Data Processing Addendum
Version 2026-04-26
This DPA is automatically incorporated into the LettingGuru Terms of Service and applies as soon as you (the agency) accept the Terms — no separate signature is required for the standard pilot or self-service plans.
Enterprise customers (typically 100+ properties) who require a counter-signed PDF for procurement audits should email hello@lettingguru.co.uk — we'll return a DocuSign envelope of this exact text within 2 business days.
This Data Processing Addendum ("DPA") forms part of the agreement between LettingGuru ("Processor", "we", "us") and the agency or organisation accepting these Terms ("Controller", "you") and applies whenever we process Personal Data on your behalf in connection with the LettingGuru platform.
It is designed to comply with Article 28 of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and where applicable the EU GDPR. Where these Terms and this DPA conflict on data protection matters, this DPA prevails.
1. Definitions
Words in capital letters not defined here have the meaning given to them in the UK GDPR. In particular: Personal Data, Processing, Data Subject, Controller, Processor, Sub-processor, Personal Data Breach, and Supervisory Authority.
2. Subject matter and duration
We process Personal Data on your behalf solely for the purpose of providing the LettingGuru platform (the "Services"). This DPA is effective for as long as we process Personal Data for you, plus any retention period required by law or under your subscription agreement.
3. Nature and purpose of Processing
We process Personal Data to:
- Host and operate the property management, tenancy, maintenance, compliance, and financial features you use.
- Generate landlord statements, contractor remittance advices, and platform invoices.
- Operate the AI receptionist (call routing, transcription, scheduling) when enabled.
- Send transactional and operational emails / SMS / push notifications on your instruction.
- Provide audit logs, analytics, and reporting back to you.
- Comply with legal obligations applicable to us (e.g. HMRC record-keeping, anti-money-laundering).
4. Categories of Personal Data and Data Subjects
The Personal Data we process on your behalf typically includes:
- Tenants: name, contact details, identification documents (Right to Rent), bank details, tenancy and rent payment history, maintenance reports, communications.
- Landlords: name, contact details, bank details, NRL status, property ownership records, payouts.
- Contractors: name, contact details, bank details, VAT and CIS information, invoices, photos of completed work.
- Applicants and viewers: name, contact details, viewing history, referencing data.
- Staff users: name, work email, role, IP address, audit log entries.
- Call participants: phone number, voice recordings (subject to your retention setting), AI-generated transcripts.
5. Our obligations as Processor
We will:
- Process Personal Data only on your documented instructions, including with regard to international transfers, unless required by law to do otherwise (in which case we will inform you, unless that law prohibits such information on important grounds of public interest).
- Ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality undertakings.
- Implement and maintain the technical and organisational security measures described in Annex 1 below.
- Engage Sub-processors only in accordance with Section 6.
- Assist you, taking into account the nature of the Processing and the information available to us, in fulfilling your obligations to respond to Data Subject rights requests.
- Assist you in ensuring compliance with your obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, impact assessments, prior consultation).
- Notify you without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data Breach affecting Personal Data we process for you.
- At your choice, delete or return all Personal Data on termination of the Services, and delete existing copies unless retention is required by law.
- Make available to you all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as set out in Section 9.
6. Sub-processors
You give us general written authorisation to engage Sub-processors for the provision of the Services. We maintain a current list at /legal/sub-processors/, including each Sub-processor's name, purpose, and the country in which it processes Personal Data.
We will give you at least 30 days' prior written notice (typically by email to your account contact) of any intended addition or replacement of Sub-processors. You may object on reasonable, documented data-protection grounds within that period. If we cannot accommodate your objection, you may terminate the affected Services without penalty.
Where we engage a Sub-processor, we do so by way of a written contract that imposes substantially the same data-protection obligations as set out in this DPA. We remain liable to you for the performance of each Sub-processor's obligations.
7. International data transfers
Where we transfer Personal Data outside the United Kingdom or the European Economic Area, we rely on one of the following safeguards: an adequacy decision; the UK International Data Transfer Agreement (IDTA) or Addendum to the EU Standard Contractual Clauses; or another mechanism permitted by UK GDPR. The current basis for transfers to each Sub-processor is recorded on the sub-processor register.
