LetCompliance

Privacy policy

How LetCompliance processes landlord and tenant data under UK GDPR: what we collect, why, how long we keep it, and your rights.

Last updated:

Summary: We only collect what we need to run LetCompliance. We never sell your data. You can delete your account and all data at any time. We use bank-level encryption and are fully GDPR compliant.

01 Who We Are

LetCompliance ("we", "us", "our") is a software service operated by Erdem Volkan, trading as LetCompliance, a sole trader based in the United Kingdom. Our business address is available on request at letcomplianceuk@gmail.com. We are registered with the UK Information Commissioner's Office (ICO) as a data controller, registration number ZC175264. For the purposes of UK GDPR and the Data Protection Act 2018, we are the Data Controller of the personal information of our account holders (landlords, letting agents and property managers). Where you use LetCompliance to process personal information about your tenants or applicants, you are the Data Controller of that information and we act as your Data Processor, handling it only on your instructions to provide the Service.

02 What Data We Collect

  • Account information: your name, email address and password (stored as a hash; we never see your password).
  • Sign in with Google (optional): if you choose to sign in with Google, we receive your name, email address and profile photo from your Google account to create and sign you into LetCompliance. We never receive or store your Google password.
  • Profile information: your phone number (if you opt in to SMS reminders).
  • Property data: addresses, compliance certificate dates, financial figures you enter.
  • Documents: files you upload (Gas Safety certificates, EICRs, EPCs, etc.) stored encrypted in Supabase Storage.
  • Tax information (if you use our Making Tax Digital tools): your National Insurance number and the income and expense figures used to prepare quarterly updates and your year-end declaration.
  • Connection and device data (if you connect to HMRC): your IP address, a device identifier, browser type, screen size, time zone and similar technical details. HMRC’s anti-fraud rules require this to be collected and sent with each submission (see Section 6).
  • Billing information: processed entirely by Stripe. We store only your Stripe customer ID, not card numbers.
  • Usage data: pages visited, features used, browser type. Used only to improve the product.
  • Cookies: strictly necessary cookies for sign-in, security and payments, plus optional analytics and marketing cookies that stay off until you opt in (see our Cookie Policy).

03 How We Use Your Data

  • To provide the LetCompliance service, compliance tracking, reminders and document storage.
  • To send compliance reminders via email and/or SMS (only if you opt in).
  • To prepare and, on your instruction, submit Making Tax Digital updates and declarations to HMRC.
  • To process payments and manage your subscription, and to operate rent collection where you enable it, via Stripe.
  • To communicate with you about your account, updates and security.
  • To comply with legal obligations.
  • We never sell your personal data or use it to build cross-site advertising profiles. Any analytics or ad-measurement happens only through cookies you have opted into.

05 Data Sharing

We share data only with the following service providers and, where you choose to use those features, HMRC:

  • Supabase (database and file storage), hosted in the EU (Frankfurt region). Personal data transferred from the UK to the EEA is protected by the UK Government’s data adequacy regulations for the EEA.
  • Google (Sign-In), only if you choose “Sign in with Google” to authenticate. Google processes your sign-in under its own privacy policy (policies.google.com/privacy); we receive only your name, email address and profile photo. You can revoke access at any time in your Google Account settings.
  • Stripe (payment processing and, where enabled, rent collection), PCI-DSS Level 1 certified.
  • Resend (email delivery), used only to send compliance reminders you have requested.
  • Brevo (SMS delivery), used only to send the compliance reminders you opt in to.
  • Vercel (application hosting), edge network infrastructure.
  • HMRC (HM Revenue & Customs), only where you connect your account and submit Making Tax Digital information. We transmit your National Insurance number, the relevant income and expense figures, and the technical anti-fraud data HMRC mandates.

We do not share data with any other third parties without your explicit consent.

06 Making Tax Digital and HMRC

If you connect LetCompliance to HMRC for Making Tax Digital for Income Tax, we use HMRC’s official, secure OAuth connection. We never see or store your HMRC or Government Gateway sign-in details, only a secure access token that you can revoke at any time by disconnecting. HMRC’s anti-fraud rules ("fraud prevention headers") legally require us to collect and transmit technical information about your device and connection, such as your IP address, a device identifier, browser type and screen size, with each request. This is mandated by HMRC, is not optional, and is used solely for HMRC’s fraud prevention. You are responsible for the accuracy of the figures you choose to submit; we provide the tools to prepare and send them.

