Privacy policy
Housing Direct connects local authorities with verified landlords to place households into homes. This policy explains what we collect, why we collect it, and the rights you have over your data under the UK GDPR and the Data Protection Act 2018.
01 Plain-English summary
The short version. We hold three kinds of data: account data about you (the user), property data about homes you list or place into, and household data about the people being placed. Household data is sensitive — councils control it, we process it on their behalf, and we don't sell anything to anyone.
This summary is here to help. It isn't legally binding — the detailed sections below are. If anything in the summary and the detail seems to conflict, the detail wins.
02 Who we are
"Housing Direct" means Housing Direct Media & Tech Ltd., a company registered in England & Wales (company no. 17081854) with its registered office at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ. We are registered with the Information Commissioner's Office under reference TBA.
For account, billing, and analytics data we collect about you directly, we are the data controller. For household data that councils upload to assess placements, we are a data processor acting on the council's behalf — the council is the controller and their own privacy notice applies first.
You can reach our Data Protection Officer at dpo@housingdirect.co.uk.
03 What we collect
3.1 Account & identity data
When you create an account we collect your name, work email, phone number, role, and the organisation you work for. Landlords additionally provide verification documents (photo ID, proof of address, right-to-let evidence, bank details).
3.2 Usage data
Pages you visit, searches you run, listings you shortlist, messages you send. We log IP address, browser and device type, and the approximate location (city level) derived from your IP for fraud prevention.
3.3 Property data
Address, rent, bedrooms, accessibility features, EPC, compliance documents (gas, EICR), and photos for any property you list. Compliance certificates contain the issuing engineer's name and qualification number.
3.4 Household & placement data
For each booking request, councils share occupant details (name, contact, date of birth, gender, risk assessment summary, support worker contact). This is special category data under UK GDPR Article 9 — we only process it under the council's lawful basis and with the safeguards in our Data Sharing Agreement.
04 Why we use it
We process each category of data for the purposes listed below, relying on the lawful bases in UK GDPR Articles 6 and 9.
- Run your account: Authenticate you, secure your session, and let your colleagues collaborate inside your organisation. Basis: contract.
- Verify landlords: Confirm identity, ownership and bank details so councils can trust who they're working with. Basis: legitimate interests + legal obligation (money-laundering rules).
- Match listings to households: Surface suitable properties for placements and let you communicate about them. Basis: council's controller-to-processor instructions; legitimate interests for landlord-side matching.
- Send service emails: Booking updates, document expiry warnings, account security alerts. Basis: contract — these are not marketing.
- Improve the product: Aggregate, de-identified usage analytics. Basis: legitimate interests. You can opt out via Cookies.
- Comply with the law: Respond to lawful requests from regulators, courts, and tax authorities. Basis: legal obligation.
06 How long we keep it
- Account data: While your account is active, plus 6 years after closure (to meet HMRC and limitation-period obligations).
- Verification documents: 5 years from your last verification event, after which we delete the originals and keep only a redacted audit record.
- Household data: Retained per the controlling council's instructions, typically the duration of the tenancy plus 7 years.
- Server logs: 30 days for application logs, 90 days for security logs.
- Analytics: De-identified after 13 months.
07 How we protect it
Your data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Verification documents and household records are stored in a dedicated encrypted bucket with field-level access controls. We run penetration tests twice a year and are working towards ISO 27001 certification (expected Q4 2026).
If we discover a personal data breach we will notify the ICO within 72 hours and tell affected users directly where required by law.
08 Your rights
Under UK GDPR you have the right to access, correct, delete, restrict, port, and object to the processing of your personal data. To exercise any of these, email privacy@housingdirect.co.uk from the address on your account — we will respond within one month.
If your data was provided by your council (e.g. household records), please raise your request with the council first; we will support their response.
You can complain to the Information Commissioner's Office at any time. We'd appreciate the chance to put things right first.
09 International transfers
Personal data is stored in the United Kingdom (AWS eu-west-2). Some sub-processors operate from the European Economic Area under an adequacy decision. We use the UK International Data Transfer Addendum to the EU Standard Contractual Clauses for the small number of providers (transactional email metadata only) based in the United States.
10 Changes & contact
We post material changes to this policy on this page and email account holders at least 14 days before they take effect. Previous versions are linked from the change log at the bottom of this page.
Anything unclear? Email privacy@housingdirect.co.uk or write to the Data Protection Officer at the registered office address above.