Legal · last updated 20 June 2026

Privacy Policy

Lettable Ltd (“Lettable”, “we”, “us”) is committed to protecting your personal data. This policy explains what data we collect, how we use it, who we share it with, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data controller

For the purposes of UK data protection law, the data controller responsible for your personal data is:

Lettable Ltd
Registered in England and Wales
Email: privacy@lettable.co

If you have any questions about this policy or how we handle your personal data, please contact us at the email address above.

2. Personal data we collect

We collect and process the following categories of personal data:

  • Account data — your full name, email address, and a hashed password when you register. If you sign in via Google OAuth, we receive your name and email address from Google. We also store your role within your organisation (owner, admin, or member).
  • Organisation data — your organisation name and type (landlord or managing agent).
  • Property data — addresses (line 1, line 2, town, postcode, ward), property types, bedroom counts, council areas, EPC ratings and expiry dates, and built year. Property addresses may constitute personal data where linked to a named individual.
  • Tenancy data — tenancy start and end dates, tenancy type, monthly rent amounts, deposit amounts and protection scheme details (scheme name, reference number, protection date).
  • Occupier data — tenant and occupier names, right-to-rent check status and expiry dates.
  • Certificate data — uploaded certificate PDFs (Gas Safety, EICR, EPC, HMO licences, fire risk assessments, smoke/CO alarm tests, PAT testing, deposit protection certificates), along with extracted metadata including issue dates, expiry dates, issuer names, registration numbers, and AI-parsed content.
  • Generated document data — documents generated through the Platform (notices, prescribed information, applications), including the parameters used to generate them.
  • Billing data — payment card details are processed directly by Stripe and are never stored on our servers. We retain only a tokenised payment reference, your billing email address, and subscription plan details.
  • Usage and technical data — pages visited, features used, timestamps, browser type, device type, IP address, and error logs. This data helps us maintain, secure, and improve the Platform.
  • Communications — emails and messages you send to us, support requests, and feedback.

3. How we collect your data

We collect personal data through the following means:

  • Account registration — when you sign up by email or via Google OAuth.
  • Onboarding — when you enter your organisation details, add properties, and configure tenancies during the onboarding flow.
  • Platform use — when you add properties, record tenancy details, add occupiers, or update compliance records.
  • Certificate uploads — when you upload PDF certificates for AI-powered parsing and compliance tracking.
  • Document generation — when you generate statutory documents using the Platform.
  • AI assistant — when you ask questions of the compliance assistant. Your queries and the property context provided with them are processed to generate responses.
  • Billing — when you enter payment details during subscription checkout (processed by Stripe).
  • Automated collection — server logs, error monitoring (Sentry), and analytics (PostHog) collect technical data automatically when you use the Platform.

4. Legal basis for processing

We process your personal data on the following legal bases under Article 6(1) of UK GDPR:

  • Performance of a contract (Article 6(1)(b)) — processing necessary to provide the Platform services you have subscribed to, including operating your compliance workspace, tracking deadlines, generating documents, processing certificate uploads, and managing your account and billing.
  • Legitimate interests (Article 6(1)(f)) — processing necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include: sending compliance deadline reminder emails; detecting and preventing fraud and abuse; analysing anonymised and aggregated usage patterns to improve the Platform; ensuring the security and stability of our systems; and enforcing our Terms and Conditions.
  • Legal obligation (Article 6(1)(c)) — processing necessary to comply with a legal obligation to which we are subject, including retention of billing records as required by HMRC, and responding to lawful requests from public authorities.
  • Consent (Article 6(1)(a)) — where we rely on your consent (for example, for optional marketing communications), you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

5. How we use your data

We use your personal data for the following purposes:

  • Compliance tracking — mapping statutory obligations to your properties, calculating deadline dates, computing compliance scores, and displaying your compliance status.
  • Deadline reminders — sending automated email notifications when certificates, licences, or other compliance deadlines are approaching or overdue.
  • Document generation — populating statutory document templates with your property, tenancy, and organisation data.
  • Certificate parsing — processing uploaded PDF certificates through our AI parser to extract structured data (dates, issuers, reference numbers).
  • AI compliance assistant — providing contextual answers to your compliance questions using your property data as context.
  • Account management — managing your subscription, processing payments, and communicating with you about your account.
  • Platform improvement — analysing anonymised usage patterns to develop and improve features.
  • Security — detecting, preventing, and responding to security incidents, fraud, and abuse.

We do not sell your personal data to third parties. We do not use your personal data for profiling or automated decision-making that produces legal effects concerning you.

6. Third-party processors

We share personal data with the following third-party sub-processors, each of which operates under a data processing agreement with us:

  • Supabase Inc. — database hosting, authentication, and file storage. Our database is hosted in the EU West (London) region. Supabase processes your account data, property data, tenancy data, occupier data, certificate data, and uploaded files.
  • Vercel Inc. — application hosting and edge network. Vercel serves the Platform globally via its CDN. Server-side rendering occurs in the region closest to the user. Vercel processes technical data (IP addresses, request logs).
  • Stripe Inc. — payment processing. Stripe is PCI-DSS Level 1 certified and processes your payment card details directly. We do not have access to your full card number. Stripe may process data in the United States under Standard Contractual Clauses.
  • Resend Inc. — transactional email delivery. Resend processes your email address and the content of deadline reminder emails, account notifications, and other transactional communications.
  • Anthropic PBC — AI model provider for the compliance assistant and certificate parser. When you use the AI assistant, upload a certificate for parsing, or generate a document, relevant property data and/or document text is sent to Anthropic's API for processing. Anthropic is based in the United States. Under our enterprise API agreement, Anthropic does not use your inputs or outputs to train its models and does not retain prompts or responses beyond the API request lifetime (typically 30 days for trust and safety purposes). This transfer is covered by an adequate safeguards mechanism (see Section 8).
  • Sentry (Functional Software Inc.) — error monitoring and performance tracking. Sentry may receive technical data including stack traces, request metadata, and anonymised user identifiers when errors occur.
  • PostHog Inc. — product analytics. PostHog processes anonymised and aggregated usage events. We do not send personal identifiers to PostHog.

