1. About this policy
This Privacy Policy explains how we collect, use, store and protect the personal data of visitors to housecomply.co.uk and users of the HouseComply application at app.housecomply.co.uk (together, "the Service").
We handle personal data in line with our obligations under the UK General Data Protection Regulation (UK GDPR), as amended by the Data (Use and Access) Act 2025, and the Data Protection Act 2018.
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at privacy@housecomply.co.uk.
2. Who we are
HouseComply is operated by:
CCP Project Enablement Ltd (trading as HouseComply)
Company number: 17004871 (registered in England and Wales)
VAT number: GB 513 9486 74
Registered office: Las-Fach, New Mill, Caerfyrddin, SA33 4HY, United Kingdom
ICO registration number: ZC150386
Contact for data protection matters: privacy@housecomply.co.uk
We are registered with the Information Commissioner's Office as a data controller under registration number ZC150386.
3. Our two roles: controller and processor
HouseComply handles personal data in two distinct roles, and it matters which one applies to a given piece of data:
- We are the data controller for your account relationship — the information about you as our customer (your account, contact, billing, subscription, usage and security data). We decide why and how that data is used, so we are responsible for it and rely on our own lawful basis for each use (see section 5).
- We are a data processor for the inspection data you enter about properties, landlords, tenants and occupants. In that role you (the letting agent or property manager) are the controller. We process that data only on your documented instructions, under a separate Data Processing Agreement, to provide the Service to you.
In plain terms: the data about you as our customer is ours to look after as controller; the data about the tenants and properties you inspect remains yours, and we handle it for you as your processor.
4. The personal data we collect
We collect and process the following categories of personal data:
4.1 Information you give us directly (we are controller)
- Account data: name, business name, email address, telephone number, password (stored as a one-way hash)
- Billing data: billing address, VAT number (if applicable), Stripe customer reference
- Subscription data: plan tier, number of properties on your plan, billing history
- Communications: emails you send to us, support requests, feedback you provide
4.2 Information we collect automatically (we are controller)
- Technical data: IP address, browser type and version, time zone, operating system, device identifiers
- Usage data: pages visited, features used, time spent in the application, error logs
- Cookies: see our Cookie Policy for details
4.3 Information about properties, landlords, tenants and occupants (you are controller; we are processor)
When you use the Service to record inspections and produce audit packs, you enter data about properties, landlords, tenants and occupants. This may include names, addresses, contact details, photographs taken on site, signatures, and the hazard and condition observations recorded during an inspection.
Some of this information can include details about a person's health, disability or vulnerability — for example, where a hazard observation notes that an occupant is elderly, has a health condition, or is otherwise vulnerable to a housing hazard. Information of this kind is treated as a special category of personal data, which carries extra protection. How we handle it is explained in section 5.
You are the controller for the data in this section. We process it on your behalf as your processor, only to provide the Service to you, in accordance with our Data Processing Agreement. You are responsible for ensuring you have a lawful basis (and, for special category data, a valid condition) under data protection law to enter that data, and for telling the people the data is about (landlords, tenants and occupants) how their information is used.
5. Special category data (health and vulnerability information)
Some of the data handled through the Service is "special category" data — most often information about a person's health, disability or vulnerability captured in hazard and housing-condition records, and information that may appear in support conversations. The law requires an additional condition for handling data of this kind, on top of the ordinary lawful basis.
5.1 In inspection records (we are processor)
Where special category data appears in the inspection data you enter, you are the controller and you are responsible for holding a valid condition for it under the UK GDPR and the Data Protection Act 2018 (for example, a "substantial public interest" condition relating to housing standards and safeguarding). You should satisfy yourself which condition applies to your use. We handle that data only on your documented instructions under the Data Processing Agreement, and never outside them.
5.2 In support conversations (we are controller)
If you contact our in-product support, a record of that conversation may occasionally include health or vulnerability information. Where we are the controller for that record, we rely on our own condition for handling special category data and maintain an internal policy document governing it, as the law requires. We apply strict limits to this data: we do not store payment card numbers, security codes, account credentials or multi-factor authentication codes, and support records are kept only as described in section 8.
