Privacy Policy
Effective date: 24 March 2026 · Last updated: 26 March 2026
1. Who We Are
Openlett is operated by Abdullah AlOtaishan.
Openlett (“we”, “our”, “us”) is the data controller responsible for your personal data. We operate the Openlett mobile application (the “App”) and the website at openlett.com (the “Website”).
Contact: privacy@openlett.com.
We process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
2. Data We Collect
We collect different categories of personal data depending on how you use the App:
2.1 Account & Identity Data
Full name, email address, phone number (optional), date of birth, gender, profile photograph, and password (stored as a cryptographic hash, never in plain text).
2.2 Profile & Preference Data
Budget range, desired move-in date, preferred areas and property types, employment status and occupation, relationship status, pet ownership, smoking status, hobbies, lifestyle preferences, and languages spoken. For landlords: tenant preferences including preferred gender, age range, employment type, and whether pets, smoking, couples, families, or students are accepted.
2.3 Property Listing Data (Landlords)
Property address, postcode, description, price, billing period, number of bedrooms and bathrooms, property type, furnishing status, whether bills are included, floor area, council tax band, deposit amount, amenities, floor plans, EPC ratings, and property photographs.
2.4 Behavioural & Usage Data
Properties you view, like, skip, or save; viewing bookings and attendance; messages sent and received; offers submitted; time spent viewing listings; search filters applied; and feature interactions within the App.
2.5 Location Data
Approximate location (GPS coordinates) when you explicitly grant permission, used solely to show properties nearest to you and calculate distances to transport links. We request foreground location access only and do not track your location in the background.
2.6 Device & Technical Data
Device type, operating system and version, app version, unique device identifiers, push notification tokens (for delivering notifications), and IP address (collected automatically by our servers).
2.7 Verification & Tenancy Documents
Identity documents (e.g. passport, driving licence) uploaded during the tenancy setup process, gas safety certificates, and deposit protection certificates. These are uploaded voluntarily as part of the tenancy onboarding flow.
2.8 Payment & Subscription Data
We do not directly collect or store payment card details.
- Renter subscriptions are processed through Apple In-App Purchases and managed by RevenueCat Inc. We receive only a confirmation of your subscription status, plan type, and expiry date.
- Landlord payments (Landlord Pro subscriptions, open-house campaign fees, and boost purchases) are processed by Stripe, Inc. Stripe collects your name, email address, and payment card details directly. We receive a Stripe customer ID, payment status, and transaction references but never your full card number. Stripe’s handling of your data is governed by Stripe’s Privacy Policy.
2.9 Communications Data
Messages exchanged through the in-app messaging system between tenants and landlords, including message content, timestamps, and associated property references.
3. How We Use Your Data
We use your personal data for the following purposes:
- To create, authenticate, and maintain your account
- To match you with suitable rental properties based on your preferences and budget
- To display property listings and facilitate property searches
- To process viewing bookings, generate QR code tickets, and manage check-ins
- To enable direct messaging between tenants and landlords
- To process and manage rental offers between parties
- To facilitate the tenancy setup process including document collection
- To send push notifications about viewing updates, new messages, and relevant property alerts
- To calculate and display your AI match score for each property
- To show properties nearest to your location (when permission is granted)
- To process and manage subscriptions
- To detect, prevent, and address fraud, abuse, and security issues
- To comply with legal obligations
- To improve, personalise, and develop the App
4. Legal Basis for Processing
Under the UK GDPR, we rely on the following legal bases:
4.1 Performance of a Contract (Article 6(1)(b))
Processing your account data, preferences, viewing bookings, messages, offers, and tenancy documents is necessary to provide you with the services you have signed up for.
4.2 Legitimate Interests (Article 6(1)(f))
Processing usage and behavioural data to improve the App, generate match scores, prevent fraud, and ensure security. We have conducted a legitimate interests assessment and concluded that these interests do not override your fundamental rights and freedoms.
4.3 Consent (Article 6(1)(a))
Processing your location data (requested via an in-app permission prompt) and sending marketing communications. You may withdraw consent at any time by adjusting your device settings or contacting us.
4.4 Legal Obligation (Article 6(1)(c))
Processing data where required to comply with applicable laws, regulations, or legal proceedings.
5. Data Sharing
We share your personal data only with the following categories of recipients and only to the extent necessary:
5.1 Other Users
When you book a viewing or send a message, limited profile information (name, profile photo, match score, and verification status) is shared with the relevant landlord or tenant. Landlords can see the profiles of tenants who have registered for their viewings.
