Privacy Policy

⚠ DRAFT — Before publishing, replace every [TODO] marker with real content and have this document reviewed by a qualified solicitor. This template is a starting structure, not legal advice.

Last updated: [TODO: Date]

Version [TODO: 1.0]

Who we are

Creed PS Ltd ("we," "us," "our") is a property management company registered in England and Wales under company number [TODO: Company number]. Our registered office is at [TODO: Registered office address].

For the purposes of UK GDPR, we are the data controller of the personal information you provide to us. Our ICO registration number is [TODO: ICO registration number].

Our Data Protection Officer

If you have any questions about this policy or how we handle your data, our Data Protection Officer can be reached at dpo@creedps.com or by post at the address above, marked "For the attention of the DPO."

What data we collect

Information you give us

We collect personal information when you contact us, enquire about a property, register as a tenant or landlord, or use our services. This typically includes:

Full name, date of birth, and contact details (email, phone, address)
Identification documents (passport, driving licence) for right-to-rent and AML checks
Employment and income information for tenant referencing
Financial information including bank details, credit history, and rent payment records
Property ownership and leasehold information
Next of kin or guarantor details where applicable
Communication records (calls, emails, WhatsApp, portal messages)

Information collected automatically

When you use our website, we collect limited technical information such as your IP address, browser type, device type, and pages visited. See our Cookie Policy for details.

Information from third parties

We may receive information about you from:

Referencing agencies (e.g. [TODO: Agency name])
Credit reference agencies (Experian, Equifax, TransUnion)
Our tenant and landlord portal partners
Previous landlords or managing agents where you have provided consent

How we use your data

We use your personal data for the following purposes, relying on the legal bases below:

Performance of a contract — to manage your tenancy or property, collect rent, arrange maintenance, and communicate about your property.
Legal obligation — to meet our statutory duties including right-to-rent checks, AML checks, deposit protection, HMRC reporting, and tax filings.
Legitimate interests — to respond to enquiries, improve our services, prevent fraud, and keep you informed about your property.
Consent — for marketing communications about our other services, which you can withdraw at any time.

Who we share data with

We share personal data only where necessary, with the following categories of recipient:

Credit reference and tenant referencing agencies
The Deposit Protection Service (DPS) or equivalent approved scheme
HMRC and other government bodies where legally required
Our contractors and tradespeople (only name, address, and contact for the purpose of arranging works)
Our professional advisers (solicitors, accountants, insurers)
Technology providers who host our systems (portal, CRM, email) under data processor agreements
Law enforcement where legally required

We do not sell your personal data to any third party.

International transfers

Some of our service providers may store or process data outside the UK and EEA. Where this happens, we ensure adequate safeguards are in place, including: [TODO: Specify mechanism — e.g. Standard Contractual Clauses, adequacy decisions].

How long we keep data

We retain personal data only as long as necessary for the purposes described above, and to meet our legal obligations:

Enquiry data (no contract formed): [TODO: e.g. 12 months]
Tenancy records: [TODO: e.g. 7 years after tenancy ends]
Accounting records: 7 years (HMRC requirement)
Right-to-rent check records: 12 months after end of tenancy
Complaints: [TODO: e.g. 6 years]

Your rights

Under UK GDPR you have the right to:

Request a copy of the personal data we hold about you (a "Subject Access Request")
Have inaccurate data corrected
Have your data erased ("right to be forgotten"), subject to our legal obligations
Restrict or object to processing in certain circumstances
Request your data in a portable format
Withdraw consent for marketing at any time
Lodge a complaint with the Information Commissioner's Office (ICO)

To exercise any right, email dpo@creedps.com. We will respond within one month.

If you are unhappy with our response, you can contact the ICO at ico.org.uk or call 0303 123 1113.

Security

We take security seriously and implement appropriate technical and organisational measures to protect personal data against accidental or unlawful loss, alteration, unauthorised disclosure, or access. These include encryption of data in transit and at rest, access controls, staff training, and regular security reviews.

Changes to this policy

We may update this policy from time to time. The "last updated" date at the top of this document indicates when we last made changes. Material changes will be notified to you directly where you are on our records.

Contact us

Questions about this policy? Email dpo@creedps.com or write to us at the registered address above.