Skip to content
House It
Skip to legal content

UK GDPR notice

Effective date:

This notice covers the rights you have under UK GDPR and the practical steps to exercise them with House It. For the detail of what data we hold and why, see the privacy policy; for cookies and similar storage, see the cookie policy.

Overview

UK GDPR and the Data Protection Act 2018 give you a set of rights over your personal data. This notice explains each right in plain English, the channel for making a request, the steps we take to confirm identity, how long we take to respond, and the limited cases where we may refuse or partially fulfil a request. The privacy policy covers the categories of data we hold and the lawful bases for processing them.

Who this notice covers

This notice applies to three audiences. Marketing-site visitors and customers (the letting business that signs up) interact with House It as a controller, so requests are handled directly by House It. Tenants and landlords whose data flows through a customer’s workspace interact with House It as a processor, and the letting agent is the controller — so requests are routed to the agent (see Tenant and landlord requests).

The controller / processor split is set out in the privacy policy.

Your rights under UK GDPR

The eight UK GDPR rights and what they mean in practice:

  • Right to be informed — You have the right to clear information about how your personal data is collected and used. Our privacy policy is the primary surface for this right; this notice covers the rights-mechanics layer on top.
  • Right of access — You can ask for confirmation that we process your personal data and for a copy of it, usually free of charge. We provide the copy in a common structured format.
  • Right to rectification— You can ask us to correct inaccurate personal data and complete data that is incomplete. Where possible, we make corrections directly in the workspace; for tenant or landlord records inside a letting agent’s workspace the request is forwarded to the agent.
  • Right to erasure— Also called the "right to be forgotten". You can ask us to delete your personal data in defined circumstances, for example where it is no longer necessary for the purpose it was collected. The right does not always apply — for example we keep billing records for the period required by HMRC.
  • Right to restriction — You can ask us to limit how your personal data is processed in defined circumstances, for example while we resolve a dispute about accuracy. While restricted, we keep the data but stop most processing.
  • Right to data portability — Where processing is based on consent or contract and is automated, you can ask for a copy of your data in a structured, commonly used, machine-readable format and ask us to send it directly to another controller where technically feasible.
  • Right to object — You can object to processing based on legitimate interests, including profiling, and to direct marketing at any time. Objection to direct marketing is absolute; we stop sending marketing email on request.
  • Rights related to automated decisions and profiling — You have the right not to be subject to a solely automated decision that produces legal or similarly significant effects. We do not make such decisions; AI features assist humans rather than replace them. You can still object to AI-assisted processing of your data.

How to make a request

Email privacy@houseit.co.uk from the address on your account. Include:

  • which right you want to use;
  • the data scope (for example, "everything associated with this email address" or "the case opened on 15/03/2026");
  • your preferred response format (PDF, JSON, plain text), where relevant;
  • any helpful context, such as which letting agent holds the workspace.

You do not have to use a specific form of words — a clear plain- English message is enough. If you are unsure which right applies, describe what you want and we will help.

Identity verification

Before fulfilling a request we may need to confirm you are who you say you are, particularly where the request involves data beyond the address you email from. Verification options include signing in to your account from a known device, replying to an email sent to the address on the account, or providing reasonable evidence that links you to the data (for example, a tenancy reference and the property address).

We will not ask for more information than is necessary to confirm your identity, and we do not retain identity-verification documents longer than needed for that purpose.

Response times and extensions

We aim to respond within one calendar month of receiving a verified request. For complex or numerous requests, UK GDPR allows us to extend the deadline by up to two further months; where we use the extension we will tell you the reason within the first month.

When we may apply exemptions

UK GDPR allows controllers to refuse or partially fulfil requests in limited cases. We may apply an exemption where fulfilling the request would prejudice the establishment, exercise or defence of legal claims; would disclose third-party personal data without their consent; or where the request is manifestly unfounded or excessive (for example, repetitive identical requests). Where we apply an exemption we explain the reason and your right to complain to the ICO.

Tenant and landlord requests

For data held inside a letting agent’s workspace — for example, your tenancy record, your communications with the agent, or rent-ledger entries about you — House It is the processor and the letting agent is the controller. UK GDPR requests for that data are decided by the controller, not by House It.

If you contact House It about data inside an agent’s workspace, we forward your request to the agent so they can fulfil it within the statutory timeline, and we assist them with the technical steps where needed. Requests are best raised with the agent in the first instance — they hold the relationship and can act fastest. The controller / processor split is also set out in the terms of service.

Sub-processors

The canonical list of sub-processors used to deliver the service lives in the privacy policy and is the single source of truth. See privacy policy — recipients and sub-processors.

International transfers

Some sub-processors operate outside the United Kingdom. Where personal data leaves the UK, we rely on UK adequacy regulations for transfers to recognised jurisdictions (including the EEA), and on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses for transfers to non-adequate jurisdictions including the United States.

Full detail and context, including which sub-processors trigger a transfer, is in the privacy policy.

Complaints to the ICO

We would prefer you to contact us first at privacy@houseit.co.uk so we have a chance to put things right. If you are not happy with our response, you can complain to the UK Information Commissioner’s Office.

  • Phone — 0303 123 1113
  • Online ico.org.uk
  • Post— Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Data protection contact

We are not statutorily required to appoint a Data Protection Officer, but we maintain a named privacy contact who handles rights-exercise requests and privacy queries. Reach the contact at privacy@houseit.co.uk.

Children

The service is not directed at children under 13. We do not knowingly collect personal data about children. If you believe a child’s personal data is in our system, contact privacy@houseit.co.uk and we will investigate and delete it where appropriate.

Changes to this notice

We may update this notice from time to time, particularly when ICO guidance or our internal request-handling steps change. Material changes are notified to the account contact by email; non-material changes (clarifications, fixes to cross-references) take effect when published. The effective date at the top of this page reflects the current version.