Privacy Policy

This Privacy Policy explains how Harvey W James LTD collects, uses and protects personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It supersedes any earlier policy on this website. We review it at least annually and whenever our processing changes materially.

This policy applies to everyone whose personal data we hold: prospective and current tenants, guarantors, landlords, contractors and suppliers, website visitors, enquirers, and newsletter subscribers.

1. Who we are and how to contact us

Harvey W James is a trading name of Harvey W James LTD, the data controller for the personal data described in this policy.

  • Companies House registration: 11169043 (England & Wales)
  • Registered office: 1st Floor, 415 High Street, Stratford, London, E15 4QZ
  • ICO registration: ZA312485 — verify at ico.org.uk/ESDWebPages/Entry/ZA312485
  • Telephone: 020 3865 1500
  • Email for data protection enquiries: info@harveywjames.com

For any question about this policy, how we handle your personal data, or to exercise any of the rights in section 8 below, contact us using the details above.

2. The personal data we collect

We collect personal data only where we need it for a specified, lawful purpose. The categories vary by the relationship you have with us.

2.1 Prospective tenants

When you enquire about a property, attend a viewing, or apply to rent we collect:

  • Name, contact details (telephone, email, current address), date of birth
  • Identification and Right to Rent documentation (passport, biometric residence permit, share code, visa, driving licence)
  • Employment and income evidence (employer name, role, salary, payslips, employment reference)
  • Affordability and credit reference data (previous addresses, credit history, county court judgments, bankruptcy records)
  • Previous landlord reference (rental history, conduct, arrears)
  • Bank statements where required to evidence affordability
  • Guarantor details (where a guarantor is offered)
  • Anti-fraud and sanctions screening results
  • Property preferences and viewing history
  • Communications between you and Harvey W James about the property

2.2 Current and former tenants

During and after a tenancy we hold the data above plus:

  • The signed tenancy agreement and any addenda
  • Deposit registration details and the prescribed information
  • Rent ledger and payment history
  • Repairs, maintenance and inspection records
  • Correspondence about the tenancy (including any complaints)
  • Move-in and check-out inventory and condition reports
  • End-of-tenancy financial reconciliation, including deposit deductions where applicable

2.3 Guarantors

Where a guarantor is required we collect the same identity, contact, employment and affordability evidence as for a tenant, plus the signed guarantor deed.

2.4 Landlords and prospective landlords

When you instruct us to let or manage a property we collect:

  • Name, contact details, registered address (or residential address where the landlord is an individual)
  • Proof of ownership and authority to let (title documents, mortgage consent where required, head-lessor consent where required)
  • Bank account details for rent transfers
  • Tax status, including Non-Resident Landlord (NRL) scheme status where relevant
  • Where Anti-Money Laundering checks are engaged: identification documents and source-of-funds evidence
  • Property compliance documentation (Gas Safety, EPC, EICR, smoke and carbon-monoxide alarm certificates, PRS Database registration, selective licensing where applicable)
  • Insurance documentation
  • Communications about the property and our service

2.5 Contractors, suppliers and professional partners

Name, business contact details, qualifications, insurance details (public liability, professional indemnity), trade body memberships, invoices and payment records.

2.6 Website visitors

When you visit www.harveywjames.com we may receive technical data through cookies and analytics tools: IP address (truncated for analytics), browser type and version, device type, pages viewed, referring URL, and session duration. See section 10 on cookies.

2.7 Enquirers and newsletter subscribers

Where you submit an enquiry form or sign up to our newsletter we collect the name, email address and any free-text message you provide, plus a record of your consent (where consent is the lawful basis).

3. Special category data (UK GDPR Article 9)

Some categories of personal data are treated as "special category" under UK GDPR Article 9. We process special category data only where one of the conditions in Article 9(2) is satisfied alongside an Article 6 lawful basis. The cases that arise in our work:

  • Immigration and nationality status (Right to Rent). Required to operate the statutory Right to Rent regime under the Immigration Act 2014 ss.20-37. Article 9 condition: substantial public interest with a basis in law (Schedule 1 Part 2 paragraph 6, Data Protection Act 2018 — statutory and government purposes).
  • Health data (reasonable adjustments). A tenant or applicant may volunteer health information when requesting a reasonable adjustment under the Equality Act 2010 (for example, an accessible property feature). Article 9 condition: substantial public interest (Schedule 1 Part 2 paragraph 8, Data Protection Act 2018 — equality of opportunity or treatment). We process only what is necessary to consider the adjustment.

