C
CertMyHome
Start free

Legal

Privacy Policy

Last updated: 16 May 2026

This Privacy Policy explains what personal data CertMyHome collects, how we use it, and the rights you have under the UK GDPR and the Data Protection Act 2018. We are the data controller for personal data you provide directly to us as a CertMyHome account holder.

1. What we collect

  • Account data: name, email, password hash, company, phone, profile photo.
  • Property data: addresses, asset details, certificates and notes you upload.
  • Tenant references: names or contact details you choose to record against a property.
  • Billing data: handled by our payment processor (Stripe); we receive only a customer ID and subscription status.
  • Usage data: log-ins, IP address, device/browser, pages viewed, error reports.

2. How we use it (lawful bases)

  • Contract: to deliver the Service you signed up for.
  • Legitimate interests: to secure the platform, prevent fraud, debug issues and improve the product.
  • Consent: for optional marketing emails - you can withdraw consent at any time.
  • Legal obligation: to keep records required by tax, accounting or regulatory authorities.

3. Sharing

We do not sell your personal data. We share it only with processors who help us run the Service, under written contracts that require equivalent protection:

  • Cloud hosting and database (Supabase / Cloudflare).
  • Payment processing (Stripe).
  • Email delivery and customer support tooling.
  • Analytics and error monitoring.

We may disclose data where required by law, or to protect the rights, safety or property of CertMyHome or others.

4. International transfers

Some processors may host data outside the UK. Where they do, we rely on UK-approved transfer mechanisms (UK IDTA, EU SCCs with the UK Addendum, or adequacy decisions) to protect your data.

5. Retention

We keep account and compliance data for as long as your account is active and for a reasonable period afterwards so you can reactivate or export it. After permanent deletion, residual copies may persist in encrypted backups for up to 90 days before being overwritten.

6. Your rights

Under UK GDPR you have the right to:

  • Access a copy of your personal data.
  • Rectify inaccurate data.
  • Erase data (subject to legal retention obligations).
  • Restrict or object to certain processing.
  • Data portability.
  • Withdraw consent where processing is based on consent.

To exercise these rights, contact us. You also have the right to complain to the Information Commissioner's Office (ico.org.uk).

7. Security

We use TLS in transit, encryption at rest, role-based access controls, audit logging and Row-Level Security at the database layer. No system is perfectly secure - please use a strong, unique password and enable any future MFA option.

8. Children

The Service is not intended for anyone under 18.

9. Cookies

See our Cookie Policy for what we set and how to control it.

10. Changes

We may update this Policy. Material changes will be notified by email or in-app before they take effect.