Legal
Privacy policy
Version 1.0 · Last updated 24 April 2026
This privacy policy explains how HAIVN Property Management Ltd ("HAIVN", "we", "us") collects, uses, shares, and protects personal data. It applies to our website haivn-property.ai, the HAIVN web application, and any related services.
HAIVN is registered in England and Wales and registered with the UK Information Commissioner's Office (ICO). For the purposes of the UK GDPR and the Data Protection Act 2018, HAIVN is a data controller for the personal data we collect directly from you, and a data processor for personal data we process on behalf of letting agents and landlords who use our platform.
Who to contact
For any data-protection question or to exercise your rights:
- Email: privacy@haivn-property.ai
- Interim Data Protection Officer: Alex Johnstone
- Post: HAIVN Property Management Ltd, United Kingdom (full registered-office address available on request)
You also have the right to complain to the UK Information Commissioner's Office if you believe we have mishandled your data.
Personal data we collect
Depending on your relationship with HAIVN we may collect:
- Identity: name, email, phone, date of birth, residential address, profile photos.
- Account: email + hashed password, two-factor secret (encrypted), session cookies.
- Tenant-specific: National Insurance number, passport / BRP scans, Right-to-Rent evidence, employment + income references, bank-statement extracts (for referencing), previous addresses, guarantor details — where you are a tenant or prospective tenant.
- Landlord / agent-specific: company details, bank-account details (encrypted), KYB documents, tax references, property portfolio, tenancy documents.
- Financial: rent transactions, deposits, expenses, landlord-payout details, subscription payment metadata.
- Bank-transaction data — only where you voluntarily connect a UK bank account via Open Banking for bookkeeping / MTD submission purposes. We never see your online-banking login; we receive transaction data via an FCA-authorised Account Information Service Provider.
- Communications: messages you send us or via the platform, maintenance reports, support tickets.
- Technical: IP address, browser, device fingerprint, cookies, pages viewed, timestamps — for security, fraud prevention, and for HMRC Fraud Prevention Headers where required by UK tax authorities.
- Automated decision-making / profiling: AI-generated categorisation of your transactions, maintenance triage, and compliance risk scoring. You can request human review of any automated decision that significantly affects you (see "Your rights" below).
How we use your data (lawful basis)
Under UK GDPR Article 6 (and Article 9 for special-category data) we rely on the following lawful bases, depending on the purpose:
- Contract — to provide the services you or your agent/landlord have signed up for (account creation, property management, rent collection, MTD submissions).
- Legal obligation — Right-to-Rent checks (Immigration Act 2014), Anti-Money-Laundering checks (MLR 2017), HMRC record-keeping (6 years post-tax-year), deposit protection (Housing Act 2004).
- Legitimate interests — platform security, fraud prevention, service improvement, defending legal claims (Limitation Act 1980). We balance these against your rights and freedoms and will not use legitimate interests where your rights override ours.
- Consent — optional marketing emails, non-essential cookies, and any special-category data we process (e.g. biometric data captured during identity verification). You can withdraw consent at any time without affecting processing that happened before withdrawal.
Who we share data with
We share personal data only where necessary, with the following categories of recipient:
- Letting agents and landlords who you are a tenant of — where HAIVN acts as their processor for your data.
- Processors and sub-processors (contractual DPAs in place, UK / EU / adequate-country hosting or appropriate safeguards for third-country transfers):
  - Amazon Web Services (via Neon) — application database (us-east-1, see "International transfers"). Provider: Neon.
  - Vercel — application hosting + edge compute.
  - Cloudflare — object storage (R2) for documents + images, and bot-protection (Turnstile).
  - Stripe — subscription payments, customer billing.
  - Anthropic — AI models for transaction categorisation, maintenance triage, drafting communications.
  - Resend — transactional email delivery.
  - Sentry — application error monitoring.
  - CREDAS — identity verification, Right-to-Rent checks, tenancy referencing, landlord KYB.
  - Tink / TrueLayer (or another FCA-authorised AISP) — reading bank-account data under Open Banking, only where you have given explicit consent.
