Privacy policy
Effective date:
This policy explains how House It Ltd handles personal data when you visit the marketing site, when you run a letting business on House It, or when a tenant or landlord interacts with the service because of a letting business that uses House It. It covers what we collect, why we collect it, who we share it with, how long we keep it, and the rights you have under UK GDPR.
At a glance
- We collect the minimum personal data we need to run the service and bill for it.
- We are transparent about the small set of named sub-processors who help us deliver the service.
- We do not sell personal data and we do not use it for advertising.
- Our processing is aligned with UK GDPR and the Data Protection Act 2018.
- Retention windows are short by default — see the retention schedule below.
- Privacy and rights-exercise contacts route to a monitored mailbox, with the ICO available as a final escalation route.
Who we are and our role
House It Ltd is a company registered in England and Wales. We are the controller for personal data about marketing-site visitors and for the account-level data of our customers (the letting business that signs up). For personal data about tenants, landlords, properties and communications inside a customer’s workspace, the customer (the letting agent) is the controller and House It acts as the processor on the customer’s behalf.
The controller / processor split matters for rights-exercise: a tenant or landlord wishing to exercise rights over data held inside a letting agent’s workspace contacts the agent in the first instance; House It assists the agent. See the UK GDPR notice for the forwarding mechanics.
Categories of personal data
- Identifiers — full name, email address, phone number where provided.
- Authentication data — hashed sign-in credentials, session tokens, multi-factor settings, login history.
- Billing data — payment method tokens, billing address, invoice history. Card details are handled by Stripe and not stored by House It.
- Workspace data — properties, tenancies, rent ledger entries, supplier records, attached documents and communications between letting agents and tenants or landlords.
- Diagnostic data — IP address, user-agent string, request logs, error stacks, performance samples.
- Cookie data — see the cookie policy for the inventory of cookies and similar storage we set.
Where we get the data
We collect personal data directly from you when you sign up, fill in account or workspace details, send a message through the service, or contact us. Some data is collected automatically when you use the service — diagnostic data, request logs, and the cookies described in the cookie policy.
We also receive data from our customers when an Authorised User uploads tenant or landlord records into a workspace, and from third parties that support the service: Stripe (billing events, dispute notifications), Twilio (delivery receipts and inbound WhatsApp messages), our transactional email sender (delivery status), and the AI inference router (model responses to prompts we send).
Purposes and lawful bases
- Provide the service — running the application, authenticating users, processing tenancies and rent, delivering messages. Lawful basis: contract.
- Keep the service secure — abuse prevention, fraud detection, intrusion monitoring, audit logs. Lawful basis: legitimate interests.
- Bill for the service — invoicing, payment collection, dispute handling. Lawful basis: contract for active customers and legal obligation for retained tax records.
- Send operational email — sign-in links, billing receipts, service updates that are necessary to use the service. Lawful basis: contract.
- Send marketing email — product news and educational content to subscribers who opt in. Lawful basis: consent, withdrawable at any time via the unsubscribe link in every marketing email.
- Comply with HMRC bookkeeping — retention of invoices, tax records and accounting data. Lawful basis: legal obligation.
- Defend legal claims — preserving relevant records during a dispute or investigation. Lawful basis: legitimate interests.
Automated decisions and AI
The service uses AI to assist Authorised Users — currently for case triage from inbound tenant messages and drafting suggestions for outbound replies. AI assists humans rather than replacing them: an Authorised User reviews and confirms the output before it is sent or recorded. We do not make solely automated decisions about tenants, landlords or Authorised Users that produce legal or similarly significant effects.
When a feature calls an AI provider, we send the minimum information needed to produce the suggestion; prompts and outputs are not used to train third-party models. You have the right to object to AI-assisted processing of your personal data and to request a human review — see the UK GDPR notice for how to exercise that right.
Recipients and sub-processors
We rely on a small set of named sub-processors to deliver the service. Each is bound by a written data-processing agreement aligned with UK GDPR Article 28. The list is canonical: other legal pages cross-link here rather than duplicating it.
- Vercel Inc. (United States) — Application hosting, edge runtime, Vercel Analytics and Vercel Speed Insights.
