Privacy Policy
Last updated: 2026-04-23
This Privacy Policy explains how Open Bridge Ltd ("we", "us", "our") collects, uses, shares, and protects your personal data when you use Anchorlet (the "Service").
We are committed to protecting your privacy and complying with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Irish Data Protection Act 2018, and other applicable data protection laws.
1. Who we are
Open Bridge Ltd is a limited company incorporated in Ireland.
- Registered office: 51 Bracken Road, Dublin 18, D18 CV48, Ireland
- Company number: 517991
- Contact for privacy matters: support@anchorlet.ie
We are the data controller for personal data we collect about you directly as a user of the Service.
We act as a data processor for personal data you upload to the Service about third parties (such as tenants, contractors, or other landlords). In that case, you are the controller and we process the data on your instructions. See section 11 below.
2. Personal data we collect
Data you provide to us
- Account data: your name, email address, password (stored as a secure hash), role (landlord or property manager), company name.
- Workspace data: the names of your portfolios and the users you invite to them.
- Property and tenancy data: property addresses, property details, financial information (rent, expenses), lease terms, tenant names and contact details, contractor details, correspondence, and document uploads (such as leases, BER certificates, invoices).
- Communications: emails you send or receive through the Service, messages to our support team.
- Payment data: your billing name, address, and VAT number (if applicable). Card details are handled directly by our payment processor and are not stored on our systems.
Data we collect automatically
- Technical data: IP address, browser type and version, operating system, device identifiers, referring URLs, timestamps.
- Usage data: pages and features used, actions taken within the Service, error logs.
- Cookies and similar technologies: see section 10.
3. How we use your personal data
We use your personal data for the following purposes, each with its legal basis under the GDPR:
| Purpose | Legal basis |
|---|---|
| Providing and operating the Service | Performance of contract (Article 6(1)(b)) |
| Communicating with you about your account and the Service | Performance of contract (Article 6(1)(b)) |
| Processing payments | Performance of contract (Article 6(1)(b)) |
| Sending product updates, newsletters, and marketing | Consent (Article 6(1)(a)) or legitimate interest (Article 6(1)(f)); you can opt out at any time |
| Protecting the Service from fraud, abuse, and security threats | Legitimate interest (Article 6(1)(f)) |
| Complying with legal and regulatory obligations | Legal obligation (Article 6(1)(c)) |
| Improving the Service (based on aggregated and anonymised usage data) | Legitimate interest (Article 6(1)(f)) |
4. AI processing
4.1 The Service uses third-party AI providers (currently Anthropic, PBC) to power features including the "Elliot" assistant, document classification, and photo analysis.
4.2 When you interact with AI features, relevant data — which may include personal data — is transmitted to the AI provider for processing.
4.3 We have contractually restricted our AI providers from using your data to train their models.
4.4 AI interactions may be retained in short-term logs for debugging and safety purposes, typically for no longer than 30 days.
5. Who we share your personal data with
We share personal data only where necessary, with the following categories of recipients:
Service providers (data processors acting on our behalf)
- Supabase Inc. (USA) — database hosting and file storage.
- Vercel Inc. (USA) — application hosting.
- Resend, Inc. (USA) — transactional email delivery.
- Anthropic, PBC (USA) — AI processing.
- [Payment processor] — card processing and billing.
We have entered into written data processing agreements with each of these providers that include GDPR-compliant safeguards.
Other users
- Users you invite to a Workspace will see the data you share in that Workspace.
Authorities and third parties
- We may share data with law enforcement, regulators, or courts when legally required.
- In connection with a business sale, merger, or reorganisation, personal data may be transferred to a successor entity (subject to the same privacy protections).
We do not sell your personal data.
6. International transfers
6.1 Several of our service providers are located outside the European Economic Area, primarily in the United States.
6.2 When we transfer personal data outside the EEA, we use appropriate safeguards, typically the European Commission's Standard Contractual Clauses (SCCs) or an equivalent adequacy mechanism.
6.3 You can request further information about these safeguards by contacting us at support@anchorlet.ie.
7. How long we keep your data
| Data category | Retention period |
|---|---|
| Account data | For the life of your account, plus 30 days after closure |
| Customer Data (properties, tenants, documents) | For the life of your account, plus 30 days after closure, subject to your right to earlier deletion |
| Financial and tax records | 7 years (required by Irish tax law) |
| Support communications | 2 years |
| AI interaction logs | Up to 30 days |
| Backups | Up to 90 days after deletion from primary storage |
8. Your rights under GDPR
You have the following rights in relation to your personal data:
- Right of access — to obtain a copy of the personal data we hold about you.
- Right to rectification — to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — to request deletion, subject to legal exceptions.
- Right to restriction — to limit our processing in certain circumstances.
- Right to data portability — to receive your data in a structured, commonly-used, machine-readable format, and to transmit it to another controller.
- Right to object — to processing based on legitimate interest or direct marketing.
- Right to withdraw consent — at any time, where processing is based on consent.
To exercise any of these rights, email us at support@anchorlet.ie. We will respond within one month.
You also have the right to lodge a complaint with the Irish Data Protection Commission if you believe we have mishandled your personal data:
- Irish Data Protection Commission
- 21 Fitzwilliam Square South, Dublin 2, D02 RD28
- dataprotection.ie
9. Security
We implement technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS) and encryption at rest for sensitive fields.
- Role-based access controls and strong authentication.
- Workspace-level data isolation between customers.
- Regular security reviews and dependency updates.
- Logging and monitoring of access to production systems.
No system is entirely secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the Irish Data Protection Commission as required by Articles 33 and 34 of the GDPR.
10. Cookies and similar technologies
We use cookies and similar technologies for the following purposes:
- Strictly necessary cookies: authentication, session management, security. These are required for the Service to function and cannot be disabled.
- Analytics cookies: to understand how the Service is used so we can improve it.
We do not use third-party advertising cookies.
You can control cookies through your browser settings. Disabling strictly necessary cookies will prevent the Service from working correctly.
11. Data you upload about others
11.1 When you upload personal data about third parties (such as tenants or contractors) to the Service, you act as the data controller for that personal data, and we act as your data processor.
11.2 As controller, you are responsible for:
(a) having a lawful basis for processing the personal data;
(b) providing the necessary privacy information to the data subjects;
(c) responding to data-subject rights requests (access, erasure, etc.);
(d) notifying relevant authorities and data subjects of any breaches.
11.3 Data Processing Agreement. We provide a Data Processing Agreement ("DPA") that governs our role as processor, including the processing terms required by Article 28 of the GDPR. The DPA is available on request to support@anchorlet.ie and is provided by default with paid subscription plans.
12. Children
The Service is not directed at children under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If changes are material, we will notify you by email or through a prominent notice in the Service at least 14 days before they take effect. The "Last updated" date at the top of this policy reflects the latest version.
14. Contact
For privacy questions, requests, or complaints:
Email: support@anchorlet.ie Post: Open Bridge Ltd, 51 Bracken Road, Dublin 18, D18 CV48, Ireland
© 2026 Open Bridge Ltd. All rights reserved.