Updated: October 9th, 2020
Flatfair Limited (“Flatfair”, “we”, “us”, “our”) respects your privacy and is committed to protecting your personal information. We want to be transparent with you about how we collect and use your personal information.
This Privacy Notice (“Notice”) sets out our personal information processing practices, and your rights and options regarding the ways in which your personal information is collected (including through our website, https://flatfair.co.uk/ and web portal (through which you sign up to our services)) and used in accordance with applicable data privacy law.
This Notice contains important information about your personal rights to privacy. Please read it carefully to understand how we use your personal information.
The provision of your personal information to us is voluntary. However, without providing us with your personal information, your use of our services or your interaction with us may be adversely impaired. For example, you would not be able to receive other content that may be of interest and relevance to you.
1. When do we collect personal information about you?
Before you read any further, it might be useful to explain what we mean by “personal information”. The relevant legal definition can be found here. In brief, it is information which relates to you and from which you can be identified, whether from that information alone; or from that information combined with other information.
It does not include ‘anonymous data’ (i.e., information from which you cannot be identified, for example website usage statistics).
We collect personal information in the following ways:
1.1 When you give it to us directly
For example, personal information that you submit to us when you fill in forms on our website or web portal to use our deposit replacement service, deposit registration service or referencing service, make a payment using our payment service provider Stripe, subscribe to our services or marketing communications, search for a product or service, request further services, enter a competition or promotion, report a problem with our website or app, complete a survey, or communicate with us (by phone, email, in person or otherwise).
1.2 When you visit our website or use our web portal
When you visit or use our website or web portal, we automatically collect the following types of personal information:
- technical information, including the internet protocol (IP) address used to connect your device to the internet, browser type and version, time zone setting, browser plug-in types and versions and operating systems and platforms; and
- information about your visit to our website, including the uniform resource locator (URL) clickstream to, through and from the website (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling and clicks) and methods used to browse away from the page).
1.3 When we obtain it indirectly
We also collect your personal information from third party sources. For example, your personal information may be shared with us by our select business partners: sub-contractors in technical, payment and delivery services (such as Stripe and MyDeposits as at the date of this Notice), analytics providers and search information providers. We may also obtain your personal information from publicly available third-party sources, such as social media accounts (depending on your privacy settings). To the extent we have not done so already, we will notify you when we receive personal information about you from such sources and tell you how and why we intend to use that personal information.
In general, we may combine your personal information from these different sources for the purposes set out in this Notice.
1.4 When it is publicly available
For example, if you interact with us on social media and depending on your privacy settings, certain information about your user account or profile (such as username, profile picture or other details in your profile).
2. What personal information do we use?
We may collect, store and otherwise process the following kinds of personal information:
- your name and contact details (including emergency contacts) such as postal address, telephone number and email address;
- date of birth, gender and nationality;
- marital status and details of dependents;
- your user account details, such as username and password;
- your date of birth and gender;
- your financial information, including income level (requested, or calculated from level of rent) and information such as bank details and/or credit/debit card details, account holder name, sort code and account number;
- information relevant to payment of council tax;
- information relevant to payment of utility bills;
- information turned out by background searches which we are obliged by law to carry out;
- information related to social media accounts or profiles;
- transaction history and details between landlords and tenants;
- information relevant to potential disputes between landlords and tenants;
- information about your computer/mobile device and your visits to and use of our website, including, for example, your IP address and geographical location;
- information about our services and products, or our selected partners’ services and products, which we consider may be of interest to you;
- if applicable, your behaviour as a landlord including property address(es), business or residential address;
- if applicable, your behaviour as a tenant including rent payment history, any previous damage to a property and how this was dealt with and past deadlines with landlords; and/or
- any other personal information which you choose to share with us as per section 1.
Do we use special categories of personal information?
Applicable data privacy law recognises certain categories of personal information as sensitive and therefore requiring more protection, for example information about your health, ethnicity and religious beliefs. This is known as “special category” personal information.
Depending on our relationship with you and your individual circumstances, we may collect and use special categories of personal information. For example, we may need to know medical information in relation to tenants who require access adjustments in their homes. We may also collect personal information about criminal offences (including alleged offences), for example if revealed via a background search or if committed / alleged to have been committed during the course of a tenancy.