  - FreeAgent — accounting ledger for legacy landlord accounts (being phased out in favour of HAIVN-native + Xero for incorporated landlords).
- HMRC — Self-Assessment and MTD ITSA submissions, where you have authorised us to file on your behalf.
- Tenancy-deposit protection schemes (TDS / DPS / MyDeposits).
- Legal, regulatory, law-enforcement bodies where required by law (e.g. Section 45 MLR disclosure, court orders).
- Professional advisers — lawyers, accountants, insurers, under duties of confidentiality.
- Buyers / successors — in the event of a business sale, merger, or insolvency, personal data may transfer to the acquirer subject to the same protections.
We do not sell personal data to third parties for advertising.
International transfers
Some of our processors are based outside the UK. Where we transfer personal data internationally we rely on one or more of the following safeguards:
- UK adequacy decisions — for transfers to the EEA, Switzerland, Canada, and other countries covered by a UK adequacy regulation.
- UK-US Data Bridge (Data Privacy Framework, in force 12 October 2023) — for transfers to DPF-certified US organisations (including AWS, which hosts our Neon database in us-east-1).
- UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK addendum — for other transfers.
How long we keep your data
We keep personal data only for as long as necessary to fulfil the purpose for which it was collected, including legal, tax, and reporting requirements. Typical retention periods:
- Tenancy + rent records — 6 years after the end of the tenancy (Limitation Act 1980, HMRC requirements).
- AML / KYC records — 5 years from the end of the customer relationship (Money Laundering Regulations 2017).
- Right-to-Rent evidence — at least 2 years after the tenancy ends.
- HMRC Self-Assessment evidence — 6 years after the end of the relevant tax year.
- MTD submission payloads + fraud-prevention headers — 7 years (HMRC audit requirement).
- Account records (inactive users) — 7 years after account closure.
- Marketing contact data — until you unsubscribe or 2 years without engagement, whichever is sooner.
- Technical / security logs — up to 18 months.
At the end of a retention period we either delete the data or pseudonymise it so you can no longer be identified. Full detail is in our internal HAIVN GDPR Retention Policy, available on request.
Your rights
Under UK GDPR you have the right to:
- Access a copy of your personal data (Article 15).
- Rectify inaccurate or incomplete data (Article 16).
- Erase your data where the legal basis for holding it no longer applies (Article 17) — subject to our retention obligations.
- Restrict or object to our processing (Articles 18, 21).
- Data portability — receive your data in a structured, commonly-used, machine-readable format (Article 20).
- Withdraw consent at any time, where the processing was based on consent.
- Not be subject to automated decision-making that significantly affects you (Article 22) — you can request human review of AI-driven categorisation or assessment.
- Complain to the ICO — see contact details above.
To exercise any of these rights, email privacy@haivn-property.ai. We will respond within one month (UK GDPR Article 12) and may ask for proof of identity before acting on a request.
Security
We protect personal data using organisational and technical measures including: AES-256-GCM encryption at rest for sensitive fields (bank details, National Insurance numbers, dates of birth, OAuth tokens), TLS 1.2+ in transit, bcrypt for passwords, role-based access controls, detailed audit logging of admin actions, two-factor authentication for staff accounts, and regular security reviews.
No security system is impenetrable. If we suffer a personal-data breach that is likely to pose a risk to your rights, we will notify you and the ICO within 72 hours as required.
Cookies
We use a small set of essential cookies required to provide the service (session authentication, CSRF protection, user preferences). We do not use advertising cookies and we do not share cookie data with third-party advertising networks.
Where we use analytics cookies to understand product usage, we ask for your consent first.
Children
HAIVN is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children.
Changes to this policy
We may update this policy from time to time. When we make material changes we will notify you by email (if you have an account) and update the "Last updated" date at the top of this page. For material changes affecting your rights, we will seek fresh consent where required.
If anything in this policy is unclear or you'd like a plain-English summary of how a specific part of the service handles your data, email privacy@haivn-property.ai and we'll walk you through it.