Privacy Policy

1. Introduction

QUALISYNC LIMITED (trading as “Lettie”) is committed to handling personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy covers our website (asklettie.com) and our AI-powered WhatsApp chatbot service.

2. Who This Policy Applies To

This policy covers landlords, tenants whose landlords have enrolled them, website visitors, and prospective customers.

3. Data Controller vs Data Processor

For landlord data, Lettie acts as Data Controller. For tenant data, we function as Data Processor on behalf of landlords (who are the Data Controllers).

Landlords bear responsibility for obtaining tenant consent and maintaining consent records.

4. What Personal Data We Collect

From Landlords

• Account information (name, email, phone, company, encrypted password).
• Billing information (processed via Stripe; we do not store full card details).
• Property addresses and management details.
• Communication preferences and support interactions.
• Usage data (IP address, browser type, device information).

About Tenants

• First name and phone number (for WhatsApp).
• All chat messages with the AI chatbot.
• Message timestamps and escalation records.
• WhatsApp metadata.

From Website Visitors

• Technical information (IP, browser, device).
• Usage patterns (pages viewed, time spent, clicks).
• Cookie data.

Voluntary Information

Demo interactions, newsletter subscriptions, feedback, and support requests.

5. How We Collect Personal Data

Data is collected directly from users during registration, account management, and support interactions; automatically through cookies and service usage; and from third parties including Stripe, WhatsApp, and landlords (for tenant data with consent).

6. Legal Basis for Processing

For Landlords

• Contract Performance: Providing service, processing payments, account management.
• Legitimate Interests: Service improvement, fraud detection, usage analysis, security maintenance.
• Consent: Marketing emails, certain cookies.
• Legal Obligation: Tax and accounting compliance.

For Tenants

• Consent: Obtained by landlord before onboarding.
• Legitimate Interests: AI accuracy improvement using anonymised data.

Children

Parental/guardian consent is required for those under 18.

7. How We Use Personal Data

• Service provision: Account management, chatbot processing, escalations, payment processing.
• Service improvement: AI training, usage analysis, feature development.
• Communications: Service emails, support responses, marketing (with consent).
• Business operations: Fraud prevention, legal compliance, security.
• AI training: Using anonymised chat logs where possible.

8. Who We Share Data With

Service Providers

• Payment: Stripe
• AI/Technology: Google AI, Perplexity AI, WhatsApp Business API, Twilio
• Infrastructure: Vercel, Hostinger, Neon
• Communications: Resend, Crisp, Canny
• Analytics: Google Analytics, Tinybird

Legal/Compliance

Law enforcement, regulatory authorities, legal advisors, and government bodies as required.

Business Transfers

Data may transfer to new owners in mergers or acquisitions.

We do not sell data to third parties or share tenant data beyond landlords and service providers.

9. International Data Transfers

Data transfers to the United States occur with service providers. Safeguards include:

• Standard Contractual Clauses (SCCs).
• Adequacy decisions.
• Certifications.
• Data Processing Agreements.

10. Cookie Policy

Types Used

• Strictly Necessary: Required for functionality, cannot be disabled.
• Analytics: Google Analytics tracking (consent required).
• Functional: Preference/settings retention.
• Marketing: Future implementation for ads (consent required).

Management

Users control cookies via browser settings or website banner. Third-party cookies follow their own policies (e.g., Google Analytics).

Duration

Session cookies delete upon browser closure; persistent cookies remain 12–24 months typically.

11. Data Retention

• Active accounts: Retained while account is active or necessary for service.
• Cancelled subscriptions: Retained until account deletion.
• Deleted accounts: All data deleted immediately; backups overwritten within 30 days.
• Tenant removal: Immediate deletion from active systems; backups within 30 days.
• Legal retention: Longer retention (e.g., tax records ~6 years) when required.
• Anonymised data: Retained indefinitely for AI training and analysis.

12. Data Security

Technical Measures

• HTTPS/TLS encryption.
• Encryption at rest for sensitive data.
• Secure authentication.
• Regular updates, firewalls, secure API integrations, and secure backups.

Organisational Measures

• Access controls and staff training.
• Confidentiality agreements.
• Data Protection Impact Assessments.
• Incident response procedures and security audits.

User Responsibilities

Keep passwords confidential, use strong passwords, notify us of unauthorised access, and log out from shared devices.

Breach Notification

ICO notification within 72 hours; affected individuals notified without undue delay.

13. Your Data Protection Rights

• Right of Access (Article 15): Request confirmation of processing, obtain a data copy, and understand usage. Response within 1 month.
• Right to Rectification (Article 16): Correct inaccurate or incomplete data via account settings or by contacting us.
• Right to Erasure (Article 17): Request deletion when data is no longer necessary, consent is withdrawn, or processing is unlawful. Limitations apply for legal retention requirements.
• Right to Restriction (Article 18): Request processing limitation when contesting accuracy, processing is unlawful, data is no longer needed, or objection is pending verification.
• Right to Data Portability (Article 20): Request data in structured format (CSV/JSON) for transfer to another controller. Applies to automated processing with consent or contract basis.
• Right to Object (Article 21): Object to legitimate interest processing, direct marketing, or research/statistical processing.
• Automated Decision-Making (Article 22): For AI escalation decisions, request information about logic, express viewpoint, contest decisions, or request human intervention.
• Withdraw Consent: Stop processing based on consent at any time without affecting prior lawfulness.
• Lodge Complaint: Contact the Information Commissioner's Office (ICO) at ico.org.uk, 0303 123 1113, or Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Landlords may contact support@asklettie.com or use account settings. Tenants may contact via the website or their landlord. Response within 1 month; verification of identity required.

14. Marketing Communications

Content may include product updates, usage tips, industry news, special offers, newsletters, and webinar invitations.

• Legal Basis: Soft opt-in (legitimate interest) or explicit consent; compliance with Privacy and Electronic Communications Regulations (PECR).
• Frequency: Typically no more than twice monthly.
• Management: Unsubscribe via email links, manage preferences in account settings, or contact support for complete opt-out.

Service communications (account confirmations, password resets, billing notices, security alerts, policy changes, and support responses) cannot be opted out of.

15. Third-Party Links

This policy applies only to Lettie. Third-party websites have separate privacy policies. Integration partners include Stripe, WhatsApp, and Google, each with their own privacy policies.

16. Children's Privacy

The Service is not intended for individuals under 13. We do not intentionally collect data from this age group. For ages 13–17, landlords must obtain parental/guardian consent.

Parents/guardians may exercise data rights on behalf of minors. Immediate deletion occurs if unlawful collection is discovered; landlord accounts may be suspended for systematic non-compliance.

17. Changes to This Privacy Policy

Updates reflect practice changes, legal requirements, new features, or user feedback. Material changes receive email notification 7+ days prior, updated timestamps, website prominence, and in-app notifications.

Material changes include new processing purposes, data categories, retention periods, third-party recipients, rights modifications, or new transfer countries. Non-material changes (clarifications, formatting) may proceed without notice.

Continued service use after changes indicates acceptance.

18. Data Protection Officer

Contact regarding policy questions, rights exercises, handling concerns, breaches, or complaints.

19. Legal Framework

We comply with UK GDPR, Data Protection Act 2018, Privacy and Electronic Communications Regulations (PECR) 2003, Human Rights Act 1998, and other applicable UK data protection laws.

20. Contact Information