- Stripe Payments UK, Ltd. (United Kingdom) — Payment processing, customer billing portal, invoice storage.
- Twilio Ireland Limited (Ireland and the United Kingdom) — WhatsApp Business API gateway and SMS fallback.
- OpenRouter (United States) — AI model inference for case triage and drafting suggestions. Prompts and outputs are not used to train third-party models; routing prefers UK or EU model endpoints where the provider supports them.
- Resend (United States) — Outbound transactional email, including sign-in links, billing receipts and tenant notifications.
- Neon (United States) — Primary application database (Postgres) and managed backups.
- Sentry (United States) — Error and performance telemetry for the application.
Adding or replacing a sub-processor is a public-facing change: we update this section, bump the effective date and notify the account contact for material changes.
International transfers
Some of our sub-processors operate outside the United Kingdom, notably in the United States and the European Economic Area. Where personal data leaves the UK, we rely on UK adequacy regulations for transfers to recognised jurisdictions (including the EEA), and on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses for transfers to non-adequate jurisdictions including the United States.
See the UK GDPR notice for a brief summary of how transfers are handled.
How long we keep data
- Account and workspace records — Active for the life of the subscription. Deleted or anonymised within 30 days of cancellation, except where a longer hold is required by UK law.
- Tenant and landlord records inside a workspace — Controlled by the letting agent. House It retains the data while the workspace is active and deletes it within 30 days of workspace deletion.
- Billing and invoice records — Retained for 7 years to satisfy UK HMRC bookkeeping obligations.
- Communication logs (WhatsApp, email) — Retained for 24 months from the last message, then archived in cold storage for a further 12 months and deleted.
- Authentication and session logs — Retained for 90 days for security investigation, then deleted.
- Audit events (administrative actions) — Retained for 24 months.
- Marketing-site analytics — Retained according to Vercel Analytics’ published retention; the data is aggregated and not linked to a personal identifier.
Security measures
Technical measures include encryption in transit (TLS) and at rest, scoped access controls, audit logging of administrative actions, multi-factor authentication on administrative accounts, and regular dependency and vulnerability review. Organisational measures include least-privilege access for staff, vendor due-diligence review of sub-processors, and security training for everyone with production access.
If we become aware of a confirmed personal-data breach affecting your data, we will notify the relevant controller without undue delay and within 72 hours where the breach meets the UK GDPR notification threshold (Article 33). For breaches inside a customer workspace, we notify the letting agent (who is the controller) so they can notify their data subjects.
Your rights
Under UK GDPR you have the rights to be informed, to access your data, to rectify inaccurate data, to have data erased in defined circumstances, to restrict or object to processing, to data portability, and rights relating to automated decisions and profiling. Each right has practical conditions and limits.
The full mechanics — how to make a request, identity verification, response times, exemptions, and how requests inside a customer workspace are forwarded to the agent — live in the UK GDPR notice.
Marketing and cookies
Marketing emails are sent only to subscribers who opt in. Every marketing email includes a one-click unsubscribe; withdrawing consent removes the address from the marketing list. Operational email (sign-in links, billing receipts, service updates that are necessary to use the service) is sent on the contract basis and is not opt-out.
Cookies and similar storage used on the marketing site and inside the product are itemised in the cookie policy, including how to manage consent and how to clear individual cookies.
Children
The service is not directed at children under 13. We do not knowingly collect personal data about children. If you believe a child’s personal data is in our system, please contact privacy@houseit.co.uk and we will investigate and delete it where appropriate.
Changes to this policy
We may update this policy from time to time. Material changes are notified to the account contact by email; non-material changes (clarifications, fixes to cross-references, additions to the sub-processor list of an existing category of provider) take effect when published. The effective date at the top of this page reflects the current version.
Contact and complaints
For privacy questions or to exercise a right, email privacy@houseit.co.uk. Our postal address and company-registration details are available on request from the same mailbox.
If you are not happy with our response, you can complain to the UK Information Commissioner’s Office. The ICO contact route and the steps for tenant or landlord requests inside a customer workspace are set out in the UK GDPR notice.