Privacy Protocol.
EasyBTL Data Stewardship
1. Data Roles & Accountability
Under UK GDPR and the Data Protection Act 2018, EasyBTL operates in two capacities:
- Data Controller: We are the controller for the information provided by Landlords and Company Directors (Name, Email, Phone) used to manage your account and billing.
- Data Processor: We are the processor for any information you upload regarding your tenants or individual properties. Processing of Tenant data is further governed by the Data Processing Addendum found in our Terms of Service. The Landlord remains the legal controller for all tenant-related data.
2. Information We Process & Lawful Basis
We process data to deliver our institutional management suite and optimize platform performance. Under UK GDPR, every data category is mapped to a specific Lawful Basis for absolute transparency.
| Data Category | Scope & Justification | Lawful Basis |
|---|---|---|
| Account Data | Directors & Organizations: Director names, professional contact details, and organization identity managed via Clerk. Used to manage subscriptions, billing, and enforce secure organization-level access control. | Contractual Necessity |
| Operational Data | Tenancies & Assets: Tenant contact details, tenancy agreements, compliance certification storage, and Property Financial Performance Tracking (Opex/Capital Growth). Necessary for the Landlord to manage their business assets and for EasyBTL to provide administrative tools. | Legitimate Interests |
| Tax & Financial | Statutory Records: Lifetime financial transaction metadata. Maintained to assist the Landlord in fulfilling UK statutory requirements for financial record keeping and HMRC audits (6-year minimum retention). As detailed in Section 3, this data is retained in an anonymized state upon account closure to preserve the mathematical integrity of historical benchmarking and 'Real Estate Alpha' simulations for the remaining organization silo. | Legal Obligation |
| Site Analytics | Tracking & Benchmarking: Anonymous events (e.g., LANDING_PAGE_VISIT) strictly to measure the effectiveness of our Pilot Program intake and institutional benchmarking tools. Gathered only after explicit opt-in via our cookie banner. | Consent |
| Tech Infrastructure | Operational Metadata: Strictly necessary cookies for Clerk Authentication and Row Level Security (RLS) enforcement. Includes local storage used to remember cookie consent and dashboard visual preferences (e.g., rounding metrics for readability). | Legitimate Interests |
3. Security Architecture
We employ a multi-layered security model to protect institutional data:
- Row Level Security (RLS): Every database query is strictly filtered by your Clerk Organization ID, ensuring absolute data isolation.
- Encrypted Storage: All compliance documents are stored in RLS-hardened Supabase buckets.
- Soft-Delete Logic: Records are logically archived to maintain the historical integrity of financial performance. While PII is permanently purged upon request, non-identifiable financial transaction metadata (dates and amounts) is retained in an anonymized state. This is strictly required to maintain the mathematical integrity of historical company performance metrics and 'Real Estate Alpha' benchmarking for the remaining organization silo.
4. Your Rights
Under UK law, you have the right to access, rectify, or erase your personal data stored on EasyBTL. To exercise any of these rights regarding your Account Data, please contact our Data Protection lead at support@easybtl.co.uk. As we act as a processor for Tenant data, tenants wishing to exercise these rights must contact their Landlord (the Data Controller) directly.
5. Sub-processors
In delivering the EasyBTL platform, we engage the following third-party sub-processors. Each is bound by data processing agreements consistent with UK GDPR requirements and the Data Processing Addendum outlined in our Terms of Service.
Clerk — Authentication & Identity
Manages user authentication, session management, and organisation-level access control. Processes Director names, email addresses, and device session tokens.
Supabase / PostgreSQL — Database & File Storage
Hosts all platform data including property records, tenancy agreements, financial transactions, and compliance documents. All data is isolated per organisation via Row Level Security (RLS).
Resend — Transactional Email
Delivers system-generated transactional emails (e.g., compliance alerts, account notifications). Processes recipient email addresses solely for the purpose of message delivery.