07 Rent Collection and Payments

Subscription billing and, where you enable it, Direct Debit rent collection are handled by Stripe. For rent collection we use Stripe Connect: your tenant authorises a Direct Debit, and rent is collected directly into your own connected Stripe account. We do not hold, control or have access to those funds. We store references such as payment and mandate identifiers needed to show the status of payments in your account, but we do not store full bank account details, which are handled by Stripe.

08 Data Retention

We retain your personal data for as long as your account is active. If you delete your account, all personal data, including property information, documents and compliance records, is permanently deleted within 30 days. Billing and tax records are retained for the period required by UK law (generally up to 7 years).

09 Your Rights Under UK GDPR

  • Right of access: request a copy of all data we hold about you.
  • Right to rectification: correct inaccurate data.
  • Right to erasure ("right to be forgotten"): delete your account and all associated data.
  • Right to restrict processing: limit how we use your data.
  • Right to data portability: receive your data in a machine-readable format.
  • Right to object: object to processing based on legitimate interests.
  • Right to withdraw consent: cancel SMS reminders at any time in Settings.

To exercise any of these rights, email letcomplianceuk@gmail.com. We will respond within 30 days. Where we act as Processor for tenant data, requests from your tenants should be directed to you as the Controller, and we will assist you in responding.

10 Security

We implement industry-standard security measures:

  • All data is encrypted at rest (AES-256) and in transit (TLS 1.3).
  • Authentication is handled by Supabase Auth — with secure password hashing for email sign-in, or via Google’s OAuth where you choose “Sign in with Google”.
  • Row Level Security (RLS) ensures no user can access another user's data.
  • HMRC access tokens are stored server-side only, restricted to backend access.
  • We conduct regular security reviews and apply updates promptly.

If a personal data breach occurs, we have procedures to detect, investigate and contain it. Where a breach is likely to result in a risk to your rights and freedoms, we will report it to the Information Commissioner’s Office (ICO) without undue delay — and within 72 hours of becoming aware, where required — and we will inform you without undue delay where the breach is likely to result in a high risk to you.

11 Cookies

Strictly necessary cookies (sign-in, security, payments) are always on. Analytics (Microsoft Clarity) and marketing (Google) cookies are optional, off by default, and only set if you opt in via our cookie banner; rejecting them is as easy as accepting. You can change your choice or delete cookies via your browser at any time. See our Cookie Policy at /cookies for the full list and detail.

12 International Data Transfers

We aim to keep your personal data within the UK and the European Economic Area (EEA). Our primary database and file storage (Supabase) are hosted in the EEA (Frankfurt), and transfers from the UK to the EEA are protected by the UK Government’s data adequacy regulations. Some of our service providers (for example Stripe, Google, Resend, Brevo and Vercel — see Section 5) may process limited personal data outside the UK and EEA, including in the United States. Where they do, we rely on a UK adequacy regulation (such as the UK Extension to the EU–US Data Privacy Framework) or on appropriate safeguards required by UK GDPR, such as the International Data Transfer Agreement (IDTA) or Standard Contractual Clauses. Making Tax Digital submissions are sent to HMRC’s systems in the UK.

13 Automated Decision-Making and Profiling

We do not make decisions that produce a legal or similarly significant effect on you based solely on automated processing. Some features use automation to assist you — for example our AI tools (which suggest, triage or summarise based on the information you enter) and tenant referencing (where a regulated UK credit reference agency carries out an automated affordability and credit assessment). These produce information and suggestions for you to review; the final decision — such as whether to let a property or accept a tenant — is always made by you, not by us. You can ask us about any automated processing, request human review, or object, by emailing letcomplianceuk@gmail.com.

14 Changes to This Policy

We will notify you by email if we make material changes to this privacy policy. The "Last updated" date at the top of this page will always reflect the most recent version.

15 Contact & Complaints

For any privacy questions, or to report a security or data concern, contact us at letcomplianceuk@gmail.com. If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.