Terms of Service

Last updated: 26 April 2026

1. Acceptance of Terms

By accessing or using the LettingGuru platform ("Service"), operated by LettingGuru ("we", "us", "our"), you agree to be bound by these Terms of Service ("Terms"). If you do not agree to these Terms, you must not use the Service.

These Terms apply to all users of the Service, including agency staff, administrators, and any other authorised users within your organisation.

2. Service Description

LettingGuru is a cloud-based property management platform designed for UK letting and estate agencies. The Service includes property portfolio management, tenant onboarding, maintenance tracking, financial management, compliance tools, reporting, and related features as described on our website.

We may update, modify, or discontinue features of the Service at any time. We will provide reasonable notice of any material changes that affect your use of the platform.

3. Account Terms

  • You must be at least 18 years old and have the authority to enter into these Terms on behalf of your organisation.
  • You are responsible for maintaining the security of your account credentials. Do not share your login details with unauthorised individuals.
  • You are responsible for all activity that occurs under your account and within your agency workspace.
  • You must provide accurate and complete information when creating your account and keep it up to date.
  • We reserve the right to suspend or terminate accounts that violate these Terms or are used for unlawful purposes.

4. Acceptable Use

You agree not to:

  • Use the Service for any unlawful purpose or in violation of UK regulations.
  • Attempt to gain unauthorised access to the Service, other accounts, or our systems.
  • Upload malicious code, viruses, or any harmful content.
  • Reverse engineer, decompile, or disassemble any part of the Service.
  • Resell, sublicense, or redistribute the Service without our prior written consent.
  • Use the Service in any way that could damage, disable, or impair its functionality.

5. Your Data

You retain ownership of all data you input into the Service ("Your Data"). By using the Service, you grant us a limited licence to process, store, and display Your Data solely for the purpose of providing the Service to you.

We will not access, use, or share Your Data except as necessary to provide the Service, comply with the law, or as described in our Privacy Policy. Your Data is isolated within your agency workspace and is not accessible to other agencies.

6. Payment Terms

  • Subscription fees are billed monthly or annually, as selected during sign-up. Prices are in GBP and exclusive of VAT unless stated otherwise.
  • Payment is due at the start of each billing period. Failure to pay may result in suspension of access to the Service.
  • We may change our pricing with at least 30 days' notice. Price changes will take effect at the start of your next billing period.
  • Refunds are handled on a case-by-case basis at our discretion. We do not offer refunds for partial billing periods.

7. Cancellation

You may cancel your subscription at any time through your account settings or by contacting us at hello@lettingguru.co.uk. Upon cancellation:

  • Your access will continue until the end of your current billing period.
  • You may export Your Data before your access ends. We provide CSV export functionality for this purpose.
  • After the billing period ends, your account will be deactivated and Your Data will be deleted within 90 days, unless retention is required by law.

8. Intellectual Property

The Service, including its design, code, features, branding, and documentation, is owned by LettingGuru and protected by UK and international intellectual property laws. These Terms do not grant you any rights to our intellectual property except the limited right to use the Service as described herein.

9. Limitation of Liability

To the maximum extent permitted by law:

  • The Service is provided "as is" and "as available" without warranties of any kind, whether express or implied.
  • We do not warrant that the Service will be uninterrupted, error-free, or free of harmful components.
  • Our total liability for any claim arising from or related to the Service shall not exceed the fees you paid in the 12 months preceding the claim.
  • We shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, data, or business opportunities.

Nothing in these Terms excludes or limits liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be excluded by law.

10. Indemnification

You agree to indemnify and hold LettingGuru harmless from any claims, losses, or damages (including legal fees) arising from your use of the Service, your violation of these Terms, or your infringement of any third-party rights.

11. Changes to These Terms

We may update these Terms from time to time. We will notify you of material changes via email or a notice on the platform at least 30 days before they take effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated Terms.

12. Governing Law

These Terms are governed by and construed in accordance with the laws of England and Wales. Any disputes arising from or in connection with these Terms shall be subject to the exclusive jurisdiction of the courts of England and Wales.

13. Severability

If any provision of these Terms is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary, and the remaining provisions will remain in full force and effect.

