LEGAL
Privacy Policy
Last updated: December 2025
1. Introduction
LieuTenant ("we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, share, and protect your information when you use our property management platform.
This policy complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.
2. Data Controller
The data controller responsible for your personal data is:
Company Name: White Blue Limited (trading as LieuTenant)
Registered Office: 1a Wickham Street, Rochester, ME1 2HH
Email: privacy@getlieutenant.com
Data Protection Officer: dpo@getlieutenant.com
3. What Data We Collect
3.1 Personal Information
- Identity Data: First name, last name, email address, phone number
- Financial Data: Bank account details, payment history, rent amounts
- Property Data: Property addresses, tenancy agreements, inventory reports
- Document Data: ID documents, Right to Rent evidence, certificates, references
- Technical Data: IP address, browser type, device information, usage data
3.2 Special Category Personal Data
We process special category personal data under specific lawful bases:
- Right to Rent verification data (immigration status): Processed under GDPR Article 9(2)(g) (substantial public interest) and Schedule 1, Part 2, Paragraph 10 of the Data Protection Act 2018, as required by the Immigration Act 2014
- Identification documents (passport, driving license, biometric residence permit): Processed under GDPR Article 9(2)(a) with your explicit consent
- Financial information for credit checks: Processed with your explicit consent under GDPR Article 9(2)(a)
Your Rights: You may withdraw consent at any time for processing based on consent. However, we must continue to process Right to Rent data to comply with legal obligations.
4. How We Use Your Data
Contract Performance (GDPR Article 6(1)(b))
We process your data to:
- Create and manage tenancy agreements
- Process rent payments and manage deposits
- Provide access to the tenant portal
- Handle maintenance requests
Legal Obligation (GDPR Article 6(1)(c))
We are legally required to:
- Verify your Right to Rent in the UK (Immigration Act 2014)
- Protect your deposit in a government-approved scheme (Housing Act 2004)
- Maintain safety certificates (Gas Safety, EICR, EPC)
- Keep financial records for tax purposes (6 years - HMRC requirement)
- Report data breaches to the ICO within 72 hours where required
Legitimate Interests (GDPR Article 6(1)(f))
We may process data for:
- Property management and maintenance
- Fraud prevention and security
- Improving our services
- Business analytics and reporting
- Defending legal claims (within 6-year limitation period)
We have conducted Legitimate Interest Assessments (LIAs) for these purposes. You may request a copy by contacting dpo@getlieutenant.com.
Consent (GDPR Article 6(1)(a))
With your explicit consent, we may:
- Send marketing communications
- Conduct credit reference checks
- Share documents with third-party service providers
- Send automated payment reminders
You may withdraw consent at any time through your account settings or by contacting privacy@getlieutenant.com.
4A. Automated Decision-Making and Profiling
The Platform uses automated processes for the following purposes:
- Payment Reminders: Automated emails are sent when rent payments are overdue
- Compliance Alerts: Automated notifications for expiring certificates and documents
- Tenancy End Reminders: Automated notifications before tenancy end dates
No fully automated decisions: We do not make decisions with legal or similarly significant effects based solely on automated processing (GDPR Article 22). All significant decisions (e.g., tenancy approvals, evictions) require human review.
Your right to object: You may opt out of automated reminders at any time through your account settings.
5. Who We Share Your Data With
We may share your personal data with the following third parties (data processors):
- Landlords and Property Managers: For tenancy management (joint data controllers - see Section 5A)
- Deposit Protection Schemes: TDS, DPS, or MyDeposits (legal obligation)
- Maintenance Contractors: When handling repair requests (with your consent)
- Payment Processors: Stripe, GoCardless (for rent payments)
- Email Services: Resend (for transactional emails)
- Cloud Storage: Supabase (data hosting)
- Legal Authorities: When required by law or court order
Data Processing Agreements (DPAs): We maintain GDPR-compliant DPAs with all third-party processors to ensure your data is protected to the same standard we apply. You may request information about our DPAs by contacting dpo@getlieutenant.com.
5A. Joint Data Controllers
For tenant personal data, LieuTenant and your landlord/property manager are joint data controllers under GDPR Article 26. This means we share responsibility for data protection compliance.
Division of responsibilities:
- LieuTenant: Responsible for platform security, data processor agreements, technical security measures
- Landlord: Responsible for lawful collection, consent management, responding to tenant rights requests
- Shared: Both parties must ensure GDPR compliance for tenant data processing
You may exercise your data subject rights against either LieuTenant or your landlord. We will coordinate to ensure your request is handled appropriately.
6. How Long We Keep Your Data
6.1 Retention Strategy
We use a "passive retention" strategy that balances GDPR compliance with our legal obligation to defend potential claims. This means we retain data for defined periods but do not automatically delete it.
6.2 Personal Tenant Data
We retain your personal information (ID documents, references, Right to Rent evidence) for up to 6 years after your tenancy ends. This is our legitimate interest for defending potential legal claims under the UK Limitation Act 1980 (Section 5 - contract disputes) and GDPR Article 17(3)(e) (legal claims exception).
Your Right to Request Deletion: You can request deletion of your personal data at any time. However, we may refuse your request if we need the data to establish, exercise, or defend legal claims (GDPR Article 17(3)(e)). This typically applies within the 6-year limitation period. We will explain our reasoning if we refuse your request.
