Privacy notice

Who we are

SimpleFreeholder is operated by SimpleFreeholder Ltd, a company registered in England and Wales (company number [TO CONFIRM], registered office [TO CONFIRM]). In this notice “we”, “us”, and “SimpleFreeholder” mean SimpleFreeholder Ltd.

For questions about this notice or about your personal data, contact our data protection contact at [TO CONFIRM: privacy@simplefreeholder.com]. We are registered with the Information Commissioner's Office (ICO) under registration number [TO CONFIRM].

Controller or processor — which role we play

SimpleFreeholder plays two different roles, and the role determines who is responsible for the data:

• For your account. When you create an account, sign in, or are invited as an administrator, accountant, or viewer, we are the controller of that account data — your name, email address, role, and sign-in activity.
• For a building's records. The leaseholder details, charges, invoices, payments, expenses, and documents that an RMC enters into the product belong to that RMC. The RMC is the controller of that data and SimpleFreeholder is its processor — we process it only on the RMC's instructions. The terms governing that relationship are set out in our Data Processing Agreement.

If you are a leaseholder and want to know how your data is used, your first point of contact is your RMC (the controller). We will support them in answering you.

What we collect

• Account information — name, email address, the role you hold in an organisation, and a record of sign-in events.
• Building and financial data — the information an RMC enters to run its building: flats, leaseholders and their contact details, service-charge and ground-rent schedules, invoices, payments, expenses, uploaded documents, and year-end figures.
• Technical data — when the application encounters an error, a technical error report (including a stack trace, request URL, browser and operating-system metadata, and the user ID of the affected account) is sent to our error-monitoring provider. No financial records, document contents, or message bodies are included.
• Aggregate analytics — anonymous, aggregate page-view counts for our public marketing pages. These set no cookies and do not identify individuals. See our cookie notice.

Why we use it, and our lawful basis

• To provide the service — operating the product for the RMC that signed you up, generating invoices, statements, and year-end paperwork. Lawful basis: performance of a contract, and our legitimate interest in running the service.
• To keep the service secure and reliable — authentication, the audit log, and error monitoring. Lawful basis: legitimate interests and our legal obligation to keep personal data secure.
• To meet legal obligations — retaining financial records for the periods UK tax and company law require. Lawful basis: legal obligation.
• To communicate with you — service emails such as invitations, invoice notifications, and reminders. Lawful basis: performance of a contract and legitimate interests. We do not send marketing email to leaseholders.

For building and financial data, the lawful basis is determined by the RMC as controller; it is typically the RMC's legal obligations and legitimate interests in administering the building.

Who we share it with

We do not sell personal data. We share it only with the sub-processors below, each engaged under a written contract that limits them to processing data on our instructions:

Google Cloud (Google Cloud EMEA Limited)

Application hosting, database, file storage, and background job processing. Data is held in Google's London (europe-west2) region — within the United Kingdom.

Resend

Delivery of outbound transactional email (invitations, invoice notifications, reminders). Processing location and transfer basis: [TO CONFIRM].

Sentry

Error and performance monitoring. We use Sentry's European Union data region; technical error data is stored within the EU and retained for 30 days before permanent deletion.

We may also disclose personal data where the law requires it — for example, in response to a valid request from a regulator or court.

Where your data is held

Application data — your account, and every building's records — is hosted within the United Kingdom, encrypted in transit and at rest, and backed up daily. Error-monitoring data is held within the European Union, which the UK recognises as providing an adequate level of data protection. Outbound email is handled by the provider listed above.

How long we keep it

Different categories of data are kept for different periods — financial records for seven years, the email log for 90 days, and so on. The full schedule is published in our data retention policy.

Your rights

Under UK data protection law you have the right to:

• ask for a copy of the personal data we hold about you;
• ask us to correct data that is wrong or incomplete;
• ask us to delete your data, or to restrict how we use it, where the law allows;
• object to processing based on our legitimate interests; and
• ask us to transfer your data to another provider.

Some of these rights are qualified — for example, we may need to keep financial records to meet a legal obligation even after a deletion request, in which case we will restrict the data to that purpose and tell you. To exercise any right, contact us at the address above. If your request concerns a building's records, we will pass it to the relevant RMC as controller and support them in responding.

Cookies

The public marketing pages set no cookies. Once you sign in, we set a small number of strictly necessary first-party cookies to keep you signed in. Full detail is in our cookie notice.

Complaints

If you are unhappy with how we have handled your personal data, please tell us first so we can put it right. You also have the right to complain to the Information Commissioner's Office, the UK data protection regulator, at ico.org.uk.

Changes to this notice

We may update this notice from time to time. The current version is always published here; material changes are notified to organisation administrators.