Privacy and data protection
A quick note on your privacy
Thanks for wanting to know more about how we handle and treat your data. We hope this page answers any questions you might have. If it doesn’t, please contact us for more information by emailing hello@reposit.co.uk.
This Privacy Notice has been written to be fully compliant with Data Protection Laws such as the UK Data Protection Act 2018, the UK GDPR and the EU GDPR. We’ve made the effort to ensure it’s all written in a format that is easily understood and as easy as possible to read.
Let’s start by outlining the basics to give you an overview of our data protection principles:
- We only collect data required to adequately fulfil our core service.
- We will never sell your personal data to a third party unless you have given us your explicit consent to do so.
- We will only share data with another entity if you’ve given us consent to do so or if it’s required as a part of our service to you.
- You may withdraw your consent at any time by contacting us.
- We will only use your contact details to notify you if you are required to perform an action, or if you have requested for us to do so.
- Our server infrastructure is provided by Amazon Web Services.
- We never store highly sensitive information such as passwords in plain text; they are encrypted so even we can’t read them!
- We hold all users of our platform to the same standards we comply with. If you’d like to know more about your use of our platform, please refer to the Terms and Conditions as set out in your Partner or Tenant terms with us.
1. General
Reposit Group Limited (“we” or “us”) take the privacy of your information very seriously. Our Privacy Notice is designed to tell you, the user of our website (www.reposit.co.uk) or tenancy deposit replacement service (“Service”) about our practices regarding the collection, use and disclosure of personal and other information about you or your business that you may provide to us or that is collected via this website or through our web application or otherwise.
This Privacy Notice pertains to our collection and use of your personal data prior to you registering to use our Service. When you register to use our Service, you will be presented with our full Terms and Conditions for you to review and agree before you proceed to use our Services. These Terms and Conditions contain more information about the collection and processing of your personal data.
The processing of a Reposit requires information relating to tenancies. A letting agent or landlord (“Partner”) will be required to enter Tenancy Information into our system in order to offer the option of Reposit to a prospective tenant and to create a Reposit. Tenants will then be invited to complete further information associated with that Reposit. In case a letting agent is creating a Reposit on behalf of a landlord where the landlord will subsequently take over the management of the Reposit (e.g. when a letting agent is appointed by a landlord on a “Let Only” basis), they will be required to enter the landlord’s Contact Information so that the Reposit can be transferred to the landlord once the tenants have paid the Reposit fee.
The Partner must have all necessary consent and notices to ensure that any personal information of the Tenant or Landlord can be transferred to Reposit.
Where we act as a controller or processor
Reposit Group Limited can act as a controller of personal data. That is, we determine the purpose and means of processing personal data. On other occasions we may act as a processor (that is, we act in accordance with the instructions of the Landlord, or Letting Agent on behalf of the Landlord). Please refer to our full Terms and Conditions as provided to all registered account holders for further information on how we process personal data as a controller or processor.
2. Our policy
We aim to limit our interaction with your data wherever possible. Our general policy relating to access to your data is that we will seek only to access that data which is necessary in accordance with supplying the service which you the user originally entered the data to receive. If for whatever reason, we require data for other purposes we will always ask for your consent in clear terms.
3. Basis on which we store or process personal data
We will only store or process your data for the following reasons:
- You have consented to the processing for the specific purposes such as to communicate with us or to receive information from us.
- The processing is required to provide our Service of a tenancy deposit alternative to you and other users.
- To determine your eligibility to use our platform as outlined in our terms and conditions.
- To monitor usage of our website and Service and to improve our user experience and service offering.
- The processing is necessary in pursuit of a “legitimate interest”. A legitimate interest in this context means a valid interest we have or a third party has in processing your personal data which is not overridden by your interests in data privacy and security.
- For security purposes to prevent unauthorised use of our platform.
4. Personal data we collect
We may collect and process the following personal information or data (information that can be uniquely identified with you) about you:
- log-in details and information you provide as an account holder when you register with the Service (“Log-in Information”);
- contact information, for example your name, address, telephone number and/or email address that we may collect from you when you communicate with us via a form on our website, live chat, or email or that you provide to us or that is provided to us on your behalf by someone who you have given consent to do so (“Contact Information”);
- details about any tenancy for which a Reposit is to be offered or used including the property address, tenant names and email addresses, landlord name and email address, guarantor name and email address (when applicable), rent price per month and the tenancy start and end date (“Tenancy Information”)
- information we may require from you when you report a problem or complaint (“Complaints Information”)
- details about you when you visit our website and details of your visits to the website, the resources and pages that you access and any searches you make (“Technical Information”).
- a record of any correspondence between you and us and other interactions with the Service or the website (“Correspondence Information”)
We only collect such information when you choose to supply it to us. You do not have to supply any personal information to us and you may withdraw your authority for us to process your data or request that we restrict our processing (see below) but our Service may not be operable in practice without providing such data to us.
Information may also be gathered through the website without you actively providing it, through the use of various technologies and methods such as Internet Protocol (IP) addresses and cookies.
