Last updated: 14 April 2026. This policy applies to all users of valuion.com worldwide.
Valuion is built around one idea: your financial data belongs to you. We collect only what is needed to generate your valuation report, we encrypt it at rest and in transit, and we delete it shortly after delivery unless you have specifically asked us to retain it for a refresh credit.
Who we are
Valuion is operated by Justin O’Brien, an individual trader based in Blackrock, County Dublin, Ireland. For the purposes of GDPR, Justin O’Brien is the Data Controller for personal data processed by Valuion. Contact: privacy@valuion.com.
What we collect
We distinguish between three categories of data.
Data you provide when buying a report
- Your name and email address (for delivery of the report).
- Your company name (for the report cover page).
- Financial data you enter in the questionnaire: revenue, expenses, EBITDA, asset values, customer concentration, growth rate, headcount, industry classification, and similar business metrics.
- Billing information (handled directly by Stripe; we never see your full card number).
- Your country of residence (derived from IP address and/or your selected jurisdiction).
Data you provide when using free tools or subscribing
- Email address (if you opt in to our newsletter or save a calculator result).
- Summary financial inputs from calculators (stored transiently to generate your result).
Data automatically collected
- IP address (for geo-location to set the correct currency and jurisdiction, and for fraud prevention).
- Browser type and operating system (for performance and compatibility).
- Pages visited and time on page (if you have consented to analytics cookies).
- Referring website (for attribution).
We do not use third-party advertising cookies, retargeting pixels, or social media trackers. We do not sell or rent your data to anyone.
How we use your data
- To generate your valuation report. Your questionnaire answers are sent to our AI pipeline, which applies industry multiples from our database and returns a structured report. The report is emailed to you.
- To process your payment. Stripe handles all payment data under PCI-DSS. We retain only the Stripe customer ID and receipt reference for customer support purposes.
- To provide customer support. If you email us about a report, we may need to look up your submission to help resolve your issue.
- To send transactional emails. Delivery confirmation, receipt, refresh reminders, and refund notifications. You cannot opt out of these while you are an active customer.
- To send marketing emails (only if you opted in). Our Kit email platform handles newsletter subscriptions. You can unsubscribe at any time from any email.
- To prevent fraud and abuse. We use Stripe Radar, IP-address checks, and pattern detection to prevent chargeback fraud and card testing.
- To improve the product. We may use aggregated, anonymised data (no identifying fields) to refine our industry multiples and prompt engineering. Individual submissions are never used to train AI models.
Legal basis for processing (GDPR)
Under GDPR Article 6, our legal bases are:
- Contract (Article 6(1)(b)): processing your questionnaire to generate the report you purchased.
- Legitimate interests (Article 6(1)(f)): fraud prevention, product improvement on aggregated data, and transactional emails related to your purchase.
- Consent (Article 6(1)(a)): marketing emails, analytics cookies, and retaining your questionnaire data beyond 30 days for future refresh credits.
- Legal obligation (Article 6(1)(c)): tax records retained for seven years as required by Irish Revenue.
Who we share your data with (sub-processors)
We use carefully selected third parties to run the product. Each is bound by a Data Processing Agreement and appropriate safeguards.
- Anthropic PBC (United States): AI report generation. Zero data retention, no training on submitted data. Transfers covered by Standard Contractual Clauses.
- Stripe, Inc. (United States and Ireland): payment processing. PCI-DSS Level 1 certified. Data residency follows the customer’s country.
- Resend (United States, EU region available): transactional email delivery. EU region used for EU/UK customers.
- Netlify, Inc. (United States): static website hosting. Content only; no user data processed here.
- Render Services, Inc. (EU-Frankfurt for EU customers, US regions otherwise): pipeline hosting.
- Formspree (United States): form submission handling. Submissions routed to our secure backend.
- Kit (United States): newsletter and email drip sequences. Only data for users who have explicitly subscribed.
- Cloudflare, Inc. (global): DNS and CDN. Metadata only (IP addresses for rate limiting and abuse prevention).
The up-to-date list is published at /security.
International data transfers
For EU, UK, and Irish customers, we process data on EU infrastructure where possible (Render EU-Frankfurt, Resend EU region). Some processing (notably AI generation via Anthropic, and payment by Stripe’s US entity) necessarily involves transfer to the United States. These transfers are covered by the European Commission’s Standard Contractual Clauses and appropriate technical safeguards (encryption, minimisation, zero retention at the AI layer).
For customers outside the EEA and UK, your data may be processed in the region that serves you best (typically the US for North American customers).
How long we keep your data
- Questionnaire answers: deleted 30 days after report delivery, unless you have opted in to our Annual Refresh Subscription (in which case we retain your submission to pre-fill future refreshes).
- Generated reports: stored in encrypted form for 90 days from last access, then automatically deleted. You will always have your own copy via email.
- Shareable web links: expire 90 days after last access.
- Customer email and payment records: retained for 7 years to meet Irish Revenue obligations.
- Newsletter subscribers: retained until you unsubscribe.
- Fraud prevention blocklist: retained indefinitely for blocked email/card pairs.
Your rights under GDPR
If you are in the EU, UK, or any jurisdiction that recognises GDPR-equivalent rights, you have the following rights:
- Access. Request a copy of all personal data we hold about you, in machine-readable form.
- Erasure (“right to be forgotten”). Request deletion of your data. We will delete everything within 72 hours except records we are legally required to keep (tax records).
- Rectification. Correct any inaccurate personal data.
- Portability. Receive your data in a structured, machine-readable format so you can take it elsewhere.
- Restriction. Ask us to stop processing your data while a dispute is resolved.
- Objection. Object to processing based on legitimate interests.
- Withdraw consent. Unsubscribe from marketing emails, withdraw cookie consent, or opt out of data retention at any time.
- Complain. Lodge a complaint with the Irish Data Protection Commission (dataprotection.ie) or your local supervisory authority.
To exercise any of these rights, email privacy@valuion.com. We respond within 72 hours.
Cookies
We use a small number of cookies:
- Essential (always on): jurisdiction preference, cookie consent preference, shopping cart state. These cannot be disabled without breaking core functionality.
- Analytics (opt-in): anonymised page-view statistics, time on page, and referrer data. Off by default; enabled only if you click “Accept” on the cookie banner.
We do not use advertising cookies, social media tracking pixels, or cross-site retargeting.
Children
Valuion is a product for adult business owners. We do not knowingly collect personal data from anyone under 18. If you believe a child has submitted data to us, please contact privacy@valuion.com immediately and we will delete it.
Changes to this policy
We may update this policy as the product evolves. The “Last updated” date at the top of this page always reflects the most recent change. For material changes (new sub-processors, new data categories), we will notify active customers by email at least 30 days in advance.
Questions
Email privacy@valuion.com. We take these seriously and we reply quickly.