How we handle your personal data.

This policy explains how we collect, use, store, share, and protect personal data when we:

• Let and manage residential property owned by us or owned by third-party landlords for whom we act.
• Carry out tenant referencing, identity verification, and credit checks on prospective tenants and guarantors.
• Administer ongoing tenancies, including rent collection, deposit handling, maintenance, and renewals.
• Engage and pay contractors, suppliers, and professional advisers.
• Communicate with landlords whose property we manage.

It applies to applicants, current and former tenants, guarantors, landlords we act for, contractors, suppliers, and anyone who contacts us in connection with our property management activities.

3.1 Prospective, current, and former tenants (and guarantors)

• Identity: full name, date of birth, photograph, copy of passport or driving licence, National Insurance number, signature.
• Contact: address history, telephone numbers, email addresses.
• Right to Rent: nationality, immigration status, documentary evidence required under the Immigration Act 2014.
• Financial: employment status, employer name, salary, bank account details, rent payment history, county court judgments, bankruptcy and insolvency records, credit score and credit history, affordability indicators.
• Tenancy: previous landlord references, character references, household composition, pets, vehicles, smoking status.
• Tenancy administration: rent ledger, deposit details, maintenance requests, correspondence, notices served, inventory and inspection reports.

3.2 Landlords for whom we act

• Identity and contact details, including next-of-kin or authorised representatives where relevant.
• Bank account details for rent remittance.
• HMRC unique taxpayer reference and Non-Resident Landlord Scheme details where applicable.
• Property ownership evidence, mortgage lender details, insurance, and service charge information.

3.3 Contractors, suppliers, and brokers

• Trading name, contact details, and bank account details.
• VAT registration number, public liability and employer's liability insurance details, trade accreditations.
• Invoices, quotes, and correspondence relating to work performed.

3.4 Anyone who contacts us

• Name, contact details, and the content of any correspondence or enquiry.

• Directly from you when you enquire, apply, sign a tenancy, or correspond with us.
• From your employer, previous landlord, or accountant when we take up references.
• From credit reference and fraud prevention agencies (see section 7).
• From letting agents or introducers who refer applicants to us.
• From public sources such as Companies House, the Land Registry, and electoral roll data accessed via reference providers.
• From contractors and suppliers who quote for or perform work at our properties.

We only process personal data where we have a lawful basis to do so under the UK GDPR and the Data Protection Act 2018. The pairs below summarise our main purposes and the lawful basis we rely on.

Pre-tenancy referencing and credit checking

Legitimate interests (assessing affordability and risk before granting a tenancy) and, where applicable, taking steps at your request to enter into a contract.

Identity and Right to Rent verification

Legal obligation (Immigration Act 2014; anti-money-laundering legislation where applicable).

Administering your tenancy

Performance of the tenancy contract; legitimate interests in running the property efficiently; legal obligations relating to deposits, gas safety, electrical safety, fire safety, EPC, and HMO licensing.

Collecting rent and managing arrears

Performance of the tenancy contract; legitimate interests in recovering sums due; establishing, exercising, or defending legal claims.

Maintenance, repairs, and inspections

Performance of the tenancy contract; legal obligation under the Landlord and Tenant Act 1985 and related housing legislation.

Engaging contractors, suppliers, and professional advisers

Performance of a contract with the supplier; legitimate interests in running the business; legal obligations under HMRC reporting requirements.

Acting on behalf of landlords whose property we manage

Performance of our management agreement with the landlord; legitimate interests; legal obligations including the Non-Resident Landlord Scheme.

Fraud prevention and dispute resolution

Legitimate interests; establishing, exercising, or defending legal claims.

Responding to enquiries and correspondence

Legitimate interests in handling communications addressed to us.

We do not routinely collect special category data. We may occasionally receive information about health (for example, to arrange reasonable adjustments to a property or to assess vulnerability in an arrears situation) or about criminal convictions (for example, where a guarantor or applicant discloses one). Where we process this data we rely on Article 9(2)(f) of the UK GDPR (establishment, exercise, or defence of legal claims) or your explicit consent, and we hold it only for as long as strictly necessary.

Before granting a tenancy or accepting a guarantor we may carry out checks with credit reference agencies and tenant referencing providers (together, "reference agencies"). The agency or agencies we use may change from time to time. We will tell you who the agency is on request, and the agency's own privacy notice will explain the rights you have in respect of the data they hold.

