Privacy Policy
Last updated: 7 May 2026 · Version: 1.0
Notice to publisher: This document has been drafted by reference to UK GDPR Articles 13 & 14, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR) as amended by the Data (Use and Access) Act 2025, and ICO guidance current at the date above. It is comprehensive but is not legal advice. You should have it reviewed by a UK-qualified data-protection solicitor or DPO before publishing, and update the placeholders marked [ ] with your real registered company details and ICO registration number.
1. Who we are
This Privacy Policy explains how Property Investor App ("PIA", "we", "us", "our") collects, uses, shares and protects personal data when you use the Article 4 HMO Checker (the "Tool") at article4checker.com.
For the purposes of UK GDPR, we are the data controller of the personal data we collect through the Tool.
- Controller name: [Registered company name — e.g. Property Investor App Ltd]
- Registered address: [Registered office address]
- Companies House number: [Number]
- ICO registration number: [ZA-number — register at ico.org.uk/registration]
- Data Protection contact: [email protected]
2. The personal data we process
2.1 Data you give us directly
- Email address and first name — when you submit the lead-magnet form to receive the Article 4 master spreadsheet.
- Consent preferences — your tick-box selections for privacy policy acceptance, marketing emails, and Article 4 alert notifications.
- Identification information — when you submit a data-rights request (your name and email so we can verify the request).
2.2 Data created when you use the Tool
- Postcode and house number you enter into the checker. Held only on your device in browser storage. We never transmit them to our servers.
- Cookie / storage preference recorded by our cookie banner. Held only on your device.
2.3 Data collected automatically by our infrastructure provider
- IP address, user agent, request timestamps — logged transiently by our hosting provider for security and abuse prevention. Retention: typically 14-30 days. Not used for marketing or analytics.
2.4 Special category data
We do not intentionally collect special category data (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic, biometric, health, sex life or sexual orientation data) or criminal-conviction data.
2.5 Children's data
The Tool is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has submitted personal data to us, contact [email protected] and we will delete it promptly.
3. Why we process your data and our lawful basis
Under UK GDPR Article 6, every processing activity must have a lawful basis. Here's how this applies to us:
| Activity | Purpose | Lawful basis |
|---|---|---|
| Postcode lookup via the Tool | Returning Article 4 status, sold prices and council compliance data you asked for | Legitimate interests (Art 6(1)(f)) — you initiated the lookup |
| Lead-magnet email delivery | Sending you the Article 4 master spreadsheet you requested | Consent (Art 6(1)(a)) — you ticked the privacy policy box |
| Marketing emails | Periodic updates about Article 4, HMOs and property investing | Consent (Art 6(1)(a)) + PECR Reg 22 — you ticked the marketing box |
| Article 4 alert notifications | Notifying you when new Article 4 directions are announced | Consent (Art 6(1)(a)) + PECR Reg 22 |
| Browser-storage caching | Caching your lookup results so the page is fast on return visits | PECR Reg 6 strictly-necessary exemption — service requested by you |
| Server logs (IP, user agent) | Security, fraud prevention, troubleshooting | Legitimate interests (Art 6(1)(f)) — operating a secure website |
| Responding to data-rights requests | Verifying your identity and acting on your request | Legal obligation (Art 6(1)(c)) — UK GDPR Articles 15-22 |
4. Who we share your data with
We do not sell your personal data and we do not share it for any third party's marketing. We only use the processors below, each contracted under UK GDPR Article 28:
4.1 Sub-processors and joint controllers
- postcodes.io (Ideal Postcodes Ltd, UK) — receives the postcode you enter, returns coordinates and LPA. Their terms.
- planning.data.gov.uk (Department for Levelling Up, Housing & Communities, UK gov) — receives a coordinate point, returns Article 4 boundaries.
- HM Land Registry — Open Data SPARQL (UK gov) — receives postcode, returns historical sold-price transactions. Data used under the Open Government Licence v3.0.
- Kit (formerly ConvertKit) — Seva Inc., USA — stores subscriber emails when you request the lead-magnet spreadsheet. Their privacy policy.
- YouTube (privacy-enhanced mode via youtube-nocookie.com) — Google LLC, USA — only loads if you scroll to the educational video; even then, no tracking until you click play.
- jsDelivr CDN — Prospect One, Poland — serves the Chart.js library to your browser. No personal data sent beyond standard HTTP request metadata.
