Privacy Policy
Last updated: May 2026
1. Who we are
LetReady Ltd is a company registered in England and Wales (company number 17209704), with registered office at 71–75 Shelton Street, Covent Garden, London WC2H 9JQ. We operate the LetReady platform at let-ready.co.uk, which provides compliance management tools for UK landlords.
For the purposes of UK GDPR, LetReady Ltd is the data controller for personal data processed through our platform.
Contact us at: info@let-ready.co.uk
We have not appointed a Data Protection Officer as we do not meet the threshold criteria under UK GDPR Article 37. For all data protection queries, please contact us at info@let-ready.co.uk.
ICO registration: [INSERT ICO REGISTRATION NUMBER HERE AFTER REGISTRATION AT ICO.ORG.UK — £40/YEAR, REQUIRED BEFORE LAUNCH]
2. What data we collect
We collect and process the following categories of personal data:
- Account data: your full name and email address, provided at registration.
- Property data: property addresses, rental amounts, and status information you add to your account.
- Tenancy data: tenant names, tenancy start and end dates, and tenancy type (periodic or fixed term).
- Certificate data: gas safety, EICR, EPC, and other compliance certificate details including expiry dates.
- Document data: files you upload to the platform such as certificates and tenancy agreements.
- Tenant contact data: where you use the document-sending feature, we process the name and email address of tenants you specify as recipients. This data is used solely to deliver the requested documents; it is not stored beyond the send log and is not used for marketing.
- Billing data: subscription and payment records (card details are held by Stripe, not by us).
- Usage data: log data and session information necessary for platform operation and security.
3. Lawful basis for processing
The primary lawful basis for processing your personal data is performance of a contract (UK GDPR Article 6(1)(b)). Processing your account, property, tenancy, and certificate data is necessary to provide the LetReady service you have subscribed to.
For compliance with legal obligations (such as retaining financial records), we rely on legal obligation (Article 6(1)(c)).
For sending compliance alert emails (certificate expiry reminders, pet request alerts, and RRA 2025 information sheet reminders), we rely on legitimate interests (Article 6(1)(f) UK GDPR). These alerts are sent by default to all registered users because they are directly necessary to deliver the compliance management service you have subscribed to. You can opt out of alert emails at any time in your account settings.
Where we send optional service-improvement communications, we rely on your consent (Article 6(1)(a)), which you may withdraw at any time via Account Settings.
4. How long we retain your data
Different categories of data have different retention periods depending on their purpose and applicable legal obligations. The table below sets out our retention schedule:
| Data category | Retention period | Legal basis |
|---|---|---|
| Account and profile data (name, email, settings) | Duration of account + 7 years after deletion | Companies Act 2006 (accounting records); Limitation Act 1980 |
| Property, tenancy and certificate records | Duration of account + 7 years after deletion | Limitation Act 1980 (6-year limitation period); Companies Act 2006 |
| Tenant contact data (name and email stored in your tenancy records) | Deleted when you remove the tenancy or close your account, whichever is sooner | Minimisation — held only as long as you actively manage the tenancy |
| Email send logs (document_sends — records of documents sent to tenants) | 2 years from date of send, then automatically deleted | Legitimate interests (audit trail for compliance disputes); proportionate to purpose |
| Financial and billing records | 6 years from date of transaction | HMRC requirement under the Taxes Management Act 1970 |
| Uploaded documents and generated PDFs | Duration of account + 30 days after closure | Contract performance; deleted on account closure after grace period |
| Usage and session logs | 90 days, then automatically deleted | Security and fraud prevention |
Note on account deletion: When you request account deletion, your profile, properties, tenancies, and certificates are flagged for deletion. Certain records (such as financial records and compliance audit logs) are retained for the statutory periods shown above even after account closure. All other data is permanently deleted within 30 days of your deletion request.
You can delete your account yourself at any time via Settings → Security → Delete account within the LetReady dashboard. Alternatively, email info@let-ready.co.uk with the subject line "Account deletion request". We will confirm erasure within 30 days.
5. Third parties we share data with
We use the following third-party sub-processors to operate the platform:
- Supabase Inc. — database and file storage. Your data is stored on Supabase infrastructure. Data is encrypted at rest and in transit.
- Vercel Inc. — hosting and content delivery for the LetReady web application.
- Resend Inc. — transactional email delivery. When you send documents to tenants via LetReady, the recipient name, email address, and document content are transmitted to Resend solely to deliver that email. Resend does not use this data for any other purpose.
- Stripe Inc. — payment processing. Stripe handles all card data directly and is PCI-DSS certified. We do not store card numbers.
- Plausible Analytics OÜ — privacy-friendly, cookie-free website analytics. Plausible does not use cookies, does not track individuals, and does not process personal data as defined under UK GDPR. It collects only anonymised aggregate metrics (page views, referrer, country). No personal data is transferred to Plausible. Their privacy policy is available at plausible.io/privacy.
We do not sell your personal data to any third party. We do not share your data with advertisers or marketing platforms.
6. International data transfers
Some of our sub-processors are based in the United States: Supabase Inc., Vercel Inc., Resend Inc., and Stripe Inc. Your personal data may therefore be transferred to and processed in the United States.
These transfers are made under the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum (as approved by the Information Commissioner's Office), which provide appropriate safeguards under UK GDPR Chapter V.
You may request a copy of the relevant transfer safeguards by emailing us at info@let-ready.co.uk.
7. Your rights under UK GDPR
You have the following rights in relation to your personal data:
- Right of access — you can request a copy of the personal data we hold about you.
- Right to rectification — you can ask us to correct inaccurate or incomplete data.
- Right to erasure — you can request that we delete your personal data, subject to legal retention requirements.
- Right to data portability — you can request your data in a structured, machine-readable format.
- Right to restrict processing — you can ask us to pause processing of your data in certain circumstances.
- Right to object — you can object to processing based on legitimate interests.
- Right to withdraw consent — where we process your data on the basis of consent (for example, optional email notifications), you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent, update your notification preferences in Account Settings or contact us at info@let-ready.co.uk.
Provision of data: Providing your name, email address, and property details is a contractual requirement necessary to use LetReady. Without this information we cannot provide the service. Providing optional information (such as your phone number or company name) is voluntary.
Automated decision-making: We do not carry out any automated decision-making or profiling that produces legal or similarly significant effects on you.
To exercise any of these rights, email us at info@let-ready.co.uk. We will respond within 30 days.
8. Cookies
We use strictly necessary session cookies to keep you logged in securely. These cookies are essential for the platform to function and cannot be disabled.
With your consent, we also load Plausible Analytics — a privacy-friendly, cookie-free analytics tool that collects anonymised usage data (page views, referrer, country) without tracking individuals or setting cookies. You can accept or decline analytics when you first visit the site, and update your preference at any time by clearing your browser's local storage. Plausible's privacy policy is available at plausible.io/privacy. Plausible Analytics OÜ is registered in Estonia and processes only anonymised, non-personal data. It is therefore not a data processor under UK GDPR Art. 4(8) and no Data Processing Agreement is required.
9. Complaints
Internal complaints: If you have a concern about how we handle your personal data, please contact us at info@let-ready.co.uk in the first instance. We will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's OfficeWycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
ico.org.uk
10. Changes to this policy
We will notify you of material changes to this policy by email to the address on your account at least 30 days before the changes take effect. If you do not wish to accept the changes, you may close your account before the effective date.