Version 2.0.0Effective 2026-02-10
ESTATEOPS PRIVACY POLICY
Version 2.0.0 — Effective 10 February 2026
1. ABOUT THIS POLICY
1.1 This Privacy Policy explains how EstateOps Ltd ("EstateOps", "we", "us", "our") collects, uses, stores, and protects personal data when you use the EstateOps platform (the "Service").
1.2 EstateOps is committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and guidance issued by the Information Commissioner's Office (ICO).
1.3 This policy applies to all users of the Service, including account holders, team members, and any individual whose personal data is processed through the platform.
2. DATA CONTROLLER
2.1 The data controller for personal data processed through the Service is:
EstateOps Ltd
A company registered in England and Wales
Email: estateops@oshylabs.eu
2.2 If you have questions about this policy or wish to exercise your data protection rights, please contact us using the details above.
3. PERSONAL DATA WE COLLECT
3.1 Account Information
We collect the following when you register for and use the Service:
(a) Full name.
(b) Email address.
(c) Password (stored in hashed form only; we cannot access your plaintext password).
3.2 Estate and Operational Data
Data you input into the Service in connection with property management:
(a) Property names, addresses, and descriptions.
(b) Zone and asset information.
(c) Incident reports and work orders.
(d) Preventive maintenance checklists and completion records.
(e) Vendor contact details and notes.
(f) Team member assignments and roles.
3.3 Technical and Usage Data
(a) IP addresses associated with login events and policy acceptance.
(b) Timestamps of account activity (login, logout, feature usage).
(c) Browser and device information transmitted via standard HTTP headers.
3.4 Consent and Compliance Records
(a) Records of your acceptance of this policy and other legal documents, including timestamps and IP addresses.
3.5 We do not intentionally collect special category data (as defined in Article 9 of UK GDPR). You must not input such data into the Service without a separate written arrangement with us.
4. LAWFUL BASES FOR PROCESSING
4.1 We process personal data under the following lawful bases as set out in Article 6(1) of UK GDPR:
(a) Performance of a contract (Article 6(1)(b)): Processing necessary to provide the Service to you under our Terms of Service. This includes account management, authentication, estate data processing, and team collaboration features.
(b) Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate interests, provided these are not overridden by your rights. Our legitimate interests include:
- Maintaining the security and integrity of the Service.
- Preventing fraud and unauthorised access.
- Generating audit logs for accountability.
- Improving the Service based on aggregated usage patterns.
- Communicating essential service updates and security notices.
(c) Legal obligation (Article 6(1)(c)): Processing necessary to comply with UK law, including tax obligations, regulatory requirements, and responding to lawful requests from authorities.
(d) Consent (Article 6(1)(a)): Where we rely on consent, we will obtain it explicitly. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
5. HOW WE USE YOUR DATA
5.1 We use personal data for the following purposes:
(a) To create and manage your account.
(b) To authenticate your identity when you access the Service.
(c) To process estate management operations you initiate.
(d) To facilitate team collaboration within estates you are a member of.
(e) To generate and maintain audit logs for accountability and compliance.
(f) To communicate service-related notices, including security alerts and maintenance notifications.
(g) To respond to your enquiries and support requests.
(h) To comply with applicable legal obligations.
(i) To detect, prevent, and address technical issues and security threats.
5.2 We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
6. DATA SHARING AND DISCLOSURE
6.1 We do not sell, rent, or trade your personal data.
6.2 We may share personal data with the following categories of recipients:
(a) Infrastructure and service providers acting as data processors on our behalf, under written data processing agreements. Current sub-processors are listed in our Data Processing Addendum.
(b) Other members of the same estate within the Service, to the extent necessary for collaborative estate management. The data visible to other members is limited to your name, email address, and role within that estate.
(c) Law enforcement, regulators, or other authorities where we are required to do so by UK law or in response to a valid legal process.
(d) Professional advisors (legal, accounting, audit) under obligations of confidentiality, where necessary for the operation of our business.