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Right to Rent evidence | 6 years after tenancy ends | GDPR Art. 17(3)(e) + Immigration Act 2014 |
| ID documents | 6 years after tenancy ends | Legal claims exception (Limitation Act 1980) |
| References & employment proof | 6 years after tenancy ends | Legal claims + contract disputes |
| Tenancy agreements | 6 years after tenancy ends | UK Tax Law (HMRC) + legal protection |
| Deposit protection records | 6 years after tenancy ends | Housing Act 2004 + deposit disputes |
| Inventory reports | 6 years after tenancy ends | Deposit disputes (Limitation Act 1980) |
6.3 Property & Business Records
We retain the following records indefinitely for property management, legal compliance, and business operations. These are not subject to automatic deletion as they are essential business records:
- Safety certificates (Gas Safety, EICR, EPC, Fire Safety, Legionella)
- Property documents (title deeds, planning permissions, building regulations)
- Financial records (invoices, receipts, statements)
- Insurance policies
- Legal notices (Section 21, Section 13, Section 8)
- Property maintenance and inspection history
Legal Basis: GDPR Article 6(1)(f) - Legitimate interest for property management, legal defense, regulatory compliance, and business operations.
6.4 Deletion Process
We conduct annual reviews to identify and delete personal data that is no longer needed. You can also request deletion at any time by contacting privacy@getlieutenant.com or using the data management features in your tenant portal.
7. Your Rights Under UK GDPR
You have the following rights:
Right to Access (Article 15)
Request a copy of all personal data we hold about you. We will respond within 1 month (extendable to 3 months for complex requests).
Right to Rectification (Article 16)
Correct inaccurate or incomplete data through your account settings or by contacting us.
Right to Erasure / "Right to be Forgotten" (Article 17)
Request deletion of your personal data (subject to legal obligations and legal claims exceptions).
Right to Restrict Processing (Article 18)
Request that we limit how we use your data while we verify accuracy or consider your objection to processing.
Right to Data Portability (Article 20)
Receive your data in a machine-readable format (JSON/CSV) and transmit it to another controller.
Right to Object (Article 21)
Object to processing based on legitimate interests, direct marketing, or for research/statistical purposes.
Right to Withdraw Consent (Article 7(3))
Withdraw consent for any processing based on consent at any time (does not affect lawfulness of prior processing).
Rights Related to Automated Decision-Making (Article 22)
Request human review of automated decisions with legal/significant effects (not applicable as we don't make such decisions).
How to exercise your rights: Contact us at privacy@getlieutenant.com or dpo@getlieutenant.com, or use the data export/deletion features in your account settings. We will respond within 1 month (extendable to 3 months for complex requests).
8. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Row Level Security (RLS) to isolate tenant and landlord data
- Multi-factor authentication (MFA) for account access
- Regular security audits and penetration testing
- Automated audit logging of all document access
- Staff training on data protection best practices
- Incident response and breach notification procedures
- Access controls limiting staff access to personal data on a need-to-know basis
8.1 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach (GDPR Article 33)
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to you (GDPR Article 34)
- Provide details of the breach, likely consequences, and measures taken to mitigate the risk
- Maintain a record of all data breaches for ICO review
9. Cookies and Tracking
We use essential cookies to provide core functionality (authentication, session management). We also use analytics cookies (with your consent) to understand how you use our platform and improve the service.
Essential cookies (no consent required):
- Authentication and session management
- Security and fraud prevention
- Load balancing
Analytics cookies (consent required):
- Google Analytics (anonymized)
- Vercel Analytics
You can manage cookie preferences in your browser settings or through our cookie consent banner. Withdrawing consent for analytics cookies will not affect core functionality.
10. International Data Transfers
Your data is primarily stored in the UK/EU (Supabase EU region). If we transfer data outside the UK/EU, we ensure appropriate safeguards are in place:
- EU/EEA: Adequate protection under UK GDPR
- USA: Standard Contractual Clauses (SCCs) with supplementary measures
- Other countries: SCCs or adequacy decisions only
Third-party processors (Stripe, Resend) may process data outside the UK/EU. We have verified they provide adequate protection through SCCs, Privacy Shield successor frameworks, or equivalent safeguards.
11. Children's Privacy
Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us immediately at privacy@getlieutenant.com and we will take steps to delete such information.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. We will notify you of material changes via:
- Email to your registered email address (at least 30 days before changes take effect)
- Prominent notice on the Platform
- In-app notification upon your next login
The "Last updated" date at the top indicates when this policy was last revised. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.
13. Contact Us & Complaints
If you have any questions about this Privacy Policy, wish to exercise your rights, or have concerns about how we handle your personal data, please contact:
Email: privacy@getlieutenant.com
Data Protection Officer: dpo@getlieutenant.com
Post: Data Protection Officer, White Blue Limited, 1a Wickham Street, Rochester, ME1 2HH
13.1 Right to Complain to the ICO
You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority, if you believe we have not complied with data protection laws:
ICO Website: https://ico.org.uk
ICO Helpline: 0303 123 1113
ICO Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We encourage you to contact us first so we can address your concerns directly. However, you have the right to complain to the ICO at any time without contacting us first.
This Privacy Policy was last updated in December 2025 and is compliant with UK GDPR, Data Protection Act 2018, UK Housing Law, and Immigration Act 2014 requirements.