PropertyApp

Privacy Policy

Last updated: March 2026

1. Data Controller

MAR Property Investments Ltd ("we", "us", "our") is the data controller responsible for your personal data. We are registered in England & Wales.

2. Data We Collect

When you use PropertyApp, we may collect:

  • Identity data: Name, username, display name
  • Contact data: Email address
  • Financial data: Property values, rental income, mortgage details, expenses (entered by you)
  • Tenancy data: Tenant names, contact details, lease information
  • Technical data: IP address, browser type, session data
  • Usage data: Feature usage, login timestamps

3. How We Use Your Data

  • To provide and maintain your PropertyApp account
  • To process property and financial data as directed by you
  • To generate tax reports and financial summaries
  • To send compliance and expiry alerts
  • To process document signing requests
  • To manage your subscription and billing

4. Lawful Basis

We process your data under the following lawful bases: contract performance (providing the service), legal obligation (financial record-keeping, HMRC requirements), legitimate interests (service improvement, security), and consent (marketing communications).

5. Data Security

  • All data transmitted via HTTPS/TLS encryption
  • Sensitive financial fields encrypted with AES-256-GCM at rest
  • Passwords hashed with bcrypt
  • Each customer gets an isolated database
  • Rate limiting on authentication endpoints
  • Audit logging of all data access and modifications

6. Data Retention

  • Financial records: 7 years (HMRC requirement)
  • Tenancy data: duration of tenancy + 12 months
  • Compliance certificates: validity period + 2 years
  • Audit logs: 3 years
  • Sessions: automatically purged when expired

7. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data (Article 15)
  • Rectify inaccurate data (Article 16)
  • Erase your data (Article 17) — subject to legal retention requirements
  • Restrict processing (Article 18)
  • Request data portability (Article 20)
  • Object to processing (Article 21)
  • Withdraw consent at any time

8. Third-Party Services

We use the following third-party services: Vercel (hosting), Neon (database), Stripe (billing), Anthropic Claude (AI receipt scanning), DocuSeal (e-signatures). Each processes data only as necessary to provide its service.

9. Complaints

If you have concerns about how we handle your data, please contact us first. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.