Privacy Policy

Introduction

Thank you for using our SaaS products and services. We are committed to protecting your privacy and ensuring you have a positive experience on our platform. This Privacy Policy explains how we collect, use, disclose, and otherwise process personal data about you when you use our services, website, and applications.

This Privacy Policy is designed to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended by the Data (Use and Access) Act 2025.

1. Who We Are

2. What Is Personal Data?

Personal data is any information relating to you that can be used to identify you, either directly or indirectly. This includes:

• Contact information (name, email address, phone number, postal address)
• Technical identifiers (IP address, device ID, cookie identifiers)
• Location data (approximate geographical location)
• Business information (company name, job title, department)
• Account information (username, password, account settings)
• Communication records (chat messages, support tickets, call recordings)
• Usage data (pages visited, time spent, feature interactions)
• Financial information (payment details, invoice records)

3. How We Collect Personal Data

We collect personal data through the following means:

• Information you provide directly: When you create an account, upload documents, fill in forms, contact support, or communicate with us.
• Information collected automatically: When you use our platform, we collect usage data, IP addresses, browser type, device information, and interaction logs via cookies and similar technologies.
• Information from third parties: We may receive data from HMRC (via MTD API), FastSpring (payment processing), Brevo (email delivery), Twilio (SMS), and AWS services (hosting, document processing).
• Document data: When you upload tenancy agreements, compliance certificates (Gas Safety CP12, EPC, EICR), or other documents, we process the metadata and content for compliance analysis.

4. How We Use Your Personal Data

We process personal data only for the following purposes, each supported by a lawful basis under UK GDPR:

Performance of a Contract (Article 6(1)(b))

• Providing the Landlord Pro compliance dashboard and evidence vault
• Generating Health Scores, compliance reports, and legal notices
• Processing document uploads and certificate verification
• Sending legally required communications to tenants

Legal Obligation (Article 6(1)(c))

• Maintaining audit trails for RRA 2025 and MTD compliance
• Retaining evidence records for statutory periods
• Responding to lawful requests from regulators or courts

Legitimate Interests (Article 6(1)(f))

• Improving platform functionality and user experience
• Detecting and preventing fraud or unauthorised access
• Sending service-related communications (renewal reminders, expiry alerts)

Consent (Article 6(1)(a))

• Marketing communications (opt-in only)
• Non-essential cookies (managed via cookie preferences)

5. Data Sharing and Disclosure

We share personal data only with trusted sub-processors who provide the infrastructure for our service. All sub-processors are contractually bound to comply with UK GDPR and process data only on our documented instructions.

Sub-Processors

We do not sell personal data to third parties. We do not share personal data for third-party marketing.

Legal Disclosures

We may disclose personal data where required by law, court order, or regulatory authority (e.g., ICO, HMRC, local authority under RRA 2025 investigatory powers).

6. International Data Transfers

Your personal data is primarily stored and processed in the UK (eu-west-2 AWS region). Where data is transferred to sub-processors outside the UK, we ensure appropriate safeguards are in place:

• AWS: Data remains in London (eu-west-2). No transfer outside UK.
• FastSpring: Transferred under UK International Data Transfer Agreement (IDTA) or UK Addendum to the SCCs.
• Brevo: Data centres in EU. Covered by UK adequacy decision for EU transfers or IDTA.
• Twilio: Data processed in UK/EU regions.

7. Data Retention and Security

Data Retention Periods

Security Measures

We implement the following technical and organisational security measures:

• Encryption at rest: All data stored in DynamoDB and S3 is encrypted using AWS KMS (AES-256).
• Encryption in transit: All API traffic is TLS 1.2+ enforced. No plaintext HTTP endpoints.
• Access control: Multi-tenant data isolation via Cognito JWT claims. IAM least-privilege policies on all services.
• Audit logging: All document access, modifications, and deletions are logged with timestamps and user identity.
• Tamper detection: SHA-256 hashing on all uploaded evidence documents (F-004 Evidence Safe).
• Identity verification: Super Admin multi-factor authentication (F-003).

8. Your Data Protection Rights

You have the following rights under UK GDPR, which we will fulfil within one calendar month of a verified request:

Right of Access (Article 15)

You have the right to obtain confirmation of whether we hold personal data about you and to receive a copy of that data in a structured, commonly used, and machine-readable format.

Right to Rectification (Article 16)

You have the right to correct inaccurate or incomplete personal data.

Right to Erasure (Article 17) – "Right to Be Forgotten"

You have the right to request deletion of your personal data in certain circumstances, subject to our legal retention obligations.

Right to Restrict Processing (Article 18)

You have the right to request restriction of processing while a dispute is being resolved.

Right to Data Portability (Article 20)

You have the right to receive your data in a machine-readable format and to transmit it to another controller where processing is based on consent or contract.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests, marketing communications, profiling, and automated decision-making.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing where it produces legal effects. Our Health Score (F-015) and Document Reader (F-016) are assistive tools — final decisions rest with the user.

9. Cookies and Similar Technologies

We use cookies and similar tracking technologies to operate and improve our platform. For full details, see our Cookie Policy.

Essential cookies (required for platform operation) are set on the basis of legitimate interest. Non-essential cookies require your consent, which you can manage via our cookie preference centre.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email to the account holder and/or a notice on the platform. Continued use after the effective date constitutes acceptance of the updated terms.

11. Third-Party Links

Our platform may contain links to third-party websites (e.g., HMRC, Gov.uk). We are not responsible for the privacy practices of those sites. We encourage you to read their privacy policies before providing any personal data.

12. Complaints

If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent data protection authority.

We encourage you to contact us first at dpo@compliance-engine.io so we can resolve any concerns directly.

13. Contact Us

For questions about this Privacy Policy, requests to exercise your data protection rights, or any other privacy-related matter: