Privacy Policy
How Crocker Digital Ltd (trading as RentersActReady) collects, uses, and protects your personal data under UK GDPR.
Last updated: 23 April 2026
Who we are
RentersActReady is operated by Crocker Digital Ltd, a company incorporated in England and Wales (company number 17008789), with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. We are registered with the Information Commissioner's Office under registration number ZC128626.
You can contact us at:
- General support: support@rentersactready.co.uk
- Privacy and data-protection: privacy@rentersactready.co.uk
- Postal: Crocker Digital Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
We do not currently have a statutory Data Protection Officer (we do not meet the Article 37 thresholds), but the privacy@rentersactready.co.uk inbox is monitored and responded to within the UK GDPR one-month deadline.
The two capacities we act in
RentersActReady is used in two ways, and our role under UK data-protection law differs between them.
When you create a personal account — we are the controller
Your own account record — the name, email, password, portfolio size, ICP category, billing data, audit-log entries, and your service-notification email preference (the email_opt_out flag) — is something we determine the purpose and means of processing for. In respect of that data, we are the data controller. This section of the policy describes that processing. We do not collect or retain direct-marketing preferences — the marketing_consents table was dropped in migration 033 and no marketing opt-in flag exists anywhere in the product.
When you upload data about your landlord clients, tenants, or other people — we are the processor
If you are a letting agent, you will upload data about people who are not users of our service — typically your landlord clients, their tenants, guarantors, referees, and council or solicitor correspondents. In respect of that data, you are the controller and we are the processor acting on your documented instructions.
That processing is governed by our Data Processing Agreement (DPA) at /legal/dpa/, which is automatically incorporated into your Terms of Service when you use the service as a letting agent. The DPA sets out our Article 28 obligations, sub-processor list, technical measures, breach-notification commitment, and transfer mechanisms. You remain responsible for the lawful basis on which you collect and share that data.
If you are a self-managing landlord using the service for your own portfolio, there is no third-party controller layer above you: you upload your own tenants' data, and while you remain the controller of it in the UK GDPR sense, the service behaves no differently. The DPA at /legal/dpa/ is available to you as well and automatically attaches to your subscription if any of your use involves personal data you act as controller of (for example, data about someone else who is not a user of our service).
Data we process about you as a controller
| Category | What it includes | Source |
|---|---|---|
| Account profile | Name, email, hashed password, portfolio size, ICP category, plan preference | You — on signup or in dashboard settings |
| Billing | Stripe customer ID, subscription status, plan, invoice history | Stripe (we do not see your card number) |
| Support correspondence | Messages you send us, and the device/browser metadata in those messages | You (Microsoft 365 inbox) |
| Audit log | Security-relevant actions you take in the product (sign-in, data export, account deletion) with timestamp and correlation ID. PII is stripped from the log entries themselves. | The service |
| Analytics | Aggregated page views and referrer, via GoatCounter, which is cookieless and does not track you across sites | GoatCounter |
| Error diagnostics | Stack traces and request metadata (request bodies are stripped before the report leaves the server) | Sentry |
| Notification preferences | Whether you have opted out of the Core-tier service-notification emails (deadline-reminder digest + regulatory-update alerts), and when you last opted in or out | You — in profile settings, or via the unsubscribe link on any notification email |
Lawful bases (UK GDPR Article 6)
We rely on the following lawful bases:
| Processing | Lawful basis | Notes |
|---|---|---|
| Delivering the service you have subscribed to (account, portfolio features, billing) | Contract — Article 6(1)(b) | Necessary to perform our contract with you. |
| Transactional email (account confirmation, password reset, billing receipts, cancellation confirmation, deletion confirmation) | Contract — Article 6(1)(b) | Not marketing; you cannot opt out of these while your account exists. |
| Service-notification email to Core subscribers (deadline-reminder digest + regulatory-update alerts about the regulations you pay us to track) | Legitimate interests — Article 6(1)(f) | See our full Legitimate Interests Assessment. Recipients are restricted to active paid Core subscribers whose use of the product depends on these notifications; the fan-out is filtered on subscription_tier = 'core' and email_opt_out = false. Opt out any time via the unsubscribe link on every email (RFC-8058 one-click) or at /dashboard/settings/profile. |
| Security, fraud prevention, audit log | Legitimate interests — Article 6(1)(f) | Needed to investigate incidents and demonstrate compliance. Balancing test: the intrusion is small (no content-level PII in logs) and the benefit to users is material. |
| Error monitoring | Legitimate interests — Article 6(1)(f) | Necessary to keep the service running. Request bodies stripped. |
| Responding to a subject-access request, right to erasure, or other data-subject right | Legal obligation — Article 6(1)(c) | |
| Responding to a lawful request from a regulator, court order, or law-enforcement body | Legal obligation — Article 6(1)(c) | |
Where we rely on legitimate interests, you have the right to object. See "Your rights" below.
We do not rely on Article 6(1)(d) (vital interests) or Article 6(1)(e) (public task).
Special-category data
We do not ask you for special-category data. If you upload correspondence that happens to contain it (for example, a tenant's reference to a disability, or health information in a complaint), we process it only as a processor for you under the DPA and on your instructions. You remain responsible for identifying the Article 9 condition that applies.
Recipients of your data
We share your data with the following sub-processors:
- Supabase Inc. (UK — London, eu-west-2 region) — database, authentication, file storage
- Stripe Payments UK Ltd — payment processing, customer portal, subscription billing
- Resend, Inc. — transactional + service-notification email delivery
- Netlify, Inc. — hosting and edge functions
- Upstash, Inc. (EU region) — rate-limiting cache (stores IP + request counters only; no account or portfolio data)
- Cloudflare, Inc. — Turnstile bot challenge on signup, login, and forgot-password (device fingerprint token + IP address, seen by Cloudflare only)
- GoatCounter — cookieless analytics
- Sentry (Functional Software, Inc.) — error monitoring (EU region, de.sentry.io selected)
- Microsoft Ireland Operations Limited — support mailbox
The full list with data categories, processing locations, and transfer mechanisms is at /legal/subprocessors.
We do not sell your personal data. We do not share your personal data with advertisers, data brokers, or AI model-training services. We may disclose data to law-enforcement or regulatory bodies in response to a lawful request.
International transfers
Most of our processing takes place in the UK or the EEA. Where a sub-processor processes data outside the UK/EEA — specifically Cloudflare (Turnstile challenges served from its global edge), Resend and Netlify (both may route data to the US to a limited extent), Stripe group support operations (US + EU), Supabase administrative metadata (US transit — the production database itself remains in eu-west-2), and Sentry (EU region de.sentry.io selected, SCCs held as a fallback) — the transfer is protected by the International Data Transfer Agreement issued by the ICO on 2 February 2022, or the UK Addendum to the European Commission's Standard Contractual Clauses, in each case incorporated into our contract with the sub-processor. We have completed a transfer-risk assessment for each such transfer and a summary is available on request to privacy@rentersactready.co.uk.
How long we keep your data
| Data | Retention |
|---|---|
| Account profile, portfolio data, uploaded documents | For as long as your account is open. On deletion: soft-delete for 90 days, then hard-delete by a scheduled sweep. |
| Stripe customer + invoice records | Retained by Stripe under their own retention policy (typically 7 years to meet Stripe's own regulatory obligations) |
| Audit log | Retained indefinitely as an append-only ledger. The audit_logs table is write-once by design (a database trigger blocks UPDATE and DELETE), to preserve an integrity-protected record of service events, billing decisions, and your own consent + deletion requests. Our minimum floor is the six-year limitation period under section 5 of the Limitation Act 1980 for contractual claims; in practice we keep the ledger for the life of the service. Rows that reference your account are unlinked from your identity when we hard-delete your account data — we set the actor_id to null so the trail remains auditable without retaining your user reference. |
| Support email | Retained in the Microsoft 365 mailbox for 6 years from the date of the last exchange. |
| Error diagnostics (Sentry) | 90 days from capture. |
| Analytics (GoatCounter) | 24 months in raw form, then aggregated without identifiers. |
If you delete your account, the audit-log entries that reference you are preserved (with your actor_id unlinked at hard-delete) so we can evidence that you asked us to delete. All other rows — profile, properties, documents, deadlines, assessments, written-statement audits — are purged at the 90-day mark.
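As an added illustration (not RentersActReady's own schema), here is one way to implement the append-only audit ledger described above in PostgreSQL, the database Supabase provides: a trigger rejects every DELETE and every UPDATE except the single change the hard-delete sweep needs, setting actor_id to NULL. The column names other than actor_id, and the carve-out that reconciles the write-once trigger with the unlinking step, are assumptions.

```sql
-- Added illustration of a write-once audit ledger; not the product's schema.
-- Only the table name audit_logs and the column actor_id come from the policy.
CREATE TABLE audit_logs (
    id             bigserial PRIMARY KEY,
    occurred_at    timestamptz NOT NULL DEFAULT now(),
    correlation_id uuid NOT NULL,
    actor_id       uuid,                 -- nulled at hard-delete, never otherwise changed
    action         text NOT NULL         -- e.g. 'sign_in', 'data_export', 'account_deletion'
);

-- Reject DELETE outright, and reject UPDATE unless the only change is
-- actor_id going from a value to NULL (assumed carve-out for the sweep).
CREATE OR REPLACE FUNCTION audit_logs_write_once() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        RAISE EXCEPTION 'audit_logs is append-only: DELETE is not permitted';
    END IF;

    IF NEW.actor_id IS NULL
       AND OLD.actor_id IS NOT NULL
       AND NEW.id = OLD.id
       AND NEW.occurred_at = OLD.occurred_at
       AND NEW.correlation_id = OLD.correlation_id
       AND NEW.action = OLD.action THEN
        RETURN NEW;                       -- the one permitted change
    END IF;

    RAISE EXCEPTION 'audit_logs is append-only: only unlinking actor_id is permitted';
END;
$$;

CREATE TRIGGER audit_logs_write_once
BEFORE UPDATE OR DELETE ON audit_logs
FOR EACH ROW EXECUTE FUNCTION audit_logs_write_once();

-- Hard-delete sweep step for one account: the trail stays, the identity goes.
-- Placeholder id; a real sweep would bind the deleted user's id.
UPDATE audit_logs SET actor_id = NULL WHERE actor_id = '00000000-0000-0000-0000-000000000000';

-- Any other mutation is refused by the trigger, for example:
-- UPDATE audit_logs SET action = 'sign_in' WHERE id = 1;   -- raises
-- DELETE FROM audit_logs WHERE id = 1;                     -- raises
```

Because the trigger fires BEFORE UPDATE OR DELETE for each row, a superuser or the table owner can still drop the trigger; the ledger's integrity therefore also depends on restricting who holds those privileges.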
Your rights
Under UK data-protection law you have the right to:
- Access a copy of your personal data — use the Download data (JSON) button at /dashboard/settings, or email privacy@rentersactready.co.uk;
- Rectify inaccurate data — edit it in the dashboard, or email privacy@rentersactready.co.uk for fields you cannot edit;
- Erase your data ("right to be forgotten") — use the Delete my account button at /dashboard/settings, or email privacy@rentersactready.co.uk;
- Restrict processing in certain cases;
- Port your data in a machine-readable format — the JSON export is designed for this;
- Object to processing that relies on legitimate interests, including to a balancing test;
- Object to our legitimate-interests processing of service-notification emails at any time, via the unsubscribe link on every email or at /dashboard/settings/profile;
- Not be subject to solely automated decisions that produce legal or similarly significant effects — we do not make such decisions. The readiness score is generated deterministically from your inputs against published rules, is presented as guidance, and is not used to decide anything about you.
We respond to rights requests within one month. If the request is complex we may extend by up to a further two months, and we will tell you why.
Complaints
You have the right to complain to the Information Commissioner's Office (ICO):
- Online: https://ico.org.uk/make-a-complaint/
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would, of course, appreciate the chance to resolve the concern directly first — write to privacy@rentersactready.co.uk.
Service-notification emails
Active paid Core subscribers receive two classes of service-notification email that form part of the compliance product you pay for:
- Deadline-reminder digest — a weekly summary of the compliance deadlines you (or a system rule) have entered against your portfolio.
- Regulatory-update alerts — notifications when a new commencement order or secondary statutory instrument publishes that materially changes the regulations the product tracks.
Both classes are processed on the basis of our legitimate interests — UK GDPR Article 6(1)(f) — because they are necessary for you to get the value you pay for under your Core subscription, and because you can object at any time with one click. See our Legitimate Interests Assessment for the balancing test in full.
The recipient query is filtered to subscription_tier = 'core' and email_opt_out = false; Free-tier users never receive these broadcasts. The unsubscribe link on every email (and the RFC-8058 one-click endpoint used by supporting email clients) sets email_opt_out = true on your profile, which removes you from the recipient list for both classes.
Transactional email (account confirmation, password reset, billing receipts, subscription cancellation, account deletion) is sent on the basis of contract (Article 6(1)(b)) and cannot be opted out of while your account exists.
We do not send direct marketing. We do not rely on PECR soft opt-in (reg 22(3)). If you have not subscribed to Core, we will not email you service-notification broadcasts.
Cookies
We use first-party authentication cookies set by Supabase Auth so you can stay signed in across pages. These are strictly necessary under the Privacy and Electronic Communications Regulations and so do not require a consent banner. GoatCounter analytics is cookieless. We do not use third-party advertising, social, or tracking cookies.
Full cookie inventory:
| Cookie / storage | Purpose | Class | Lifetime |
|---|---|---|---|
| Supabase Auth cookies (sb-*) | Keep you signed in | Strictly necessary | Until logout or session expiry |
| rar_checkout_intent_id | Resume paid signup after email confirmation (server-side) | Strictly necessary to the service you requested | 24 hours (one-shot) |
| signup_source (sessionStorage) | Conversion attribution | Strictly necessary to the service you requested | Tab close |
| intended_checkout (sessionStorage) | Resume paid signup after email confirmation (progressive-enhancement fallback) | Strictly necessary | Tab close or on use |
| rar.public_tool.answers.v1 (sessionStorage) | Carry public-tool answers across signup so you don't re-answer | Strictly necessary to the service you requested | Tab close or seeded into the signed-in draft |
| rar.assessment.draft.v1.{userId} (localStorage) | Progressive save of the readiness assessment, scoped per user | Strictly necessary | Cleared on submit |
| Turnstile challenge cookies (on challenges.cloudflare.com only) | Cloudflare Turnstile bot challenge served during signup, login, and forgot-password — stops automated sign-up floods | Strictly necessary | Set and read by Cloudflare only; do not flow back to rentersactready.co.uk |
When you start a paid checkout via Stripe, you're handed off to checkout.stripe.com. Stripe sets its own cookies on its own domain, governed by Stripe's privacy policy — they do not flow back to rentersactready.co.uk.
Automated decision-making and profiling
We do not perform solely automated decision-making within the meaning of Article 22.
Children
The service is not directed to children under 18. We do not knowingly collect personal data from children.
Changes to this policy
We will update this policy as our practices change. Material changes will be communicated by updating the "Last updated" date and, for active paid customers, by email. Where the change requires your fresh consent, we will ask for it before relying on it.
Questions about this policy? Email privacy@rentersactready.co.uk — we respond within one month (UK GDPR Art. 12).