All sub-processors are required to apply appropriate technical and organisational security measures and to process personal data only on our documented instructions.

7. Data retention

We retain your personal data for the following periods:

  • Account and property data — retained for the duration of your active account. If you close your account, personal data is deleted within 90 days, except where a longer retention period is required by law.
  • Uploaded certificates and generated documents — retained in Supabase Storage for the duration of your active account and deleted within 90 days of account closure. You may delete individual certificates and documents at any time from within the Platform.
  • Billing records — retained for six years from the date of the relevant transaction, as required by HMRC for tax and accounting purposes.
  • Audit logs — retained for two years from the date of the logged action, for security, debugging, and regulatory compliance purposes.
  • Server and error logs — retained for up to 90 days and then automatically purged.
  • AI assistant conversations — not stored by Lettable beyond the current browser session. Anthropic may retain API request data for up to 30 days for trust and safety monitoring under their data processing terms.

8. International data transfers

Your personal data is primarily stored in the EU West (London) region via Supabase. However, some of our sub-processors are based in the United States, and personal data may be transferred to, stored in, or processed in the United States as a result.

Where personal data is transferred outside the United Kingdom, we ensure that appropriate safeguards are in place in accordance with Article 46 of UK GDPR. These safeguards include:

  • UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses with the UK Addendum — incorporated into our data processing agreements with US-based sub-processors including Anthropic, Stripe, Vercel, and Sentry.
  • Supplementary measures — including encryption in transit (TLS 1.2+), encryption at rest, access controls, and contractual commitments not to disclose data to government authorities except as required by law.

You may request a copy of the relevant safeguards by contacting us at privacy@lettable.co.

9. Cookies

Lettable uses the following types of cookies:

  • Strictly necessary cookies — required to maintain your authenticated session, remember your login state, and protect against cross-site request forgery (CSRF). These cookies cannot be disabled as the Platform will not function without them. No consent is required for strictly necessary cookies under the Privacy and Electronic Communications Regulations 2003 (PECR).
  • Functional cookies — used to remember your preferences (such as selected tab state or last-viewed property). These are first-party cookies that do not track you across other websites.
  • Analytics cookies — we may use a first-party analytics cookie (via PostHog) to collect anonymised, aggregated data about how the Platform is used. This data does not identify individual users and is used solely to improve the service.

We do not use third-party advertising cookies, social media tracking pixels, or cross-site tracking technologies.

10. Your rights under UK GDPR

Under the UK General Data Protection Regulation, you have the following rights in relation to your personal data:

  • Right of access (Article 15) — the right to request a copy of the personal data we hold about you, together with information about how and why it is processed.
  • Right to rectification (Article 16) — the right to request that inaccurate or incomplete personal data be corrected. You can update most data directly within the Platform.
  • Right to erasure (Article 17) — the right to request deletion of your personal data where processing is no longer necessary, where you withdraw consent, or where you object to processing and there are no overriding legitimate grounds. This right does not apply where we are required by law to retain the data.
  • Right to restriction of processing (Article 18) — the right to request that we restrict processing of your personal data while a complaint or accuracy dispute is being resolved.
  • Right to data portability (Article 20) — the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format (such as CSV or JSON), and to transmit that data to another controller.
  • Right to object (Article 21) — the right to object to processing of your personal data based on our legitimate interests. Where you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Rights related to automated decision-making (Article 22) — you have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you. Lettable does not make such decisions.

How to exercise your rights. To exercise any of the above rights, please email privacy@lettable.co with the subject line “Data Rights Request”. We will verify your identity and respond within 30 days. In complex cases, we may extend this period by a further 60 days, in which case we will inform you of the extension and the reasons for it within the initial 30-day period.

These rights are provided free of charge. We may charge a reasonable fee for manifestly unfounded or excessive requests, or refuse to act on such requests, in accordance with Article 12(5) of UK GDPR.

11. ICO registration and complaints

Lettable Ltd is registered with the Information Commissioner's Office (ICO) as a data controller. Our registration details can be verified on the ICO's public register at ico.org.uk.

If you are not satisfied with how we have handled a data protection matter, you have the right to lodge a complaint with the ICO:

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk/make-a-complaint

We encourage you to contact us first at privacy@lettable.co so that we have the opportunity to address your concern directly.

12. Children

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe that a child has provided personal data to us, please contact us and we will delete it promptly.

13. Changes to this policy

We may update this policy from time to time to reflect changes in our data processing practices, legal requirements, or the services we offer. Material changes will be notified by email to account holders at least 14 days before they take effect. The “last updated” date at the top of this page will be revised accordingly. Continued use of the Platform after the effective date constitutes acceptance of the revised policy.

14. Contact us

For all data protection enquiries and rights requests:
Lettable Ltd
Registered in England and Wales
Email: privacy@lettable.co

For general platform support:
hello@lettable.co