14. Contact

If you have any questions about these Terms, please contact us:

Schedule 1 — Data Processing Addendum

The following Data Processing Addendum (DPA) forms part of these Terms and applies to all Personal Data processed by LettingGuru on behalf of the agency. By accepting these Terms you accept this Schedule. A standalone, identically-worded version is also published at /legal/dpa/ for procurement reviews.

This Data Processing Addendum ("DPA") forms part of the agreement between LettingGuru ("Processor", "we", "us") and the agency or organisation accepting these Terms ("Controller", "you") and applies whenever we process Personal Data on your behalf in connection with the LettingGuru platform.

It is designed to comply with Article 28 of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and where applicable the EU GDPR. Where these Terms and this DPA conflict on data protection matters, this DPA prevails.

1. Definitions

Words in capital letters not defined here have the meaning given to them in the UK GDPR. In particular: Personal Data, Processing, Data Subject, Controller, Processor, Sub-processor, Personal Data Breach, and Supervisory Authority.

2. Subject matter and duration

We process Personal Data on your behalf solely for the purpose of providing the LettingGuru platform (the "Services"). This DPA is effective for as long as we process Personal Data for you, plus any retention period required by law or under your subscription agreement.

3. Nature and purpose of Processing

We process Personal Data to:

  • Host and operate the property management, tenancy, maintenance, compliance, and financial features you use.
  • Generate landlord statements, contractor remittance advices, and platform invoices.
  • Operate the AI receptionist (call routing, transcription, scheduling) when enabled.
  • Send transactional and operational emails / SMS / push notifications on your instruction.
  • Provide audit logs, analytics, and reporting back to you.
  • Comply with legal obligations applicable to us (e.g. HMRC record-keeping, anti-money-laundering).

4. Categories of Personal Data and Data Subjects

The Personal Data we process on your behalf typically includes:

  • Tenants: name, contact details, identification documents (Right to Rent), bank details, tenancy and rent payment history, maintenance reports, communications.
  • Landlords: name, contact details, bank details, NRL status, property ownership records, payouts.
  • Contractors: name, contact details, bank details, VAT and CIS information, invoices, photos of completed work.
  • Applicants and viewers: name, contact details, viewing history, referencing data.
  • Staff users: name, work email, role, IP address, audit log entries.
  • Call participants: phone number, voice recordings (subject to your retention setting), AI-generated transcripts.

5. Our obligations as Processor

We will:

  • Process Personal Data only on your documented instructions, including with regard to international transfers, unless required by law to do otherwise (in which case we will inform you, unless that law prohibits such information on important grounds of public interest).
  • Ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality undertakings.
  • Implement and maintain the technical and organisational security measures described in Annex 1 below.
  • Engage Sub-processors only in accordance with Section 6.
  • Assist you, taking into account the nature of the Processing and the information available to us, in fulfilling your obligations to respond to Data Subject rights requests.
  • Assist you in ensuring compliance with your obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, impact assessments, prior consultation).
  • Notify you without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data Breach affecting Personal Data we process for you.
  • At your choice, delete or return all Personal Data on termination of the Services, and delete existing copies unless retention is required by law.
  • Make available to you all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as set out in Section 9.

6. Sub-processors

You give us general written authorisation to engage Sub-processors for the provision of the Services. We maintain a current list at /legal/sub-processors/, including each Sub-processor's name, purpose, and the country in which it processes Personal Data.

We will give you at least 30 days' prior written notice (typically by email to your account contact) of any intended addition or replacement of Sub-processors. You may object on reasonable, documented data-protection grounds within that period. If we cannot accommodate your objection, you may terminate the affected Services without penalty.

Where we engage a Sub-processor, we do so by way of a written contract that imposes substantially the same data-protection obligations as set out in this DPA. We remain liable to you for the performance of each Sub-processor's obligations.

7. International data transfers

Where we transfer Personal Data outside the United Kingdom or the European Economic Area, we rely on one of the following safeguards: an adequacy decision; the UK International Data Transfer Agreement (IDTA) or Addendum to the EU Standard Contractual Clauses; or another mechanism permitted by UK GDPR. The current basis for transfers to each Sub-processor is recorded on the sub-processor register.

For AI processing specifically (e.g. Anthropic Claude, OpenAI, Retell), we use the providers' published DPAs and zero-retention API contracts where available, so prompts and transcripts are not retained or used to train third-party models.