We do not collect biometric data, genetic data, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.

4. Why we collect it, and the lawful basis (UK GDPR Article 6)

We rely on the following lawful bases. Most processing falls under more than one of these, in which case the strongest applicable basis governs.

Purpose | Lawful basis | Whose data
Marketing a property, conducting viewings, and matching applicants to properties | Legitimate interests — carrying on our letting business | Prospective tenants, landlords
Negotiating and performing a tenancy agreement | Contract | Tenants, guarantors, landlords
Right to Rent checks | Legal obligation (Immigration Act 2014) | All occupiers aged 18+
Referencing and credit checks before granting a tenancy | Contract (pre-contractual steps at your request) and legitimate interests | Prospective tenants, guarantors
Anti-Money Laundering checks where statutory thresholds engage | Legal obligation (Money Laundering Regulations 2017) | Landlords
Deposit protection and deposit dispute handling | Legal obligation (Housing Act 2004 ss.212-215) | Tenants, landlords
Rent collection, accounting and statements | Contract | Tenants, landlords
Repairs, maintenance and contractor coordination | Contract; legitimate interests (managing the property safely) | Tenants, landlords, contractors
Compliance maintenance — Gas Safety, EPC, EICR, smoke and CO alarms, Awaab's Law tracking | Legal obligation; legitimate interests | Landlords, tenants
Property Redress Scheme and PRS Ombudsman compliance | Legal obligation | Landlords, tenants
HMRC reporting — Non-Resident Landlord scheme, Making Tax Digital where engaged | Legal obligation | Landlords
Internal complaint handling | Legal obligation (Property Redress Scheme membership rules); contract | All complainants
Court and tribunal proceedings (possession, deposit, rent disputes) | Legal obligation; legitimate interests | All parties to the proceedings
Direct marketing and newsletter | Consent (UK GDPR Article 6(1)(a) and PECR Reg 22) | Opted-in subscribers only
Website analytics (non-strictly-necessary cookies) | Consent (PECR Reg 6) | Website visitors who opt in
Detection and prevention of fraud and money laundering | Legitimate interests; legal obligation where engaged | All categories

Where our lawful basis is legitimate interests, you have a right to object to the processing (see section 8.6).

5. Who we share your personal data with

We share personal data only with the recipients listed below, only for the purposes set out above, and only to the extent each recipient needs the data to perform its role.

5.1 Service providers we use to deliver lettings and property management

  • Goodlord (goodlord.co) — referencing platform and tenancy management; UK-based.
  • Credas (credas.com) — digital identity verification, including Right to Rent and Anti-Money Laundering checks; DIATF-certified; UK-based.
  • Inventory Base (inventorybase.co.uk) — digital inventory and inspection reports; UK-based.
  • Kamma (kammadata.com) — regulatory compliance data and licensing intelligence; UK-based.
  • Street.co.uk (street.co.uk) — customer relationship management and report-a-repair system; UK-based.
  • LettsPay (lettspay.co.uk) — FCA-authorised client accounting and rent processing; UK-based.
  • KeyNest (keynest.com) — key custody for properties without 24/7 concierge access; UK-based.
  • Viewber (viewber.co.uk) — UK-vetted member network for hosted viewings and inspections; UK-based.
  • Giraffe360 (giraffe360.com) — virtual tours and floor plans; UK / EU based.
  • PropServe (propserv.co) and Checkatrade (checkatrade.com) — repair contractor sourcing and vetted-trade networks; UK-based.
  • Flatfair (flatfair.co.uk) and Reposit (reposit.co.uk) — deposit-alternative products, where offered to the tenant.