6.3 In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity. We will notify you of any such transfer and any changes to this policy.
7. INTERNATIONAL TRANSFERS
7.1 We primarily process personal data within the United Kingdom and the European Economic Area (EEA).
7.2 Where personal data is transferred to a country outside the UK that has not been deemed adequate by the Secretary of State, we ensure appropriate safeguards are in place, which may include:
(a) The UK International Data Transfer Agreement (IDTA).
(b) The UK Addendum to the EU Standard Contractual Clauses.
(c) Any other mechanism approved under UK data protection law.
7.3 You may request further details about the safeguards applied to international transfers by contacting us.
8. DATA RETENTION
8.1 We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
8.2 Specific retention periods:
(a) Active account data: retained for the duration of your subscription and for 30 days following account closure to allow for data export.
(b) Audit logs: retained for 7 years to meet regulatory and compliance requirements.
(c) Consent records: retained for the duration of the relevant policy version plus 7 years.
(d) Technical logs (IP addresses, login timestamps): retained for 12 months.
8.3 Upon expiry of the applicable retention period, personal data is either securely deleted or anonymised so that it can no longer be associated with you.
8.4 Where you request erasure of your account, we will anonymise your personal data within 30 days, except where retention is required by law or for the establishment, exercise, or defence of legal claims.
9. DATA SECURITY
9.1 We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
(a) Encryption of data in transit using TLS.
(b) Encryption of data at rest.
(c) Password hashing using industry-standard algorithms.
(d) Role-based access controls limiting data access to authorised personnel.
(e) Append-only audit logging to maintain accountability.
(f) Regular review of security practices.
9.2 While we take reasonable steps to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.
10. YOUR RIGHTS
10.1 Under UK GDPR, you have the following rights in relation to your personal data:
(a) Right of access (Article 15): You may request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one calendar month.
(b) Right to rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
(c) Right to erasure (Article 17): You may request deletion of your personal data where there is no compelling reason for its continued processing. This right is not absolute and is subject to legal exceptions.
(d) Right to restriction of processing (Article 18): You may request that we restrict processing of your personal data in certain circumstances.
(e) Right to data portability (Article 20): You may request to receive your personal data in a structured, commonly used, and machine-readable format.
(f) Right to object (Article 21): You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
(g) Rights related to automated decision-making (Article 22): We do not currently carry out automated decision-making or profiling that produces legal or similarly significant effects.
10.2 To exercise any of these rights, please contact us at estateops@oshylabs.eu. We may need to verify your identity before processing your request.
10.3 We will respond to valid requests within one calendar month. This period may be extended by up to two further months where requests are complex or numerous, in which case we will inform you of the extension and the reasons for it.
11. COOKIES AND SIMILAR TECHNOLOGIES
11.1 The Service uses strictly necessary cookies for session authentication. These cookies are essential for the operation of the Service and cannot be disabled.
11.2 We do not use third-party tracking cookies, advertising cookies, or analytics cookies.
12. CHILDREN
12.1 The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.
13. DATA BREACH NOTIFICATION
13.1 In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
13.2 Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, providing details of the breach and the measures taken in response.
13.3 We maintain internal breach response procedures and will document all breaches regardless of whether notification to the ICO is required.
14. CHANGES TO THIS POLICY
14.1 We may update this policy from time to time to reflect changes in our practices, the Service, or applicable law.
14.2 Where changes are material, we will notify you via email or in-app notification and, where appropriate, request your renewed acceptance.
14.3 The "Effective" date at the top of this policy indicates when it was last updated.
15. COMPLAINTS
15.1 If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: https://ico.org.uk
Telephone: 0303 123 1113
15.2 We would appreciate the opportunity to address your concerns before you approach the ICO. Please contact us at estateops@oshylabs.eu in the first instance.
16. GOVERNING LAW
16.1 This policy is governed by and construed in accordance with the laws of England and Wales.