An IP address is a number assigned to your computer by your Internet Service Provider (ISP), so you can access the Internet. We use your IP address for your security and to diagnose problems with our server, report aggregate information, and determine the fastest route for your computer to use in connecting to our site, and to administer and improve the site.
5. How we use your personal data
Please see the table below which sets out the manner in which we will process the different types of personal data we hold:
Purpose/Activity | Type of data | Lawful basis for obtaining or processing including legitimate interests |
When a user visits our website | Technical Information | Consent – via agreement to our Cookie & Privacy Notice either explicitly or tacitly via the use of our website. |
When a user fills out a contact form on our website | Technical Information, Contact Information, Correspondence Information | Consent – via agreement to our Cookie & Privacy Notice either explicitly or tacitly via the use of our website. Necessary for our legitimate interests (to provide the information that the user has requested by filling out the relevant form). |
When a user or Landlord/Partner/Employer registers with us to provide our Service | Log-in Information, Contact Information, Technical Information, Correspondence Information | Performance of our contract. Necessary for our legitimate interests (to establish necessary information in order to provide our Service). |
When a Partner uses the service to offer or create a Reposit | Log-in Information, Contact Information, Tenancy Information, Technical Information, Correspondence Information | Performance of our contract. Necessary for our legitimate interests (in order to provide our Service). |
When a Tenant is offered the option to use Reposit by a Partner | Log-in Information, Contact Information, Tenancy Information, Correspondence Information | Performance of our contract. Necessary for our legitimate interests (in order to provide our Service). |
When a Tenant or Landlord is added to a Reposit by a Partner | Log-in Information, Contact Information, Tenancy Information, Correspondence Information | Performance of our contract. Necessary for our legitimate interests (in order to provide our Service). |
When a Landlord is invited to use Reposit due to a Partner creating a Reposit on their behalf that needs to be transferred to them | Log-in Information, Contact Information, Tenancy Information, Correspondence Information | Performance of our contract. Necessary for our legitimate interests (in order to provide our Service). |
To manage our relationship with our users which will include: – Notifying users about the status and changes to their contact details, log in and account details – Notifying users about changes to our terms or privacy notice – Asking users to leave a review or to take a survey – Communicating updates to our services – Receiving and responding to complaints | Log-in Information, Contact Information, Tenancy Information, Technical Information, Correspondence Information, Complaints Information | Performance of our contract. Complying with a legal obligation. Necessary for our legitimate interests (to keep our records updated and study how our customers use our Service). |
To verify whether our Terms and Conditions are being complied with | Log-in Information, Contact Information, Technical Information, Correspondence Information | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation). Necessary to comply with a legal obligation. |
To administer and protect our business, including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data | Log-in Information, Contact Information, Technical Information, Complaints Information, Correspondence Information | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation). Necessary to comply with a legal obligation. |
To use data analytics to improve the Service, website, marketing, customer relationships and experiences | Log-in Information, Contact Information, Tenancy Information, Technical Information, Complaints Information, Correspondence Information | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our services updated and relevant, to develop our business and to inform our marketing strategy). |
6. Sharing your information
We may have to share personal data with third parties for the following reasons:
- if you are a Partner, we will share information that identifies you or your business to the Tenants and the Landlord that you add to a Reposit. We will also share any information relating to that Reposit with them;
- if you are a Partner, we will share all account information with any other user you add to your account as a team member. Team members should be people who are employed at your organisation;
- if you are a Tenant, your Letting Agent or Landlord may share information with us about you and your tenancy. For further details please see our Tenant Terms which are presented to you when you sign up to use our Service;
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation (for example, if required to do so by a court order or for the purposes of prevention of fraud or other crime);
- in order to enforce any terms and conditions or agreements for our Services that may apply;
- when a Partner instructs us to transfer their Reposits to a new Partner (Landlord or Letting Agent) due to a transfer of management of one or more tenancies where Reposit has been used, or for any other reason including the sale of their business, we will transfer the relevant Reposits, including the details and documents relating to those Reposits that are stored on our system to the new Partner.
- we may transfer your personal information to a third party if our business is sold or some or all of our business and assets are transferred to any third party or as part of any business restructuring or reorganisation, but we will take steps with the aim of ensuring that your privacy rights continue to be protected;
- to protect the rights, property, or safety of Reposit Group Limited, our account holders, or any other third parties;
- our third-party service providers who may have access to personal information but do not actively process it e.g. providers who ensure that our platform and website(s) are running properly.
7. Security
In order to safeguard the information we collect from you we will take all reasonable steps to ensure that:
- our servers are protected by security mechanisms and can only be administered via strictly controlled cryptographic keys.
- our data processing storage facilities are sited in secure locations to prevent unauthorised access, our infrastructure is provided by Amazon Web Services (AWS) and certifications for infrastructure provided by AWS.
- all communication with our servers is encrypted through Secure Sockets Layer (SSL), an industry standard encryption method that encrypts data between your computer and our servers so that in the event of your network being insecure no data is passed in a format that could easily be deciphered.
- regular security assessments of our infrastructure are performed. This includes web vulnerability scans, dependency vulnerability scans, static code analysis, rule based OS inspection and manual assessments.
