GDPR Compliance
LetHub is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines the measures we take to protect personal data and uphold data subject rights.
1. Our role under GDPR
LetHub acts as a data processor for the personal data our customers upload to the Platform (tenant data, landlord data, property records). Our customers are the data controllers for this data. For our own business operations (customer account data, billing records, support communications), LetHub acts as a data controller. Both roles are documented in our Records of Processing Activities (ROPA), which we maintain under Article 30 of the UK GDPR and review quarterly.
2. Lawful basis for processing
We process personal data under the following lawful bases, as defined in Article 6 of the UK GDPR:
- Contractual necessity — to deliver the Platform and services you have subscribed to.
- Legitimate interest — to improve our Platform, communicate service updates, and prevent fraud.
- Consent — for marketing communications (you may withdraw consent at any time).
- Legal obligation — to comply with tax, regulatory, and law enforcement requirements.
3. Data subject rights
We support all data subject rights under the UK GDPR. Our processes ensure we can respond to requests within one month of receipt; for complex or numerous requests this may be extended by up to two further months, in which case we will tell you within the first month:
- Right of access (Article 15) — request a copy of personal data we hold.
- Right to rectification (Article 16) — correct inaccurate data.
- Right to erasure (Article 17) — request deletion of data.
- Right to restrict processing (Article 18) — limit how data is used.
- Right to data portability (Article 20) — receive data in a structured format.
- Right to object (Article 21) — object to processing based on legitimate interests.
To exercise any of these rights, contact our Data Protection Officer at dpo@lethub.co.uk. We will verify your identity before processing any request. If your data was uploaded to the Platform by one of our customers (for example, you are a tenant or landlord of a letting agent that uses LetHub), that customer is the controller for it; we will pass your request to them and assist them in responding.
4. Data Processing Agreement (DPA)
Our standard Data Processing Agreement (DPA) incorporates the mandatory clauses required by Article 28 of the UK GDPR. The DPA covers:
- Subject matter, nature, and duration of processing.
- Categories of data subjects and personal data.
- Our obligations as a processor, including confidentiality, security, and sub-processing.
- Your rights and obligations as a controller.
- Technical and organisational measures (TOMs) we implement.
- Procedures for personal data breach notification: as processor we notify you without undue delay after becoming aware of a breach, so that you can meet your own 72-hour deadline to the ICO.
- Procedures for data subject access requests.
- Data deletion or return upon contract termination.
- Audit rights and compliance verification.
You can request a copy of our DPA by emailing legal@lethub.co.uk. The DPA forms part of our Terms of Service and is automatically incorporated when you create an account.
5. International data transfers
We store and process data within the United Kingdom and the European Economic Area; our database and authentication provider is hosted in the EU (Ireland), a destination the UK recognises as adequate, so that flow needs no additional transfer mechanism. Where we use sub-processors based outside the UK and EEA, we ensure appropriate safeguards are in place:
- UK International Data Transfer Agreement (IDTA), or EU Standard Contractual Clauses (SCCs) together with the UK International Data Transfer Addendum, as applicable.
- Transfer Impact Assessments (TIAs) conducted for all international transfers.
- Supplementary technical measures (encryption at rest and in transit).
- Regular review of sub-processors' security certifications and attestation reports (ISO 27001, SOC 2).
6. Data breach procedures
We maintain a comprehensive personal data breach response plan. In the event of a personal data breach, we will:
- Contain and investigate the breach immediately upon detection.
- Where we act as processor, notify the affected data controllers without undue delay after becoming aware, so that they can meet their own 72-hour deadline to the ICO.
- Where we act as controller, notify the ICO within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
- Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Document all breaches, including the facts, their effects, and the remedial action taken, in our breach register, whether or not they were notifiable.
7. Technical and organisational measures
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk:
- Encryption of data at rest (AES-256) and in transit (TLS 1.3).
- Multi-factor authentication for all staff accounts.
- Role-based access control following the principle of least privilege.
- Continuous security monitoring, vulnerability scanning, and penetration testing.
- Regular data protection training for all employees.
- Secure development lifecycle with code review and security testing.
- Business continuity and disaster recovery plan tested annually.
8. Sub-processors
We use the following sub-processors to deliver the Platform. All are vetted for GDPR compliance:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and authentication | EU (Ireland) |
| Vercel | Application hosting | US (EU SCCs in place) |
| Stripe | Payment processing | US (EU SCCs in place) |
| Resend | Transactional email delivery | US (EU SCCs in place) |
9. Contact our DPO
Our Data Protection Officer can be reached at:
Email: dpo@lethub.co.uk
Post: Data Protection Officer, LetHub Ltd, 3rd Floor, WeWork, 1 St Peter's Square, Manchester M2 3AE
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Phone: 0303 123 1113