- [Hosting provider — fill in: e.g. Cloudflare, AWS, your shared host] — UK / EEA — hosts the static files. May log IP addresses transiently for security.
4.2 Disclosure required by law
We may disclose personal data if we are legally required to (e.g. by court order, ICO request, or to comply with the Data Protection Act 2018, Proceeds of Crime Act 2002, or other UK statute), provided we are satisfied the request is lawful and proportionate.
5. International transfers
Two of our processors (Kit, YouTube) are based in the United States. Your data is transferred under one of:
- The UK Extension to the EU-US Data Privacy Framework (DPF), where the recipient is DPF-certified; or
- The ICO's International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum, where the recipient is not DPF-certified.
You can request a copy of the transfer mechanism in place for any specific processor by emailing [email protected].
6. How long we keep your data
| Data | Retention |
|---|---|
| Postcode/house number entered into the Tool | Browser cache only — postcodes 30 days, Article 4 result 7 days, sold prices 30 days. Cleared by you any time via the cookie banner "Disable storage" button or by clearing site data. |
| Lead-magnet subscriber email + name | Until you unsubscribe or request deletion. Inactive subscribers (no opens or clicks for 24 months) are reviewed and may be removed. |
| Consent records | For the duration of the subscription plus 6 years thereafter (Limitation Act 1980), so we can demonstrate consent under UK GDPR Art 7(1). |
| Server access logs | 14-30 days, depending on hosting provider configuration. |
| Data-rights request correspondence | 3 years from the date of resolution, for accountability. |
7. Your rights under UK GDPR
You have the following rights, free of charge in most cases (we may charge a reasonable fee or refuse if a request is manifestly unfounded or excessive — Art 12(5)):
- Right to be informed (Art 13/14) — this notice fulfils that.
- Right of access (Art 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art 16) — ask us to correct inaccurate data.
- Right to erasure / "right to be forgotten" (Art 17) — ask us to delete your data, subject to legal-retention exceptions.
- Right to restrict processing (Art 18) — ask us to pause processing while we investigate a query.
- Right to data portability (Art 20) — receive your data in a structured, machine-readable format.
- Right to object (Art 21) — object to processing based on legitimate interests, including direct marketing (which we will always honour).
- Rights related to automated decision-making and profiling (Art 22) — we do not perform any automated decision-making with legal or similarly significant effects.
- Right to withdraw consent (Art 7(3)) — at any time, with no detriment, by clicking "unsubscribe" in any email or via our data-deletion form.
To exercise any of these rights, use our request form or email [email protected]. We will respond within 30 days as required by Art 12(3); for complex or numerous requests we may extend this by up to two months, and we will notify you if we do.
8. Right to complain to the ICO
If you believe we have mishandled your personal data, please give us the chance to put it right by contacting our DPO first. You also have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
ico.org.uk/concerns
9. Cookies and similar storage technologies
The Tool uses your browser's localStorage to cache lookup results so repeat visits load fast. We do not use:
- Advertising cookies
- Third-party tracking pixels
- Analytics cookies (Google Analytics, Hotjar, etc.)
- Cross-site tracking technologies
Under PECR (as amended by the Data (Use and Access) Act 2025, in force from 5 February 2026), the storage we use falls under the strictly-necessary exemption (Reg 6(4)) — without it the Tool cannot deliver the lookup service you requested. We still offer an opt-out via the cookie banner for transparency.
The cookie banner allows you to accept storage or disable it. Both options are presented with equal prominence per ICO guidance. Disabling storage means we won't cache results — every lookup will hit the live APIs afresh.
10. Security
We protect personal data with appropriate technical and organisational measures (UK GDPR Art 32):
- HTTPS (TLS 1.2+) for all communications
- Subscriber data encrypted at rest by Kit
- Access to subscriber data restricted to named directors and contractors with a legitimate business need
- Two-factor authentication on all admin accounts
- Regular review of third-party processors' security posture
11. Personal data breaches
If a breach poses a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it (UK GDPR Art 33). If the risk is high, we will notify affected individuals directly without undue delay (Art 34).
12. Profiling and automated decision-making
We do not perform any automated decision-making with legal or similarly significant effects. The Tool's lookups are public-data lookups based on a postcode; they do not profile you and do not affect any decision made about you.
13. Changes to this Privacy Policy
We will post material changes on this page and update the "Last updated" date at the top. If the change is significant and you are subscribed, we will email you in advance.
14. Contact
For any privacy question, complaint or rights request: [email protected] or write to our registered address listed in section 1.