8. Data Subject rights

We will, taking into account the nature of the Processing and to the extent possible, assist you to fulfil your obligations to respond to Data Subjects exercising their rights under UK GDPR (access, rectification, erasure, restriction, portability, objection, and the right not to be subject to automated decision-making).

If a Data Subject contacts us directly, we will not respond to the substance of their request but will refer them to you and notify you promptly so you can respond.

9. Audits and information rights

On reasonable written notice (no more than once per year, except where required by a Supervisory Authority or following a Personal Data Breach), you may request access to documentation and records that demonstrate our compliance with this DPA. We may satisfy this obligation by providing third-party certifications (e.g. SOC 2, ISO 27001 reports from our infrastructure providers), summary penetration test reports, and the security measures in Annex 1.

Where you reasonably require an on-site audit, we will agree the scope, timing, and confidentiality terms in good faith. You will bear your own costs and ours where the audit is on-site.

10. Personal Data Breach

If a Personal Data Breach affects Personal Data we process for you, we will:

  • Notify you without undue delay and in any event within 72 hours of becoming aware.
  • Provide reasonable information about the nature of the Breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it and mitigate its possible adverse effects.
  • Where the information cannot all be provided at once, provide it in phases without further undue delay.
  • Cooperate with you and reasonably assist you in fulfilling your obligation to notify the ICO (or other Supervisory Authority) and affected Data Subjects.

11. Return or deletion of Personal Data

Within 30 days of termination or expiry of the Services, we will, at your written choice, return or securely delete all Personal Data we processed on your behalf, and delete existing copies. We may retain Personal Data to the extent and for so long as required by applicable law or for the establishment, exercise, or defence of legal claims (for example, financial records retained for HMRC compliance). Any Personal Data so retained will continue to be protected under the terms of this DPA.

12. Liability

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the main Terms of Service. Nothing in this DPA limits liability that cannot be limited under applicable law (including liability for fraud or fraudulent misrepresentation, death or personal injury caused by negligence, or breaches of the UK GDPR that result in the imposition of an administrative fine on either party which the parties' agreement cannot lawfully exclude).

13. Governing law and jurisdiction

This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction to settle any dispute arising out of or in connection with it.

14. Order of precedence

In the event of any conflict between this DPA, the main Terms of Service, and any other agreement between the parties, the following order of precedence applies on data-protection matters: (1) this DPA; (2) the Terms of Service; (3) any order form or other written agreement.

Annex 1 — Technical and organisational security measures

We maintain the following measures (and others as appropriate to the risk):

Encryption

  • TLS 1.2 or higher for all data in transit.
  • AES-256 (or equivalent) for data at rest in our databases and object storage.
  • End-to-end encryption for stored backups.

Access control

  • Role-based access controls (RBAC) for all internal systems.
  • Mandatory multi-factor authentication for all staff with production access.
  • Least-privilege principle: production access limited to engineers with a documented need.
  • Audit logs of every administrative action, retained for at least 1 year.

Network and infrastructure

  • Hosting on Vercel + Neon (UK / EU regions) and Cloudflare R2; TLS-terminated edge.
  • Web application firewall and DDoS protection on the edge layer.
  • Regular dependency-update sweeps + automated security advisory monitoring.

Personnel

  • Confidentiality undertakings for all staff and contractors.
  • Onboarding training on data protection and security.
  • Access removed within 1 working day of personnel leaving.

Resilience and recovery

  • Daily encrypted backups of the production database with point-in-time recovery.
  • Documented disaster-recovery runbook.
  • Periodic restore testing.

Incident management

  • Documented incident-response plan with named on-call engineers.
  • Post-incident reviews to identify and address root causes.

Sub-processor governance

  • Public list of Sub-processors at /legal/sub-processors/.
  • Each Sub-processor bound by a written DPA on substantially equivalent terms.
  • 30 days' advance notice of material changes to the Sub-processor list.

Annex 2 — List of Sub-processors

See the live register at https://lettingguru.co.uk/legal/sub-processors/ for the up-to-date list of Sub-processors, their purpose, the categories of Personal Data they process, and the country in which they operate.

DPA version: 2026-04-26. Questions? Email hello@lettingguru.co.uk.