AgentInABox

Introduction

AgentInABox Ltd ("we", "us", "our", or "Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our property management Software-as-a-Service (SaaS) platform, including related services and applications.

Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our services. By accessing and using AgentInABox, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

1. Data Controller

AgentInABox Ltd is the data controller responsible for your personal data. You can contact us at:

We are registered with the Information Commissioner's Office (ICO) as a data controller under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).

2. What Personal Data We Collect

We collect and process personal data necessary to provide our property management services. This includes:

User Account Information

When you create an account, we collect your full name, email address, phone number, and job title. For letting agents and agency staff, we also collect business address information and details about your role within the organisation.

Property and Tenancy Data

To manage properties, we collect property addresses, postcodes, descriptions, and photographs. For tenancies, we process tenant names, contact details, email addresses, phone numbers, emergency contact information, and tenancy agreement details including move-in and move-out dates.

Maintenance and Compliance Data

We collect information about maintenance requests and issues, including descriptions, photographs, videos, and reports submitted by tenants, agents, and tradespeople. We also process compliance-related documents such as electrical safety certificates, gas safety certificates, EPC ratings, and landlord insurance details.

Payment and Financial Information

We collect payment method information to process subscription fees. Payment processing is handled by our payment processor Stripe, and we do not store full credit card details.

Communications Data

We process emails, SMS messages, and other communications sent through the platform. This includes messages between agents, tenants, and tradespeople, including attachments and documents.

Technical and Usage Data

We collect information about how you interact with our platform, including IP addresses, browser type, device information, pages accessed, time spent on features, and error logs. This data helps us improve our services and detect security issues.

3. Legal Basis for Processing

Under the UK GDPR and Data Protection Act 2018, we process your personal data on the following legal bases:

Contract Performance

We process data necessary to provide the services you have contracted for. This includes user account information, property details, tenancy information, and communications required to deliver the property management platform.

Legitimate Interests

We process technical data, usage analytics, and security information to operate and improve our platform, prevent fraud and abuse, and enforce our terms of service. We have considered the balance between our legitimate interests and your rights, and believe our processing to be proportionate.

Consent

We collect consent-based processing for marketing communications such as newsletters, product updates, and promotional emails. You may withdraw consent at any time by unsubscribing or contacting us directly.

Legal Obligation

We may process data where required by law, regulation, or to respond to lawful requests from public authorities.

4. Third-Party Data Processors

We use the following third-party service providers to process your data on our behalf. All processors are contractually bound by Data Processing Agreements to ensure adequate safeguards:

Resend (Email Service)

Resend processes email addresses and message content to deliver email notifications, communications, and alerts through our platform. Resend operates servers in the European Union.

The SMS Works (SMS Service)

The SMS Works processes phone numbers and SMS message content to deliver text message communications and alerts. They may process data in jurisdictions outside the UK, subject to appropriate safeguards.

Render (Hosting and Infrastructure)

Render provides cloud hosting and infrastructure services. Your data, including databases and application servers, may be processed and stored in servers located in the United States. We have in place Standard Contractual Clauses to ensure adequate protection of your data when transferred to the US.

Stripe (Payment Processing)

Stripe processes payment method information and subscription data to facilitate payment for platform services. Stripe's servers are located globally, including in the United States. We have in place Standard Contractual Clauses and rely on Stripe's compliance with the UK GDPR framework.

You can request details of how third-party processors handle your data by contacting us at agentinaboxsales@gmail.com.

5. Data Retention

We retain personal data for as long as necessary to provide our services and fulfil the purposes outlined in this Privacy Policy. Specific retention periods are as follows:

• User Accounts:Retained while your account is active and for 12 months after account deletion, unless longer retention is required by law.
• Property & Tenancy Data:Retained for the duration of the tenancy plus 7 years, in accordance with landlord and tax record-keeping requirements.
• Compliance Documents:Retained for the duration of their validity plus 7 years for legal and regulatory compliance purposes.
• Communications:Retained for 3 years unless required for legal proceedings, regulatory compliance, or dispute resolution.
• Technical & Usage Data:Retained for 12 months for security, debugging, and analytics purposes.
• Marketing Records:Retained until you unsubscribe, after which we retain only your email to suppress future communications.

After the retention period expires, data is securely deleted or anonymised. Some data may be retained longer if required by legal or regulatory obligations.

