Privacy Policy
Last updated: March 2026 · Applies to housedata.uk
1. Who we are
HouseData.uk is a property intelligence and landlord compliance platform. References to "we", "us", or "HouseData" in this policy refer to the operator of housedata.uk. If you have any questions about how we handle your data, contact us at hello@housedata.uk.
We are committed to protecting your personal data and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. What data we collect and why
| Data | Source | Purpose | Lawful basis |
|---|---|---|---|
| Email address | Registration / email capture | Account management, transactional emails, marketing (with consent) | Contract; Legitimate interest; Consent |
| Password (bcrypt hashed) | Registration | Authentication — we never store plain-text passwords | Contract |
| Name, company name, phone | Profile / onboarding | Account personalisation, communication | Contract |
| User type, portfolio size | Onboarding questionnaire | Personalising the product experience | Legitimate interest |
| Property addresses and postcodes | User input | Portfolio compliance checking, EPC lookup | Contract |
| EPC certificate data | Government EPC Register API (open data) | Compliance analysis, upgrade recommendations | Legitimate interest; Public task (data is already public) |
| Safety certificate expiry dates | User input | Compliance tracking and alerts | Contract |
| Page views (hashed IP) | Internal analytics middleware | Product improvement and usage analytics | Legitimate interest |
| Stripe payment data | Stripe (payment processor) | Billing and subscription management | Contract |
| Installer business details | Self-submitted or public registers (TrustMark, MCS) | Populating the installer directory | Legitimate interest (public register data) |
| Installer lead enquiries | User-submitted | Connecting landlords with installers | Contract |
| Uploaded documents | User upload | Document storage for property management | Contract |
3. EPC data and open government data
EPC (Energy Performance Certificate) data is sourced from the government's EPC Register, operated by the Ministry of Housing, Communities and Local Government (MHCLG) and published via Open Data Communities. This data is published under the Open Government Licence v3.0. We do not claim ownership of this data.
Price paid data is sourced from HM Land Registry under the same licence. Planning and flood data is sourced from local authorities and the Environment Agency, also under open data licences.
4. Cookies
We use one essential cookie:
housedata_session— An authentication cookie set when you log in. It is HttpOnly (not accessible to JavaScript), uses SameSite=Lax, and expires after 30 days. This cookie is strictly necessary for the service to function and does not require consent under PECR.
We do not use Google Analytics, advertising cookies, or any third-party tracking cookies. Our analytics are entirely first-party, with IP addresses hashed daily using a rotating salt so no individual can be identified.
5. How we use your data
- To provide the portfolio compliance checker and property intelligence features
- To send transactional emails (account verification, password reset, EPC expiry alerts)
- To send marketing emails — only with your explicit consent, and you can unsubscribe at any time
- To improve the product based on aggregated, anonymised usage data
- To detect and prevent fraud or abuse
We do not use your data for automated decision-making or profiling that produces legal effects.
6. Data sharing
We share your data only where necessary:
- Stripe — Payment processing. Stripe's privacy policy applies to payment data they hold.
- SendGrid — Transactional email delivery. We share only your email address and the email content.
- Installers — When you submit an enquiry to an installer, we share your contact details and the enquiry message with that specific installer only.
We do not sell your data to third parties. We do not share data with advertisers.
7. Data retention
| Data type | Retention period |
|---|---|
| Account data (email, name, preferences) | While your account is active, plus 2 years after account deletion |
| Property and compliance data | Deleted immediately when you remove the property or delete your account |
| Uploaded documents | Deleted when the associated property is removed or account is deleted |
| Page view analytics | Raw logs: 90 days. Aggregated stats: retained indefinitely |
| Email send logs | 12 months |
| Installer lead records | 24 months |
| Stripe billing data | As required by Stripe's retention policies (typically 7 years for financial records) |
8. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Right of access — You can request a copy of all personal data we hold about you (Subject Access Request)
- Right to erasure — You can ask us to delete your personal data ("right to be forgotten")
- Right to rectification — You can ask us to correct inaccurate data
- Right to data portability — You can request your data in a structured, machine-readable format
- Right to object — You can object to processing based on legitimate interest
- Right to restrict processing — You can ask us to restrict how we use your data
To exercise any of these rights, email hello@housedata.uk. We will respond within 30 days. You can also delete your account directly in your account settings, which immediately removes your property and compliance data.
If you are not satisfied with our response, you can complain to the Information Commissioner's Office (ICO).
9. Marketing emails
We send marketing emails only with your explicit consent (for example, when you opt in via our email capture form). Every marketing email includes a one-click unsubscribe link. Unsubscribes are honoured immediately and maintained on a suppression list.
Transactional emails (account verification, password reset, compliance alerts you have enabled) do not require consent and cannot be unsubscribed from while your account is active, as they are part of the service.
10. Installer directory data
Installer profiles in our directory may be seeded from publicly available registers such as TrustMark and MCS (Microgeneration Certification Scheme). This data is publicly available and we process it on the basis of legitimate interest.
Installers can request removal of their listing at any time by emailing hello@housedata.uk. We will remove the listing within 5 business days.
11. Security
We take reasonable technical and organisational measures to protect your data:
- Passwords are hashed using bcrypt with a work factor of 12 — plain-text passwords are never stored
- All connections use HTTPS (TLS)
- Session tokens are random 32-byte hex strings stored as HttpOnly cookies
- Admin access requires a separate bearer token, not your account password
- File uploads are stored in a non-public directory
No system is 100% secure. If you believe your account has been compromised, contact us immediately at hello@housedata.uk.
12. Children
HouseData.uk is not directed at persons under 18. We do not knowingly collect personal data from minors. If you believe a child has created an account, contact us and we will delete it promptly.
13. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email to registered users at least 14 days before they take effect. The date at the top of this page shows when it was last updated. Continued use of the service after changes take effect constitutes acceptance of the updated policy.