Legal
Privacy Policy
Last updated: 20 April 2026
Download this policy as a PDF1. Who We Are
1.1 This Privacy Policy explains how LLCR Technologies Ltd (“LLCR”, “we”, “us”, or “our”) collects, uses, stores, and shares your personal data when you use our Platform and visit our website.
1.2 LLCR Technologies Ltd is the data controller for the personal data described in this Policy. This means we decide why and how your personal data is processed.
1.3 Our details:
Full company name: LLCR Technologies Ltd
Company number: 17167813 (registered in England and Wales)
Registered office: 28 Beaufort Court Admirals Way, London, United Kingdom, E14 9XL
ICO registration number: ZC128424
Email: [email protected]
1.4 We have not appointed a Data Protection Officer (DPO) as we are not required to do so under Article 37 of the UK GDPR. If you have any questions about this Policy or our data practices, please contact us at [email protected].
2. What This Policy Covers
2.1 This Policy applies to personal data we collect when you:
(a) visit our marketing website at llcr.uk;
(b) create an account and use our Platform at llcr-app.uk;
(c) subscribe to a paid Plan;
(d) contact us by email or through the Platform; or
(e) interact with our AI assistant, Ava.
2.2 This Policy does not cover third-party websites or services linked from our Platform. We encourage you to read the privacy policies of those third parties before providing them with your personal data.
3. The Personal Data We Collect
We collect the following categories of personal data:
| Category | Data collected | Source |
|---|---|---|
| Account data | Full name, email address, password (hashed), account preferences | Provided by you at registration |
| Property data | Property addresses, tenancy details (type, start date), jurisdiction | Provided by you via the Platform |
| Tenant data | Tenant names, addresses, contact details (where you choose to enter them) | Provided by you via the Platform (see clause 8) |
| Certificate data | Certificate types, issue dates, expiry dates, issuer names, file uploads | Provided by you via the Platform |
| Payment data | Billing email, last four digits of card, payment history, subscription status | Stripe (our payment processor). We never see or store your full card number. |
| Usage data | Pages visited, features used, session duration, timestamps, device type, browser type | Collected automatically via cookies and server logs |
| Communications | Messages to Ava (AI assistant), emails to support, feedback | Provided by you when you communicate with us |
| Technical data | IP address, browser type and version, operating system, referral URL | Collected automatically when you access the Platform |
| Document Builder data | Information entered into forms (landlord name, tenant name, property address, ground for possession, rent amounts) | Provided by you when generating documents |
3.1 We do not collect any special category data (such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data) unless you voluntarily include it in free-text fields. We strongly discourage this.
3.2 We do not knowingly collect personal data from anyone under the age of 18. The Service is intended for adult landlords only.
4. How and Why We Use Your Personal Data
The UK GDPR requires us to have a lawful basis for each way we use your personal data. The table below sets out our purposes for processing, the lawful basis we rely on, and the categories of data involved.
| Purpose | Lawful basis (UK GDPR Art. 6) | Data used |
|---|---|---|
| Creating and managing your account | Performance of a contract (Art. 6(1)(b)) | Account data, technical data |
| Providing the Service (property tracking, certificate management, compliance reminders) | Performance of a contract (Art. 6(1)(b)) | Account data, property data, certificate data |
| Processing payments and managing subscriptions | Performance of a contract (Art. 6(1)(b)) | Account data, payment data |
| Generating documents via the Document Builder | Performance of a contract (Art. 6(1)(b)) | Document Builder data, property data, tenant data |
| Operating the AI assistant (Ava) | Performance of a contract (Art. 6(1)(b)) | Communications, property data, certificate data |
| Sending transactional emails (confirmations, expiry reminders, password resets) | Performance of a contract (Art. 6(1)(b)) | Account data |
| Sending optional Telegram alerts | Consent (Art. 6(1)(a)) — you opt in explicitly | Account data, property data |
| Improving the Service, fixing bugs, analysing usage patterns | Legitimate interests (Art. 6(1)(f)) — our interest in improving the product | Usage data, technical data |
| Preventing fraud, enforcing our Terms, protecting security | Legitimate interests (Art. 6(1)(f)) — our interest in keeping the Service secure | Account data, technical data, usage data |
| Complying with legal obligations (e.g. tax records, responding to law enforcement) | Legal obligation (Art. 6(1)(c)) | Account data, payment data |
| Responding to your enquiries and providing support | Legitimate interests (Art. 6(1)(f)) — our interest in providing good customer service | Account data, communications |
4.1 Where we rely on legitimate interests, we have carried out a balancing test to ensure our interests do not override your fundamental rights and freedoms. You can ask us for details of this balancing test by contacting [email protected].
