Privacy Policy

1. Who We Are

RightHold Ltd ("we", "us", "our") is the data controller for the personal data collected through the RightHold platform ("Service"). We are registered in England and Wales. Our ICO registration number will be published here upon registration.

2. What Data We Collect

We collect the following categories of personal data:

• Account data: name, email address, phone number, company name, billing address
• Property data: property addresses, tenancy details, certificate dates, compliance records
• Tenant data: tenant names, contact details, tenancy dates and related compliance information that you upload to the Service
• Usage data: pages visited, features used, session duration, device and browser information
• Payment data: payment card details are processed securely by Stripe and are never stored on our servers

3. How We Use Your Data

We use your personal data for the following purposes:

• Service delivery: to provide, maintain and improve the Service (lawful basis: contract performance)
• Compliance alerts: to send you reminders and notifications about compliance deadlines (lawful basis: contract performance)
• Account management: to manage your subscription, process payments and communicate about your account (lawful basis: contract performance)
• Product updates: to inform you about new features, changes to the Service, and relevant industry updates (lawful basis: legitimate interest, with opt-out)
• Analytics: to understand how the Service is used and to improve it (lawful basis: legitimate interest)
• Legal compliance: to comply with legal obligations and respond to lawful requests (lawful basis: legal obligation)

AI processing: We use AI technology (Anthropic Claude) to extract data from compliance certificates you upload. Certificate images are sent to Anthropic's API for automated data extraction. You review and confirm all extracted data before it is saved.

4. Data Sharing

We do not sell your personal data. We share data only with:

• Service providers: Vercel (hosting and edge compute, US-based), Supabase (database and authentication, US-based), Anthropic (AI-powered certificate data extraction, US-based), payment processing (Stripe), email delivery (Resend), error monitoring (Sentry). We have appropriate data processing agreements in place with all service providers in accordance with Article 28 of the UK GDPR
• Legal requirements: where required by law, regulation, legal process, or enforceable governmental request
• Business transfers: in the event of a merger, acquisition, or sale of assets, with prior notice to you

5. Data Storage and Security

Your data is stored on servers operated by our sub-processors, primarily in the United States and European Economic Area. All transfers are protected by appropriate safeguards as described in the International Transfers section below. Data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3. We implement appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction. Access to personal data is restricted to authorised personnel on a need-to-know basis.

6. Data Breach Notification

In the event of a personal data breach, we will notify the ICO within 72 hours where required under Article 33 of the UK GDPR, and notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

7. Data Retention

We retain your data as follows:

• Active accounts: for the duration of your subscription
• After cancellation: property and compliance data is retained for 90 days to allow for export, then permanently deleted
• Billing records: retained for 7 years as required by HMRC
• Marketing communications: until you unsubscribe

8. Your Rights

Under UK GDPR, you have the following rights:

• Access: request a copy of the personal data we hold about you
• Rectification: request correction of inaccurate personal data
• Erasure: request deletion of your personal data (subject to legal retention requirements)
• Portability: request a machine-readable copy of your data
• Objection: object to processing based on legitimate interest
• Restriction: request restriction of processing in certain circumstances

To exercise any of these rights, contact us at privacy@righthold.co.uk. We will respond within 30 days.

9. Cookies

We use cookies to operate and improve the Service. For full details, see our Cookie Policy.

10. International Transfers

We primarily store and process data within the United Kingdom. Where data is processed by sub-processors outside the UK (including Vercel, Supabase, Anthropic, Stripe, Resend, and Sentry, all US-based), we ensure appropriate safeguards are in place, including UK adequacy decisions or standard contractual clauses approved by the ICO.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Complaints

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint. We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first at privacy@righthold.co.uk.

13. Contact

For any privacy-related enquiries, contact our data protection contact at privacy@righthold.co.uk or write to RightHold Ltd, registered address on file at Companies House.