Privacy Policy
Last updated: 24 March 2026
1. Introduction
1.1. Britestate Ltd (“Britestate”, “we”, “us”) is the data controller for the personal data processed through the britestate.co.uk platform (the “Platform”). We are registered with the Information Commissioner’s Office (ICO) under registration number [ICO REGISTRATION NUMBER].
1.2. This Privacy Policy explains how we collect, use, share, and protect your personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025.
1.3. Our Data Protection Officer can be contacted at privacy@britestate.co.uk or by post at [REGISTERED ADDRESS].
2. Data We Collect
We collect the following categories of personal data:
2.1. Account Data: Name, email address, phone number, password (hashed), profile photo, user role (homebuyer, renter, seller, landlord, estate agent, service provider).
2.2. Identity Verification Data (agents, landlords, service providers): Government-issued ID, proof of address, professional qualifications, company registration details, redress scheme membership.
2.3. Property Data: Listing details, property photos, EPC data, floor plans, property documents uploaded by you.
2.4. Transaction Data: Payment amounts, commission records, subscription history, invoices. Card details are processed by Stripe and not stored by us.
2.5. Search and Browsing Data: Property search queries, saved searches, saved properties, viewing history, alert preferences.
2.6. Communication Data: Messages sent through the Platform, enquiry forms, support tickets.
2.7. Technical Data: IP address, browser type and version, device type, operating system, referring URL, pages visited, session duration.
2.8. AI Interaction Data: Property recommendations viewed, feedback on recommendations, search preference signals used by our AI matching system.
2.9. AML/KYC Data: Where required by the Money Laundering Regulations 2017: source of funds declarations, PEP screening results, sanctions screening results.
3. Legal Basis for Processing
| Processing Activity | Lawful Basis (UK GDPR Art. 6) | Detail |
|---|---|---|
| Account creation and management | Contract (Art. 6(1)(b)) | Necessary to provide the service you signed up for |
| Property search, listings, and alerts | Contract (Art. 6(1)(b)) | Core platform functionality |
| Payment processing via Stripe | Contract (Art. 6(1)(b)) | Necessary to process transactions |
| Identity verification (agents, landlords) | Legal obligation (Art. 6(1)(c)) | Required by MLR 2017 and Estate Agents Act 1979 |
| AML/KYC checks | Legal obligation (Art. 6(1)(c)) | Required by MLR 2017 and POCA 2002 |
| AI-powered property recommendations | Legitimate interests (Art. 6(1)(f)) | To personalise your experience (balanced against your right to opt out) |
| Platform analytics and improvement | Legitimate interests (Art. 6(1)(f)) | To improve platform performance and user experience |
| Marketing emails (opted in) | Consent (Art. 6(1)(a)) | Only with your explicit opt-in; withdraw at any time |
| Marketing to existing customers (soft opt-in) | Legitimate interests (Art. 6(1)(f)) | PECR soft opt-in for similar services; opt-out in every email |
| Fraud prevention and platform security | Legitimate interests (Art. 6(1)(f)) | To protect users and maintain platform integrity |
| Responding to legal requests | Legal obligation (Art. 6(1)(c)) | Where required by court order or statutory obligation |
| Tax record retention | Legal obligation (Art. 6(1)(c)) | HMRC requirements |
Special Category Data: We do not intentionally collect special category data (e.g., racial origin, health data). If you voluntarily include such data in communications, we process it on the basis of your explicit consent (Art. 9(2)(a)).
4. How We Use Your Data
4.1. To operate and maintain the Platform, including account management, listing display, search functionality, and communication features.
4.2. To personalise your experience through AI-powered property recommendations and search matching. You can opt out of personalisation in your privacy settings.
4.3. To process payments and commissions through Stripe Connect.
4.4. To verify identities and comply with anti-money laundering regulations.
4.5. To send transactional communications (booking confirmations, account updates, security alerts).
4.6. To send marketing communications where you have opted in or where soft opt-in applies.
4.7. To detect and prevent fraud, spam, and abuse.
4.8. To analyse platform usage and improve our services.
4.9. To comply with legal and regulatory obligations.
5. Data Sharing
We share your data with the following categories of recipients:
| Recipient | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase (database hosting) | Platform infrastructure | EU (Frankfurt) | UK adequacy decision |
| Stripe | Payment processing | USA | UK-approved SCCs |
| Anthropic | AI features (property matching, recommendations) | USA | UK-approved SCCs + DPA |
| Resend | Transactional and marketing email | USA | UK-approved SCCs |
| PostHog | Product analytics | EU | UK adequacy decision |
| Sentry | Error tracking and monitoring | USA | UK-approved SCCs |
| MapTiler | Map display and geocoding | EU | UK adequacy decision |
| Upstash | Rate limiting (Redis) | EU | UK adequacy decision |
| Vercel | Hosting and CDN | Global (edge) | UK-approved SCCs |
We do not sell your personal data to third parties. We may share data with law enforcement or regulators where required by law.
