GDPR Statement
Last updated: March 9, 2026
This page explains how Letted Ltd complies with the UK General Data Protection Regulation ("UK GDPR") and the EU General Data Protection Regulation ("EU GDPR") (together, the "GDPR"), and what that means for you.
It sits alongside our Privacy Policy, Terms and Conditions and Cookie Policy, which together describe in detail what personal data we handle and on what legal basis. This page is a shorter summary of our overall GDPR position.
Our role under the GDPR
When you sign up to Letted as a landlord or letting agent, we usually act in two roles at the same time:
- Controller — for the personal data we collect about you directly (your account details, billing information, support correspondence and similar). We decide what data to collect and how it is used.
- Processor — for the personal data you upload into the platform about your tenants, contractors and properties. You decide what to put in, and we process it on your instructions to provide the Services.
The split is set out more formally in the Data Processing Addendum that forms part of our Terms and Conditions.
The principles we work to
We process personal data in line with the seven GDPR principles:
- Lawfulness, fairness and transparency — we always have a legal basis to process data and we tell you what we are doing.
- Purpose limitation — we only use data for the specific purposes set out in our Privacy Policy.
- Data minimisation — we only collect what we actually need to run the Services.
- Accuracy — we keep data up to date and let you correct or delete inaccurate data.
- Storage limitation — we don't keep personal data for longer than we need it.
- Integrity and confidentiality — we use appropriate technical and organisational security measures to protect personal data.
- Accountability — we keep records of processing and can demonstrate compliance on request.
Your rights
Under the GDPR you have the following rights in relation to the personal data we hold about you. Full detail and the request process are in our Privacy Policy.
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing, including for direct marketing
- Right to withdraw consent at any time, where processing is based on consent
- Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects
We will respond to any request within one month, extendable to three months for complex requests.
Legal bases we rely on
Depending on the activity, we rely on one or more of the following legal bases:
- Performance of a contract — to provide the Services to you and your Tenants and Authorised Users.
- Legal obligation — to meet our tax, accounting, anti-money laundering and other regulatory duties.
- Legitimate interests — to run, secure and improve the Services, where this is not overridden by your rights.
- Consent — for marketing communications and non-essential cookies, which you can withdraw at any time.
International transfers
Our primary data storage and hosting is in London-region UK data centres operated by Vercel and Supabase. Some of our sub-processors are based outside the UK (for example OpenAI, Resend, Mailchimp, PostHog, Slack and Notion in the United States). Where personal data is transferred outside the UK, we rely on appropriate safeguards under the GDPR, including:
- transfers to countries that are subject to UK adequacy regulations;
- the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; and
- the UK Extension to the EU-U.S. Data Privacy Framework, where the receiving organisation is registered.
A current list of our sub-processors is included in the Data Processing Addendum at the end of our Terms and Conditions.
Security
We use multiple layers of protection, including enterprise-grade encryption in transit and at rest, role-based access controls, regular security testing, staff training and an incident response plan. Where a personal data breach occurs that is likely to result in a risk to individuals, we will notify the Information Commissioner's Office without undue delay and, where required, the affected individuals.
Data Processing Agreements
If you are a business customer (rather than an individual consumer), the Data Processing Addendum in our Terms and Conditions forms a UK GDPR-compliant data processing agreement between us. It sets out our obligations as a processor when handling personal data you upload into the platform, including security, sub-processing, data subject requests, breach notification and deletion at the end of the contract. You do not need to sign a separate document — accepting the Terms also accepts the Addendum.
If your organisation requires a standalone signed agreement, contact us at support@letted.com.
Making a complaint
If you believe we have not handled your personal data in line with the GDPR, we would like the chance to put it right — please contact us first at support@letted.com.
You also have the right to complain directly to the Information Commissioner's Office (ICO), the UK's data protection regulator:
- Website: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Contact us
For any data protection enquiry, including to exercise your GDPR rights:
- Email: support@letted.com
- Registered office: Letted Ltd, 22 St. Albans Road, Bristol, England, BS6 7SJ
- Company number: 16826979