6. How we use your personal data, and our lawful basis
Where we are the controller (your account, billing, usage and security data), we use personal data for the purposes below, on the lawful bases shown. Where we are a processor (inspection data), we act on your instructions under the Data Processing Agreement rather than on our own lawful basis.
| Purpose | Categories of data | Lawful basis |
|---|---|---|
| Provide the Service, manage your account, and deliver audit packs to you | Account data, subscription data, technical data | Performance of our contract with you (Art 6(1)(b)) |
| Take payment, and keep billing and tax records | Billing data | Performance of contract (Art 6(1)(b)); Legal obligation for statutory accounting retention (Art 6(1)(c)) |
| Respond to support requests | Account data, communications | Performance of contract (Art 6(1)(b)); Legitimate interests (Art 6(1)(f)) |
| Send transactional emails (billing, security, service updates) | Account data, billing data | Performance of contract (Art 6(1)(b)) |
| Keep the Service secure and prevent fraud and abuse | Technical data, usage data | Legitimate interests (Art 6(1)(f)) — supported by a documented assessment |
| Understand how the Service is used and improve it | Usage data, technical data | Legitimate interests (Art 6(1)(f)) — kept non-intrusive, with no profiling that has a significant effect on you |
| Send marketing emails about our products and services | Account data | Legitimate interests (Art 6(1)(f)) for existing business contacts under the PECR "soft opt-in"; Consent (Art 6(1)(a)) for others. You can opt out at any time. |
| Meet our legal and regulatory obligations | All categories, as required | Legal obligation (Art 6(1)(c)) |
6.1 Anti-abuse processing
When you sign up for HouseComply, we process technical signals about your signup (IP address, browser fingerprint, signup timing, business identity, email domain) to detect and prevent automated abuse, fraud, and coordinated attempts to game our signup and subscription processes. We process this data under UK GDPR Article 6(1)(f) — our legitimate interest in running a fair signup system. We read the small amount of information needed from your device to build the signup fingerprint because it is strictly necessary to provide the security and fraud protection you are asking for when you use the Service (the "strictly necessary" basis under regulation 6 of the Privacy and Electronic Communications Regulations) — it is not used for advertising or tracking. We retain this data for 12 months for audit purposes, then delete it.
The detection signals target signup conduct (bot behaviour, payment fraud, coordinated grabs), not customer identity. Our anti-abuse measures do not collect or use protected characteristics under the Equality Act 2010. Where a signup is paused or refused under these measures, you will be notified by email with the reason and offered a Support reconsideration path.
7. Who we share your personal data with
We share personal data with the following categories of recipients:
7.1 Service providers and sub-processors
We use carefully selected third-party providers to operate the Service. Each is bound by a data processing agreement that requires them to process personal data only on our instructions and to maintain appropriate technical and organisational measures.
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe Payments UK Ltd / Stripe, Inc. | Payment processing, subscription billing, tax calculation | UK / Ireland / US | Stripe DPA incorporating the UK IDTA; see stripe.com/dpa |
| Supabase, Inc. | Application database and authentication, holding your account and login data (the app/auth/account layer) | European Union | Processed within the EEA under the UK's adequacy regulations; Data Processing Agreement available on request |
| Vercel, Inc. | Web application hosting and content delivery | United States (global edge network) | Data Processing Agreement; UK IDTA / UK Addendum for US transfers |
| Cloudinary Ltd | Photo, video and document hosting and transformation (authenticated assets) | United States | Data Processing Agreement; UK IDTA / UK Addendum for US transfers |
| Resend, Inc. | Transactional and escalation email delivery | United States | Data Processing Agreement; UK IDTA / UK Addendum for US transfers |
| Airtable, Inc. | Operational system of record, holding the inspection data — property, landlord, tenant/occupant, inspector and inspection records, and Support Issues records | United States | Data Processing Agreement; UK IDTA / UK Addendum for US transfers |
| Make (Celonis SE / operated by Make.com) | Workflow automation and webhooks connecting parts of the Service | EU / US | Data Processing Agreement; UK Addendum / IDTA where data is transferred outside the UK |
| Anthropic, PBC | Powers the in-product support helper; processes the text of a support conversation to generate a reply | United States | Data Processing Agreement; zero-retention / no-training handling for this use; UK IDTA / UK Addendum for US transfers |
| Upstash, Inc. | Anti-abuse signal storage and rate limiting | United Kingdom (London region) | Data Processing Agreement; UK GDPR Article 28 compliance |
A current list of our sub-processors is available at housecomply.co.uk/sub-processors. We will update this list and give customers advance notice of any material change.
