Renters' Rights Act 2025 — Phase 1 commencement
Transition readiness pack
LetSafe UK

Legal

Privacy policy

UK GDPR and the Data Protection Act 2018 govern how we handle your data. Here's the plain-English version of what we collect, why, and how long we keep it.

Last reviewed: 18 April 2026 · Controller: WSC Group Ltd trading as LetSafe UK · ICO registration: CSN0004881 · Contact: Richard@letsafeuk.co.uk

1. What we collect

We collect only what we need to deliver the templates you bought and to run a small business:

  • Account data — email address, hashed password, and (optionally) your name.
  • Order data — the products you've bought, the price, and a receipt reference. Stripe handles the card details — we never see them.
  • Support correspondence — emails you send us, retained for the duration of the issue.
  • Technical data — anonymised analytics (page views, country, device class) retained for up to 12 months to help us improve the site.

2. Lawful basis

We rely on three lawful bases under UK GDPR:

  • Performance of a contract — to deliver the template you bought.
  • Legitimate interests — to fight fraud, monitor site performance, and improve our products.
  • Consent — for optional marketing emails only. You can withdraw consent at any time by clicking "unsubscribe".

3. Who we share data with

  • Stripe — payments (PCI-DSS Level 1).
  • Supabase — hosted database and auth, on AWS eu-west-2 (London).
  • Resend — transactional email (receipts, download links).
  • Vercel — static site hosting and CDN.

We do not sell your data. We do not share it for third-party marketing purposes. We do not profile you for advertising.

4. International transfers

Our primary hosting region is the UK/EEA. Some support subprocessors (Resend, Vercel) may process data in the United States under UK Addendum-compliant Standard Contractual Clauses.

5. How long we keep data

  • Order records — 7 years (HMRC requirement for business records).
  • Account data — until you ask us to delete it.
  • Analytics — 12 months.
  • Support emails — 24 months after the ticket closes.

6. Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of your data.
  • Rectification — correct anything wrong.
  • Erasure — ask us to delete your account (we'll keep order records for HMRC).
  • Portability — get your data in a machine-readable format.
  • Objection — opt out of marketing at any time.
  • Complain — to the UK Information Commissioner's Office at ico.org.uk.

Email Richard@letsafeuk.co.uk with the subject "Data request" to exercise any of these rights. We respond within one calendar month.

7. Security

Passwords are salted and hashed (bcrypt). All traffic is HTTPS-only with HSTS. Download links are signed with a 48-hour expiry. We enforce MFA on all staff admin accounts.

8. Cookies

We use strictly-necessary cookies for login sessions and a single optional analytics cookie with consent. See the cookie policy for the full list.

9. Children

LetSafe UK is a B2B product for adults. We do not knowingly collect data from anyone under 18. If you believe a child has submitted data to us, email us and we'll delete it immediately.