3. How and why will we use your personal information?
We mainly collect and use personal information because we can’t provide our services otherwise.
In general, we use your personal information to achieve the purposes set out in this Notice. In particular, we may use your personal information to:
- personalise, administer and manage your account and the web portal;
- provide you with information, products or services you request from us;
- carry out any other obligations arising from contracts entered into between you and us;
- ensure that content from our website and web portal is presented in the most effective manner for you and for your devices;
- allow you to participate in interactive features of our services, when you choose to do so;
- to administer your transaction or other interaction with us;
- respond to communications from you in general;
- provide you with information about other products or services we or offer that are similar to those you have already purchased, used or enquired about (only where you have provided your consent for us to do so – please see section 5 of this Notice);
- administer our website and web portal for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- keep our website and web portal safe and secure, for example by conducting analysis required to detect malicious data and understand how this may affect your IT system;
- notify you about changes to our services;
- analyse and improve our work, services and products;
- maintain internal records where appropriate (for example, in case a legal claim is reasonably foreseeable);
- provide training and/or quality control;
- audit and/or administer our accounts;
- satisfy legal obligations which are binding on us, for example in relation to regulatory, government and/or law enforcement bodies with whom we may work (for example requirements relating to the payment of tax or anti-money laundering);
- prevent fraud and/or misuse of services; and/or
- establish, defend and/or enforce legal claims.
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
4. Lawful basis for processing
Data privacy law requires us to rely on one or more from a set of “lawful bases” to collect and use your personal information. In short, these are six reasons recognised by regulators as giving us lawful grounds to collect and use your personal information.
We consider the grounds listed below to be relevant:
- Where you have provided your consent for us to use your personal information in a certain way (for example, we will ask for your consent to collect your personal information by using cookies or other tracking technologies, or to send you marketing material by email);
- In order for us to comply with a legal obligation which is binding on us (for example, where we are obliged to share your personal information with regulatory bodies which govern our work and services);
- Where necessary for the performance of obligations under a contract to which you are a party or to take steps at your request prior to entering a contract (for example, to collect a deposit or to provide a reference); or
- Where there is a legitimate interest in us doing so.
Applicable data privacy law allows us to collect and use your personal information if it is reasonably necessary to achieve our, your or others’ legitimate interests (as long as that use is fair, balanced and does not unduly impact your rights).
In brief, “legitimate interests” is a broad concept and can potentially include any reasonable, legitimate and valid objective (whether commercial or otherwise). Our legitimate interests could, for example, include provision, promotion or improvement of our products and services.
When we process your personal information to achieve such legitimate interests, we consider and balance any potential impact on you (both positive and negative), and your rights under applicable data privacy law. We will not use your personal information for activities where our interests are overridden by the impact on you, such as where that use would be excessively intrusive (unless, for instance, we are otherwise required to or permitted to by law).
6. How long do we keep your personal information?
In general, unless still required in connection with the purpose(s) for which it was collected and/or subsequently used, we remove your personal information from our records 6 years after the date it was collected.
However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure (please see section 9 below), we will remove it from our records at the relevant time.
7. Security/storage of and access to your personal information
Flatfair takes reasonable and proportionate technical and organisational precautions to prevent the loss, misuse or alteration of your personal information. We restrict access to those who have a need to know and we train staff in handling your personal information securely and in line with Flatfair’s obligations under applicable data privacy law.
Unfortunately, there is no such thing as 100% security in the online environment. As a result we cannot and do not guarantee the security of any personal information you submit to us through or in connection with our website or web portal.
If you consider that your interaction with us is no longer secure (e.g. you consider that the security of any account you might have with us has been compromised), please immediately notify us by contacting us at email@example.com.
8. International transfers of your personal information
As we are a UK-based organisation, when we use your personal information internally we will not transfer it outside of the European Economic Area (“EEA”). However, because (as set out in section 5 above) we share your personal information with third parties, it is possible information that we collect from you will be transferred to and stored in a location outside the EEA.
Some countries outside of the EEA have a lower standard of protection for personal information, including lower security requirements and fewer rights for individuals.