Payment processing. When you subscribe to a paid plan, your name, billing address, email, and payment method details are processed by Stripe Payments UK Ltd, our payment processor. Stripe handles all card data on its own PCI DSS Service Provider Level 1 infrastructure — we never see your card number. Stripe's privacy notice is at stripe.com/privacy and its data processing agreement at stripe.com/dpa. When required by law, we may share transaction information with HMRC for VAT reporting purposes.
7.2 Other recipients
- Professional advisors: our solicitors, accountants and insurers, where reasonably necessary and under duties of confidentiality
- Law enforcement, regulators or other authorities: where we are required to disclose by law, court order, or to protect our legal rights
- Acquirers: in the event of a sale, merger, restructuring or acquisition of our business, in which case personal data may be transferred to the acquirer subject to the same protections set out in this policy
We do not sell your personal data to third parties.
8. International transfers of personal data
Some of our sub-processors are located outside the United Kingdom, primarily in the United States and the European Economic Area (EEA). Where personal data is transferred outside the UK, we put appropriate safeguards in place, including:
- For transfers to the EEA: reliance on the UK's adequacy regulations recognising the EEA
- For transfers to the United States: the UK Extension to the EU–US Data Privacy Framework where the recipient is certified, or the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK Addendum, supported by a transfer risk assessment
- For transfers elsewhere: the UK IDTA or equivalent contractual safeguards
You can request a copy of the safeguards in place by contacting us at privacy@housecomply.co.uk.
9. How long we keep your personal data
We keep personal data only for as long as we need it for the purposes it was collected for, including to meet legal, accounting or reporting requirements.
| Data category | Retention period |
|---|---|
| Account data (active accounts) | For the duration of your subscription, plus a short closure period (up to 12 months), after which it is deleted or pseudonymised |
| Payment and billing records | At least 6 years after the end of the relevant tax year — see paragraph below |
| Support Issues records (in-product support conversations) | 12 months after the issue is resolved, after which the record is irreversibly pseudonymised |
| General email correspondence | 3 years from the date of last contact |
| Anti-abuse signals (see section 6.1) | 12 months, then deleted |
| Inspection data you enter (we are processor) | Kept during your subscription on your instructions as controller; on termination, returned or deleted in line with the Data Processing Agreement and your instructions, subject to any legal hold |
| Marketing data | Until you unsubscribe or object |
| Technical and usage logs | 13 months |
Payment and billing data. We retain payment and billing records (invoice line items, customer billing address, payment-method token references — but not card numbers, which we never receive) for at least 6 years after the end of the relevant tax year, to comply with HMRC record-keeping rules under the Value Added Tax Regulations 1995 reg.31 and the Companies Act 2006. Underlying transaction-level card processing data is retained by Stripe under its own retention policy.
Inspection data. Because you are the controller for the inspection data you enter, we do not set its retention period on our own. We keep it while you need it during your subscription and, when your subscription ends, return or delete it in line with the Data Processing Agreement and your instructions.
10. Your rights
You have the following rights in respect of your personal data that we hold as controller:
- Right of access — to obtain a copy of the personal data we hold about you
- Right to rectification — to have inaccurate or incomplete personal data corrected
- Right to erasure — to have your personal data deleted in certain circumstances
- Right to restriction of processing — to limit how we use your personal data
- Right to data portability — to receive your personal data in a structured, commonly used, machine-readable format
- Right to object — to object to processing based on legitimate interests, including direct marketing
- Right to withdraw consent — where we rely on consent, you can withdraw it at any time
To exercise any of these rights, contact us at privacy@housecomply.co.uk. We will respond within the time the law allows (usually one month), and there is normally no charge. If your request relates to inspection data where we act as a processor, we will help the relevant controller (the letting agent) respond, and may direct your request to them.
11. Automated decision-making
HouseComply's checks produce information to help a person decide — they flag points for the letting agent or inspector to review and act on. The Service does not make decisions about tenants or occupants by automated means alone, and it does not produce legal or similarly significant effects on anyone by automated means. A person always reviews and decides. Because of this, the rules on solely-automated decision-making do not apply to how the Service currently works. If that ever changes, we will update this policy and put the required safeguards in place first.