6. Your Data Rights

Under the UK GDPR and Data Protection Act 2018, you have the following rights regarding your personal data:

Right of Access

You have the right to request a copy of the personal data we hold about you, including information about how it is processed. We will respond to your request within 30 calendar days.

Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. You can update much of your information directly in your account settings.

Right to Erasure

You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary or when you withdraw consent. We may retain data where required by law or for legitimate business purposes.

Right to Restrict Processing

You may request that we restrict processing of your data while we verify its accuracy or assess the legitimacy of our processing.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly-used, machine-readable format and to transmit that data to another controller where technically feasible.

Right to Object

You have the right to object to processing of your data, including for marketing purposes. We will cease processing for marketing purposes upon receipt of your objection.

Right to Not Be Subject to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects. We do not use automated decision-making in a manner that would significantly affect you.

To exercise any of these rights, please contact us at agentinaboxsales@gmail.com with your request and supporting identification. We will respond within the timeframes required by law.

7. International Data Transfers

Some of your personal data may be transferred to and processed in countries outside the United Kingdom and European Union, including the United States, where servers operated by our hosting provider (Render) and payment processor (Stripe) are located.

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) incorporated into our Data Processing Agreements with third parties
• Supplementary safeguards such as encryption and technical measures to protect data in transit
• Regular assessments of the adequacy of protections in recipient jurisdictions

By using AgentInABox, you consent to the transfer of your personal data as described above. You may contact us if you wish to obtain a copy of the Standard Contractual Clauses or other mechanisms used to safeguard your data in international transfers.

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, maintain security, and analyse platform usage.

Essential Cookies

These cookies are necessary for the platform to function, including authentication tokens and session management. They cannot be disabled.

Analytical Cookies

We use analytics cookies to understand how users interact with our platform, identify technical issues, and improve features. These cookies do not identify you personally.

Marketing Cookies

If you have consented, we use marketing cookies to deliver targeted advertising and track campaign effectiveness. You can withdraw consent or disable these cookies in your browser settings at any time.

Most browsers allow you to refuse cookies or alert you when cookies are being sent. You can manage your cookie preferences through your browser settings. However, disabling essential cookies may impair platform functionality.

9. Data Security

We implement comprehensive technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using TLS/SSL protocols
• Encryption of sensitive data at rest
• Secure authentication with JWT tokens and refresh token rotation
• Regular security audits and vulnerability assessments
• Access controls limiting employee access to personal data
• Monitoring and logging of data access and system events
• Incident response procedures for data breaches

While we employ industry-standard security measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security, but we remain committed to protecting your data through continued investment in security infrastructure.

If we become aware of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the ICO without undue delay, as required by law.

10. Children's Privacy

AgentInABox is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without proper consent, we will delete that data promptly. Parents or guardians who believe their child has provided personal data to us should contact us immediately at agentinaboxsales@gmail.com.

11. Third-Party Links and Services

Our platform may contain links to third-party websites and services that are not operated by AgentInABox. This Privacy Policy applies only to AgentInABox. We are not responsible for the privacy practices of third-party sites. When you access external websites through links on our platform, we recommend that you review their privacy policies before providing your personal data.

12. Marketing Communications

We may send you marketing emails and SMS messages about our services, new features, updates, and promotional offers. These communications are only sent where you have provided explicit consent or where we have a legitimate business relationship.

You can opt out of marketing communications at any time by:

• Clicking the "unsubscribe" link in any marketing email
• Replying "STOP" to any SMS from us
• Updating your communication preferences in your account settings
• Contacting us directly at agentinaboxsales@gmail.com

We will cease marketing communications within 10 business days of receiving your opt-out request. This will not affect transactional emails necessary to operate your account.

13. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify you without undue delay and within 72 hours where feasible
• Provide information about the nature of the breach and potential impacts
• Recommend steps you can take to protect yourself
• Provide contact details for further information

We will also notify the Information Commissioner's Office as required by law unless the breach is unlikely to result in risk to you.

14. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated Privacy Policy on our website and updating the "Last Updated" date at the top of this page.

Your continued use of AgentInABox following publication of changes constitutes your acceptance of the updated Privacy Policy. We recommend that you review this Privacy Policy regularly to stay informed about how we protect your personal data.

15. Contact Us and Data Protection Complaints

If you have questions about this Privacy Policy, our privacy practices, or wish to exercise your data rights, please contact us:

Complaints to the ICO

If you are not satisfied with how we have handled your personal data or your data rights, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), which is the independent authority for data protection in the UK.