
Privacy policy

Last updated: 2 July 2026

Who we are

Holdfast is an online service that helps small landlords in England navigate Section 8 possession proceedings. The data controller for personal data collected through this service is the operator of Holdfast (“we”, “us”, “our”). For data protection queries, contact us at privacy@holdfast.app.

Data we collect

  • Account data: email address and password hash (managed by Supabase Auth). Required to create and maintain your account.
  • Property and tenancy data: property addresses, tenancy start and end dates, rent amounts, deposit details, and compliance certificate records that you enter into the service.
  • Notice data: the answers you provide in the wizard and the generated notices and rent-increase forms.
  • Payment data: billing is handled entirely by Stripe. We store a Stripe customer ID and a record of your entitlement; we never see or store card numbers or payment details.
  • Communications: if you contact us by email, we retain those communications.
  • Technical data: server logs (IP address, timestamp, HTTP method and path, user-agent) retained for up to 30 days for security and error diagnosis.

Lawful basis for processing

We rely on the following lawful bases under UK GDPR Article 6:

  • Performance of a contract (Art. 6(1)(b)): to provide the service — storing properties, tenancies, documents and notices; processing payments; issuing entitlements.
  • Legitimate interests (Art. 6(1)(f)): diagnosing errors, improving the service, and maintaining security. We have assessed that, given the limited scope of this processing, our interests do not override your rights and freedoms.
  • Consent (Art. 6(1)(a)): sending optional emails (certificate expiry reminders, service updates) if you opt in. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): retaining financial records for the period required by HMRC.

Retention periods

  • Account, property and tenancy data: retained while your account is active. Deleted within 30 days of account deletion.
  • Notice and wizard data: retained with your account; deleted on account deletion.
  • Payment records: Stripe retains billing records independently per their policy. We retain our record of your entitlement for 7 years (HMRC requirement).
  • Server logs: up to 30 days, then deleted.
  • Email communications: retained for as long as reasonably necessary to resolve the query.

Third-party processors

We share data with the following processors, each bound by a data processing agreement:

  • Supabase: authentication, database and file storage. Data is stored on servers in the European Union.
  • Stripe: payment processing. Stripe is a US-based company — see “International transfers” below. Stripe's own privacy policy applies to data you provide at checkout.
  • Vercel: hosting and edge delivery. Vercel processes request data (IP, path, headers) as part of serving the application; this is covered by Vercel's DPA. We also use Vercel Web Analytics to see aggregate page-view and visit counts — it is cookieless and does not build a profile of individual visitors.

We do not sell your data, use it for advertising, or share it with any other third parties.

International data transfers

Stripe, our payment processor, is based in the United States. Transfers of personal data to Stripe are made under Standard Contractual Clauses approved by the UK ICO, providing equivalent protections to those required by UK GDPR. No other personal data is transferred outside the UK or European Economic Area.

Cookies and tracking

We use only essential cookies — specifically the session token set by Supabase Auth to keep you signed in. No advertising or tracking cookies are set.

We use Vercel Web Analytics to understand overall traffic and page views. It does not use cookies or any other persistent identifier, and it does not track you individually or across other websites — it only reports aggregate, anonymised counts.

A cookie banner appears on marketing pages to record your preference. Because we do not use non-essential cookies, both choices have the same practical effect. If you later clear your cookies, the banner will reappear.

You can also block cookies in your browser settings, though doing so may prevent you from staying signed in.

Your rights under UK GDPR

You have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Erase your data (the “right to be forgotten”), subject to our legal retention obligations.
  • Restrict processing in certain circumstances, for example while a complaint is investigated.
  • Portability — receive a copy of your data in a structured, machine-readable format.
  • Object to processing based on our legitimate interests.
  • Withdraw consent at any time for processing based on consent (e.g. optional reminder and service-update emails), without affecting the lawfulness of processing before withdrawal.
  • Not be subject to solely automated decisions that produce legal or similarly significant effects. Holdfast does not make such decisions.

To exercise any of these rights, email privacy@holdfast.app. We will respond within 30 days. You can also delete your account directly in account settings, which removes your personal data within 30 days.

How to raise a concern

If you have a concern about how we handle your personal data, please contact us first at privacy@holdfast.app. We will acknowledge your concern within 5 working days and aim to resolve it within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent data protection regulator.

Changes to this policy

We may update this policy from time to time. We will display the updated date at the top of this page and, for material changes, we will notify users by email or in-app notice.