4.2 Where we rely on your consent, you may withdraw it at any time by contacting us or changing your settings in the Platform. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
5. Who We Share Your Data With
5.1 We do not sell your personal data to anyone. We never have and we never will.
5.2 We share your personal data only with the following categories of recipients, and only to the extent necessary to provide the Service:
| Recipient | Purpose | Data shared | Location & safeguards |
|---|---|---|---|
| Supabase (database & auth) | Hosting your data, authenticating your account | All Platform data | EU (AWS Frankfurt). UK adequacy decision applies to EU. |
| Vercel (hosting) | Serving the web application | Technical data, IP address | US. UK-US Data Bridge / International Data Transfer Agreement (IDTA). |
| Stripe (payments) | Processing subscription payments | Payment data, email | US. UK-US Data Bridge / Standard Contractual Clauses. |
| Anthropic (AI) | Powering Ava, our AI assistant | Messages to Ava, portfolio summary data | US. Standard Contractual Clauses (UK Addendum). Anthropic does not use your data to train models. |
| Resend (email) | Sending transactional emails | Email address, name | US. UK-US Data Bridge / Standard Contractual Clauses. |
| Telegram (optional) | Sending compliance alerts (if you opt in) | Telegram user ID, property alerts | Global. You control this by opting in. Telegram’s privacy policy applies. |
5.3 We may also disclose your personal data if required to do so by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
5.4 If LLCR is acquired, merges with another company, or sells substantially all of its assets, your personal data may be transferred to the successor entity. We will notify you of any such transfer and any choices you may have regarding your data.
6. International Data Transfers
6.1 Some of our third-party service providers are based in the United States. When we transfer your personal data outside the United Kingdom, we ensure that appropriate safeguards are in place as required by Chapter V of the UK GDPR.
6.2 The safeguards we rely on include:
(a) the UK-US Data Bridge (an extension of the EU-US Data Privacy Framework), for US providers who are certified under it;
(b) the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, where the Data Bridge does not apply; and
(c) UK adequacy decisions, where the destination country has been assessed by the UK Government as providing an adequate level of data protection (this covers transfers to the EU/EEA).
6.3 You may request a copy of the relevant safeguards by contacting us at [email protected].
7. How Long We Keep Your Data
We do not keep your personal data for longer than necessary. The specific retention periods are:
| Data type | Retention period | Reason |
|---|---|---|
| Account data | Duration of your account, plus 30 days after closure | To allow you to reactivate and to handle any post-closure queries |
| Property and certificate data | Duration of your account, plus 30 days after closure | Core Service data; deleted after the post-closure grace period |
| Payment records | 6 years after the transaction | HMRC requirement under the Income Tax (Trading and Other Income) Act 2005 and the Limitation Act 1980 |
| Ava conversation logs | 90 days from the date of the conversation | To support debugging and Service improvement; then permanently deleted |
| Support emails | 2 years from the date of the last communication | To maintain context for recurring issues |
| Usage and technical data (analytics) | 12 months from collection | To analyse trends and improve the Service |
| Terms acceptance audit log | 6 years after account closure | To evidence acceptance of contractual terms in the event of a dispute (Limitation Act 1980) |
7.1 When a retention period expires, we securely delete or anonymise the data so that it can no longer be linked to you.
8. Tenant Data — Your Responsibilities as a Data Controller
8.1 When you enter personal data about your tenants into the Platform (such as their names, addresses, and contact details), you are acting as a data controller for that data within the meaning of the UK GDPR. We act as a data processor on your behalf.
8.2 As a data controller, you are responsible for:
(a) having a lawful basis (such as legitimate interests or performance of a contract) for entering your tenants’ personal data into the Platform;
(b) informing your tenants about how their data is processed, including that you use LLCR as a data processor; and
(c) responding to any data subject access requests from your tenants.
8.3 We will assist you in responding to data subject requests to the extent that the relevant data is within our systems, and we will notify you without undue delay if we receive a request directly from one of your tenants.
8.4 We process tenant data only on your documented instructions (which are given by your use of the Platform) and in accordance with our obligations as a data processor under Article 28 of the UK GDPR.
