Privacy Policy

LetClear is a software service operated from the United Kingdom. For the purposes of UK GDPR and the Data Protection Act 2018, the operator of LetClear is the data controller for the personal data described in this policy. We do not currently process special-category data within the meaning of Article 9 UK GDPR.

For any privacy enquiries, including subject-access and other rights requests, contact us at hello@letclear.co.uk.

We collect only what we need to run the service:

• Account data. Email address and a password hash, set during signup.
• Property data. Address, type, and country of properties you add.
• Tenancy data. Start date, deposit details, prescribed-information status, and tenancy type.
• Compliance data. Certificate issue and expiry dates you record for gas safety, EPC, EICR, and smoke alarm checks.
• Documents. Files you upload to attach to a property or compliance record.
• Service logs. Standard request logs (IP address, user agent, timestamp) used to run and secure the service.

We rely on the lawful bases in Article 6 UK GDPR as follows:

• Article 6(1)(b) contract performance: account, property, tenancy, compliance, and document data. Without this data we cannot deliver the service you signed up for.
• Article 6(1)(f) legitimate interest: service logs and anonymous analytics, used to keep the service running, detect abuse, and improve product reliability. We have assessed that this processing is necessary, proportionate, and does not override your rights.
• Article 6(1)(c) legal obligation: limited records we are required to keep, for example billing records under HMRC rules.
• Article 6(1)(a) consent: only where we expressly ask for it (for example, if we ever introduce optional marketing emails). You may withdraw consent at any time.

We store the primary application data (account records, property and tenancy information, compliance items, and uploaded documents) in Supabase's London (UK) region.

Some of our other service providers (listed in section 5) are headquartered outside the UK or EEA and may process limited personal data such as your email address, IP address, or payment details outside the UK or EEA, in particular in the United States. Specifically:

• Vercel hosts the web application and serves static assets through a global content delivery network. Request and analytics data may be processed by Vercel infrastructure outside the UK or EEA.
• Resend sends transactional and reminder emails. Your email address transits through their infrastructure, which may include servers outside the UK or EEA.
• Stripe, when you subscribe, processes your payment details on its global payments infrastructure.

Where personal data is transferred outside the UK or EEA, we rely on appropriate safeguards under UK GDPR and EU GDPR, including the UK International Data Transfer Addendum and the EU Standard Contractual Clauses. You can request more information about these safeguards by emailing hello@letclear.co.uk.

We share data only with the service providers we use to operate the product:

• Supabase, for database, auth, and storage.
• Vercel, for application hosting.
• Vercel Web Analytics, for aggregate, anonymous usage statistics. No cookies are set and no personal data is collected.
• Resend, for transactional emails (signup confirmation, password reset, future reminder emails).
• Stripe, when subscription billing is enabled, for payment processing only.

We do not sell your data. We do not share it with advertisers.

Specific retention periods:

• Account, property, tenancy, compliance and document data: for as long as your account is active. When you delete your account we delete this data within 30 days, except where law requires us to retain specific records for longer.
• Service logs (request logs, IP address, user agent, timestamp): up to 90 days for security and debugging, then deleted or aggregated.
• Billing and tax records: for at least 6 years from the end of the accounting period to which they relate, as required by HMRC.
• Anonymised analytics: retained indefinitely as it no longer identifies you.
• Backups: rolling backups may retain previously deleted data for up to 30 days before being overwritten.

Under UK GDPR you have the following rights:

• Right of access (Article 15). Obtain a copy of the personal data we hold about you and information about how we use it.
• Right to rectification (Article 16). Have inaccurate or incomplete personal data corrected.
• Right to erasure (Article 17). Have your personal data deleted in defined circumstances. You can delete your account from settings at any time.
• Right to restriction (Article 18). Restrict our processing of your personal data while a request is investigated.
• Right to data portability (Article 20). Receive a copy of your data in a structured, commonly used and machine-readable format.
• Right to object (Article 21). Object to processing based on legitimate interest, including any direct marketing.
• Rights related to automated decision-making (Article 22). We do not subject users to fully automated decision-making that produces legal or similarly significant effects (see section 11).
• Right to withdraw consent. Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Right to complain to the regulator. You have the right to lodge a complaint with the Information Commissioner's Office (ico.org.uk) if you believe we have mishandled your personal data. We would prefer to address your concerns directly first, so please contact us before complaining where you can.

To exercise any of these rights, email hello@letclear.co.uk. We will respond within one calendar month, which may be extended by up to two further months for complex or numerous requests as permitted by Article 12(3) UK GDPR. We may need to verify your identity before responding.

LetClear uses only essential cookies, required to keep you signed in and to remember your preferences. We do not use advertising cookies or third-party tracking cookies.

We use Vercel Web Analytics to understand which pages visitors use. Vercel Web Analytics is cookieless and does not collect personal data: it records aggregate information such as page views and approximate location at country level. If we adopt any analytics product that does set cookies, we will update this page and ask for your consent before any non-essential cookies are set.

We take appropriate technical and organisational measures to protect your personal data, taking into account the nature of the data and the risks involved. These include encryption in transit and at rest, row-level security so users can only read and write their own records, principle-of-least-privilege access controls, regular review of infrastructure security advisories, and secure software-development practices.

No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours where required by Article 33 UK GDPR, and we will notify you without undue delay where required by Article 34.

LetClear is not directed at children. The service is intended for adult landlords (18+) and we do not knowingly collect personal data from anyone under 18. If you become aware that a minor has provided personal data to us, please contact us and we will take steps to delete it.

LetClearsurfaces compliance status and readiness signals computed deterministically from the data you supply and the rules we encode. These outputs are decision-support information, not legally binding decisions about you, and they do not produce legal or similarly significant effects on you within the meaning of Article 22 UK GDPR. You remain in control of any action taken on the basis of the service's output.

We may update this policy from time to time. The “last updated” date at the top of this page reflects the most recent change. Material changes will be announced via email to your account address and surfaced inside the application before they take effect.

Questions about this policy or your data: hello@letclear.co.uk.