THE ESTATECREATE GROUP:
ESTATECREATE LIMITED AND CREDIT BUILDER LIMITED
This is the privacy notice for estatecreate Limited and Credit Builder Limited (referred to hereafter as estatecreate, Credit Builder, the estatecreate Group, Our or We). This privacy notice sets out the basis on which any personal data We collect from data subjects (as defined below) or which data subjects provide to us, directly or indirectly, will be processed by the estatecreate Group. Please read the following carefully to understand our views and practices regarding personal data and how We treat it.
The estatecreate Group comprises:
- estatecreate Limited, which is a company registered in England and Wales under company number 06289199. Our registered office is at Sg House, 6 St. Cross Road, Winchester, Hampshire, England, SO23 9HX; and
- Credit Builder Limited, which is a company registered in England and Wales under company number 11002149. Our registered office is at Sg House, 6 St. Cross Road, Winchester, Hampshire, England, SO23 9HX.
For the purpose of the General Data Protection Regulation 2016/679 and the Data Protection Act 2018 (save where otherwise identified) and with respect to the companies identified above, the data controller is estatecreate Limited, which is registered at the Information Commissioner’s Office under ICO registration number Z1350689; and Credit Builder, which is registered at the Information Commissioner’s Office under ICO registration number ZA304636.
With respect to estatecreate limited and Credit Builder Limited, each can be contacted at the registered office address or firstname.lastname@example.org
THE GENERAL DATA PROTECTION REGULATION 2016/679
In this statement We have used certain terms which are set out in the General Data Protection Regulation 2016/679 (GDPR or the Regulation):
personal data means: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
controller means: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
processor means: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
processing means: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
WHO WE ARE; WHAT WE DO
The estatecreate Group develops and invests in Web software for the property industry. Our products and services include:
Estatecreate: we design and deploy data rooms for the benefit of the property market. These facilitate ease of access to commercial information, including sales memoranda, dynamic charts, videos and images. Our services allow our clients to track new users and activity; it also allows clients and users to ensure that all information is up to date.
Estatecreate also operates www.primaryrun.com, a service to manage Primary School running clubs.
Credit Builder: We provide tenants with the ability to report their rental payments to Experian Limited, thereby allowing Experian Limited to reflect the tenants’ ongoing compliance with their payment obligations and facilitating a more accurate credit report. This allows tenants to build their credit history; and offers landlords an added incentive for tenants to ensure that their payments are made on time.
OUR STATUS UNDER GDPR
Depending on the nature of the interaction, We act as a processor in that We are acting upon instructions from our clients when We provide our services to them. When We control the purposes and means of the processing of personal data, such as processing our employee’s personal data, We are a controller, as defined under the Regulation.
THE PERSONAL DATA WE COLLECT
We collect personal data for a number of purposes in order to transact our business. This includes the collection of personal data that identifies data subjects when they sign up to our services or our mailing list, or communicate with estatecreate. If a data subject shares any access requirements or other special requirements with us We will note this in the relevant record within our information management system. We keep a record of the emails We send and We may track whether the data subject has received them, so We can make sure We are sending the most relevant information. When We collect personal data We store it under a strict safeguarding and confidentiality regime.
In general, we collect and process personal data which relates to the services we offer. If a third party signs up to a data room provided by estatecreate, we will process basic contact details unless the interaction requires more specific personal data. If a tenant consents to the release of personal data to Experian Limited, pursuant to the services provided by Credit Builder, We only process personal data to the extent that this is necessary for the provision of our services. We do not process personal data which is not required by the estatecreate Group, and any additional processing of personal data is incidental only. We delete personal data once it is no longer needed.
OUR USE OF PERSONAL DATA
General: The estatecreate group only processes personal data to provide data subjects with information or services that they have requested, to meet contractual requirements and comply with administrative duties, sectoral regulations and the general law. Personal data collected this way will only be used to provide data subjects with information that they would reasonably expect or have agreed to. When We run activities in partnership with other organisations We will only share personal data with them if (where this is a requirement under the Regulation) a data subject has given us consent to do so; or in accordance with the Regulation. We do not share or sell personal data with other organisations to use for their own purposes without data subjects’ consent. As set out below, We may pass personal data to third-party service providers contracted to us. In these circumstances, the third party will be obliged to keep personal data secure, and to use them only to fulfil their contractual obligations to the estatecreate Group. When they no longer need personal data to fulfil this service, they will dispose of the details in line with our data retention policy, the Regulation and our contract with them.