When you contact an estate agent, landlord, or service provider through the Platform, your contact details are shared with that User to facilitate the enquiry. This is necessary for the performance of our contract with you.
6. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Active account data | Duration of account + 30-day deletion grace period | Contract performance |
| Closed account (basic record) | 6 years from closure | Limitation Act 1980 (6-year limitation period) |
| Transaction and payment records | 7 years from transaction | HMRC tax record requirements |
| AML/KYC records | 5 years from end of business relationship | MLR 2017, Reg. 40 |
| Communication records | 2 years from last message | Legitimate interest (dispute resolution) |
| Analytics data | 26 months (aggregated) | Legitimate interest |
| Marketing consent records | Duration of consent + 2 years | PECR compliance evidence |
| SAR/GDPR request records | 3 years | ICO accountability principle |
7. International Transfers
7.1. Some of our sub-processors operate outside the United Kingdom. Where data is transferred outside the UK, we ensure appropriate safeguards are in place.
7.2. For transfers to countries with a UK adequacy decision (including the EU/EEA), no additional safeguards are required.
7.3. For transfers to other countries (including the USA), we rely on UK International Data Transfer Agreements (IDTAs) or UK-approved Standard Contractual Clauses (SCCs), supplemented by a transfer impact assessment where appropriate.
7.4. You may request a copy of the relevant transfer safeguards by contacting privacy@britestate.co.uk.
8. Automated Decision-Making and Profiling
8.1. Our AI-powered property recommendation system uses your search history, saved properties, and stated preferences to generate personalised property suggestions. This constitutes profiling under UK GDPR.
8.2. No decisions with legal or similarly significant effects are made solely by automated means without human oversight.
8.3. You have the right to: (a) opt out of profiling for recommendation purposes in your privacy settings; (b) request human review of any AI-generated output that significantly affects you; (c) receive meaningful information about the logic involved in our AI systems. See our AI Transparency Notice.
9. Your Rights
Under UK GDPR, you have the following rights:
9.1. Right of Access (Art. 15): You may request a copy of all personal data we hold about you.
9.2. Right to Rectification (Art. 16): You may request correction of inaccurate or incomplete data.
9.3. Right to Erasure (Art. 17): You may request deletion of your data, subject to our legal retention obligations.
9.4. Right to Restrict Processing (Art. 18): You may request restriction of processing while a dispute is resolved.
9.5. Right to Data Portability (Art. 20): You may request your data in a structured, machine-readable format (JSON).
9.6. Right to Object (Art. 21): You may object to processing based on legitimate interests, including profiling for AI recommendations. We will cease processing unless we have compelling legitimate grounds.
9.7. Rights Related to Automated Decision-Making (Art. 22): You may request human intervention in any solely automated decision that significantly affects you.
9.8. Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any right, use our GDPR Rights page, or email privacy@britestate.co.uk. We will respond within 30 days. We may request identity verification before processing your request. If we cannot action your request, we will explain why.
9.9. Right to Complain: You have the right to lodge a complaint with the ICO at ico.org.uk or by calling 0303 123 1113.
11. Children’s Data
The Platform is not directed at children under 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will delete it promptly.
12. Data Security
12.1. We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS 1.3) and at rest (AES-256), role-based access controls, regular security testing, and incident response procedures.
12.2. In the event of a personal data breach that is likely to result in a risk to your rights, we will notify the ICO within 72 hours and notify affected individuals without undue delay where there is a high risk.
13. Changes to This Policy
We will notify you of material changes to this policy by email or in-app notification at least 30 days before they take effect. The “last updated” date at the top of this page indicates the most recent revision.
14. Contact
Data Protection Officer: privacy@britestate.co.uk
Britestate Ltd, [REGISTERED ADDRESS]
Company No. [COMPANY NUMBER]
ICO Registration: [ICO REGISTRATION NUMBER]