Privacy & Security

Last updated: 12 June 2026

This page explains what information we collect, why we collect it, and what we do with it. We've kept the language simple on purpose.

Who we are

Estate Portal ("we", "us") provides lettings management software for letting agencies. You can contact us about anything in this policy at our contact page.

Two kinds of data

It helps to separate two situations:

• Data about you — your name, email, password and activity when you use our site or hold an account. For this data, we are the data controller.
• Data your agency stores in the product — details about landlords, tenants, properties and so on. Your agency owns and controls that data; we only process it to provide the service, on the agency's instructions. If you are a tenant or landlord with a question about your data, please contact the agency that manages your property — they control it.

What we collect about you

• Account details — name, email address, phone (optional), and a securely hashed password.
• Things you submit — support tickets, contact-form messages, and content you add to the product.
• Usage and technical data — sign-in times, actions taken in the product (kept in an audit trail for your agency's security), IP address and browser information in server logs.
• Analytics on the public website only — we use Google Analytics on our marketing pages (this page, the home page, contact). The app itself does not load any analytics.

Why we use it

• To provide and secure the service (our contract with your agency).
• To answer your messages and support requests.
• To send service emails — password resets, support replies, notification digests. We don't send marketing emails without your consent.
• To understand how the public website is used, so we can improve it.

Who we share it with

We never sell personal data. We share it only with the service providers we need to run the platform — hosting, file storage, email delivery and error monitoring — under contracts that limit what they can do with it. Some providers may process data outside the UK; where they do, recognised safeguards (such as standard contractual clauses) apply.

How long we keep it

Account data is kept while the account exists. When an agency's workspace is closed, its data is retained until the agency's deletion is completed, then removed. Backups expire on a rolling schedule. Server logs are kept for a short operational period.

Your rights

Under UK data protection law you can ask us to: show you the personal data we hold about you, correct it, delete it, restrict how we use it, or give you a copy. To exercise any of these, contact us.

Cookies

The app uses strictly necessary cookies only (signing you in, protecting forms). The public website additionally uses Google Analytics cookies. We don't use advertising cookies.

How the platform is protected

• Isolation: every agency's data is separated from every other agency's, enforced in the application's architecture on every request.
• Encryption in transit: all traffic to and from the service uses HTTPS.
• Access control: role-based permissions are enforced on the server — staff can only see and do what their role allows.
• Account protection: passwords are stored hashed (never readable), strong passwords are required, and repeated failed sign-ins lock the account temporarily.
• Uploads: every uploaded file is virus-scanned before it can be downloaded, stored privately, and never publicly accessible.
• Audit trail: actions in the product are recorded — who did what, and when.
• Backups: the database is backed up on a schedule, with copies stored off-site, so data survives a server failure.
• Monitoring: errors are tracked centrally so problems are seen and fixed quickly.

Reporting a vulnerability

If you believe you've found a security weakness, we genuinely want to hear about it.

• Tell us privately via the contact page — include enough detail for us to reproduce the issue.

We'll acknowledge your report, keep you informed, and credit you for the find if you'd like.

Bug bounty

We pay rewards of up to £1,000 for verified reports of major security vulnerabilities. The amount depends on the severity and real-world impact of the issue, judged at our reasonable discretion once we've reproduced and confirmed it. One reward per unique issue, paid to the first person who reports it; an issue we already know about, or one in a third-party service we use, doesn't qualify. We'll tell you what we've assessed and why.

Your part

Security is shared: use a strong, unique password, don't share logins, and remove staff accounts promptly when people leave. Agency admins can manage users from their settings at any time.

Changes

If we change this policy in a way that matters, we'll update this page and the date at the top.