12. If you are a tenant, occupant or landlord
If your information appears in an inspection because a letting agent or property manager uses HouseComply, then that agent or manager is the controller of your data, not us. We act as their processor. The best first point of contact for questions, access requests or concerns about that data is the letting agent or property manager who carried out the inspection — they can tell you how and why your data is used, as they are required to do.
We received your data from that customer (the letting agent or property manager); we did not collect it from you directly. If you are not sure who to contact, or you have contacted them and need our help as the processor, you can reach us at privacy@housecomply.co.uk and we will assist or point you to the right controller.
13. Cookies and similar technologies
Our website uses cookies and similar technologies. For details of which cookies we use, why, and how to control them, please see our Cookie Policy.
14. Marketing communications
We may send you marketing emails about our products and services where we have a lawful basis to do so. You can unsubscribe at any time by clicking the unsubscribe link in any marketing email we send, or by emailing us at privacy@housecomply.co.uk.
15. Security
We use appropriate technical and organisational measures designed to protect your personal data against unauthorised access, accidental loss, disclosure or destruction. These include encryption in transit (TLS), encryption at rest, access controls, regular security reviews and staff training.
No method of transmission over the internet or method of electronic storage is completely secure, however, and we cannot ensure absolute security.
16. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through the Service.
17. How to contact us, and how to complain
For any questions, requests, or concerns about how we handle your personal data, contact us at:
Las-Fach, New Mill, Caerfyrddin, SA33 4HY, United Kingdom
Email: privacy@housecomply.co.uk
17.1 Complaining to us directly
You have the right to complain to us directly about how we handle your personal data, and we want to make that easy. If you are unhappy, email us at privacy@housecomply.co.uk with "Data protection complaint" in the subject line. Under the Data (Use and Access) Act 2025, which strengthens this right from 19 June 2026, we will acknowledge your complaint within 30 days and respond to it without undue delay, keeping you informed of the outcome.
17.2 Complaining to the regulator
You also have the right to complain to the Information Commissioner's Office (ICO), the UK's data protection regulator, if you believe we have not handled your personal data in accordance with the law. You do not have to contact us first, although we would welcome the chance to put things right.
The ICO is being reconstituted as the Information Commission under the Data (Use and Access) Act 2025; until that change takes effect, the Information Commissioner's Office remains the UK's data protection regulator and the contact details below apply.
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk/make-a-complaint
Version history
| Version | Date | Change |
|---|---|---|
| v1.0 | 17 May 2026 | Initial publication of Privacy Policy under UK GDPR Articles 13/14. |
| v1.1 | 18 May 2026 | Stripe sub-processor row updated to Karen-verbatim text; Stripe payment paragraph added; billing/tax retention line replaced with Karen-verbatim text. |
| v1.2 | 18 May 2026 | New §4.1 Anti-abuse processing added (Art 6(1)(f), 12-month retention, protected-characteristic exclusion, reconsideration path). |
| v1.3 | 18 May 2026 | §4.1 parenthetical extended to include "email domain"; version history table added. |
| v1.4 | 19 May 2026 | §4.1 genericised — Founding 100 references removed following retirement of the mechanic. |
| v1.5 | 22 May 2026 | Sub-processors table extended with Upstash, Inc. row (Karen Stream 1b joint ratification). |
| v1.6 | 31 May 2026 | BL-010 lawful-basis rebuild: law citation updated to UK GDPR as amended by the Data (Use and Access) Act 2025; new section 3 (controller vs processor roles); new section 5 (special category / health & vulnerability data, Art 9); lawful-basis table aligned to BL-010 §2; Make and Anthropic added as sub-processors; retention table extended with Support Issues 12-month pseudonymisation and inspection-data DPA/instruction wording; new section 11 (automated decision-making); new section 12 (tenants/occupants/landlords and their controller); section 17 split into a direct-to-us complaint right (DUA Act 2025, from 19 June 2026) and the ICO complaint right. |
| v1.6 rev | 31 May 2026 | Counsel conditional-ratification fixes: R1 — §7 data stores reconciled (Supabase EU = account/auth; Airtable US = inspection system-of-record); R5 — §5.1 special-category framing softened so HouseComply (processor) does not appear to determine the customer's condition; R6 — §6.1 device-fingerprint basis adds the PECR reg 6 "strictly necessary / security" ground alongside Art 6(1)(f); ICO controller registration number ZC150386 inserted (§2); R2 — DUA complaint wording locked and ICO→Information Commission transition note added (§17.2). |