Where we cause your personal information to transferred, stored and/or otherwise used outside the EEA in a country that does not offer an equivalent standard of protection to the EEA, we will take all reasonable steps necessary to ensure that the recipient implements appropriate safeguards (such as by entering into standard contractual clauses approved by the European Commission, or requesting that they have signed up to a domestic certification scheme which guarantees the same level of protection) designed to protect your personal information and to ensure that your personal information is treated securely and in accordance with this Notice. If you have any questions about the transfer of your personal information, please contact us using the details below.
9. Your rights and how to exercise them
Applicable data privacy law gives you certain rights to control how we use your personal information. These are as follows:
- Right to withdraw consent: where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time. This includes the right to ask us to stop using your personal information for marketing purposes (including to stop receiving promotions and offers from us or our partners at any time).
- Right of access: you can ask us for confirmation of what personal information we hold about you and to request a copy of that information. Provided we are satisfied that you are entitled to see the personal information requested and we have successfully confirmed your identity, we will provide you with your personal information subject to any exemptions that apply under data privacy law to oblige or allow us to withhold it.
- Right of erasure: at your request we will delete (and ask parties with whom we have shared your personal information to delete) your personal information from our records as far as we are required to do so.
- Right of correction: if you believe that our records of your personal information are inaccurate, you have the right to ask for those records to be updated. You can also ask us to check the personal information we hold about you if you are unsure whether it is accurate or up to date.
- Right to restrict processing: you have the right to ask for processing of your personal information to be restricted if there is disagreement about its accuracy or legitimate usage (until that disagreement is resolved).
- Right to object: in the following situations, you have the right to object to our processing of your personal information:
– where we use your personal information relying on the lawful basis of legitimate interests (please see section 5 above);
– where we use your personal information for marketing purposes; or
– where we use your personal information for statistical purposes.
- Right to portability: in certain limited situations where we process your personal information by automated means, you may ask us to provide that personal information, or another service provider, in a commonly used, machine-readable format.
- Automated decision-making: you have the right not to be subject to a decision based solely on automated processing of your personal information which produces legal or similarly significant effects on you, unless such a decision is:
– necessary to enter into/perform a contract between you and us/another organization;
– is authorised by EU or UK law to which we are subject (as long as that law offers you sufficient protection); or
– is based on your explicit consent.
- Right to complain: you are further entitled to make a complaint about us or the way we have used your personal information to the data privacy supervisory authority in your home country. In the UK, the supervisory authority is the Information Commissioner’s Office – www.ico.org.uk.
We are then required to stop using your personal information in the manner to which you object unless we can demonstrate a reason of compelling importance to continue (unless you object to our use of your personal information for marketing purposes, in which case we must stop regardless of any compelling grounds to continue).
We may ask you for additional information to confirm your identity and for security purposes before actioning any attempt to exercise these rights. Please note that some of these rights only apply in limited circumstances. For further information on how to exercise these rights, or the extent to which they may apply to you, please contact us using the details below.
10. Communications for marketing
We may use your contact details to provide you with information about our work, events, services and/or products which we consider may be of interest to you (for example, about services which you previously used or updates about new products we are offering).
Where we do this via email, SMS or telephone, we will not do so without your prior consent (unless we are allowed to do so via applicable law).
Where you have provided us with your consent previously but do not wish to receive marketing material from us anymore, please let us know by emailing firstname.lastname@example.org. You can also opt out of receiving marketing emails from Flatfair at any time by clicking the “unsubscribe” link at the bottom of our emails.
12. Children’s personal information
When we process children’s personal information, where required we will not do so without their consent or, where required, the consent of a parent / guardian. We will always have in place appropriate safeguards to ensure that children’s personal information is handled with due care and safety.
13. Changes to this Notice
We reserve the right to make changes to this Notice at any time. Any changes we may make to this Notice in the future will be posted on this page and, where appropriate and reasonably possible for us to do so, notified to you by email. We may also notify you in other ways from time to time about the processing of your personal information. This Notice was last updated on 12 June 2020.
14. How to contact us
Flatfair is registered in England under company number 10487576, and our registered address is 107 Cheapside, London, EC2V 6DN.
Questions, comments and requests regarding this Notice are welcomed and should be sent via post using our registered address above or by emailing email@example.com.