Data Protection

1. About This Page

This Data Protection page is designed to help you understand:

• The legal framework governing our data processing
• The critical distinction between property data and personal data
• Your rights under UK GDPR and how to exercise them
• Our security measures and safeguards
• How to contact us with questions or complaints

This is a summary document intended to improve accessibility and transparency. Full legal details are provided in our Privacy Policy.

2. Our Legal Framework

Property Passport UK operates under the following legal and regulatory framework:

• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Information Commissioner's Office (ICO) guidance and oversight

We are registered with the ICO and maintain internal governance structures consistent with our obligations as a data controller.

The ICO is the UK's independent regulator for data protection and information rights. You may verify our registration or contact the ICO directly at ico.org.uk.

3. Data Controller

Property Passport UK Ltd is the data controller for the purposes of UK data protection law. This means we determine how and why your personal data is processed.

Data Protection Officer

You may contact our Data Protection Officer with any questions, requests, or concerns regarding how we handle your personal data.

4. Property Data vs Personal Data

This is the most important distinction to understand about Property Passport UK:

Personal Data

Personal data is information that relates to you as an identifiable individual:

• Your name and email address
• Your account credentials and access permissions
• Your role designation (owner, buyer, tenant, professional)
• Documents or content you upload to your account
• Audit logs of your access and activity

We process personal data only for the following purposes:

• Account management and authentication
• Access control and permissions
• Verification and security
• Communication with you about the service

5. Your Rights Under UK GDPR

Under UK data protection law, you have the following rights in relation to your personal data:

Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you. This is commonly known as a "Subject Access Request" (SAR). We will provide this information free of charge within one month of your request.

Right to Rectification (Article 16)

You have the right to request correction of inaccurate or incomplete personal data. We will rectify the data without undue delay.

Right to Erasure (Article 17)

Also known as the "right to be forgotten", you have the right to request deletion of your personal data in certain circumstances. This right is not absolute and may be limited by legal retention obligations or legitimate interests.

Right to Restrict Processing (Article 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to its processing.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

Right to Object (Article 21)

You have the right to object to processing of your personal data where we rely on legitimate interests as the lawful basis for processing.

These rights are not absolute and may be subject to legal limitations. We will explain any limitations that apply when responding to your request.

6. How to Exercise Your Rights

To exercise any of your data protection rights, please contact us:

What to Include

• Your full name and email address associated with your account
• The specific right you wish to exercise
• Details of your request (be as specific as possible)
• Proof of identity (if requested for verification purposes)

Our Response

We will:

• Acknowledge your request within 2 working days
• Verify your identity to protect your personal data
• Respond to your request within 30 days (one month)
• Explain any limitations or reasons if we cannot fully comply

7. Data Retention

We apply different retention rules to personal data and property data:

Personal Data

Personal data is retained only as long as necessary for the purposes for which it was collected:

• Account data: Retained while your account is active, plus 30 days after deletion request
• Audit logs: Retained for 7 years for legal and regulatory compliance
• Communications: Retained for the duration of the relationship plus legal retention periods

Property Data

This approach aligns with public interest record-keeping principles and ensures that authoritative property information remains accessible for legitimate purposes such as conveyancing, valuation, and property transactions.

8. Security Measures

We implement appropriate technical and organisational measures to protect your personal data:

Technical Safeguards

• Encryption at rest: All data is encrypted in our database
• Encryption in transit: All communications use TLS/SSL
• Row-Level Security (RLS): Database-level access control enforced for every query
• Audit trails: All access and modifications are logged
• Authentication: Secure password hashing and session management

Organisational Safeguards

• Principle of least privilege: Staff access limited to what is necessary
• Role-based access control: Permissions based on legitimate need
• Security monitoring: Continuous monitoring for suspicious activity
• Incident response: Procedures for detecting and responding to breaches

For more detailed information about our security posture, please visit our Security page.

9. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for new processing activities that involve personal data, particularly where they present a high risk to individuals' rights and freedoms.

Our DPIA process includes:

• Systematic assessment of processing operations
• Identification of risks to individuals
• Evaluation of necessity and proportionality
• Implementation of measures to mitigate identified risks
• Documentation and review of findings

DPIA findings inform our system design, security measures, and operational procedures. This ensures that privacy and data protection are embedded in our platform from the outset (privacy by design).

10. International Transfers

Your personal data is stored and processed within the UK and European Economic Area (EEA):

• Our database infrastructure is hosted by Supabase in UK/EU data centers
• We do not transfer personal data to countries with inadequate data protection standards
• Any future international transfers will comply with UK GDPR requirements

Where transfers outside the UK/EEA become necessary, we will implement appropriate safeguards such as Standard Contractual Clauses (SCCs) or ensure the recipient country has been deemed adequate by the UK government.

11. Complaints

If you have concerns about how we handle your personal data, we encourage you to contact us first so we can address your concerns directly.

Contact Us First

Complain to the ICO

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office:

The ICO is the UK's independent regulator for data protection. They can investigate your complaint and take enforcement action if necessary.

12. Related Pages

For more information about how we protect and handle your data:

• Privacy Policy — Comprehensive details about data collection, use, and sharing
• Security — Technical security measures and infrastructure
• Cookies — How we use cookies and similar technologies
• Contact Us — Get in touch with questions or concerns