Privacy Policy

Last updated: 30 March 2026

1. Who We Are

This privacy policy explains how Oates Property Holdings LTD ("we", "us", "our") collects, uses, and protects your personal data when you use our website and associated services, including property listings, the tenant portal, online store, document storage, and repairs system.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the data controller.

2. What Data We Collect

| Category | Examples | Why |
|---|---|---|
| Identity & Contact | Name, email, phone number, address | Account creation, tenancy management, order fulfilment |
| Account Data | Login credentials (password stored hashed) | Authentication & security |
| Property & Tenancy | Tenancy address, postcode, repair requests | Property management, repairs service |
| Documents | Tenancy agreements, certificates uploaded by us | Document storage & access for tenants |
| Payment Data | Transaction IDs, card last-4 digits, billing address | Store purchases & payment card storage (via SumUp) |
| Uploaded Content | Repair photos, messages | Repairs tracking & communication |
| Technical Data | IP address, browser type, pages visited | Security, fraud prevention, troubleshooting |
| Log Data | Login/logout timestamps, failed login attempts | Security monitoring & abuse prevention |

3. How We Use Your Data

We process your personal data on the following lawful bases:

  • Contract: To provide our services — managing your tenancy, processing store orders, providing document access, and handling repair requests.
  • Legitimate interest: To maintain the security of the Service, prevent fraud, and improve user experience.
  • Legal obligation: To retain records required by law (e.g. tenancy documentation, financial records).
  • Consent: Where we send optional marketing communications (you can withdraw consent at any time).

4. Cookies & Session Data

We use only strictly necessary session cookies (e.g. PHPSESSID) to keep you logged in and maintain CSRF protection. These are essential for the Service to function and do not track you across other websites. We do not use analytics, advertising, or third-party tracking cookies.

5. Payment Processing

Online payments are processed by SumUp, a PCI DSS-compliant payment provider. We do not store your full card number, CVV, or expiry date on our servers. We may store a tokenised card reference and the last four digits of your card for your convenience, as provided by SumUp.

6. Document Storage

Documents uploaded by us to the tenant portal (such as tenancy agreements, gas safety certificates, EPC documents) are stored securely on our server. Access is restricted to the tenant(s) the document has been assigned to and to our administrators. Documents are retained for as long as your tenancy is active and for a reasonable period afterwards as required by law.

7. Data Sharing

We do not sell your personal data. We may share data with:

  • Payment processors (SumUp) — to process transactions.
  • Maintenance workers — repair address and postcode are shared with assigned workers to carry out repairs. Workers do not receive your email or phone number through the system.
  • Legal authorities — where required by law or court order.

8. Data Retention

  • Account data: Retained while your account is active, then deleted or anonymised within 12 months of account closure.
  • Tenancy documents: Retained for the duration of the tenancy plus 6 years (in line with statutory limitation periods).
  • Store order records: Retained for 6 years for tax and accounting purposes.
  • Repair records: Retained for the duration of the tenancy plus 6 years.
  • Security logs: Retained for up to 12 months.

9. Your Rights

Under UK GDPR, you have the right to:

  • Access — Request a copy of the personal data we hold about you.
  • Rectification — Request correction of inaccurate data.
  • Erasure — Request deletion of your data (subject to legal retention requirements).
  • Restriction — Request that we limit processing of your data.
  • Portability — Receive your data in a machine-readable format.
  • Object — Object to processing based on legitimate interest.

To exercise any of these rights, please contact us using the details on our website. We will respond within one month.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Password hashing (bcrypt).
  • CSRF token protection on all forms.
  • Rate-limiting on login attempts.
  • HTTPS encryption in transit.
  • Access controls restricting data to authorised users only.

11. Children

The Service is not directed at individuals under 18. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top will be revised. We encourage you to review this page periodically.

13. Contact & Complaints

If you have questions about this policy or wish to exercise your data rights, please contact us via the details on our website.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

© 2026 Oates Property Holdings LTD. All rights reserved.
