment process with OPP, and providing support. | Performance of a contract (Art. 6(1)(b)) |
| Legal and regulatory compliance | Meeting our legal obligations, supporting OPP's regulated KYC/AML and fraud-prevention duties, and keeping required records. | Legal obligation (Art. 6(1)(c)) |
| Security, fraud prevention, and platform integrity | Monitoring for suspicious activity, preventing and investigating fraud and misuse, securing the Platform, and resolving Disputes. | Legitimate interests (Art. 6(1)(f)) |
| Improving the Platform | Understanding how the Platform is used and developing new and improved features. | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications | Sending you updates and promotional messages where you have asked to receive them. | Consent (Art. 6(1)(a)) |
| Identifiable photographs of you or your home | Using project photographs that identify you, the interior of your home, or other private spaces (including for marketing, where you opt in). | Consent (Art. 6(1)(a)) |
Where we rely on legitimate interests, we have considered your rights and freedoms and concluded that our use of your information is proportionate and does not override them. You can ask us for more information about this assessment. Where we rely on consent, you can withdraw it at any time (see section 4); withdrawing consent does not affect the lawfulness of anything we did before you withdrew it.
4. Your data protection rights
Under UK data protection law, you have the following rights, which you can exercise free of charge:
- Right of access — to ask for a copy of your personal information.
- Right to rectification — to ask us to correct information that is inaccurate or incomplete.
- Right to erasure — to ask us to delete your information, subject to our legal and regulatory retention obligations.
- Right to restriction — to ask us to limit how we use your information.
- Right to object — to object to our use of your information where we rely on legitimate interests, and to direct marketing at any time.
- Right to data portability — to ask us to transfer certain information to you or another organisation.
- Right to withdraw consent — where we rely on consent, to withdraw it at any time.
To exercise any of these rights, contact us at privacy@renopay.co.uk or use your in-app settings. We will respond without undue delay and in any event within one month, although we may extend this by up to two further months for complex requests, in which case we will let you know. Some rights do not apply in all circumstances, and exemptions may apply.
5. Where we get your information from
We collect most personal information directly from you when you register and use the Platform. We may also receive information about you from:
- OPP — our FCA-authorised payment provider, which carries out identity verification (KYC), AML checks, and manages escrow; we may receive verified user data and compliance flags.
- fraud-prevention and risk tools — where integrated, we may receive alerts or data flagging suspicious activity, duplicate accounts, or higher-risk indicators.
- referral partners — where a Homeowner or Builder is referred to us by a trusted partner, we may receive basic information for onboarding.
- regulatory and law-enforcement bodies — where required by law or in connection with the prevention or investigation of crime.
- our service providers — our hosting, communications, analytics, and support providers (see section 7) may provide information generated in the course of your use of the Platform.
6. Who we share your information with
We share personal information with:
- OPP, for payment processing, escrow, KYC/AML, and safeguarding, as an independent controller;
- the other party to your Project (your Homeowner or Builder), to the extent necessary to carry out the Project;
- an Expert appointed in any Expert Determination, where relevant to a Dispute;
- our service providers and processors, who process personal data on our behalf and under our instructions (see section 7);
- professional advisers, auditors, regulators, and law-enforcement or other authorities, where necessary or required by law; and
- a buyer or successor, if we sell or reorganise our business, subject to appropriate protections.
6.1 Our processors
We use the following service providers to process personal data on our behalf. We have, or will have in place, data processing agreements with each that require them to protect your information and use it only on our instructions.
| Provider | Purpose | Processing location |
|---|---|---|
| Supabase | Database and application backend (account and project data) | United Kingdom (London) |
| Vercel | Website and application hosting | United Kingdom (London) region; global edge network |
| GetStream | In-app messaging | United States |
| Resend | Transactional email | United States |
| Sentry | Error monitoring | United States |
| Google Analytics (GA4) and Mixpanel | Product and website analytics | United States |
| HubSpot | Customer relationship management | European Union (Germany); some usage data processed in the United States |
We keep this list under review and update it as our providers change. Card payment data is handled by OPP and its own payment processors, not by Renopay.
7. International transfers
Your core personal data — including your account, Project information, and the data held in our primary database — is stored in the United Kingdom. We do not transfer your primary account and Project data outside the UK.
