Data Protection Policy
Last updated: February 25, 2026
Last updated: 25 February 2026
This Data Protection Policy sets out how Letted Ltd ("Letted", "we", "us", or "our") meets its obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Purpose
We handle personal data belonging to landlords, their team members, and the tenants whose information landlords choose to store on our platform. This policy explains the rules we follow and the responsibilities we accept when processing that data.
2. Our Roles
- Data controller for personal data relating to our own users (landlords, team members, website visitors).
- Data processor for tenant data and other third-party data that landlords upload to the platform. In this role we act only on the landlord's instructions.
3. Lawful Bases for Processing
We only process personal data where we have a valid legal reason to do so. The bases we rely on are:
- Contract where processing is needed to provide the platform under our Terms and Conditions
- Legitimate interests to operate, secure, and improve the platform
- Legal obligation where required by law (for example, financial record-keeping)
- Consent where explicitly given, such as for marketing emails. Consent can be withdrawn at any time.
4. Data Protection Principles
We follow the data protection principles set out in UK GDPR Article 5. In practice this means we:
- Only collect personal data that we actually need
- Keep data accurate and up to date
- Do not hold data for longer than necessary
- Keep data secure using appropriate technical and organisational measures
- Are transparent about what we do with personal data
5. Data Protection Impact Assessments
Before introducing new features or processes that could pose a high risk to individuals, we carry out a Data Protection Impact Assessment. This helps us identify and reduce privacy risks early on.
6. Subject Access Requests
Individuals have the right to request a copy of the personal data we hold about them. We aim to respond to subject access requests within one calendar month, as required by law.
Requests can be sent to support@letted.com.
7. Data Retention
We keep personal data only for as long as we need it. When data is no longer required, we delete it securely.
For tenant data stored by landlords on the platform, retention is controlled by the landlord as the data controller. When a landlord deletes their account, we remove all associated data within 30 days, unless we are legally required to keep it.
8. Data Sharing
We share personal data with a limited number of trusted service providers who help us run the platform (for example, cloud hosting and payment processing). Each provider is bound by a data processing agreement.
We do not sell personal data. We do not share it with third parties for their own marketing purposes.
9. International Transfers
Where personal data is transferred outside the UK, we make sure appropriate safeguards are in place, such as standard contractual clauses or adequacy decisions recognised by the UK government.
10. Staff Responsibilities
Everyone at Letted who handles personal data is expected to:
- Understand this policy and follow it
- Only access data they need for their work
- Report any suspected data breaches immediately
- Keep data secure and not share credentials
11. Breach Reporting
If we become aware of a personal data breach, we follow our Incident Management Policy. Where a breach is likely to result in a risk to individuals, we notify the Information Commissioner's Office within 72 hours.
12. Review
We review this policy at least once a year or whenever there is a significant change to how we process personal data.
13. Contact
If you have questions about this policy, contact:
Letted Ltd 22 St. Albans Road Bristol, England, BS6 7SJ Email: support@letted.com