5.2 Statutory schemes and regulators

  • Tenancy Deposit Scheme (TDS) — statutory scheme for deposit protection.
  • Property Redress Scheme (PRS) (propertyredress.co.uk) — our consumer redress scheme; from late 2026 the new statutory PRS Ombudsman.
  • Propertymark (propertymark.co.uk) — Client Money Protection provider and trade body.
  • Information Commissioner's Office (ICO) — where required.
  • HMRC, local authorities and licensing bodies — where legally required (NRL scheme, Making Tax Digital, council tax notifications, selective licensing schemes).
  • Courts and tribunals — where required by court order or in connection with possession, deposit or rent proceedings.

5.3 Property advertising platforms

  • Rightmove (rightmove.co.uk) and Zoopla (zoopla.co.uk) — where instructed by the landlord to advertise a property. The property's address and features are shared; applicants then enquire through the platform or directly with us.

5.4 Professional advisors

Our solicitors, accountants (including our strategic accountancy partner YWC London LLP for overseas-landlord tax matters), tax advisors, insurance brokers and our professional indemnity insurer Hiscox (hiscox.co.uk). Each is engaged on a need-to-know basis under their own professional duties of confidence and their own UK GDPR obligations.

5.5 What we do not do

We do not sell personal data. We do not share personal data with advertisers, data brokers or marketing list providers. We do not use personal data for any purpose materially different from those described in this policy.

6. International transfers

Most of our processing takes place in the United Kingdom. Where a service provider listed in section 5 stores or processes personal data outside the UK — typically because a cloud sub-processor sits in the European Economic Area or, less commonly, the United States — we rely on one of the safeguards permitted by UK GDPR Article 46:

  • An adequacy decision (the EEA, for example).
  • A UK International Data Transfer Agreement.
  • A UK Addendum to the EU Standard Contractual Clauses.

We do not transfer personal data to any country without a recognised lawful safeguard in place.

7. How long we keep your personal data

We hold personal data only for as long as we need it for the purposes set out above, or for as long as the law requires us to retain it. The anchors below are our standard retention periods. Specific records may be retained for longer where required by a legal hold (active dispute, regulatory investigation, court order).

Category | Retention period | Anchor
Tenancy agreements, rental ledgers, deposit records | 7 years from end of tenancy | Limitation Act 1980 (6-year contract claims) + 1-year buffer; HMRC record-keeping
Right to Rent documentation | Duration of tenancy plus 1 year | Immigration Act 2014 statutory minimum
Referencing and credit-check data for unsuccessful applicants | 12 months from application decision | Defence to discrimination and dispute claims
Anti-Money Laundering records | 5 years from end of business relationship | Money Laundering Regulations 2017, regulation 40
Repairs, maintenance and inspection records | 7 years from end of tenancy | Aligned with tenancy records and contractor dispute window
Compliance certificates — Gas Safety, EPC, EICR, smoke and CO alarms | For the regulatory currency of the certificate plus 6 years | Statutory currency + Limitation Act 1980
Marketing and newsletter consent records | Until consent is withdrawn, plus 6 months audit trail of the withdrawal | PECR Regulation 22
General email correspondence | 6 years from last contact | Limitation Act 1980
Website analytics data | Aggregated and anonymised after 14 months | UK GDPR data minimisation principle
Complaint files (Internal Complaints Procedure) | 6 years from closure | Property Redress Scheme member rules and Limitation Act 1980

We do not operate CCTV at our registered office and we do not collect CCTV or video data from managed properties.

8. Your rights under UK GDPR

You have the following rights in respect of your personal data. All are free to exercise. We may need to verify your identity before responding and we will normally respond within one month, extendable by up to two further months where the request is complex (and we will tell you within the first month if we need to extend).

8.1 The right of access (Article 15)

You have the right to a copy of the personal data we hold about you and information about how it is processed. This is the Subject Access Request — see section 9 below.

8.2 The right to rectification (Article 16)

You have the right to ask us to correct personal data that is inaccurate or incomplete.

8.3 The right to erasure (Article 17)

You have the right to ask us to delete personal data we hold about you. We can refuse where we are required by law to retain the data (see section 7) or where we need it to establish, exercise or defend a legal claim. Where retention is required, we will tell you which obligation applies.

8.4 The right to restriction (Article 18)

You have the right to ask us to limit how we process your personal data in specific circumstances — for example while we resolve a query about accuracy.

