GDPR & Data Protection
Our commitment to processing personal data lawfully, fairly, and transparently — in full compliance with UK data protection law.
BravoHomesUK is committed to protecting the privacy and personal data of all users — tenants, landlords, letting agents, and maintenance vendors. We operate as a Data Controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This page explains how we uphold the seven GDPR principles in everyday platform operations and sets out your rights as a data subject in plain English.
BravoHomesUK Ltd acts as the Data Controller for all personal data processed through the platform. As Data Controller, we determine the purposes and means of processing your personal data.
- Registered Name: BravoHomesUK Ltd
- Registered Address: London, United Kingdom
- ICO Registration: In progress / registered
- Privacy Contact: info@bravohomesuk.com
Where we engage third-party processors (e.g. Stripe for payments, AWS for hosting), we ensure appropriate Data Processing Agreements (DPAs) are in place as required by Article 28 UK GDPR.
Under Article 5 UK GDPR, we must comply with seven data protection principles. Here is how we apply each one:
The seventh principle — Accountability — requires us to demonstrate compliance with all the above, including through DPAs, privacy impact assessments, and training.
Tenant Data
- Contact details (name, email, phone, address)
- Financial data (rent payments, payment history)
- Property history (tenancy dates, premises)
- Maintenance requests and communication logs
Landlord & Agent Data
- Contact and identity information
- Property portfolio details
- Financial and subscription records
- Legal compliance documents (EPC, gas safety, EICR)
Vendor Data
- Professional contact details and qualifications
- Location and service area data
- Job completion and performance records
- Payment disbursement records
| Processing Activity | Legal Basis |
|---|---|
| User account creation & management | Contract (Art. 6(1)(b)) |
| Rent payment processing | Contract (Art. 6(1)(b)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Audit trail & financial records | Legal Obligation (Art. 6(1)(c)) |
| Fraud prevention & security | Legitimate Interests (Art. 6(1)(f)) |
| Platform analytics & improvement | Legitimate Interests (Art. 6(1)(f)) |
| Compliance certificates storage | Legal Obligation (Art. 6(1)(c)) |
| Data Category | Retention Period |
|---|---|
| Active user accounts | Duration of account + 30 days after deletion request |
| Financial / payment records | 6 years (HMRC requirement) |
| Tenancy agreements | 6 years from tenancy end date |
| Maintenance records | 7 years for dispute resolution |
| Marketing consent records | Until withdrawal of consent |
| Security / access logs | 12 months rolling |
| Correspondence / emails | 3 years post-last contact |
| Right | What It Means | How to Exercise |
|---|---|---|
| Access | Obtain a copy of personal data we hold about you (Subject Access Request) | Email DPO — 30 days to respond |
| Rectification | Correct inaccurate or incomplete data | Account settings or email DPO |
| Erasure | Request deletion of your data where no legal retention obligation applies | Email DPO — 30 days to respond |
| Restriction | Limit processing in specific circumstances (e.g., while an accuracy dispute is being resolved) | Email DPO |
| Portability | Receive your data in a structured, machine-readable format | Email DPO — JSON/CSV available |
| Object | Object to processing based on legitimate interests or direct marketing | Email DPO or unsubscribe links |
| Withdraw Consent | Withdraw consent at any time where consent is the legal basis | Account settings or email DPO |
We respond to all rights requests within 30 days, as required by UK GDPR. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive.
Where data is transferred outside the UK/EEA, we ensure adequate safeguards under Chapter V UK GDPR. Mechanisms include:
- Adequacy decisions — countries deemed adequate by the UK Secretary of State
- Standard contractual clauses (SCCs) — UK-approved clauses in third-party contracts
- Binding corporate rules — where applicable for group transfers
- Certification schemes — approved codes of conduct
We have a documented Incident Response Policy. In the event of a personal data breach:
- The breach will be assessed for risk to data subjects
- The ICO will be notified within 72 hours if the breach poses a risk to individuals (Article 33 UK GDPR)
- Affected data subjects will be notified without undue delay where the breach poses a high risk to their rights and freedoms (Article 34 UK GDPR)
- All breaches are recorded in the internal Data Breach Register
If you believe your personal data has been compromised, contact us at info@bravohomesuk.com immediately and mark the subject line Security Incident.
BravoHomesUK has appointed a Data Protection Officer (DPO) who is responsible for:
- Monitoring compliance with UK GDPR and the Data Protection Act 2018
- Advising on Data Protection Impact Assessments (DPIAs)
- Being the point of contact for the ICO
- Handling data subject rights requests
Privacy Contact: info@bravohomesuk.com
The supervisory authority for data protection in the UK is the Information Commissioner's Office (ICO). If you are not satisfied with our response to a data rights request, you have the right to lodge a complaint with the ICO:
- Website: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We respectfully request that you contact us first to resolve any data concerns before escalating to the ICO.
Data Protection Contacts
Reach us for Subject Access Requests, data rights exercises, or general GDPR enquiries.