Privacy Policy
Last updated: April 2026
1. Who we are
Hartcroft Ltd (“Hartcroft”, “we”, “us”, “our”) is the data controller for the personal data processed through the Hartcroft platform. We are registered with the Information Commissioner's Office (ICO) as a data controller. Our registered office is in England.
If you have questions about how we handle your data, contact us at privacy@hartcroft.com.
2. What data we collect
We collect the following categories of personal data, depending on how you use the platform:
Account data
Email address, name, and authentication credentials. If you subscribe, we also process your billing details through Stripe (we do not store card numbers directly).
Property data
Addresses, property details, EPC ratings, gas safety and electrical inspection records, tenancy information, mortgage and insurance details (educational use only), and maintenance records. This data is provided by you during onboarding and ongoing use.
Tenant data
Where you add tenant information to your properties, we process tenant names, contact details, tenancy start dates, rent amounts, and deposit information. If tenants use the Hartcroft Tenant Portal, they provide their own email address, reference details, and any correspondence they generate through the platform.
Usage and analytics data
We collect information about how you use the platform, including pages visited, features used, and session duration. We use Google Analytics 4 for this purpose, with IP anonymisation enabled. We also collect the source of your visit (UTM parameters) to understand how people find Hartcroft.
Analysis data
When you use Hartcroft's analysis features (compliance checks, portfolio health reports, tax estimates, and similar), the platform processes your property and tenancy data to generate reports. These reports are stored against your account for future reference.
3. Our legal bases for processing
We process your data under the following lawful bases as defined by the UK General Data Protection Regulation (UK GDPR):
Contract: Processing necessary to provide the Hartcroft service you have subscribed to, including generating reports, sending transactional emails, and managing your account.
Legitimate interest: Processing necessary for our legitimate business interests, including improving the platform, preventing fraud, and ensuring security. We balance these interests against your rights and freedoms.
Consent: Where we rely on your consent (for example, for marketing communications), you can withdraw it at any time through your account settings or by contacting us.
Legal obligation: Processing necessary to comply with our legal obligations, such as maintaining records for tax purposes or responding to lawful requests from authorities.
4. How we use your data
We use your personal data to provide and operate the platform, process payments and manage subscriptions, generate property analysis and compliance reports, send transactional emails (account confirmations, morning briefings, billing notifications), communicate service updates and changes, monitor and improve platform performance, and comply with legal obligations.
We do not sell your personal data. We do not use your data for profiling or automated decision-making that has legal or similarly significant effects on you. The analysis features on the platform are informational tools — they generate reports for your consideration, not automated decisions about you or your tenants.
5. Who we share data with
We use the following third-party service providers to operate the platform. Each has a data processing agreement in place:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and authentication | EU (Frankfurt, eu-west-1) |
| Stripe | Payment processing | EU / US (UK–US Data Bridge) |
| Resend | Transactional email delivery | US (UK–US Data Bridge) |
| Anthropic | Analysis report generation | US (UK–US Data Bridge) |
| Vercel | Application hosting | Global CDN (primary: EU) |
| Google Analytics 4 | Usage analytics (anonymised) | EU / US (UK–US Data Bridge) |
We do not share your data with any other third parties unless required to do so by law (for example, in response to a court order or regulatory request).
6. International data transfers
Your primary data is stored in the European Union (Supabase, Frankfurt). Where data is transferred to the United States (Stripe, Resend, Anthropic), these transfers are protected by the UK–US Data Bridge, under which each provider maintains an active Data Privacy Framework certification. The European Union has a current UK adequacy decision (renewed December 2025, valid until December 2031), permitting free data flow between the UK and EU.
7. How long we keep your data
We retain your account data for as long as your account is active. If you cancel your subscription, we retain your data for 90 days to allow for reactivation, after which it is deleted. Analysis reports and property data are deleted with your account.
We retain billing and transaction records for six years after the end of the financial year in which the transaction occurred, as required by HMRC record-keeping obligations. Anonymised analytics data may be retained indefinitely for aggregate reporting.
You can request earlier deletion at any time (see Section 8).
8. Your rights
Under the UK GDPR, you have the following rights in relation to your personal data:
Access: You can request a copy of the personal data we hold about you.
Rectification: You can ask us to correct inaccurate or incomplete data. You can also update most information directly through your account settings.
Erasure: You can request that we delete your personal data, subject to any legal retention obligations.
Restriction: You can ask us to restrict processing of your data in certain circumstances.
Portability: You can request your data in a structured, commonly used, machine-readable format.
Objection: You can object to processing based on legitimate interests.
To exercise any of these rights, email privacy@hartcroft.com. We will respond within one month.
9. Cookies
We use a small number of cookies to operate the platform:
Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
Analytics cookies: Used by Google Analytics 4 to understand how people use the platform. Under the Privacy and Electronic Communications Regulations 2003 (as amended by the Data Use and Access Act 2025), analytics cookies used solely for statistical purposes are exempt from consent requirements.
Preference cookies: Store your choices, such as cookie consent preferences. These are set only when you interact with the consent banner.
We do not use marketing or advertising cookies. We do not engage in cross-site tracking.
10. Automated processing
Hartcroft uses automated systems to generate analysis reports, including compliance assessments, portfolio health summaries, tax estimates, and maintenance recommendations. These systems process property and tenancy data you have entered to produce informational reports.
These outputs are for your information only. They do not constitute automated decision-making within the meaning of UK GDPR Article 22 — no decisions with legal or similarly significant effect are made about you or your tenants through automated means. All reports include a disclaimer that they do not constitute legal, tax, or financial advice.
11. Tenant data
If you are a landlord using Hartcroft, you are responsible for ensuring you have a lawful basis to share tenant personal data with us (typically as part of the performance of the tenancy agreement). We process tenant data on your behalf and as a controller in our own right where tenants interact directly with the Hartcroft Tenant Portal.
Tenants using the Tenant Portal can manage their own data, including reference visibility preferences, directly through their account.
12. Children
Hartcroft is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.
13. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you by email or by a prominent notice on the platform at least 14 days before the changes take effect. Continued use of the platform after changes take effect constitutes acceptance.
14. Complaints
If you are unhappy with how we have handled your data, please contact us first at privacy@hartcroft.com and we will do our best to resolve your concern.
You also have the right to complain to the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection. You can contact the ICO at ico.org.uk/make-a-complaint or by telephone on 0303 123 1113.
15. Contact
For all privacy-related enquiries:
Hartcroft Ltd
Email: privacy@hartcroft.com
Internal note: This policy has been drafted to reflect Hartcroft's actual data processing practices and comply with UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (as amended by the Data Use and Access Act 2025). It should be reviewed by a qualified solicitor before publication to confirm accuracy and completeness. Remove this notice after review.