However, some of the service providers we use to support specific functions process personal data outside the UK, including in the United States, and OPP's wider group operates in the European Economic Area (EEA). In particular, our email, in-app messaging, error-monitoring, and analytics providers (such as Resend, GetStream, Sentry, Google Analytics, and Mixpanel) process certain data in the United States, and our CRM provider (HubSpot) stores data in the EEA with some usage data processed in the United States. This means limited categories of your personal information may be transferred to, stored, or processed in those countries.
Where we transfer personal information outside the UK, we make sure it is protected by an appropriate safeguard recognised under UK data protection law. In particular:
- (a) for transfers to the EEA, we rely on the UK Government's finding that the EEA provides an adequate level of protection (UK adequacy regulations);
- (b) for transfers to the United States and other countries without UK adequacy, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (or the UK International Data Transfer Agreement), together with any additional measures needed to protect your information; and
- (c) where a provider is certified under the UK Extension to the EU–US Data Privacy Framework, we may also rely on that certification.
You can ask us for more information about the safeguards we use, and for a copy of the relevant transfer mechanism, by contacting us at privacy@renopay.co.uk.
8. Cookies and similar technologies
We use cookies and similar technologies on our website and Platform. Cookies are small files placed on your device that help a website function and allow us to understand how it is used.
We use two broad categories of cookie:
- Essential cookies — these are necessary for the website and Platform to work and to keep them secure (for example, to keep you signed in, to remember your cookie choices, and to protect against fraud and misuse). These cookies do not require your consent.
- Analytics cookies — these help us understand how visitors use our website and Platform so that we can improve them. We use analytics and monitoring providers including Google Analytics, Mixpanel, and Sentry, and our hosting provider (Vercel) may set cookies necessary for performance and delivery. These cookies are only set where you have given your consent.
Non-essential cookies, including analytics cookies, are only set where you have given your consent through our cookie banner. You can accept or reject non-essential cookies when you first visit, and you can change your preferences at any time through the banner or your browser settings. Withdrawing consent will not affect the lawfulness of anything done before you withdrew it. Cookies typically last from the duration of your browsing session up to around 24 months, depending on the cookie and provider.
Some analytics providers are based outside the UK; where that involves a transfer of personal data, the safeguards described in section 7 apply. You can find out more about how to manage cookies in your browser at aboutcookies.org.
9. How long we keep your information
We keep your personal information only for as long as we need it for the purposes set out in this notice, and to meet our legal and regulatory obligations. Our usual retention periods are:
| Category | Purpose | Retention | Basis |
|---|---|---|---|
| KYC / AML information (ID, proof of address) | Compliance with money-laundering and financial regulations | 5 years after account closure | Legal obligation |
| Transaction records (escrow, Milestone releases, payment logs) | Audit, dispute resolution, financial record-keeping | 7 years | Legal obligation (incl. HMRC) |
| Account information | Account creation, service delivery, communication | Active account + 2 years | Contract / legitimate interest |
| Complaint & Dispute records | Investigating and resolving complaints and claims | 6 years from resolution | Legal obligation |
| Marketing preferences / opt-in records | Consent tracking | Until withdrawn, or 2 years from last opt-in | Consent |
| Customer support queries & case notes | Responding to support requests | 3 years from resolution | Legitimate interest |
| Audit logs & platform usage | Security, fraud monitoring, operational analysis | 2–3 years | Legitimate interest |
| Cookies / analytics data | Site performance and usage trends | 12–24 months | Consent / legitimate interest |
Where information is held by OPP as a separate controller (for example, KYC records), OPP applies its own retention periods under its privacy policy. The retention periods above reflect our role; the specific legal basis for a given period may arise from anti-money-laundering law, HMRC requirements, or general limitation periods.
10. How to complain
If you have any concerns about how we use your personal information, please contact us first at privacy@renopay.co.uk so that we can try to put things right. You also have the right to complain to the Information Commissioner's Office (ICO):
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Helpline: 0303 123 1113. Website: ico.org.uk/make-a-complaint.
If your complaint concerns OPP's handling of your personal data as part of its regulated payment services, you may also contact OPP using the details in its own privacy policy.
11. Changes to this notice
We may update this notice from time to time. Where changes are material, we will take reasonable steps to bring them to your attention. The version in force is the one published on the Platform, and the date of the latest update is shown at the top of this notice.
— End of Privacy Policy —