8.5 If you require a formal Data Processing Agreement (DPA), please contact us at [email protected] and we will provide one.
9. AI Assistant (Ava) — How Your Data Is Used
9.1 Ava is powered by Anthropic’s Claude language model. When you send a message to Ava, we transmit the following to Anthropic’s API:
(a) your message;
(b) recent conversation history (up to the last 8 messages in the session); and
(c) a summary of your property portfolio (property names, compliance status, and certificate expiry dates) so Ava can give you relevant answers.
9.2 Anthropic processes this data solely to generate a response to your message. Anthropic does not use your data to train its models. Anthropic’s data handling is governed by its API terms and its data retention policies, which you can review at anthropic.com.
9.3 We do not send Anthropic your payment data, your password, or your tenants’ personal contact details.
9.4 Ava conversations are stored on our systems for up to 90 days for debugging and Service improvement purposes, after which they are permanently deleted.
10. Cookies
10.1 Our Cookie Policy is set out in a separate document available at llcr.uk/cookies. It explains what cookies we use, why we use them, and how you can manage your preferences.
10.2 In summary, we use:
(a) strictly necessary cookies for authentication and session management (these cannot be disabled);
(b) analytics cookies (subject to your consent) to help us understand how the Platform is used; and
(c) preference cookies to remember your settings (such as dark mode).
10.3 We do not use advertising or tracking cookies. We do not share cookie data with advertisers.
11. Your Rights Under the UK GDPR
Under the UK GDPR, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to exemptions.
| Right | What this means |
|---|---|
| Right of access | You can ask us for a copy of the personal data we hold about you (a “Subject Access Request”). We will respond within one month. |
| Right to rectification | You can ask us to correct any personal data that is inaccurate or incomplete. You can also update most of your data directly through the Platform. |
| Right to erasure | You can ask us to delete your personal data. We will do so unless we have a legal obligation to retain it (e.g. payment records for HMRC). |
| Right to restrict processing | You can ask us to temporarily stop processing your data in certain circumstances (for example, while we verify its accuracy). |
| Right to data portability | You can ask us to provide your personal data in a structured, commonly used, machine-readable format so you can transfer it to another provider. |
| Right to object | You can object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling grounds that override your interests. |
| Right to withdraw consent | Where processing is based on your consent (e.g. analytics cookies, Telegram alerts), you can withdraw consent at any time. |
| Right to complain | You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113. |
11.1 To exercise any of these rights, please email us at [email protected]. We will respond within one month. If your request is complex, we may extend this by a further two months, but we will tell you within the first month if this is the case.
11.2 We will not charge you a fee to exercise your rights, except in cases where your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.
11.3 We may need to verify your identity before acting on a request.
12. Data Security
12.1 We take the security of your data seriously. We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These include:
(a) encryption of data in transit (TLS/HTTPS) and at rest;
(b) access controls using role-based permissions;
(c) secure password hashing (bcrypt via Supabase Auth);
(d) regular security reviews of our codebase;
(e) use of reputable, certified third-party infrastructure providers (Supabase, Vercel, Stripe); and
(f) workspace isolation, so that each user can only access their own data.
12.2 No system is completely secure. While we take reasonable precautions, we cannot guarantee the absolute security of your data. If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify you and the ICO without undue delay, and in any event within 72 hours, in accordance with Article 33 of the UK GDPR.
13. Automated Decision-Making and Profiling
13.1 We do not use your personal data for automated decision-making that produces legal effects or similarly significant effects on you.
13.2 Ava (our AI assistant) provides informational responses based on your queries and property data. Ava does not make decisions about your access to the Service, your subscription, or your legal rights. You are always in control of any actions you take based on Ava’s responses.
13.3 Compliance scores and traffic-light indicators displayed on the Platform are calculated algorithmically based on your certificate expiry dates. These are informational tools to help you manage your portfolio, not automated decisions. They do not have legal or contractual effects.
14. Changes to This Policy
14.1 We may update this Policy from time to time to reflect changes in our data practices, legal requirements, or the Service itself.
14.2 If we make material changes, we will notify you by email at least 14 days before the changes take effect. We will also update the “Last updated” date at the top of this Policy.
14.3 We encourage you to review this Policy periodically.
15. How to Contact Us
15.1 If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a concern about how we handle your data, please contact us:
Email: [email protected]
Post: LLCR Technologies Ltd, 28 Beaufort Court Admirals Way, London, E14 9XL
15.2 If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF