Privacy Policy
Last updated: November 2025
ProperLet ("we", "us", "our", or "Company") is committed to GDPR compliance and protecting your data rights. This Privacy Policy explains how we collect, use, disclose, and process personal data in connection with our forensic document analysis service for UK landlords and letting agents.
1. Data Controller & Legal Basis
Data Controller: ProperLet operates as the data controller for personal data collected through our platform.
Legal Basis for Processing (GDPR Article 6):
- Consent (6(1)(a)): For email capture, chatbot interactions, and optional marketing communications
- Contract (6(1)(b)): For account creation, forensic analysis services, and report delivery
- Legitimate Interest (6(1)(f)): For fraud prevention, security, service improvement, and legal compliance
- Legal Obligation (6(1)(c)): For compliance with UK money laundering and financial crime regulations
2. Personal Data We Collect
2.1 Data Provided Directly by You
- Account Information: Email address (for magic link passwordless authentication)
- Vetting Context: Applicant name, co-applicant name (if joint), property address, postcode, monthly rent, security deposit amount
- Communications: Feedback, chat messages, support inquiries
2.2 Data from Your Documents
When you upload financial documents, we extract:
- From Bank Statements: Account holder name, bank name, account number (masked), transaction history, balance, statement dates
- From Employment Documents: Employer name, job title, salary figure, payslip dates, employee name
- Metadata: PDF creation date, modification date, software used, file compression signatures
2.3 Automatically Collected Data
- IP Address: For rate limiting (5 requests per 24 hours) and fraud prevention
- User Agent: Browser/device information for security auditing
- Timestamps: When you upload, log in, or send chat messages
- File Hash Values (MD5): Cryptographic fingerprints for global fraud database matching
3. How We Use Your Data
3.1 Core Service Delivery
- Forensic Analysis: Detecting fraud, manipulation, and inconsistencies in financial documents
- Behavioral Prediction: Assessing late payment risk, dispute propensity, eviction risk (authenticated users only)
- Report Generation: Creating PDF forensic certificates with findings and recommendations
- Property Portfolio Management: Organizing tenant checks by property location in your dashboard
- Per-Scan Chatbot: Providing AI-powered Q&A about specific tenant analyses
3.2 Security & Fraud Prevention
- IP-based rate limiting to prevent abuse
- Global fraud database hash matching to identify known fraudulent documents
- Network activity monitoring for suspicious patterns
- Compliance with UK money laundering reporting obligations
3.3 Service Improvement
- Analyzing anonymized trends to improve detection algorithms
- User feedback collection to refine accuracy
- ML model training on anonymized historical data only
3.4 Communication
- Magic Link Emails: Authentication emails (no marketing)
- Forensic Reports: PDF reports via Resend API
- Optional Marketing: Only with explicit consent
3.5 Compliance & Legal
- Responding to legal requests from UK authorities
- Defending against legal claims
- Audit and regulatory reporting obligations
4. Data Retention & Automatic Deletion (GDPR Article 5)
Principle: We retain data only for as long as necessary.
4.1 Forensic Check Data
Checks Table (check_id, applicant_name, findings, risk_status, etc.):
- Retention: 24 months from check creation
- Rationale: Enables portfolio tracking, tenant outcome documentation for ML improvement
- Auto-Deletion: PostgreSQL CRON job purges records 24 months after creation_date
4.2 Uploaded Document Files
PDF/image files:
- Retention: 7 days maximum
- Rationale: Time to complete analysis and generate report; deleted immediately after download confirmation
- Auto-Deletion: CRON job runs every 6 hours, removing files older than 7 days
4.3 Email & Lead Data
Email Leads Table (compliance checker signups, reports):
- Retention: 12 months
- Rationale: Lead nurturing window; enables follow-up marketing if consented
- Auto-Deletion: CRON removes records 12 months after creation
4.4 Chat Sessions & Messages
Chat Sessions Table:
- Retention: 6 months
- Rationale: Reference period for tenant discussions
- Auto-Deletion: CRON removes records 6 months after creation
4.5 User Accounts
Users Table (email, created_at):
- Retention: As long as account is active
- Deletion: Upon your explicit written request
4.6 Magic Link Tokens
Magic Links Table:
- Retention: 1 hour (auto-expires)