5.2 Service Providers
- Hosting & Infrastructure: Our backend is hosted on Render Inc. (servers located in the EU/EEA). Data is encrypted in transit (TLS 1.2+) and at rest.
- Push Notifications: Expo (by 650 Industries Inc.) and Apple Push Notification Service for delivering push notifications. Only your push token and notification content are transmitted.
- Renter Subscription Management: RevenueCat Inc. processes subscription purchases made through Apple In-App Purchases. RevenueCat receives your anonymised user ID and purchase receipt.
- Landlord Payment Processing: Stripe, Inc. processes Landlord Pro subscriptions, open-house campaign payments, and boost purchases. Stripe receives your name, email address, and payment card details to process transactions. See Stripe’s Privacy Policy.
5.3 Law Enforcement & Legal
We may disclose your data to law enforcement agencies, courts, or other government bodies where required by law, regulation, legal process, or enforceable governmental request.
5.4 No Sale of Data
We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes. We do not use third-party advertising trackers.
6. International Data Transfers
Your personal data may be transferred to and processed in countries outside the United Kingdom, including the United States (where some of our service providers are located). Where such transfers occur, we ensure appropriate safeguards are in place in accordance with UK GDPR Article 46, including:
- Standard Contractual Clauses (SCCs) approved by the ICO
- The UK Extension to the EU-US Data Privacy Framework (where applicable)
- Adequacy decisions by the UK Secretary of State
You may request a copy of the safeguards we use by contacting privacy@openlett.com.
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Account data: Retained while your account is active and for 30 days after a deletion request, to allow for account recovery.
- Messages: Retained while your account is active. Deleted within 30 days of account deletion.
- Behavioural data: Retained for up to 24 months for service improvement, then anonymised or deleted.
- Tenancy documents (ID, certificates): Retained for the duration of the tenancy plus 12 months, or as required by law.
- Financial records: Retained for up to 7 years as required by HMRC and UK company law.
- Device data & push tokens: Deleted or refreshed upon logout or account deletion.
When data is no longer required, it is securely deleted or irreversibly anonymised.
8. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15): Request a copy of the personal data we hold about you.
- Right to rectification (Article 16): Request correction of inaccurate or incomplete data. You can also update most data directly in the App.
- Right to erasure (Article 17): Request deletion of your personal data. You can delete your account directly in the App settings, or contact us.
- Right to restriction (Article 18): Request that we restrict processing of your data in certain circumstances.
- Right to data portability (Article 20): Request your data in a structured, commonly used, machine-readable format.
- Right to object (Article 21): Object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.
- Right to withdraw consent: Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
- Rights relating to automated decision-making (Article 22): Our match score is generated algorithmically but is not used to make decisions with legal or similarly significant effects. You may request human review of any automated assessment.
To exercise any of these rights, contact us at privacy@openlett.com. We will respond within one month. If your request is complex, we may extend this by a further two months and will inform you accordingly.
We will not charge a fee for reasonable requests. If a request is manifestly unfounded or excessive, we may charge a reasonable administrative fee or refuse the request.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- All data transmitted between the App and our servers is encrypted using TLS 1.2 or higher
- WebSocket connections for real-time messaging use WSS (encrypted WebSocket)
- Passwords are stored as cryptographic hashes (never in plain text)
- Authentication tokens are stored in your device’s secure enclave (iOS Keychain / Android Keystore)
- Data at rest on our servers is encrypted
- Access to personal data is restricted to authorised personnel on a need-to-know basis
- Regular security reviews of our codebase and infrastructure
No system is completely secure. If you become aware of any security vulnerability or data breach, please report it immediately to security@openlett.com.
10. Cookies & Tracking
The App does not use cookies. The Website uses only strictly necessary cookies required for basic functionality. We do not use any third-party advertising trackers, analytics cookies, or retargeting technologies in the App or on the Website.
11. Children
The App is not intended for individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that data promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
- Posting a prominent notice within the App
- Sending a push notification or email (where we have your contact details)
- Updating the “Last updated” date at the top of this policy
Continued use of the App after the effective date of a revised policy constitutes acceptance of the changes. If you do not agree with the revised policy, you should stop using the App and delete your account.
13. Complaints
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would, however, appreciate the opportunity to address your concerns before you approach the ICO. Please contact us first at privacy@openlett.com.
14. Contact
For any questions, concerns, or requests regarding this Privacy Policy or your personal data:
- Email: privacy@openlett.com
- General enquiries: info@openlett.com