landlordcheck
Policy

Privacy policy

Last updated · 6 May 2026

This is the formal privacy policy for LandlordCheck. For a plain-English summary and a one-click way to delete your data, see your data.

1. Who controls your data

Kasdena Ltd, registered in England and Wales (company number [Company Number]), registered office [Registered Office], is the data controller for any personal data processed through LandlordCheck. We are registered with the Information Commissioner’s Office under registration number [ICO Number]. We are not required to appoint a Data Protection Officer because our processing does not include core large-scale special-category processing. Any data protection question goes to [Public Email].

2. What we collect, why, and on what lawful basis

We collect the following personal data, and only the following personal data:

  • The answers you give to the self-assessment wizard. Lawful basis: contract (UK GDPR Article 6(1)(b)), to deliver the service. Some fields, such as your tenants being on benefits, can be inferred from your answers; we treat these as ordinary personal data, not special category.
  • The full property postcode, used in real time to look up the local council and any selective licensing scheme via postcodes.io. Lawful basis: contract. We only store the outcode (e.g. “NW5”) after the lookup, not the full postcode.
  • Your email address, but only if you buy a report. Lawful basis: contract, plus a legitimate interest (UK GDPR Article 6(1)(f)) to send you the receipt and the PDF report.
  • Standard request metadata (IP address, user-agent string) in our hosting server logs for 14 days. Lawful basis: legitimate interest, namely security, abuse prevention, and incident triage.

3. Cookies and similar technologies

We do not use advertising cookies or any cookies that identify you. We use Vercel Web Analytics for aggregate page-view counts: it sends a page-view ping to Vercel without setting any cookies, without writing to your device, and without identifying you across sessions or sites. We also use two strictly necessary local-storage entries to keep your wizard answers saved while you complete the assessment. The Privacy and Electronic Communications Regulations 2003 (PECR) do not require consent for strictly necessary storage, and the ICO has confirmed that cookieless aggregate analytics fall outside the consent requirement. If we ever add cookies that identify you, fingerprinting, or any other identifying tracker, we will add a consent banner first. See our cookies page for the current list.

4. How long we keep it

Reports and the answers behind them are retained for 12 months after the report is generated, then hard-deleted. Abandoned wizard drafts are deleted after 7 days. The 12-month period reflects the time needed to handle refund and chargeback queries during the cooling-off and chargeback windows, and to respond to any tenant or council enquiry about a report we issued. You can ask us to delete your record sooner; see your data.

5. Who we share your data with

We use the following processors. Each only sees the data it needs:

  • Stripe Payments UK Ltd, for payment processing. Stripe handles your card details directly under the redirected Stripe Checkout flow, so we never see them. Stripe is PCI-DSS Level 1 certified.
  • Resend, Inc., for sending the receipt email with the report PDF. Resend processes your email address only.
  • Supabase, Inc., for storing reports and answers. Supabase encrypts data at rest.
  • Vercel Inc., for hosting the website and for cookieless aggregate page-view analytics (Vercel Web Analytics). Vercel counts page views without setting cookies and without identifying you across sessions or sites.
  • postcodes.io, an open-data service operated by the Open Postcode Consortium, for the postcode-to-council lookup. Your postcode is sent in the request URL; no other data is shared.

We do not sell, lease, or rent your data to anyone. We do not provide your data to advertisers, brokers, or marketing platforms. If we are ever required to disclose data under a court order or to comply with a legal obligation, we will narrow the disclosure to what the order requires.

6. International transfers

Some of our processors operate servers outside the United Kingdom. Stripe Payments UK Ltd is UK-based, but Stripe’s parent group operates in the US under the UK’s adequacy regulations. Resend, Inc. and Supabase, Inc. are US-headquartered. We rely on the UK’s International Data Transfer Agreement (IDTA) and the relevant adequacy regulations to make these transfers. Vercel Inc. operates UK and EU hosting regions; we use the EU region for primary storage where available.

7. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you (a subject access request).
  • Correct any data that is inaccurate.
  • Have your data deleted (the right to erasure).
  • Restrict our processing of your data.
  • Receive your data in a portable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time where consent is the lawful basis (this does not affect any processing that already happened).

To exercise any right, email [Public Email]. We will respond within one calendar month. We may need to verify your identity before acting on a request, particularly for access or deletion requests.

8. Right to complain to the regulator

You can complain to the Information Commissioner’s Office at any time if you think we have mishandled your data. The ICO is at ico.org.uk, telephone 0303 123 1113. We would prefer you contact us first so we have a chance to put it right, but you do not have to.

9. Children

LandlordCheck is for users aged 18 or over. We do not knowingly collect personal data from children. If you believe a child has used the service, contact us at [Public Email] and we will delete the relevant record.

10. Security

We use TLS for every connection, encrypted-at-rest storage at the database level, and access controls so that only the engineers who need access to production data have it. We have a documented breach-response plan that includes notifying the ICO within the 72-hour window required by UK GDPR Article 33 where a breach is likely to result in risk to your rights and freedoms.

11. Updates to this policy

We may update this policy from time to time. The current version is always at landlordcheck.uk/privacy with the date at the top. Material changes will be flagged at the top for at least 30 days.

12. Contact

Kasdena Ltd, [Registered Office]. Data protection email [Public Email]. ICO registration [ICO Number].