← LetTrack
Draft — not legally reviewed. This document is a placeholder only and has not been reviewed by a solicitor. Do not rely on it as legal advice.

Data Processing Agreement

Last updated: 10 June 2026

This Data Processing Agreement ("DPA") forms part of your agreement with LetTrack Ltd and governs our processing of personal data on your behalf as required by UK GDPR Article 28.

1. Definitions

  • "Controller": you (the landlord or agency using LetTrack)
  • "Processor": LetTrack Ltd
  • "Data Subjects": your tenants and any other individuals whose personal data you upload
  • "UK GDPR": the UK General Data Protection Regulation as retained in UK law

2. Scope of processing

We process personal data only on your documented instructions for the purpose of providing the LetTrack service. We will not use tenant personal data you upload for our own marketing or analytics purposes.

3. Data security

We implement appropriate technical and organisational measures including: TLS encryption in transit, encryption at rest, row-level security at the database layer, access controls, audit logging, and incident response procedures.

4. Sub-processors

We use the following sub-processors. We will notify you of changes with at least 14 days notice.

  • Supabase Inc — database, authentication, storage (servers in EU)
  • Resend Inc — transactional email
  • Stripe Inc — payment processing (no tenant data shared)
  • Sentry Inc — error monitoring (anonymised)
  • Vercel Inc — application hosting (UK/EU regions available)

5. Data subject rights

We will assist you in fulfilling data subject access requests, erasure requests, and other rights within 5 business days of your request.

6. Breach notification

We will notify you of personal data breaches affecting your data within 48 hours of becoming aware of the breach, to enable you to meet your 72-hour ICO notification obligation.

7. Data transfers

Data is processed in the UK and EEA. We will not transfer personal data to third countries without adequate safeguards.

8. Deletion

On termination we will delete your personal data within 30 days, except where we are required to retain it by law.

9. Governing law

This DPA is governed by the laws of England and Wales.

Contact your DPO

dpo@lettrack.co.uk · [ICO registration pending] · This DPA requires legal review before production use.

LetTrack · All documents are drafts pending legal review · 2026