Privacy Policy
Last updated: 10 April 2026
Who we are
Melvore Registry ("we", "us") provides a private asset registry and related services. This policy describes how we process personal data when you use our website and application. Commercial terms are set out in the terms you accept when you subscribe; there is no separate paper contract in the MVP phase.
What we process
We process account data (such as name, email, authentication factors), organisation and membership information, and everything you choose to store in the product: assets, valuations, documents, images, timeline events, contacts, addresses, reminder settings, share-links, and security audit events. Payment data is processed by Stripe; we receive billing status from Stripe, not your full card number.
Purposes and legal bases
We use data to provide and secure the service, authenticate users, send operational and reminder emails you configure, fulfil subscriptions, comply with law, and improve reliability (for example error monitoring with privacy-conscious providers). Where GDPR applies, we rely on contract, legitimate interests (security and product operation), and consent where required (for example marketing, if offered separately).
Location and transfers
Infrastructure is deployed in the European Union (for example Supabase in Frankfurt, Vercel in Frankfurt, Cloudflare R2 in an EU bucket). We do not move your registry content outside the EU unless you initiate an action that sends data outward (such as a share-link or an email to a third party).
Security
We use TLS 1.3 in transit, encryption at rest on storage, signed time-limited URLs for files, row-level access control in the database, rate-limited login, optional TOTP two-factor authentication, and audit logging. These measures are described in more detail for signed-in users under Privacy & data in Settings.
Confidentiality
We do not access your assets, documents, or portfolio for our own purposes. Support is provided without routinely opening customer content. We do not build cross-customer benchmarks or analytics on what you own. Anyone with potential system access is subject to strict confidentiality obligations.
Retention
While your subscription is active, we retain your data so you can use the service. If billing fails, access may be suspended; we typically keep data for about thirty days so you can resolve payment or take copies, then remove it from production systems. Backups may take up to about ninety further days to expire completely. If you delete your account in settings, live data is removed promptly and backups follow the same backup-purge timeline. Exact behaviour is also summarised in-app under Privacy & data.
Your rights
Depending on your jurisdiction, you may have rights to access, rectify, erase, restrict, or object to certain processing, and to data portability. You can export Asset Passport PDFs from the application, configure Dead Man's Switch handover where available, and delete your account in Danger zone. For other requests, contact us through your usual Melvore Registry support or onboarding channel.
Subprocessors
We use vetted infrastructure providers (including Supabase for database, auth, and storage, Vercel for hosting, Cloudflare for object storage, Stripe for payments, and email delivery providers such as Resend). Their processing is governed by their terms and, where applicable, standard contractual clauses or equivalent safeguards.
Changes
We may update this policy when the product or legal requirements change. We will adjust the "Last updated" date and, where appropriate, notify you by email or in the product.
Contact
For privacy questions, use the contact details provided in your onboarding or invoice materials, or sign in and open Privacy & data in Settings for product-specific detail.