When you apply for a tenancy or act as a guarantor, we share the personal data necessary to perform the check, typically your name, date of birth, current and previous addresses, and, where relevant, financial information you have provided to us. The agency will return information that may include:

• Confirmation of your identity and address history.
• Public record information such as county court judgments, bankruptcy orders, and individual voluntary arrangements.
• Credit account and payment history available to the agency.
• Affordability indicators and risk scores.
• Fraud prevention indicators where any have been recorded against you.

The agency may record the search on your credit file. Soft searches carried out for tenant referencing do not affect your credit score and are not visible to other lenders. Hard searches, where used, may be visible to other lenders for a limited period. We will tell you the type of search being carried out before we run it.

Reference agencies act as independent controllers for the data held on their own systems. If a check returns information that materially affects our decision, we will tell you and explain how to contact the agency to view the underlying data and exercise your rights with them directly.

We share personal data only where it is necessary and lawful to do so. Recipients include:

• Credit reference and fraud prevention agencies and tenant referencing providers, as described in section 7.
• Landlords on whose behalf we manage property, where the data relates to their property or tenancy.
• Government-approved tenancy deposit protection schemes.
• Contractors and tradespeople carrying out maintenance, repairs, inspections, and safety certifications at the property.
• Utility providers, council tax departments, and water companies, to enable supply transfer at the start and end of a tenancy.
• Solicitors, barristers, debt collection agencies, and the courts, where we need to enforce a tenancy or defend a claim.
• Accountants, auditors, HMRC, and other professional advisers in the ordinary course of running our business.
• Insurance brokers and insurers in connection with buildings, contents, rent guarantee, or legal expenses cover.
• IT and software providers who host or support the systems we use, acting as our processors under written contract.
• Banks and payment service providers who process rent, deposits, and supplier payments.
• Law enforcement, regulators, and other public authorities where we are legally required to disclose information.

We do not sell personal data and we do not share it for third-party marketing.

Our operations are based in the United Kingdom. Most personal data is stored within the UK or the European Economic Area. Where a processor stores data outside these regions (for example, certain cloud-hosting providers), we ensure an appropriate safeguard is in place, such as the UK International Data Transfer Agreement, the EU Standard Contractual Clauses with the UK addendum, or a UK adequacy regulation.

• Unsuccessful tenancy applications: up to 12 months from the date of the application, then deleted.
• Tenancy records (including referencing and credit-check outputs): for the duration of the tenancy and for 7 years after the tenancy ends, in line with our tax and limitation-period obligations.
• Right to Rent documentation: for the duration of the tenancy and for a minimum of 12 months after it ends, in line with Home Office guidance.
• Deposit records: for the duration of the protection and for 7 years after the deposit is returned.
• Landlord, contractor, and supplier records: for the duration of the relationship and for 7 years after it ends.
• Correspondence with general enquirers: up to 24 months from the last contact.

We may keep data for longer where we are legally required to do so or where it is needed to establish, exercise, or defend a legal claim.

We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse. These include:

• Up-to-date antivirus and endpoint protection (Norton) on all company devices, including host-based intrusion detection.
• Unique user accounts with strong passwords (minimum 14 characters, combining upper case, lower case, numbers, and special characters) and no shared logins.
• Multi-factor authentication on email and on cloud business systems.
• Windows Defender enabled and automatic security updates applied to all devices.
• Restrictions on the use of removable storage such as USB drives.
• Encrypted email and file transfer when sending sensitive data externally (256-bit or stronger).
• Written processor agreements with the IT, accounting, and software providers we rely on.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours and, where required, inform you directly.

Under UK data protection law you have the right to:

• Be informed about how we use your personal data (this policy).
• Request access to the personal data we hold about you ("subject access request").
• Have inaccurate personal data corrected.
• Request erasure of your personal data where one of the statutory grounds applies.
• Restrict our processing of your personal data in certain circumstances.
• Object to processing carried out on the basis of our legitimate interests.
• Receive a copy of personal data you have provided to us in a portable format where the processing is based on consent or contract and is carried out by automated means.
• Withdraw consent at any time, where consent is the lawful basis we rely on. This does not affect the lawfulness of processing carried out before withdrawal.

We do not use automated decision-making that produces legal or similarly significant effects. Tenancy decisions are always reviewed by a person, even where credit reference data has informed the assessment.

To exercise any of these rights, contact us using the details in section 14. We will respond within one month. We may ask you to verify your identity before we release information.

If you have a concern about how we use your personal data, please contact us first so we can try to put it right. You also have the right to complain to the Information Commissioner's Office:

For any question about this policy or about personal data we hold:

We review this policy at least once a year and whenever there is a material change to how we use personal data. The version number and effective date at the top of the document show the most recent revision. If we make a significant change, we will tell affected individuals directly where we hold contact details for them.