For AI processing specifically (e.g. Anthropic Claude, OpenAI, Retell), we rely on the providers' published DPAs and, where the provider offers them, zero-retention API terms. Under zero-retention terms the provider does not retain prompts or transcripts after the request completes and does not use them to train its models; the sub-processor register records which providers are engaged on this basis.
8. Data Subject rights
We will, taking into account the nature of the Processing and to the extent possible, assist you to fulfil your obligations to respond to Data Subjects exercising their rights under UK GDPR (access, rectification, erasure, restriction, portability, objection, and the right not to be subject to automated decision-making).
If a Data Subject contacts us directly, we will not respond to the substance of their request but will refer them to you and notify you promptly so you can respond.
9. Audits and information rights
On reasonable written notice (no more than once per year, except where required by a Supervisory Authority or following a Personal Data Breach), you may request access to documentation and records that demonstrate our compliance with this DPA. We may satisfy this obligation by providing third-party certifications (e.g. SOC 2, ISO 27001 reports from our infrastructure providers), summary penetration test reports, and the security measures in Annex 1.
Where you reasonably require an on-site audit, we will agree the scope, timing, and confidentiality terms in good faith. You will bear your own costs and ours where the audit is on-site.
10. Personal Data Breach
If a Personal Data Breach affects Personal Data we process for you, we will:
- Notify you without undue delay and in any event within 72 hours of becoming aware.
- Provide reasonable information about the nature of the Breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it and mitigate its possible adverse effects.
- Where the information cannot all be provided at once, provide it in phases without further undue delay.
- Cooperate with you and reasonably assist you in fulfilling your obligation to notify the ICO (or other Supervisory Authority) and affected Data Subjects.
11. Return or deletion of Personal Data
Within 30 days of termination or expiry of the Services, we will, at your written choice, return or securely delete all Personal Data we processed on your behalf, and delete existing copies. We may retain Personal Data to the extent and for so long as required by applicable law or for the establishment, exercise, or defence of legal claims (for example, financial records retained for HMRC compliance). Any Personal Data so retained will continue to be protected under the terms of this DPA.
12. Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the main Terms of Service. Nothing in this DPA limits liability that cannot be limited under applicable law (including liability for fraud or fraudulent misrepresentation, death or personal injury caused by negligence, or breaches of the UK GDPR that result in the imposition of an administrative fine on either party which the parties' agreement cannot lawfully exclude).
13. Governing law and jurisdiction
This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction to settle any dispute arising out of or in connection with it.
14. Order of precedence
In the event of any conflict between this DPA, the main Terms of Service, and any other agreement between the parties, the following order of precedence applies on data-protection matters: (1) this DPA; (2) the Terms of Service; (3) any order form or other written agreement.
Annex 1 — Technical and organisational security measures
We maintain the following measures (and others as appropriate to the risk):
Encryption
- TLS 1.2 or higher for all data in transit.
- AES-256 (or equivalent) for data at rest in our databases and object storage.
- Encryption at rest for stored backups.
Access control
- Role-based access controls (RBAC) for all internal systems.
- Mandatory multi-factor authentication for all staff with production access.
- Least-privilege principle: production access limited to engineers with a documented need.
- Audit logs of every administrative action, retained for at least 1 year.
Network and infrastructure
- Hosting on Vercel and Neon (UK / EU regions) and Cloudflare R2; TLS terminated at the edge layer.
- Web application firewall and DDoS protection on the edge layer.
- Regular dependency-update sweeps and automated security advisory monitoring.
Personnel
- Confidentiality undertakings for all staff and contractors.
- Onboarding training on data protection and security.
- Access removed within 1 working day of personnel leaving.
Resilience and recovery
- Daily encrypted backups of the production database with point-in-time recovery.
- Documented disaster-recovery runbook.
- Periodic restore testing.
Incident management
- Documented incident-response plan with named on-call engineers.
- Post-incident reviews to identify and address root causes.
Sub-processor governance
- Public list of Sub-processors at /legal/sub-processors/.
- Each Sub-processor bound by a written DPA on substantially equivalent terms.
- 30 days' advance notice of material changes to the Sub-processor list.
Annex 2 — List of Sub-processors
See the live register at https://lettingguru.co.uk/legal/sub-processors/ for the up-to-date list of Sub-processors, their purpose, the categories of Personal Data they process, and the country in which they operate.
DPA version: 2026-04-26. Questions? Email hello@lettingguru.co.uk.