Employees: estatecreate employees provide estatecreate with their personal data though email, digital or paper-exchange, for the employee and estatecreate to undertake a normal employer-employee relationship. Personal data collected might include a name, mobile number, email address, home address, photo, post code and notes about their role and skills. We collect sensitive personal data with respect to health, as necessary and in a proportionate manner. Personal data of estatecreate employees is controlled by estatecreate and is processed within third party platforms used to help us provide standard employment requirements such as payment of the employee through a third-party payroll business; or dissemination of payment data to HMRC, as is required by law. All estatecreate employee data is used in accordance with the Regulation to ensure that the relationship between the employee and estatecreate is undertaken in a manner that is consistent with the legal expectations of the parties in addition to third parties (such as HMRC, as referred to above). estatecreate employee personal data is stored within estatecreate for the duration of the employee’s contract with estatecreate.
We may share information with third parties so that they can assist us in providing our services. Such third parties could include:
- Clients, suppliers, consultants and sub-contractors for the performance of any contract We enter into with them (for example, so that our platform can work effectively, We may engage with contractors to carry out part of our services.)
- Analytics and search engine providers that assist us in the improvement and optimisation of our site.
- We share personal data with Experian Limited as part of the services we offer. This exchange is only undertaken where We have established that we have the data subject’s consent to share personal data in this way.
Please note: We will disclose personal data to third parties:
- If estatecreate (as a whole) or substantially all of its assets are acquired by a third party, in which case personal data held about data subjects will be one of the transferred assets.
- If estatecreate is under a duty to disclose or share personal data to comply with any legal obligation, or in order to enforce or apply terms and other agreements (but subject, always, the Regulation); or to protect the rights, property, or safety of estatecreate, our clients, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
THE LEGAL BASIS UPON WHICH WE ACT
We only process personal information where We have a lawful basis for doing so. These are:
Where We process personal data as a result of data subject consent, We ensure that consent is freely given, specific and informed, and established by a clear affirmative act. Where a data subject wishes to withdraw consent, We have set out below how this may be done.
Where We enter into a contract with third parties, processing of personal data may, as a matter of course, be necessary to execute such contract or take pre-contract preparation steps.
Where We have legal obligations, processing of personal data may be required by law. This may include contact with our regulators or public institutions.
Where We process personal data as it is necessary for the purpose of our legitimate interests, We do so on the basis of a balanced evaluation of our interests and those of relevant data subjects. We may therefore contact data subjects about things which We feel are of interest or which, based on what We know about data subjects. This will from time to time include marketing and raising awareness, but at any stage data subjects can tell us that they do not want to receive such information and We will stop contact.
WITHDRAWAL OF CONSENT
Consent should be as easy to withdraw as it is to give; and data subjects may ask, at any time, that We do not process their personal data. A data subject may contact us to withdraw consent using the contact details at the end of this privacy statement. Equally, where We process personal data based on our legitimate interest, a data subject has a right to request that We stop processing personal data for our legitimate interests.
HOW WE PROTECT PERSONAL DATA
We take appropriate physical, electronic and managerial measures to ensure that We keep information secure, accurate and up to date, and that We only keep it as long as is reasonable and necessary. Any external providers We use to process personal data (for instance the operators of our contact management system) must meet our security policies and comply with all relevant legislation about how they store and process personal data. We may also receive information about data subjects from third parties.
YOUR RIGHTS TO FURTHER INFORMATION
At a data subject’s request, We will confirm the information We hold and how it is processed. A data subject can request the following information:
- Identity and the contact details of the person or organisation that has determined how and why to process personal data.
- The purpose of the processing as Well as the legal basis for processing.
- If the processing is based on the legitimate interests, information about those interests.
- The categories of personal data collected, stored and processed.
- Recipient(s) or categories of recipients that the personal data is/will be disclosed to.
- If We intend to transfer the personal data to a third country or international organisation, information about how We ensure this is done securely.
- How long the personal data will be stored.
- Details of rights to correct, erase, restrict or object to such processing.
- Information about the right to withdraw consent at any time.
- The source of personal data if it wasn’t collected directly from the data subject.
- Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as Well as the significance and expected consequences of such processing.
What forms of ID will I need to provide in order to access this?
We accept the following forms of ID when information with respect to personal data is requested: passport, driving licence, birth certificate, utility bill from the previous 3 months.
SENSITIVE PERSONAL DATA
Where We process sensitive personal data in acting as a processor, We do so on the basis that the controller has established a lawful exception to the prohibition on processing sensitive personal data under Article 9 of the Regulation; and where We are processing the sensitive personal data of employees, we do so pursuant to its employment relationship with its personnel and so uses the exception set out in paragraph 2(b) of Article 9 of GDPR.
TRANSFERRING OUT OF THE EEA
Storing: We use cloud providers to store our personal data. Personal data may be transferred to and stored at a destination outside of the European Economic Area (EEA).
