Privacy Policy

Last Updated: January 21, 2026

Introduction

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Tenant Portal. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018.

1. Data Controller

Data Controller: [YOUR COMPANY NAME]
Registered Address: [YOUR COMPANY ADDRESS]
Company Number: [YOUR COMPANY REGISTRATION NUMBER]
Email: privacy@yourcompany.com
Phone: [YOUR COMPANY PHONE]

As the Data Controller, we determine how and why your personal data is processed. If you have any questions about how we handle your data, please contact us using the details above.

2. What Personal Data We Collect

We collect and process the following categories of personal data:

Identity Information

  • Full name
  • Date of birth
  • Email address
  • Phone number
  • Residential address

Tenancy Information

  • Tenancy agreement details
  • Rent payment history
  • Deposit information
  • Move-in and move-out dates
  • Digital signatures and agreement timestamps

Maintenance Requests

  • Issue descriptions and photos
  • Communication history
  • Contractor feedback and ratings
  • Job completion sign-offs

Financial Information

  • Rent invoice records
  • Payment dates and amounts
  • Bank account details (if provided for standing orders)
  • Arrears information

Technical Information

  • IP address (for security and audit purposes)
  • Login timestamps
  • Device and browser information
  • Portal activity logs

3. Legal Basis for Processing

We process your personal data under the following legal bases defined by GDPR Article 6:

Purpose | Legal Basis
Managing your tenancy, processing rent, and providing portal access | Contractual Necessity (Article 6(1)(b))
Compliance with legal obligations (tax, housing regulations, deposit protection) | Legal Obligation (Article 6(1)(c))
Improving portal services and fraud prevention | Legitimate Interest (Article 6(1)(f))
Marketing communications (only if you opt in) | Consent (Article 6(1)(a))

4. How We Use Your Data

We use your personal data for the following purposes:

  • Tenancy Management: Creating and managing your tenancy agreement, processing rent, and handling deposits
  • Maintenance Services: Processing maintenance requests, coordinating contractors, and resolving property issues
  • Communication: Sending important notices, reminders, and updates about your tenancy
  • Compliance: Meeting legal obligations including gas safety certificates, EPCs, and deposit protection schemes
  • Financial Administration: Invoicing, payment processing, and arrears management
  • Security: Protecting your account from unauthorized access and fraud
  • Service Improvement: Analyzing portal usage to improve user experience (anonymized where possible)

5. Third-Party Service Providers

We share your personal data with trusted third-party processors who help us deliver our services. All processors are bound by data processing agreements and must comply with GDPR:

Financial Services

Communication Services

Referencing & Compliance

  • The Letting Hub (TLH): Tenant referencing and background checks (Privacy Policy)

AI & Automation

  • Google Gemini: AI-assisted maintenance triage (issue descriptions only, no personal identifiers) (Privacy Policy)

International Transfers: Some of our processors (e.g., Google, Stripe) may transfer data outside the UK/EEA. These transfers are protected by appropriate safeguards such as Standard Contractual Clauses (SCCs) or adequacy decisions approved by the UK Information Commissioner's Office (ICO).

6. How Long We Keep Your Data

We retain your personal data for as long as necessary to fulfill the purposes outlined in this policy:

  • During Your Tenancy: All data is retained for active tenancy management
  • After Tenancy Ends: Financial records retained for 6 years (UK tax law requirement)
  • Legal Claims: Data may be retained longer if required for legal proceedings
  • Marketing Consent: Retained until you withdraw consent
  • Audit Logs: Security logs retained for [X years] for fraud prevention

After the retention period expires, your data will be securely deleted or anonymized. You can request early deletion by visiting your Privacy Settings.

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

✓ Right of Access (Article 15)

Request a copy of all personal data we hold about you

Export Your Data

✓ Right to Rectification (Article 16)

Correct inaccurate or incomplete personal data

Contact us at privacy@yourcompany.com

✓ Right to Erasure (Article 17)

Request deletion of your personal data (subject to legal obligations)

Request Data Deletion (available after tenancy ends)

✓ Right to Data Portability (Article 20)

Receive your data in a machine-readable format (JSON)

Export Your Data

✓ Right to Object (Article 21)

Object to processing based on legitimate interests or direct marketing

Contact us at privacy@yourcompany.com

✓ Right to Restrict Processing (Article 18)

Limit how we use your data in certain circumstances

Contact us at privacy@yourcompany.com

✓ Right to Withdraw Consent (Article 7(3))

Withdraw consent for marketing or optional data processing

Contact us at privacy@yourcompany.com

Response Time: We will respond to your requests within 30 days as required by GDPR. We may ask you to verify your identity before fulfilling your request.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption: All data transmitted over the internet is encrypted using TLS/SSL
  • Access Controls: Staff access to personal data is role-based and logged
  • Authentication: Secure password requirements and session management
  • Regular Backups: Encrypted backups with restricted access
  • Security Monitoring: Intrusion detection and activity logging
  • Staff Training: Regular data protection training for all staff members

In the unlikely event of a data breach that poses a risk to your rights, we will notify you and the Information Commissioner's Office (ICO) within 72 hours as required by GDPR Article 33.

9. Children's Privacy

The Tenant Portal is intended for adults aged 18 and over. We do not knowingly collect personal data from children under 18 without parental consent. If you become aware that a child has provided us with personal data, please contact us immediately.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will notify you via email or through a prominent notice on the portal. The "Last Updated" date at the top of this page shows when the policy was last revised.

11. How to Complain

If you have concerns about how we handle your personal data, please contact us first. We will investigate and respond to your complaint promptly.

If you are not satisfied with our response, you have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)
Website: https://ico.org.uk/
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

12. Contact Us

For any questions about this Privacy Policy or to exercise your data protection rights, please contact us:

Data Protection Contact
[YOUR COMPANY NAME]
Email: privacy@yourcompany.com
Phone: [YOUR COMPANY PHONE]
Address: [YOUR COMPANY ADDRESS]