- Auto-Deletion: Used tokens deleted after 1 hour; unused tokens cleaned by CRON
4.7 File Hash Records
Check File Hashes (global fraud database):
- Retention: 24 months (for community fraud prevention)
- Auto-Deletion: Purged with parent check record after 24 months
4.8 Application Logs
- Retention: 7 days (debugging and security monitoring)
- Database Backup Logs: Follow PostgreSQL retention policy (typically 30 days)
5. Data Processing & Security
5.1 Encryption in Transit
- HTTPS/TLS: All data encrypted with TLS 1.2+ between browser and server
- Status Indicator: "ENCRYPTED CONNECTION" badge on navbar
5.2 Encryption at Rest
- Database: PostgreSQL on Replit (automatic encryption via Neon backend)
- Magic Link Tokens: Hashed using werkzeug.security
- Uploaded Files: Temporary filesystem storage, deleted after 7 days
5.3 Access Controls
- Authentication: Passwordless magic link login (no passwords stored)
- Session Management: Secure Flask session cookies with auto-expiration
- Authorization: Authenticated users access only their own checks
- Rate Limiting: 5 API requests per 24 hours per IP on `/analyze` endpoint
5.4 Data Minimization
- Only relevant metadata and financial details extracted from documents
- Images and signatures anonymized
- IP addresses and user agents are logged for security auditing only
- No data sold to third parties or brokers
5.5 Third-Party Data Processors (Data Processing Agreements in place)
- Anthropic (Claude AI): Documents sent for analysis; Anthropic does NOT store or train on your data
- Resend API: Email delivery service for forensic reports; DPA in place
- Replit: Infrastructure provider; DPA in place
5.6 AI & ML Processing
- Claude API: Documents sent to Claude Sonnet 4.5 for analysis
- No Model Training: Your data NOT used to train Claude's base models
- ML Models: Trained on anonymized historical data only
5.7 International Data Transfers
- Data Localization: All processing occurs within UK/EU (Replit infrastructure)
- Exception: Anthropic API (US-based); transfers comply with UK-US adequacy frameworks
6. Your Data Rights (GDPR Articles 12-22)
6.1 Right of Access (Article 15)
Request a copy of all personal data we hold about you. Provided within 30 days of verification.
6.2 Right to Rectification (Article 16)
Request correction of inaccurate or incomplete data (e.g., applicant name, property address).
6.3 Right to Erasure (Article 17)
Request deletion of your personal data, subject to legitimate retention periods, ongoing legal proceedings, and fraud database anonymization requirements.
6.4 Right to Restrict Processing (Article 18)
Request limitation of how we use your data (e.g., pause analysis but retain records).
6.5 Right to Data Portability (Article 20)
Request a machine-readable copy of your data (checks, findings, chat history) in CSV or JSON format.
6.6 Right to Object (Article 21)
Object to marketing communications or processing based on legitimate interests.
6.7 Automated Decision Making (Article 22)
Our risk assessment is AI-powered but always contextual. You can request human review or explanation of any decision.
How to Exercise Your Rights
Email: privacy@rentforensics.uk
Include: Full name, email address, specific right requested, and any relevant case IDs or dates.
Response time: 30 days (or an explanation if an extension is needed)
7. Children & Age Restriction
ProperLet is intended for users aged 18+. We do not knowingly collect data from children under 13. Any such data we discover is deleted immediately.
8. Cookies & Tracking
- Session Cookies: Flask secure session cookies for authentication (essential)
- No Tracking Cookies: No Google Analytics, Facebook Pixel, or third-party tracking
- Cookie Consent: Essential cookies require no consent; manage in browser settings anytime
9. Changes to This Policy
We may update this policy to reflect legal changes or service improvements. Changes are published here with an updated "Last modified" date. Continued use implies acceptance of updates.
10. Contact & Data Protection
11. GDPR Compliance Summary
- ✓ GDPR (UK GDPR) Compliance: All Articles 5-22 principles followed
- ✓ Data Minimization: Only necessary data collected
- ✓ Transparency: Clear explanations of data use and retention
- ✓ Security: Encryption, access controls, secure authentication
- ✓ Retention Limits: Automatic deletion via CRON jobs
- ✓ User Rights: Full support for access, rectification, erasure, and portability
- ✓ Third-Party Accountability: Data Processing Agreements with all processors
- ✓ No Tracking: No third-party analytics, no data selling, no profiling for ads