Privacy Policy
We are committed to protecting your personal data and being transparent about how we collect, use, and safeguard it.
Last updated: 13 May 2026
Introduction and Data Controller
This Privacy Policy explains how USELATCH LTD (trading as “Latch”, and referred to herein as “we”, “our”, or “us”) collects, uses, stores, and protects your personal data when you use our property management platform at uselatch.co.uk and any associated services (collectively, the “Service”).
We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Company: USELATCH LTD
Registered in: Scotland
Company No.: SC879051
Email: [email protected]
Address: USELATCH LTD, 5 Orrok Lane, Edinburgh, EH16 5HF
ICO Registration Number: 02450028338
This policy applies to all users of the Service, including landlords, property managers, tenants accessing the tenant portal, builders who list services on our marketplace, external signers who sign documents via our e-signature service (even if they do not hold a Latch account), and any other contacts whose personal data may be stored within the platform by its users.
Information We Collect
We collect the following categories of personal data in the course of providing the Service:
Account and Authentication Data
- Email address, first name, last name, and password (stored in hashed form only — we never store passwords in plain text)
- Account type (landlord or tenant) and organisation or company name where applicable
Device and Security Data
- IP address, user agent string, and device fingerprint (a cryptographic hash of your browser characteristics)
- Device type (e.g., “Chrome on Windows”) and approximate geographic location (city and country, derived from your IP address for security purposes)
- Trusted device identifiers, email verification codes, and two-factor authentication records
- Login history records including IP address, approximate geolocation (city, country, latitude/longitude derived via IP lookup), timestamp, and device information, used for suspicious access detection and security monitoring
- IP address reputation data obtained from IP-API.com, including ISP name, organisation, and flags indicating whether the IP belongs to a VPN, proxy, Tor exit node, or hosting provider. This data is cached in our database for 7 days and is used for fraud prevention during authentication
- HMRC device identifier (hmrc_device_id): a persistent UUIDv4 stored in your browser’s localStorage the first time you initiate an HMRC Making Tax Digital action. The identifier is generated client-side, retained indefinitely until you clear your browser storage, and transmitted to HMRC as the Gov-Client-Device-ID fraud-prevention header on every MTD API request. We use it solely to satisfy HMRC’s mandatory fraud-prevention header specification; it is not joined to your user identity beyond the MTD audit-log entries described below
Property Data
- Property addresses, unit details (name, bedrooms, bathrooms, floor, square footage), and property type
- Geocoding coordinates (latitude and longitude) derived from property addresses via the Google Maps Places API, used for map display and location services
- Purchase price, current valuations, mortgage details (provider, account number, balances, interest rates)
- Compliance certificates (EPC, Gas Safety, EICR, Insurance) including issue and expiry dates
- Gas Safety Certificates (CP12) and expiry dates
- Electrical Installation Condition Reports (EICR)
- Energy Performance Certificates (EPC) and ratings
- Legionella risk assessments
- Fire risk assessments
- Smoke and carbon monoxide alarm compliance records
- HMO (House in Multiple Occupation) licence details and expiry dates
- Right to Rent check records and outcomes
- Landlord registration numbers (Scotland) and expiry dates
- Rent Smart Wales registration and licensing details
- Any other compliance certificates uploaded by the user
- Property notes, tags, and inventory records
Tenant and Contact Data
- Names, email addresses, phone numbers, and instant messaging handles (e.g., WeChat)
- Company name, contact type (tenant, contractor, supplier, or agent), and preferred contact method
- Free-form notes added by the account holder about their contacts
Lease and Tenancy Data
- Lease start and end dates, monthly rent amounts, deposit amounts, and payment day
- Lease status (active, pending, or ended) and any special terms or conditions
Financial and Payment Data
- Payment amounts, types (rent, deposit, maintenance), payment methods (bank transfer, cash, card, direct debit), and transaction references
- Outstanding balances, payment period records, and carried forward amounts
- Subscription billing data processed via Stripe (we never see or store your full payment card number)
Bank Feed Data (Plaid Open Banking)
- Bank account and routing identifiers, account names, masked account numbers, account balances, and OAuth-style access tokens, obtained when you voluntarily connect a bank account via our Plaid Open Banking integration (PSD2)
- Transaction history including amounts, dates, merchant names, categories, and reconciliation status
- Bank login credentials are entered into Plaid Link directly on Plaid's domain and are never received by, or stored by, Latch
Document Data
- Uploaded files (PDFs, images, Office documents, and other formats, up to 25MB per file)
- Document metadata, file names, upload timestamps, AI-generated summaries, labels, and extracted data points
E-Signature Data
- Signer names, email addresses, and (where provided) phone numbers
- Digital signature representations (typed name, drawn signature, or uploaded image)
- IP addresses and user-agent strings captured at the time of signing
- Timestamps of signature events (sent, viewed, signed, declined)
- Consent records and method of identity verification
- Cryptographic document hashes (SHA-256) for tamper detection
- Complete audit trail of all signing-related events
Communication Data
- Direct messages exchanged between landlords and tenants via the marketplace, including message content, attachments, read status, and timestamps
- Viewing scheduling data including proposed dates, confirmed times, cancellation reasons, and outcome records
- Pre-screening questions and responses submitted by prospective tenants
- WhatsApp messages sent to and received from tenants via the Twilio WhatsApp Business API, including message content, recipient phone numbers, delivery status (queued, sent, delivered, read, failed), Twilio message identifiers, and tenant opt-in/opt-out consent records
Invoice Data
- Invoice details including invoice number, line items, amounts, VAT calculations, payment terms, due dates, and payment status
- Invoice recipient details (tenant name, email address, property reference)
- Invoice view tokens — unique, time-limited URLs that allow recipients to view and download invoice PDFs without requiring authentication
- Generated invoice PDF documents stored in secure file storage
Builder Profile and Marketplace Data
- Business name, trading name, and contact details (email, phone, address)
- Geographic coverage areas and service radius
- Trade categories and specialisations (e.g., plumbing, electrical, roofing)
- Professional certifications, accreditations, and insurance details
- Portfolio images and descriptions of completed work
- Job listings, bid submissions, and bid amounts
- Payment and invoicing information related to marketplace transactions
- Reviews, ratings, and feedback from landlords
Tenant Referencing Data
- Tenant name, date of birth, current and previous addresses submitted for referencing
- Type of screening requested (e.g., credit check, right to rent, employment verification)
- Referencing status and outcome summaries received from Canopy
- Canopy reference IDs and timestamps
- Landlord’s decision to proceed or decline (where recorded)
AI and Agent Data
- Messages you submit to the AI assistant and the contextual account data (property details, tenant information, financial summaries) required to generate responses
- AI task context, tool call history, confidence scores, and agent action audit trails
HMRC and Tax Data
- National Insurance Number (NINO) — encrypted at rest using AES-256-GCM and stored only when you provide it to enable MTD submissions
- Unique Tax Reference (UTR) — encrypted at rest using AES-256-GCM
- HMRC Business ID — an identifier assigned by HMRC to your UK property business income source
- HMRC OAuth access and refresh tokens — encrypted at rest using AES-256-GCM, used to maintain your authorised connection to HMRC
- Aggregated rental income and property expense data compiled from your Latch records for HMRC quarterly, annual, and final declaration submissions
- HMRC submission records including submission identifiers, correlation IDs, submission timestamps, obligation periods, and submission status
- Expense category mappings that you configure between Latch expense categories and HMRC-recognised categories
- Tax calculation results retrieved from HMRC, including estimated tax liabilities and allowances
- HMRC MTD APIs called on your behalf: Business Details (MTD), Obligations (MTD), Property Business (MTD), Individual Calculations (MTD), Business Source Adjustable Summary (BSAS, MTD), Individual Losses (MTD), and the HMRC Test Fraud Prevention Headers validator. Only data necessary for the called endpoint is transmitted in each call
Property Management Client Data
- Landlord client names, email addresses, phone numbers, and correspondence addresses
- National Insurance Numbers (NINO) and Unique Taxpayer References (UTR) provided for tax filing
- VAT registration numbers (where applicable)
- Bank account details for rent disbursement and fee collection
- Management fee structures and commission rates
- Owner statements and financial summaries generated on behalf of landlord clients
- Fee ledger entries and payment records between property manager and landlord client
HMRC Fraud Prevention Data
HMRC legally requires all software that connects to its APIs to collect and transmit fraud-prevention headers with every API request. This is a mandatory requirement under HMRC’s terms of use for MTD-compatible software and is the lawful basis on which we collect and transmit the following items (UK GDPR Art. 6(1)(c) — legal obligation). The table below enumerates each header value, where it is collected, whether it is stored at rest by Latch, and how long it is retained.
| Header | Element | Where collected | Storage at rest | Retention |
|---|---|---|---|---|
| Gov-Client-Browser-JS-User-Agent | Browser user-agent string | Client (per request) | Not persisted as a separate field; captured in the MTD audit-log target_resource snapshot | 12 months in audit log; transient otherwise |
| Gov-Client-Device-ID | Persistent UUIDv4 device identifier | Client localStorage (hmrc_device_id) | Stored indefinitely in your browser localStorage; copied into the audit-log target_resource snapshot per request | Indefinite in your browser; 12 months in audit log |
| Gov-Client-Screens | Screen width, height, colour-depth, pixel-ratio | Client (per request) | Not persisted; captured in audit-log snapshot only | 12 months in audit log; transient otherwise |
| Gov-Client-Window-Size | Viewport width and height | Client (per request) | Not persisted; captured in audit-log snapshot only | 12 months in audit log; transient otherwise |
| Gov-Client-Timezone | Timezone offset (UTC±HH:MM) | Client (per request) | Not persisted; captured in audit-log snapshot only | 12 months in audit log; transient otherwise |
| Gov-Client-User-IDs | URL-encoded Supabase user ID, namespaced as uselatch={userId} | Server (per request) | Captured in audit-log row (actor_user_id) | 12 months in audit log |
| Gov-Client-Connection-Method | Constant: WEB_APP_VIA_SERVER | Server (per request) | Not persisted (constant) | n/a |
| Gov-Client-Public-IP | Your public IP address (from x-forwarded-for / x-real-ip) | Server (per request) | Recorded as audit-log ip_address column | 12 months in audit log |
| Gov-Client-Public-IP-Timestamp | ISO 8601 timestamp of IP capture | Server (per request) | Not persisted separately; bound to audit-log created_at | 12 months in audit log |
| Gov-Client-Multi-Factor | Sent only when MFA factor is currently verified: type=TOTP&timestamp=<ISO>&unique-reference=<userId> | Server (per request) | Not persisted | Transient |
| Gov-Vendor-Public-IP | Our outbound (vendor) public IP | Server (5-minute in-memory cache) | Memory cache only; not in DB | 5 minutes |
| Gov-Vendor-Forwarded | Vendor proxy chain (by={server}&for={client}) | Server (per request) | Not persisted | Transient |
| Gov-Vendor-License-IDs | SHA-256 hash of our HMRC vendor licence ID | Server (hashed at request time) | Not persisted (constant per deploy) | n/a |
| Gov-Vendor-Product-Name | Constant: UseLatch | Server (per request) | Not persisted (constant) | n/a |
| Gov-Vendor-Version | Vendor product version string (e.g., UseLatch=1.0.0) | Server (per request) | Not persisted (constant per deploy) | n/a |
Intentionally omitted headers
Two headers from HMRC’s fraud-prevention specification are deliberately not transmitted, in each case for a documented technical reason that HMRC permits:
- Gov-Client-Public-Port: Latch is hosted on Vercel, which terminates inbound TLS connections at its edge proxy before reaching our application code. Your originating client TCP source port is therefore not available to us in any request header. HMRC’s validator response acknowledges this scenario for vendors whose connection between client and server traverses a private network.
- Gov-Client-Multi-Factor: sent only when an MFA factor is currently in verified status for the active session. We omit the header entirely when no MFA factor is verified, rather than sending a misleading negative. HMRC explicitly permits this behaviour for single-factor sessions (e.g., email and password without a second factor).
HMRC MTD Audit Log
We maintain a tamper-evident audit log of MTD events in our organization_audit_logs table to support HMRC dispute resolution, fraud-prevention header reproducibility, and our own security monitoring. The lawful basis is a combination of UK GDPR Art. 6(1)(c) (legal obligation under MTD regulations) and Art. 6(1)(f) (legitimate interest in service-integrity record-keeping).
Events logged
- MTD_CONNECTED — you authorise the HMRC OAuth connection
- MTD_DISCONNECTED — you revoke the HMRC connection
- MTD_QUARTERLY_SUBMITTED — quarterly cumulative update submitted to HMRC
- MTD_ANNUAL_SUBMITTED — annual adjustment submitted to HMRC
- MTD_FINAL_DECLARATION — end-of-year final declaration submitted to HMRC (and any subsequent confirm-amendment)
- MTD_SUBMISSION_SAVE_FAILED — HMRC accepted a submission but we failed to record it locally (so support can reconcile)
Fields per audit-log row
Actor user ID, actor email, action name, target resource metadata (HMRC submission ID, X-CorrelationId, obligation period, and a snapshot of the fraud-prevention header values sent with the call), IP address, and UTC timestamp.
Retention
12 months by default, configurable per organisation. Automated purge is being progressively rolled out; until each cleanup job is enabled, audit-log entries may persist beyond the configured window. All audit-log rows are deleted on permanent account deletion regardless of the configured retention window.
Analytics and Usage Data
- Session identifiers, page views, navigation paths, and session heartbeat timestamps
- Real-time session presence data, including a randomly generated visitor identifier (stored in session storage), device type (desktop/tablet/mobile), current page path, and heartbeat timestamps sent approximately every 30 seconds while the platform is active in your browser. This data is used to display active user counts and is not linked to your user account on public pages
- Marketing conversion analytics, including trial email delivery records, trial-to-paid conversion metrics, and trial source attribution. This data is aggregated internally to measure the effectiveness of our communications and is not shared with third parties
- All analytics data is collected and stored internally on our own infrastructure. We do not use any third-party analytics services such as Google Analytics
Other Data
- Feature requests, feedback, votes, and comments you submit
- Tenant insurance details (provider, dates, certificates) where applicable
- Contractor directory entries (names, contact details, trade, certifications, and reviews)
- Audit logs recording administrative actions including actor identity, action type, IP address, and before/after change values
How We Collect Your Information
Information You Provide Directly
- When you create an account or register for the Service
- When you add properties, tenants, leases, payments, expenses, or other records to the platform
- When you upload documents, send messages, submit feature requests, or interact with the AI assistant
- When you create and send invoices to tenants through the platform
- When you contact us for support or make enquiries
E-Signature Data Collection
- Collected automatically when a signer interacts with a signature request, including IP address, user-agent, and timestamps captured at each signing event
Builder Marketplace Data Collection
- Provided directly by builders when creating or updating their marketplace profile, submitting bids, or responding to job listings
Tenant Referencing Data Collection
- Initiated by landlords through the platform; tenant personal details are submitted to our referencing partner Canopy, who returns screening results
Property Management Client Data Collection
- Provided by property managers when onboarding landlord clients, setting up management agreements, and recording fee structures
Compliance Portfolio Data Collection
- Uploaded by users when recording property compliance certificates, or extracted from documents where supported
Information We Collect Automatically
- Device and browser information via your user agent string
- IP address and approximate geographic location (used for security and fraud prevention)
- IP address reputation data obtained from IP-API.com when you log in or perform security-sensitive actions, used to detect potentially suspicious access from VPNs, proxies, Tor exit nodes, or hosting providers
- Usage patterns and session data, stored in our own database and never shared with third parties
- Authentication tokens and session cookies, which are essential for the Service to function
Information from Third-Party Services
- Bank account and transaction data when you voluntarily connect your bank via Open Banking
- Email content and attachments when you authorise Gmail integration via Google OAuth
- Calendar events when you connect Google Calendar or Microsoft Outlook
- Payment and subscription status data from Stripe
- Tax data, obligation periods, submission confirmations, and tax calculation results from HMRC when you connect your HMRC account via the MTD integration
Lawful Bases for Processing
Under Article 6 of the UK GDPR, we process your personal data on the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Providing and maintaining the Service (property, tenant, lease, payment, and expense management) | Performance of contract (Art. 6(1)(b)) |
| Account authentication and security (device fingerprinting, two-factor authentication, trusted devices) | Legitimate interests — protecting your account and preventing fraud (Art. 6(1)(f)) |
| AI-assisted features (document analysis, chat assistant, automated recommendations) | Performance of contract (Art. 6(1)(b)) — these features form part of the Service |
| Bank feed integration via Plaid (UK Open Banking) | Consent (Art. 6(1)(a)) — you explicitly authorise this connection through Plaid Link, supported by Plaid's PSD2 licence |
| AI processing of account data via Google Gemini, Zhipu, and Tavily | Performance of contract (Art. 6(1)(b)) where AI is part of a feature you have enabled; legitimate interests (Art. 6(1)(f)) for cost monitoring and abuse-detection logging |
| Abuse detection and automated rate-limiting / account restrictions | Legitimate interests (Art. 6(1)(f)) — protecting platform integrity, other users, and our cost limits |
| Login history retention (IP, device hash, geolocation, outcome) | Legitimate interests (Art. 6(1)(f)) — detection of suspicious access; supports Article 32 security obligations |
| Email delivery event tracking (delivered, bounced, opened, clicked, spam-reported) | Legitimate interests (Art. 6(1)(f)) — maintaining email deliverability and resolving delivery disputes (transactional emails only) |
| Tenant Portal account creation (tenant auth data) | Performance of contract (Art. 6(1)(b)) — provision of the tenant portal account requested by the tenant |
| E-signature audit trail (IP/UA capture for non-account signers) | Legal obligation (Art. 6(1)(c)) under the UK Electronic Communications Act 2000; legitimate interests (Art. 6(1)(f)) in maintaining evidential value of the signed document |
| Gmail integration for email access | Consent (Art. 6(1)(a)) — you explicitly authorise via Google OAuth |
| Calendar synchronisation (Google Calendar, Microsoft Outlook) | Consent (Art. 6(1)(a)) — you explicitly authorise this connection |
| Sending transactional emails (verification, security alerts, rent reminders, payment receipts) | Performance of contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)) |
| Internal analytics and service improvement | Legitimate interests — improving and maintaining the Service (Art. 6(1)(f)) |
| Marketplace operations and messaging between landlords and tenants | Performance of contract (Art. 6(1)(b)) |
| Billing and subscription management via Stripe | Performance of contract (Art. 6(1)(b)) |
| HMRC Making Tax Digital integration — submitting income, expenses, and tax declarations to HMRC on your behalf | Performance of contract (Art. 6(1)(b)) — you instruct us to make these submissions; and Legal obligation (Art. 6(1)(c)) — HMRC MTD regulations require digital record-keeping and submission |
| Collecting and storing your NINO and UTR for HMRC submissions | Performance of contract (Art. 6(1)(b)) — necessary to fulfil the MTD service you have requested; and Legal obligation (Art. 6(1)(c)) — required for HMRC tax submissions |
| Collecting and transmitting fraud prevention data to HMRC | Legal obligation (Art. 6(1)(c)) — HMRC mandates this data collection for all MTD-compatible software under the Income Tax (Digital Requirements) Regulations |
| E-Signature processing and audit trail | Contract performance (Article 6(1)(b)) — necessary to provide the e-signature service requested; Legitimate interest (Article 6(1)(f)) — maintaining audit trails for legal evidential purposes |
| Builder marketplace profile and listings | Contract performance (Article 6(1)(b)) — necessary to enable builders to offer services through the marketplace |
| Builder geographic and trade data | Contract performance (Article 6(1)(b)) — necessary to match builders with relevant job opportunities in their service area |
| Tenant referencing and background screening | Explicit consent (Article 6(1)(a)) — landlord must obtain tenant’s explicit consent before initiating referencing through Canopy |
| Compliance certificate tracking and expiry monitoring | Contract performance (Article 6(1)(b)) — necessary to provide the compliance management features of the platform |
| Property management client data and financial records | Contract performance (Article 6(1)(b)) — necessary to enable property managers to manage properties on behalf of their landlord clients |
| Detecting and preventing fraud, abuse, and security incidents | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal obligations (e.g., financial record-keeping) | Legal obligation (Art. 6(1)(c)) |
| Audit logging for data integrity and accountability | Legitimate interests (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)) |
| Newsletter email delivery | Consent (Art. 6(1)(a)) — you explicitly opt in via the newsletter subscription form |
| Address autocomplete and geocoding via Google Maps | Performance of contract (Art. 6(1)(b)) — necessary to provide property location features of the Service |
| WhatsApp messaging via Twilio (rent reminders, landlord-tenant communications) | Consent (Art. 6(1)(a)) — tenants must opt in to receive WhatsApp messages; and Performance of contract (Art. 6(1)(b)) where the landlord has enabled WhatsApp reminders as part of lease management |
| Invoice generation, delivery, and view token access | Performance of contract (Art. 6(1)(b)) — necessary to provide the invoicing features of the Service |
| IP address reputation checking via IP-API.com | Legitimate interests (Art. 6(1)(f)) — detecting and preventing fraudulent or suspicious access to protect user accounts |
| Marketing conversion analytics and trial source tracking | Legitimate interests (Art. 6(1)(f)) — measuring the effectiveness of marketing efforts and improving the Service |
How We Use Your Information
- Service Delivery: To operate, maintain, and provide the core property management platform, including property tracking, tenant management, lease administration, payment recording, expense tracking, and document management
- Authentication and Security: To verify your identity, manage device trust, detect suspicious login activity from new devices or locations, and protect your account from unauthorised access
- AI-Powered Features: To provide AI document analysis, chat assistance, automated recommendations, and intelligent transaction matching (see Section 6 for further details)
- Financial Processing: To process subscription payments, generate financial reports (rent rolls, profit and loss statements), and reconcile bank transactions
- HMRC Tax Submissions: To aggregate your rental income and property expense data, submit quarterly and annual updates to HMRC, trigger tax calculations, and submit final declarations via the Making Tax Digital for Income Tax Self Assessment service
- Communications: To send transactional emails including email verification, password resets, security alerts, rent reminders, payment receipts, invoice notifications, viewing confirmations, compliance expiry warnings, and account notifications
- WhatsApp Communications: To send automated rent reminders, payment confirmations, and other property management communications via WhatsApp, where tenants have opted in to receive WhatsApp messages. Messages are sent via the Twilio WhatsApp Business API, and delivery status is tracked to ensure reliable communication
- Invoice Management: To generate, send, and track invoices for rent and other charges; to generate PDF invoices; to provide time-limited view tokens allowing recipients to view invoices without authentication; and to send automated overdue invoice reminders
- Marketplace Operations: To facilitate property listings, tenant pre-screening, viewing scheduling, and secure messaging between landlords and prospective tenants
- E-Signature Services: To facilitate the creation, sending, tracking, and completion of electronic signature requests; to maintain legally compliant audit trails; and to verify document integrity through cryptographic hashing
- Builder Marketplace: To enable builders to create profiles, list their services, submit bids on jobs, and receive reviews; to match landlords with suitable tradespeople based on location, trade, and availability
- Tenant Referencing: To facilitate tenant background screening by transmitting applicant details to our referencing partner Canopy and presenting the results to the requesting landlord; to maintain records of referencing requests and outcomes
- Compliance Portfolio Management: To track property compliance certificates, monitor expiry dates, and send reminder notifications to help landlords and property managers maintain regulatory compliance
- Property Management Portal: To enable property managers to manage properties on behalf of landlord clients, including generating owner statements, tracking management fees, recording bank details for rent disbursement, and maintaining client financial records
- Internal Analytics: To understand how the Service is used and identify areas for improvement. All analytics are processed internally and never shared with third parties
- Compliance and Legal: To maintain audit trails, comply with regulatory requirements, and respond to lawful requests from authorities
AI and Automated Processing
Latch uses artificial intelligence to enhance the Service. We believe in transparency about how AI processes your data.
Models and Providers
- Google Gemini 2.5 Pro / Gemini 2.5 Flash (United States) — default models for chat assistant, document analysis, and most AI features. Data is processed under Google's API terms and is not used to train Google's general-purpose models.
- Zhipu AI (People's Republic of China) — secondary inference provider used for selected background AI tasks (such as low-cost classification). Data is transferred under the UK International Data Transfer Agreement (IDTA), supported by a documented Transfer Risk Assessment that considers the PRC Cybersecurity Law 2017, Data Security Law 2021, and Personal Information Protection Law 2021. Categories of data sent to Zhipu are constrained per the “Data Sent to AI Providers” subsection below.
- Tavily (United States) — AI search provider used to supply current public information when an AI feature requires a live web lookup. Only the search query string is transmitted; no account context.
Data Sent to AI Providers
When you invoke an AI feature, the following data may be transmitted to the relevant provider above:
- your prompt and any attached file content
- relevant context drawn from your account (e.g. property summary, lease text, expense descriptions, tenant notes, document text)
- prior turns in the same conversation
We do not transmit your password, payment card details, National Insurance Number, Unique Tax Reference, HMRC OAuth tokens, or trusted-device identifiers to AI providers.
Logging and Cost Controls
- Every AI call is logged in our ai_feature_usage table for audit, cost monitoring, and abuse detection. Each record contains: feature name, model, input/output token counts, thinking-token counts (where applicable), provider cost in USD, latency, success/failure, and technical metadata. We do not store the full prompt or response in this table.
- A global platform AI spending cap (currently $200 per month) and per-account caps are enforced. If you reach a limit, AI features may be temporarily restricted on your account. This is a security and abuse-prevention measure, not a punitive decision.
Agent Actions
Our AI assistant can take actions on your behalf, including:
- drafting and sending rent reminder emails or WhatsApp messages
- recording expenses against properties from receipts you provide
- querying public web sources (via Tavily) to answer your questions
- scheduling viewings and following up on prospects
Every agent action is logged in an audit trail with actor, timestamp, tool used, and result. You can review and undo agent actions from your account settings.
No Model Training on Your Data
None of the providers above are authorised by us to train their general-purpose models on your data. Data sent to Google Gemini is processed under Google's API terms (no training). Data sent to Zhipu is processed under Zhipu's enterprise API terms. Data sent to Tavily is the search query only.
Your Choices
- AI features are optional. You can disable AI for your account from Settings → AI.
- You may request that we delete the AI usage records associated with your account at any time, except where we are required to retain abuse-related records.
- You can request human review of any AI-generated output by contacting [email protected].
Automated Processing via Third-Party Services
- When a landlord initiates tenant referencing through the platform, personal data is transmitted to Canopy, who may perform automated credit checks, identity verification, and employment verification
- These automated checks are carried out by Canopy as an independent data controller for the purposes of the checks themselves
- The results of these automated checks are provided to the landlord as one factor in their tenancy decision. They do not constitute solely automated decision-making under Article 22 of the UK GDPR, as the landlord retains full discretion over whether to proceed with the tenancy
- Tenants have the right to request information about the logic involved in any automated processing by contacting Canopy directly
Automated Decision-Making and Profiling
Abuse Detection (Article 22 carve-out)
We operate automated abuse-detection systems that monitor for irregular usage of AI features, rapid bursts of failed authentication, and patterns associated with credential-stuffing or scraping. When thresholds are exceeded, automated actions may be taken without prior notice, including temporary AI throttling, account freezes, or, in serious cases, account suspension. These records are stored in our abuse_alerts table.
These actions can produce a “significant effect” on you under Article 22 of the UK GDPR. You therefore have the right to:
- obtain a human review of any automated abuse decision affecting your account
- express your point of view
- contest the decision
To exercise this right, contact [email protected] within 30 days of the action. We aim to respond within 5 working days.
Other Automated Processing (Not Article 22)
The following features involve automated logic but always present outputs for your decision and do not constitute “solely automated decisions”:
- AI tenant-prospect ranking, viewing-time recommendations, and bank-transaction reconciliation suggestions
- tenant referencing recommendations from Canopy (the landlord retains discretion)
- risk-based authentication scoring (used to require additional verification, not to refuse access outright)
Forthcoming ICO Consultation
We are monitoring the Spring 2026 ICO consultation on automated decision-making and profiling and will update this section as final guidance is published.
Newsletter Data Processing
If you subscribe to our newsletter via the developer blog or changelog pages, we collect and process the following data:
Data Collected
- Email address
- Subscription preferences (Developer Blog and/or Changelog & Release Notes)
- Subscription date and last update timestamp
- Unsubscribe token (a randomly generated unique identifier used to manage your preferences without requiring authentication)
Lawful Basis
- Consent (Art. 6(1)(a)): You explicitly subscribe to our newsletter by entering your email address and selecting your preferred newsletter types. This constitutes a clear affirmative opt-in action in compliance with Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR).
- We do not use pre-ticked boxes, and we do not add users to our mailing list without their explicit opt-in action.
How We Use Newsletter Data
- To send you the newsletter content types you have selected (Developer Blog and/or Changelog)
- To send a welcome confirmation email upon subscription
- To manage your subscription preferences via the preference management page
Third-Party Processing
- Newsletter emails are delivered via SendGrid (Twilio). Only your email address and the email content are shared with SendGrid for delivery purposes.
Your Rights
- You can update your newsletter preferences at any time via the manage preferences link included in every newsletter email
- You can unsubscribe entirely using the one-click unsubscribe link in every newsletter email
- Both preference management and unsubscription are token-based and do not require authentication
- Upon full unsubscription, your email address, preferences, and associated data are permanently deleted from our newsletter subscribers database
Retention
- Newsletter subscriber data is retained while your subscription is active
- All data is deleted upon unsubscription
- Newsletter subscription data is independent of your Latch platform account (if any) — unsubscribing from the newsletter does not affect your platform account, and vice versa
Third-Party Service Providers
We share your personal data with the following third-party processors, strictly for the purposes described below. Each processor is contractually obligated to protect your data in accordance with applicable data protection laws. For a complete and up-to-date list of all third-party sub-processors, including their locations and DPA status, please see our List of Subprocessors.
Supabase (Database, Authentication, and File Storage)
- Data shared: All core application data including account details, property records, tenant information, financial records, documents, and uploaded files
- Purpose: Primary database infrastructure, user authentication, and secure file storage
- Hosted on AWS infrastructure in the EU region. Supabase Privacy Policy
Stripe (Payment Processing)
- Data shared: Your name, email address, subscription plan selection, and payment card details (we never see or store your full card number)
- Purpose: Processing subscription payments and managing billing. Stripe Privacy Policy
Plaid (Open Banking / Bank Connectivity)
- Data shared: When you initiate a bank connection, we redirect you to Plaid Link. Your bank login credentials are entered directly into Plaid Link on Plaid's domain and are never seen by Latch. Plaid returns to us bank account identifiers (account/routing), masked account numbers, balances, transaction history, and an OAuth-style access token.
- Purpose: Connecting your bank accounts for transaction reconciliation under PSD2 Open Banking. You explicitly authorise this connection and can disconnect at any time. We retain bank-feed data for the duration of the connection plus 90 days of inactivity, after which it is deleted. Plaid Legal Centre
SendGrid (Twilio) — Email Communications
- Data shared: Recipient email addresses, names, and the content of transactional emails (verification codes, rent reminders, payment receipts, invoice notifications, security alerts) and newsletter communications
- Event tracking: SendGrid returns delivery webhooks (delivered, bounced, deferred, dropped, opened, clicked, spam-reported) which we record in our email_delivery_events table for deliverability monitoring and dispute resolution
- Purpose: Delivering system-generated emails and newsletter content. Twilio Privacy Policy
Twilio (WhatsApp Business API)
- Data shared: Recipient phone numbers, WhatsApp message content (rent reminders, payment confirmations, landlord-tenant communications), and delivery status webhook data (message SID, status, timestamps)
- Note: WhatsApp message content additionally traverses Meta's WhatsApp infrastructure as part of the WhatsApp Business API.
- Purpose: Sending WhatsApp messages for rent reminders and landlord-tenant communications on behalf of users who have enabled WhatsApp messaging and where the recipient has opted in. Twilio Privacy Policy
Google Gemini API (Artificial Intelligence)
- Data shared: User chat messages, document content, attached files, and contextual account data when AI features are actively used
- Purpose: Powering the AI chat assistant, document analysis, and intelligent recommendations. Data sent to the Gemini API is processed under Google’s API terms and is not used to train Google’s general models. Google Privacy Policy
Zhipu AI (Secondary AI Inference, China)
- Data shared: Selected user prompts and contextual account data routed only for the relevant AI feature. We do not transmit passwords, payment details, NINO/UTR, HMRC tokens, or trusted-device identifiers.
- Location: People's Republic of China. Transfers are made under the UK International Data Transfer Agreement (IDTA), supported by a documented Transfer Risk Assessment that considers the PRC Cybersecurity Law 2017, Data Security Law 2021, and Personal Information Protection Law 2021.
- Purpose: Used for selected background AI tasks (e.g. low-cost classification). Not authorised to train Zhipu's general-purpose models on our data.
Google Gmail API (Email Integration)
- Data shared: OAuth authorisation tokens
- Data received: Email content and attachments from your Gmail account
- Purpose: Enabling email integration features that you explicitly authorise via Google OAuth. Our use of Google user data complies with the Google API Services User Data Policy. Google Privacy Policy
Google Calendar and Microsoft Outlook (Calendar Integration)
- Data shared: OAuth authorisation tokens and calendar event details (titles, dates, times)
- Purpose: Synchronising viewing schedules and property-related calendar events. You explicitly authorise these connections and can revoke access at any time from your account settings
Tavily (Web Search)
- Data shared: Search queries generated by the AI assistant when current web information is needed
- Purpose: Providing up-to-date information in response to AI assistant queries. Tavily Privacy Policy
HMRC (Statutory Recipient — Not a Sub-processor)
Important distinction: HMRC is an independent UK government data controller under the Commissioners for Revenue and Customs Act 2005. HMRC is not a sub-processor, sub-contractor, or vendor of Latch, and we have no Article 28 controller-processor agreement with HMRC because none is required — HMRC processes the data you submit under its own statutory authority. When you use the MTD integration, Latch transmits data to HMRC on your instruction, and HMRC processes that data as an independent data controller.
- Data shared: National Insurance Number (encrypted at rest before transmission), aggregated rental income and property expenses, annual adjustment data, and fraud-prevention headers per the full enumeration in the “HMRC Fraud Prevention Data” subsection above
- Purpose: Fulfilling your obligations under Making Tax Digital for Income Tax Self Assessment. Data is submitted at your instruction via HMRC’s APIs. HMRC Privacy Notice
- Data controller status: HMRC acts as an independent data controller for all data it receives. Once data is submitted to HMRC, it is subject to HMRC’s own data protection policies and retention schedules. Latch cannot modify or delete data held by HMRC.
Canopy (Tenant Referencing)
- Data shared: Tenant name, date of birth, current and previous addresses, employment details, and landlord reference information as provided by the tenant and/or landlord
- Data received: Credit check results, identity verification outcomes, employment verification status, right to rent confirmation, and overall referencing recommendation
- Purpose: To enable landlords to make informed tenancy decisions based on independent third-party screening
- Controller status: Canopy acts as an independent data controller for the purpose of conducting the referencing checks. For the transmission of tenant data to Canopy and the receipt and storage of results, the landlord is the data controller and Latch acts as data processor
- Further information: Tenants should refer to Canopy’s own privacy policy for details of how Canopy processes their data during the referencing process
Vercel (Hosting and Infrastructure)
- Data shared: Server access logs and request metadata
- Purpose: Application hosting, serverless function execution, and scheduled task processing. Vercel Privacy Policy
Google Maps/Places API (Address Services)
- Data shared: Property addresses entered by users when using address autocomplete
- Data received: Formatted address suggestions and geocoded coordinates (latitude/longitude)
- Purpose: Providing address autocomplete and geocoding for property locations. Google Privacy Policy
Cloudflare R2 (File Storage)
- Data shared: Uploaded files including documents, receipts, certificates, photographs, and avatars
- Purpose: Secure object storage for user-uploaded files across two buckets: private (accessed via signed URLs) and public (avatars and assets). Cloudflare Privacy Policy
Inngest (Background Job Processing)
- Data shared: Event payloads containing account and property identifiers and task metadata; no tenant personal data is passed directly
- Purpose: Event-driven background job processing for rent arrears checks, lease reminders, compliance expiry notifications, and account lifecycle tasks. Inngest Privacy Policy
Langfuse (AI Observability — Optional)
- Data shared: AI prompt/response traces including user messages and AI outputs, only when AI observability is configured
- Purpose: Monitoring AI quality and performance. This integration is optional and only active when explicitly configured. Hosted in the EU (Germany). Langfuse Privacy Policy
IP-API.com (IP Reputation)
- Data shared: User IP addresses when logging in or performing security-sensitive actions
- Data received: ISP name, organisation, and flags indicating whether the IP belongs to a VPN, proxy, Tor exit node, or hosting provider
- Purpose: Fraud prevention and security monitoring. Results are cached in our database for 7 days to reduce external API calls. The free tier of IP-API.com is used (US-based). IP-API.com Terms
International Data Transfers
Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place as required by Chapter V of the UK GDPR. The table below summarises the transfer mechanisms applied to each destination country in which our processors operate:
| Destination | Sub-processors there | UK transfer mechanism |
|---|---|---|
| United Kingdom | Canopy | Domestic — no international transfer |
| EEA / EU | Supabase (AWS eu-west), Langfuse (Germany) | UK adequacy regulations 2021 |
| United States | Stripe, SendGrid, Twilio (WhatsApp), Plaid, Google (Gemini, Maps, OAuth, Gmail, Calendar), Microsoft Graph, Cloudflare R2, Vercel, Inngest, Tavily, IP-API | UK International Data Transfer Agreement (IDTA) and/or EU Standard Contractual Clauses with the UK Addendum, per the relevant sub-processor DPA |
| People's Republic of China | Zhipu AI | UK IDTA supported by a documented Transfer Risk Assessment considering the PRC Cybersecurity Law 2017, Data Security Law 2021, and Personal Information Protection Law 2021. Categories of data sent are constrained per the AI section above. |
You may request further information about the specific safeguards applied to your data transfers by contacting us at [email protected].
Data Retention
We retain your personal data only for as long as necessary for the purposes set out in this policy, or as required by law. The following table sets out our retention periods for each category of data:
| Data Category | Retention Period |
|---|---|
| Active account data (properties, tenants, leases, payments, expenses, documents) | Retained for the duration of your active account |
| Account data following a deletion request | Soft-deleted immediately; permanently and irreversibly deleted after a 30-day grace period |
| Unverified accounts (email not confirmed) | Automatically deleted after 30 days |
| Inactive free-plan accounts | Warning sent after 365 days of inactivity; account soft-deleted 7 days after warning if no activity resumes |
| Authentication and security logs (device records, trusted devices, IP addresses) | Retained for the duration of your account; deleted upon permanent account deletion |
| AI chat messages and agent task logs | Retained for the duration of your account; deleted upon permanent account deletion |
| Internal analytics events (page views, sessions) | Retained for up to 24 months, then aggregated or deleted |
| Audit logs (organization_audit_logs, including MTD events) | 12 months by default, configurable per organisation. Automated purge is being progressively rolled out; until each cleanup job is enabled, entries may persist beyond the configured window. All entries are deleted on permanent account deletion. |
| HMRC fraud-prevention header snapshots (captured in audit-log target_resource) | Bound to the 12-month audit-log retention above; not stored as a separate dataset. |
| Stripe billing records | Retained in accordance with Stripe’s retention policy and applicable tax and accounting laws (minimum 6 years) |
| Bank feed data (Plaid Open Banking transactions) | Retained for the duration of the bank connection; deleted within 90 days of connection inactivity, or immediately on disconnect or account deletion |
| AI feature usage records (token counts, cost, model, metadata; no full prompt or response) | Personal data fields retained for 12 months; cost rollups retained indefinitely as aggregates only |
| Abuse alerts (security and rate-limit events) | 24 months |
| Email delivery events (SendGrid webhooks) | 13 months |
| Uploaded documents | Retained for the duration of your account; permanently deleted from storage within 30 days of account deletion |
| Communication and messaging data | Retained for the duration of your account; deleted upon permanent account deletion |
| Newsletter subscriber data (email address, preferences) | Retained while newsletter subscription is active; deleted upon unsubscription |
| E-Signature audit trails | 6 years after the last signature event on a document, in line with the Limitation Act 1980. Audit trails are retained to provide evidence of signing events in the event of a legal dispute |
| Builder marketplace profiles | Duration of the builder’s active account, plus 12 months after account closure. Profile data is deleted 12 months after account closure unless required for dispute resolution |
| Tenant referencing records | Duration of the landlord’s active account, plus 12 months after account closure. Results are retained to support ongoing tenancy management and any subsequent disputes |
| Compliance portfolio data | Duration of the subscriber’s active account, plus 12 months after account closure. Compliance records are retained to support audit and regulatory obligations |
| Property management client financial data | 6 years after the end of the management relationship, in line with HMRC record-keeping requirements. Financial records including owner statements, fee ledgers, and payment records are retained for tax and audit purposes |
| HMRC MTD data (connection details, NINO, UTR, submission records, expense mappings) | Connection details, submission records (submission IDs, correlation IDs, obligation periods, status), and expense mappings are retained for the duration of your account so that you can review your submission history; deleted within 30 days of permanent account deletion. Latch does not undertake to retain MTD submission records for 6 years on your behalf — UK tax law places that obligation on you, the taxpayer, and HMRC retains its own copy of every submission. Encrypted NINO and UTR are deleted upon HMRC disconnection or account deletion. |
| Login history records (IP address, geolocation) | Retained for the duration of your account; deleted upon permanent account deletion |
| Property geocoding data (latitude/longitude) | Retained as part of the property record for the duration of your account |
During the 30-day grace period following a deletion request, your account is deactivated and inaccessible. You may contact us at [email protected] to cancel a pending deletion and restore your account within this period.
Note on retention enforcement: we are progressively rolling out automated retention enforcement (per-category cron jobs that delete or aggregate records once their retention window expires). Until each category-specific job is deployed, retention is enforced on request and at account deletion. The dates above represent our intended retention schedule.
Cookies and Similar Technologies
We use a minimal set of cookies, all of which are essential for the Service to function. We do not use any marketing cookies, advertising trackers, or third-party analytics cookies.
Essential Cookies
- Authentication session cookies: Set by Supabase to maintain your logged-in session. These are required for the Service to function and contain an encrypted session token
- Cookie consent preference: Stores whether you have accepted or declined cookies via our cookie banner (stored for 365 days, SameSite: Lax)
- Device trust cookie: Used to recognise previously authenticated devices for security purposes, reducing the need for repeated verification
- HMRC OAuth state cookies: Short-lived, httpOnly cookies (hmrc_state and hmrc_code_verifier) set during the HMRC authorisation flow to prevent cross-site request forgery and authorisation code interception. These are automatically deleted after the authorisation completes
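The two short-lived cookies named above are the server-side half of a standard state + PKCE (RFC 7636, S256) authorisation flow. The following is an added illustration of that mechanism and is not Latch's own code: the cookie names hmrc_state and hmrc_code_verifier are taken from the bullet above, while AUTHORIZE_URL, the dict standing in for an httpOnly cookie jar, and the function names are assumptions made for the example. It shows why the verifier never leaves the server until the code exchange, and why both cookies are cleared on the callback whether or not the state check passes.

```python
"""Added example: CSRF state + PKCE verifier kept in short-lived cookies during an
OAuth authorisation flow. Not Latch's implementation; cookie names come from the
policy, everything else (URL, helper names) is an assumption for the demo."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder authorisation endpoint for the demo; not HMRC's real URL.
AUTHORIZE_URL = "https://auth.example/oauth/authorize"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def query_params(url: str) -> dict:
    """Flatten the query string of a URL into {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def start_authorisation(cookie_jar: dict) -> str:
    """Mint a fresh state and verifier, store both in the (httpOnly) cookie jar, and
    build the redirect URL. Only the state and the derived challenge leave the server;
    the verifier itself stays in the cookie until the code exchange."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 43..128 unreserved chars per RFC 7636
    cookie_jar["hmrc_state"] = state
    cookie_jar["hmrc_code_verifier"] = verifier
    return AUTHORIZE_URL + "?" + urlencode({
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    })


def handle_callback(cookie_jar: dict, callback_url: str) -> str:
    """Validate the returned state against the cookie and hand back the verifier for
    the token request. Both cookies are consumed (deleted) on every callback so a
    failed attempt cannot be retried with the same values."""
    params = query_params(callback_url)
    expected_state = cookie_jar.pop("hmrc_state", None)
    verifier = cookie_jar.pop("hmrc_code_verifier", None)
    returned_state = params.get("state", "")
    if expected_state is None or verifier is None:
        raise ValueError("no pending authorisation for this browser session")
    if not hmac.compare_digest(expected_state, returned_state):
        raise ValueError("state mismatch: callback did not originate from this flow")
    return verifier


if __name__ == "__main__":
    jar: dict = {}
    redirect = start_authorisation(jar)
    state = query_params(redirect)["state"]
    print("verifier released for token exchange:",
          handle_callback(jar, f"https://app.example/callback?code=demo&state={state}")[:8], "...")
    print("cookies left after callback:", jar)
```

A constant-time comparison is used for the state so that the check leaks nothing about the expected value through timing; the verifier is popped even on failure, which is what "automatically deleted after the authorisation completes" amounts to in code.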
Internal Analytics (Not Cookie-Based)
- Our internal analytics system uses server-side session tracking (session identifiers, page views, and heartbeat timestamps) stored directly in our own database. This does not use browser cookies and no data is shared with any third party
We do not use Google Analytics, Facebook Pixel, or any other third-party tracking tools. Our cookie banner on public pages is provided for transparency and to allow you to manage the essential cookie consent preference.
Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, or misuse.
Technical Measures
- All data in transit is encrypted using TLS 1.2 or higher
- Data at rest is encrypted using AES-256 encryption within our database infrastructure
- Passwords are salted and hashed using bcrypt; we never store passwords in plain text
- Device fingerprinting and risk-based authentication detect suspicious login attempts from new devices or geographic locations
- Multi-factor authentication (MFA) is available via TOTP authenticator apps (Supabase native). We currently do not issue printable recovery codes; if you lose your authenticator device, regaining access requires an identity-verification flow with our support team at [email protected]. Trusted-device cookies and step-up email verification codes provide additional checks for sensitive actions. Your MFA verification status is transmitted to HMRC via the Gov-Client-Multi-Factor fraud-prevention header only when a verified TOTP factor is present on the request
- API rate limiting is applied to prevent abuse and brute-force attacks
- OAuth tokens for third-party integrations (Gmail, Calendar) are encrypted at rest using AES-256-GCM
- National Insurance Numbers (NINOs), Unique Tax References (UTRs), and HMRC OAuth tokens are encrypted at rest using AES-256-GCM with a dedicated encryption key. These values are never stored in plain text and are decrypted only at the point of use for HMRC API calls. We refresh HMRC access tokens with a 60-second proactive buffer before their expiry and treat refresh tokens as single-use — every refresh issues a new refresh token and invalidates the previous one, minimising the window during which an exposed credential could be misused
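The last bullet describes two concrete token-handling rules: refresh 60 seconds before the access token expires, and treat every refresh token as single-use so a replayed one is rejected. The block below is an added example of those two rules working together; it is not Latch's implementation. The TokenStore and FakeProvider classes, the method names, and the sample lifetimes are assumptions for the demo, and FakeProvider stands in for a real OAuth token endpoint that rotates refresh tokens.

```python
"""Added example: proactive access-token refresh with a 60-second buffer and
single-use (rotating) refresh tokens. Not Latch's code; class and method names,
the stand-in provider, and all sample values are assumptions for the demo."""
from __future__ import annotations

import secrets
from dataclasses import dataclass

PROACTIVE_BUFFER_SECONDS = 60  # refresh this long before the access token expires


@dataclass
class TokenRecord:
    access_token: str
    refresh_token: str
    expires_at: float  # absolute time in seconds; would be encrypted at rest in production


class ReplayError(Exception):
    """A refresh token that has already been consumed was presented again."""


class FakeProvider:
    """Stand-in for a token endpoint that rotates refresh tokens (constructed for the
    example). It remembers every refresh token it has accepted so a replay is refused
    instead of minting a second, parallel credential set."""

    def __init__(self, access_lifetime: float = 3600.0) -> None:
        self._consumed: set[str] = set()
        self._access_lifetime = access_lifetime
        self.refresh_calls = 0

    def refresh(self, refresh_token: str, now: float) -> TokenRecord:
        if refresh_token in self._consumed:
            raise ReplayError("refresh token already used")
        self._consumed.add(refresh_token)
        self.refresh_calls += 1
        return TokenRecord(
            access_token="at-" + secrets.token_hex(8),
            refresh_token="rt-" + secrets.token_hex(8),  # new token, old one now dead
            expires_at=now + self._access_lifetime,
        )


class TokenStore:
    """Client-side holder that decides when to refresh and swaps in the new record."""

    def __init__(self, provider: FakeProvider, record: TokenRecord) -> None:
        self._provider = provider
        self._record = record

    def needs_refresh(self, now: float) -> bool:
        # True once we are inside the buffer window, not only after expiry.
        return now >= self._record.expires_at - PROACTIVE_BUFFER_SECONDS

    def get_access_token(self, now: float) -> str:
        if self.needs_refresh(now):
            # Persist the new record before discarding the old one; with single-use
            # refresh tokens, losing the response here would strand the connection.
            self._record = self._provider.refresh(self._record.refresh_token, now)
        return self._record.access_token

    @property
    def current_refresh_token(self) -> str:
        return self._record.refresh_token


if __name__ == "__main__":
    provider = FakeProvider()
    store = TokenStore(provider, TokenRecord("at-initial", "rt-initial", expires_at=1000.0))
    print("t=900  refresh needed:", store.needs_refresh(900.0))   # False
    print("t=940  refresh needed:", store.needs_refresh(940.0))   # True (60s buffer)
    store.get_access_token(940.0)
    try:
        provider.refresh("rt-initial", 941.0)
    except ReplayError as exc:
        print("replay of old refresh token rejected:", exc)
```

The buffer means a request issued just before expiry never races the provider's clock, and the rotation means an exfiltrated refresh token is only useful until the legitimate client's next refresh, which in this scheme happens at most one access-token lifetime later.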
Organisational Measures
- Access to production data is restricted to authorised personnel on a need-to-know basis
- Our infrastructure is hosted on Supabase (AWS) and Vercel, both of which maintain SOC 2 compliance certifications
- Row-level security (RLS) policies in our database ensure that each user can only access data belonging to their own account, enforcing strict multi-tenant isolation
- All sensitive administrative operations are recorded in audit logs, including the actor, action, IP address, and before/after change values
- Account deletion follows a controlled process: immediate soft-delete, 30-day grace period, then permanent irreversible deletion of all associated data
Your Rights Under UK GDPR
Under the UK GDPR, you have the following rights regarding your personal data. To exercise any of these rights, please contact us at [email protected].
- Right of Access (Art. 15): You have the right to request a copy of the personal data we hold about you. We will respond within one calendar month of your request. At present we do not operate a self-service Subject Access Request export endpoint; requests must be made by email to [email protected]. SAR responses are compiled manually across our database tables and Cloudflare R2 object storage within the one-month statutory deadline. A self-service export is on our roadmap and we will update this policy when it is available
- Right to Rectification (Art. 16): You have the right to request correction of inaccurate personal data. You can also update most of your data directly within the Service via your account settings
- Right to Erasure (Art. 17): You have the right to request deletion of your personal data. You can initiate account deletion directly from your account settings. Your data will be soft-deleted immediately and permanently erased after a 30-day grace period
- Right to Restriction of Processing (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while we verify the accuracy of contested data
- Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format. Contact us to request an export of your data. Portability exports are currently produced on request as JSON/CSV bundles; no automated portability endpoint is yet exposed
- Right to Object (Art. 21): You have the right to object to processing of your personal data where we rely on legitimate interests as the lawful basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests
- Right to Withdraw Consent (Art. 7(3)): Where we process your data based on consent (such as bank feed connections, email integration, or calendar sync), you have the right to withdraw consent at any time by disconnecting these integrations from your account settings or, for newsletter subscriptions, by using the unsubscribe link in any newsletter email. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal
- Rights Related to Automated Decision-Making (Art. 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our AI features assist your decision-making but do not make autonomous decisions affecting your legal rights
We will respond to all rights requests within one calendar month of receipt. In complex cases, we may extend this by a further two months, but we will inform you of any extension and the reasons for it within the first month.
If you are not satisfied with our response to your request, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided personal data to us, please contact us at [email protected] and we will promptly delete such data.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make changes:
- We will update the “Last updated” date at the top of this page
- For material changes that significantly affect how we process your personal data, we will notify you by email or by displaying a prominent notice within the Service
- We encourage you to review this page periodically for the latest information on our privacy practices
Your continued use of the Service after any changes to this policy constitutes your acknowledgement of the updated terms.
How to Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us. You may also wish to review our related policies: Subscriber Data Policy, List of Subprocessors, and Cookie Policy.
Privacy enquiries: [email protected]
General enquiries: [email protected]
Postal address: USELATCH LTD, 5 Orrok Lane, Edinburgh, EH16 5HF
Supervisory Authority
If you wish to raise a concern about our data processing practices, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Material Change History
- 13 May 2026 (v2.1) — HMRC MTD ITSA compliance pack alignment: disclosed the in-app hmrc_device_id localStorage UUID (retention, lawful basis, transmission to HMRC); listed the seven HMRC MTD APIs called on the user’s behalf; replaced the prose fraud-prevention header section with a full per-header table (collection point, storage at rest, retention) and an explicit “Intentionally omitted headers” paragraph documenting Gov-Client-Public-Port (Vercel edge) and Gov-Client-Multi-Factor (single-factor sessions); added a new “HMRC MTD Audit Log” subsection enumerating events, fields, and 12-month default retention; tightened the HMRC subsection to identify HMRC as an independent UK government data controller under the Commissioners for Revenue and Customs Act 2005; corrected the retention table to remove dishonest 6-year claims on audit logs and HMRC submission records (now 12 months and 30-days-after-deletion respectively, with the user’s statutory tax record-keeping obligation surfaced); replaced the email-codes-only 2FA bullet with a TOTP MFA disclosure noting the current absence of printable recovery codes; expanded the AES-256-GCM bullet with the 60-second proactive refresh buffer and single-use refresh-token behaviour; honest disclosure that the SAR (Art. 15) and portability (Art. 20) flows are currently email-based, not self-service.
- 5 May 2026 (v2.0) — Replaced “Bank Feed (Coming Soon)” with live Plaid disclosure (data flows, retention); rewrote §6 (AI and Automated Processing) to name Google Gemini, Zhipu AI (PRC), and Tavily, with explicit data-flow, logging, agent-actions, and no-training disclosures; added a new §7 Automated Decision-Making with an Article 22 carve-out for abuse detection (right to human review); split Twilio into separate SendGrid (email) and WhatsApp rows in §8; added Zhipu disclosure with UK IDTA + Transfer Risk Assessment language; replaced §9 International Transfers with a structured destination/mechanism table; added retention rows for AI feature usage, abuse alerts, and email delivery events to §10, and added an honest note that automated retention enforcement is being progressively rolled out; updated several lawful-basis rows to cover Plaid, AI, abuse detection, login history, email tracking, tenant portal, and e-signature audit trails.
- 23 March 2026 (v1.x) — Earlier additions including HMRC MTD integration, e-signature system, tenant referencing, builder marketplace, property management portal, and invoice management.