GDPR Policy
Privacy Notice & GDPR Policy
Introduction
This Privacy Notice explains how MBS Lettings Ltd (“we”, “our”, or “us”) collects, uses, stores and protects personal data.
We are committed to protecting your privacy and handling personal data fairly, lawfully and transparently in accordance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and all other applicable privacy and data protection laws.
This notice applies to tenants, prospective tenants, guarantors, contractors, applicants, website users and other individuals whose personal data we process during the course of our business activities.
Who We Are
MBS Lettings Ltd is the data controller responsible for your personal data.
ICO Registration Number: ZA588328
Contact Details:
Christopher Powell
Email: help@mbslettings.co.uk
If you have any questions regarding this Privacy Notice or how we process your data, please contact us using the details above.
The Information We Collect
We may collect and process the following categories of personal data:
Identity & Contact Information
-
Full name
-
Date of birth
-
Current and previous addresses
-
Telephone numbers
-
Email addresses
-
Nationality
-
National Insurance number
-
Photographic identification and Right to Rent documentation
Financial Information
-
Bank account details
-
Employment and income information
-
Credit history and affordability information
-
Details of benefits received
-
Information relating to debts, CCJs, insolvency or bankruptcy where relevant
Tenancy Information
-
Tenancy agreements
-
Rent payment history
-
Deposit information
-
Maintenance and repair records
-
Correspondence relating to your tenancy
Guarantor Information
Where a guarantor is provided, we may collect similar identity, financial and contact information relating to them.
Technical Information
If you use our website or digital services, we may collect:
-
IP address
-
Device and browser information
-
Website usage information
-
Cookies and analytics data
CCTV
Where CCTV systems operate at properties we manage, images may be recorded for the purposes of crime prevention, public safety, property protection and the prevention or detection of anti-social behaviour or unlawful activity.
How We Collect Information
We may collect information:
-
Directly from you
-
Through tenancy applications and enquiries
-
From referencing agencies
-
From employers, accountants or referees
-
From credit reference agencies
-
From previous landlords or letting agents
-
From utility providers or local authorities where appropriate
-
Through our website, email or telephone correspondence
-
Through CCTV systems where installed
Why We Use Your Information
We process personal data for the following purposes:
-
To assess tenancy applications
-
To verify identity and Right to Rent eligibility
-
To carry out affordability and referencing checks
-
To create, manage and enforce tenancy agreements
-
To collect rent and manage accounts
-
To arrange repairs and maintenance
-
To comply with legal and regulatory obligations
-
To protect against fraud, money laundering and unlawful activity
-
To communicate with tenants, guarantors and contractors
-
To manage deposits and tenancy disputes
-
To improve our services and business operations
-
To protect the safety and security of our staff, tenants and properties
Lawful Bases for Processing
Under UK GDPR, we rely on one or more of the following lawful bases when processing personal data:
-
Performance of a contract
-
Compliance with legal obligations
-
Legitimate interests
-
Consent (where specifically required)
Where we rely on legitimate interests, we ensure that your rights and freedoms are not overridden.
Sharing Your Information
We may share your information with trusted third parties where necessary, including:
-
Tenant referencing providers
-
Credit reference agencies
-
Deposit protection schemes
-
Local authorities
-
Utility suppliers
-
Maintenance contractors and tradespeople
-
Accountants, solicitors and professional advisers
-
Insurers
-
Debt recovery agencies
-
IT and cloud storage providers
We only share information where necessary, proportionate and lawful.
We do not sell your personal data to third parties.
Third-Party Systems & Data Storage
We use a range of trusted third-party systems and providers to assist in the operation of our business and the secure handling of personal data.
These providers may include:
-
Accounting and financial management platforms, including Xero
-
Electronic document signing providers, including Adobe Acrobat Sign and DocuSign
-
Referencing and credit checking providers, including services provided through the National Residential Landlords Association
-
Email, document management and cloud services provided by Microsoft
-
Secure local network attached storage (NAS) systems used for operational file storage and backups
-
Cloud backup and synchronisation services including Microsoft OneDrive
-
Hosted infrastructure and database services provided by Hetzner in connection with our maintenance and tenancy management systems
-
AI-assisted administrative software used to support drafting, organisation and operational efficiency
We take reasonable steps to ensure that all third-party providers handling personal data maintain appropriate technical and organisational security measures.
International Transfers
Some of the third-party providers we use may process or store personal data outside the United Kingdom.
Where this occurs, we ensure that appropriate safeguards are in place in accordance with UK GDPR requirements, including:
-
UK adequacy regulations;
-
Standard contractual clauses;
-
Encrypted storage and transmission methods; and
-
Secure access controls and authentication measures.
Data Security
We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse or disclosure.
These measures may include:
-
Password protection
-
Encrypted systems
-
Secure cloud storage
-
Restricted access controls
-
Antivirus and network security protections
-
Multi-factor authentication where appropriate
-
Secure backup procedures
Use of AI Tools
We may use AI-assisted software tools to assist with administrative tasks, drafting communications, organising information and improving operational efficiency.
We do not use automated decision-making systems to make legally significant decisions about tenants or applicants without meaningful human involvement.
How Long We Keep Your Information
We only retain personal data for as long as necessary for the purposes it was collected, including to satisfy legal, accounting and regulatory requirements.
Typical retention periods may include:
-
Tenancy records: up to 7 years after tenancy end
-
Financial records: 6 years
-
CCTV footage: typically 30–90 days unless required for investigation
-
Unsuccessful tenant applications: typically 12 months
Retention periods may vary depending on legal obligations or ongoing disputes.
Your Rights
Under UK GDPR, you have the right to:
-
Request access to your personal data
-
Request correction of inaccurate data
-
Request erasure of your data in certain circumstances
-
Restrict or object to processing
-
Request transfer of your data
-
Withdraw consent where consent is relied upon
-
Lodge a complaint with the Information Commissioner’s Office (ICO)
To exercise any of these rights, please contact:
Complaints
If you are unhappy with how we handle your personal data, please contact us first so we can attempt to resolve the issue.
You also have the right to complain to the:
Information Commissioner’s Office
ICO Website
Telephone: 0303 123 1113
Changes to This Notice
We may update this Privacy Notice from time to time to reflect legal, regulatory or operational changes.
The latest version will always be available on request or via our website where applicable.
The accuracy of your information is important to us. Please help us keep our records up to date by informing us of any changes to your contact details or personal circumstances.