8. Data retention
Our current data retention policy is to delete or destroy to the extent we are able to the personal data we hold about you in accordance with the following:
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal information we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means and the applicable legal, regulatory, tax, accounting or other requirements.
We may anonymise your personal data so that it can no longer be associated with you for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
The retention periods stated in this notice can be prolonged or shortened as may be required (for example, in the event that legal proceedings apply to the data or if there is an on-going investigation into the data).
We review the personal data (and the categories of personal data) we are holding on a regular basis to ensure the data we are holding is still relevant to our business and is accurate. If we discover that certain data we are holding is no longer necessary or accurate, we will take reasonable steps to correct or delete this data as may be required.
10. Your data subject rights
Data Protection Laws give you the following rights in respect of personal data we hold about you. Please note not all rights are absolute.
The right to be informed | You have a right to know about our personal data protection and data processing activities, details of which are contained in this notice and in our Terms and Conditions specific to you before you agree to our services. |
The right of access | You can make what is known as a Subject Access Request (“SAR”) to request information about the personal data we hold about you (free of charge, save for reasonable expenses for repeat requests). If you wish to make a SAR please contact us as described below. |
The right to correction | Please inform us if information we hold about you is incomplete or inaccurate in any way and we will update our records as soon as possible, but in any event within one month. We will take reasonable steps to communicate the change to any third parties to whom we have passed the same information. |
The right to erasure (the ‘right to be forgotten’) | Please notify us if you no longer wish us to hold personal data about you although in practice it is not possible to provide our Service without holding your personal data. Unless we have reasonable grounds to refuse the erasure, on receipt of such a request we will securely delete the personal data in question within one month. The data may continue to exist in certain backups, but we will take steps to ensure that it will not be accessible. We will communicate the erasure to any third parties to whom we have passed the same information. |
The right to restrict processing | You can request that we no longer process your personal data in certain ways, whilst not requiring us to delete the same data. |
The right to data portability | You have the right to receive copies of personal data we hold about you in a commonly used and easily storable format (please let us know a format which suits you). You may also request that we transfer your personal data directly to a third party (where technically possible). |
The right to object | Unless we have overriding legitimate grounds for such processing, you may object to us using your personal data if you feel your fundamental rights and freedoms are impacted. You may also object if we use your personal data for direct marketing purposes including profiling or for research or statistical purposes. Please notify your objection to us and we will gladly cease such processing, unless we have overriding legitimate grounds. |
Rights with respect to automated decision-making and profiling | You have a right not to be subject to automated decision-making (including profiling) when those decisions have a legal or similarly significant effect on you. You are not entitled to this right when the automated processing is necessary for us to perform our obligations under a contract with you, it is permitted by law, or if you have given your explicit consent. |
Right to withdraw consent | If we are relying on your consent as the basis on which we are processing your personal data, you have the right to withdraw your consent at any time. Even if you have not expressly given your consent to our processing, you also have the right to object (see above). |
- All SARs and other requests or notifications in respect of your above rights may be sent to us via email at hello@reposit.co.uk
- We will endeavour to comply with such requests as soon as possible but in any event we will comply within one month of receipt unless a longer period of time to respond is reasonable by virtue of the complexity or number of your requests.
- We reserve the right to charge a nominal fee if your request results in significant time investment, complexity or volume of requests.
11. Other websites
Our website may contain links, redirects and references to other websites. Please be aware that this Privacy Notice does not apply to those websites.
We cannot be responsible for the privacy policies and practices of websites that are not operated by us, even if you access them via our website and/or any other service that is operated by us. We recommend that you check the policy of each site you visit and contact its owner or operator if you have any concerns or questions.
In addition, if you came to this website via a third-party website, we cannot be responsible for the privacy policies and practices of the owners or operators of that third party site and recommend that you check the policy of that third party site and contact its owner or operator if you have any concerns or questions.
12. Transferring your information outside of UK
Reposit’s server infrastructure is currently located in the UK. In the event that we transfer and process your personal data outside of the United Kingdom/European Union to countries where data protection laws are less stringent than those in the UK/EU, we only do so to entities that offer our users the same level of data protection as that afforded by the UK Data Protection Act 2018, UK GDPR and the EU GDPR.
- We will only transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal information; or
- We will use specific contracts approved for use in the UK or EU which give personal information the same protection it has in the UK/EU. For example, the use of Article 46 UK and EU GDPR safeguard mechanisms to transfer personal data endorsed by the UK Government or European Commission.
To find out more about the transfer mechanism used please contact us.
13. Notification of changes to our Privacy Notice
We will post details of any changes to our Privacy Notice on our website to help ensure you are always aware of the information we collect, how we use it, and in what circumstances, if any, we share it with other parties.
14. Contact Us or a Data Protection Supervisory Authority
If at any time you would like to contact us with your views about our privacy practices, or with any enquiry relating to your personal information, you can contact us via hello@reposit.co.uk. If you would like to raise a concern with a Data Protection Supervisory Authority, you should contact the Information Commissioner’s Office.
This Privacy Notice was last updated on 10th December 2024.