Processing: We may use third parties to help us deliver our services and they may be based outside the EEA. Where data is transferred outside the EEA, We adhere to compliance mechanisms that are identified by the European Commission, for example, the use of EU model contract clauses or conformity to US Privacy Shield.
Where We are the processor: in general, personal data is stored in the locations required by our clients. Periodically, our clients may agree specific terms as to where customer data, venue employee data and head office employee data is stored by us. At all times, We act in accordance with the Regulation.
DATA RETENTION PERIODS
We have a data retention policy which sets out how long it will store personal data, which is consistent with Article 5 of the Regulation. estatecreate only keeps personal data for as long as is necessary. For example, estatecreate is required to retain certain information in accordance with the general law, where information needed for income tax and audit purposes. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices. Personal data may be held in addition to these periods depending on estatecreate’s business needs, which are balanced against the requirements of GDPR and the rights of the individual.
Where We are the controller
We will retain personal data for as long as necessary. As described above, in some cases, We will have a legal or statutory obligation to retain information for a set period, such as the limitation period.
Where We are the processor
Personal data is stored as instructed by the controller in accordance with their approach to retention of personal data provided that this is within GDPR.
SUMMARY OF DATA PROCESSORS
In order to provide our services to our clients and their customers, estatecreate defines the different categories of personal data and works with carefully selected third parties. Some of our selected third parties are required to process personal data on our behalf, in compliance with our role as both a controller and processor.
We have implemented security measures that are designed to help protect the personal data We collect or receive in connection with our services, from unauthorised access or disclosure. For example, We use encryption techniques to ensure the security of data; We also use password protection. However, no transmission or storage of data can be guaranteed to be completely secure and We cannot ensure or warrant the security of any information which We collect and store.
CONTACTING YOU FOR MARKETING PURPOSES
We strive to provide data subjects with choices regarding certain personal data uses, particularly around marketing and advertising. We have established the following personal data control mechanisms:
Promotional offers from estatecreate: We may use activity disclosed to us to form a view on what we think a data subject may want or need, or what may be of interest. This is how We decide which products, services and offers may be relevant for the data subject, who will receive marketing communications from Us if you have requested information from us or purchased goods or services from Us and in each case, you have not opted out of receiving that marketing.
Third-party marketing: We will get your express opt-in consent before we share your personal data with any company outside of estate create for marketing purposes.
Opting out: You can ask Us or third parties to stop sending You marketing messages at any time by contacting estate create on email@example.com at any time.
CONTACTING YOU IN THE EVENT OF BREACH
Where there is a requirement to contact data subjects or the supervisory authority in the event of an unauthorized breach or disclosure of personal data, We will get in touch with the supervisory authority (which in estatecreate’s case is the Information Commissioner on the United Kingdom) and with affected data subjects – in each case, in the event of the unauthorized disclosure of personal data which results in a risk (or high risk) to the rights and freedoms of data subjects.
LINKS TO OTHER WEBSITES
Our website may contain links to other websites of interest. However, once these links to leave our site have been used, We do not have any control over that other Website. Therefore, We cannot be responsible for the protection and privacy of any personal data which is provided whilst visiting such sites and such sites are not governed by this privacy statement. Our recommendation is to exercise caution and look at the privacy statement applicable to the website in question.
Strictly necessary cookies
These are cookies that are required for the operation of our website. They include, for example, cookies that enable users to log into secure areas of our website.
They allow us to recognize and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily
These are used to recognize data subjects when they return to our website. This enables us to personalise content, greet returners by name and remember preferences (for example, choice of language or region).
These cookies record visits to our website, the pages visited and the links followed. We will use this information to make our Website more relevant.
FIRST PARTY COOKIES
How do I block first party cookies?
It is possible to block first party cookies by activating the setting on a browser that allows you to refuse the setting of all or some cookies. If you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.
THIRD PARTY COOKIES
We may use Google Analytics cookies to track anonymous usage statistics but We do not collect any personal information that can be used to identify data subjects. This data helps us analyze Web page usage and improve our Website to tailor it to our audience needs.
Google Analytics stores information about what pages you visit, how long you are on the site, how you got there and what you clicked on.
These are cookies served by a third-party service provider and are usually used to identify a computer when it visits another Website, for example, when a data subject logs in to a social media site to share an article.
How do I block third party cookies?
Third party cookies may be blocked by activating the settings on your browser that allows you to refuse the setting of all or some cookies. However, if browser settings are used to block all cookies (including essential cookies) data subjects may not be able to access all or parts of our site.
For more information on cookies, go to www.aboutcookies.org
YOUR RIGHT TO COMPLAIN
Data subjects have a right to complain about the way We process personal data and can register their concern by contacting the Information Commissioner and following the instructions set out at www.ico.org.uk
6 St. Cross Road
England, SO23 9HX
FAO Data Protection Owner