8.5 The right to data portability (Article 20)

Where we process personal data on the basis of contract or your consent, and we hold it electronically, you have the right to receive it in a structured, commonly used and machine-readable format, or to have it transmitted directly to another controller where technically feasible.

8.6 The right to object (Article 21)

You have the right to object to processing based on legitimate interests (including direct marketing). For direct marketing, the objection is absolute and we will stop on receipt of your request. For other legitimate-interests processing, we will balance the request against the interests we are pursuing.

8.7 Rights in relation to automated decision-making (Article 22)

We do not make decisions about you based solely on automated processing where those decisions have legal or similarly significant effects. Credit and referencing decisions involve human review.

8.8 The right to withdraw consent (Article 7(3))

Where we process personal data on the basis of your consent (direct marketing, non-essential cookies), you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.

To exercise any of these rights, contact us using the details in section 1.

9. Subject Access Requests

A Subject Access Request is a written request for a copy of the personal data we hold about you. It is free in most cases. We may charge a reasonable fee or refuse to act only where a request is manifestly unfounded or excessive, and we will explain our reasoning if we do.

To make a Subject Access Request:

  • Write to us at info@harveywjames.com or by post to the registered office at section 1.
  • Tell us who you are, with enough information for us to identify your records.
  • Tell us what data you want — a complete record, or a specific category (for example, the rent ledger for a particular property, or all email correspondence in a specific year).
  • We may ask for proof of identity before disclosing personal data, to protect against impersonation.

We will respond within one month, extendable by up to two further months for complex requests with notice. Where releasing data would prejudice the rights of a third party (for example, another tenant in a shared property, or a contractor), we may redact those parts and explain the redaction.

10. Cookies and similar technologies

Our website uses cookies in three categories, governed by the Privacy and Electronic Communications Regulations 2003 (PECR):

  • Strictly necessary cookies are required for the website to function — session management, security, fraud prevention and CSRF protection. No consent is needed under PECR Regulation 6(4).
  • Functional cookies remember preferences such as language or display settings. Optional; controlled by the cookie banner.
  • Analytics cookies measure aggregate website usage so we can improve the site. Loaded only with your consent through the cookie banner.

We do not use advertising cookies and we do not allow third-party advertising or behavioural tracking on the site.

You can withdraw consent at any time by clearing your browser cookies for www.harveywjames.com, or by adjusting cookie preferences through the cookie banner. Most browsers also allow you to refuse or delete cookies through browser settings; refusing strictly-necessary cookies may stop parts of the site from working.

11. How we protect your personal data

We use technical and organisational measures proportionate to the risk of the processing, including:

  • Encryption-at-rest on the platforms and devices we use.
  • Multi-factor authentication on all staff accounts and on the partner systems listed in section 5.
  • Role-based access controls — staff see only the data they need to perform their role.
  • Locked physical access to the registered office, and locked storage for any paper records that must be retained.
  • Staff training on data protection at induction and at least annually.
  • Regular review of the security posture of the third-party processors we rely on, as part of our standard supplier due diligence.

We have a documented procedure for personal-data-breach response. Where a breach occurs and is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours under UK GDPR Article 33 and, where the risk is high, we will inform the affected individuals directly.

12. Changes to this policy

We review this policy at least annually and whenever our processing changes materially (a new partner introduced into section 5, a new statutory obligation, a new product). The "Last reviewed" date at the foot of this page records the most recent review. Where a change is material we will draw attention to it via the website or by direct notification where appropriate.

13. Complaints

If you are not satisfied with how we have handled your personal data:

Stage 1 — Internal review. Contact us first using the details in section 1, or via our Internal Complaints Procedure. We will acknowledge in writing within 3 working days and respond substantively within 15 working days.

Stage 2 — Information Commissioner's Office. If you remain dissatisfied, you have the right to complain to the ICO at any time:

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Reference our registration: ZA312485

You do not need to come to us first before complaining to the ICO. We would prefer the chance to put things right, but the choice is yours.

14. Contact us

This Privacy Policy is governed by the laws of England and Wales. References to UK GDPR are to the United Kingdom General Data Protection Regulation as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended.

Last reviewed: 25 May 2026
