Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of your subscription agreement with EstateHQ and governs how we process personal data on your behalf as required by Article 28 of UK GDPR.
Last updated: May 2026 · Governing law: England and Wales
Note: By accepting our Terms of Service, you also accept this DPA. No separate signature is required. If your organisation requires a signed DPA, contact hello@estatehq.co.uk.
1. Parties
This DPA is between:
Data Processor
EstateHQ, trading name of the company operating the EstateHQ platform. Company registration number: 17209704, registered in England and Wales.
Email: hello@estatehq.co.uk
Data Controller
The estate agency or individual who creates an account and accepts the Terms of Service (“Customer”). The Customer determines the purposes and means of processing personal data entered into the Platform.
2. Definitions
3. Subject matter, duration, and nature of processing
Subject matter: EstateHQ processes Personal Data to provide the Platform and associated services to the Customer under the Terms of Service.
Duration: Processing continues for the term of the Customer’s subscription, plus up to 90 days after account closure during which the Customer may request a data export.
Nature of processing: Storage, retrieval, display, organisation, and transmission of Personal Data within the Platform, including generating reports and sending transactional emails on the Customer’s behalf.
Purpose of processing: To provide a compliance management and estate agency operations platform to UK estate agencies.
4. Types of personal data and categories of data subjects
Types of personal data processed
- Names, email addresses, and telephone numbers of landlord clients and staff
- Property addresses and location data
- AML risk assessment records and compliance documentation
- Sales and lettings pipeline data including offer and viewing records
- Staff member account details and role information
- Certificate and compliance document metadata
- Transaction records and instruction history
Categories of data subjects
- Landlord clients of the estate agency
- Buyers, sellers, tenants, and applicants whose details are entered by the Customer
- Staff members and users of the Platform
- Contacts referenced in instructions, viewings, or offers
5. Processor obligations (Article 28(3) UK GDPR)
(a) Process only on documented instructions
EstateHQ will process Personal Data only on documented instructions from the Customer — which include the Terms of Service, this DPA, and any further written instructions the Customer provides. If EstateHQ is required by applicable law to process Personal Data for another purpose, it will inform the Customer before doing so (unless prohibited by law).
(b) Confidentiality of authorised persons
EstateHQ will ensure that persons authorised to process Personal Data are subject to an obligation of confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) Security measures
EstateHQ will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 UK GDPR. These measures include: encryption of personal data in transit (TLS) and at rest, access controls and row-level security policies, regular security reviews, and incident response procedures.
(d) Sub-processors
EstateHQ will not engage a new Sub-Processor without informing the Customer. Customers who subscribe to this DPA give general authorisation to EstateHQ to engage Sub-Processors listed in the Privacy Policy (currently: Supabase, Stripe, Resend, Vercel). EstateHQ will update its Privacy Policy with at least 14 days' notice before adding a new Sub-Processor. If the Customer objects to a new Sub-Processor, they may terminate their subscription within the notice period. All Sub-Processors are bound by data processing agreements imposing equivalent obligations.
(e) Assistance with data subject rights
EstateHQ will assist the Customer in fulfilling its obligations to respond to requests from data subjects exercising their rights under UK GDPR (Articles 12–22), taking into account the nature of the processing and the information available to EstateHQ.
(f) Assistance with security, breach notification, DPIAs, and prior consultation
EstateHQ will assist the Customer with: (i) Article 32 security obligations; (ii) notification of personal data breaches to supervisory authorities and data subjects under Articles 33–34; (iii) data protection impact assessments under Article 35; and (iv) prior consultation under Article 36. EstateHQ will notify the Customer of any Personal Data breach without undue delay and in any event within 48 hours of becoming aware of it.
(g) Deletion or return of data
At the choice of the Customer, EstateHQ will delete or return all Personal Data at the end of the service provision. Customer data is retained for 90 days after account closure to allow export; thereafter it is permanently deleted. All copies held by Sub-Processors will be deleted in accordance with their respective data retention policies.
(h) Audit rights
EstateHQ will make available to the Customer all information necessary to demonstrate compliance with the obligations in Article 28 UK GDPR. EstateHQ will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable notice (14 days minimum) and agreement on scope. EstateHQ may satisfy audit obligations by providing up-to-date third-party audit reports (such as SOC 2 Type II) where applicable.
6. International transfers
Personal Data is primarily stored on Supabase infrastructure located in the EU (London, eu-west-2 region). Where Personal Data is transferred outside the UK to Sub-Processors located in the United States (Stripe, Resend, Vercel), such transfers are made subject to the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses, as applicable, ensuring an equivalent level of protection to that provided under UK GDPR.
EstateHQ will not transfer Personal Data to a country outside the UK unless appropriate safeguards are in place.
7. Controller responsibilities
The Customer, as data controller, is responsible for:
- Ensuring it has a lawful basis for entering Personal Data into the Platform under UK GDPR
- Providing privacy notices to data subjects (landlord clients, tenants, buyers, and sellers) whose data is entered into the Platform
- Complying with all applicable data protection legislation, including the Money Laundering Regulations 2017 in respect of AML records
- Ensuring that data subject requests exercised against the Customer are handled within statutory timescales
- Maintaining its own ICO registration as a data controller
8. Liability
Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service. EstateHQ will not be liable for any processing carried out by the Customer in breach of UK GDPR.
Where both parties are held liable for damage caused by processing, liability between the parties shall be apportioned in accordance with their respective fault.
9. Term and termination
This DPA is effective from the date the Customer accepts the Terms of Service and remains in force for the duration of the subscription. This DPA automatically terminates on termination of the Terms of Service.
On termination, the data deletion provisions in clause 5(g) apply.
10. Governing law
This DPA is governed by and construed in accordance with the laws of England and Wales. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
11. Contact and signed DPA requests
For questions about this DPA, or to request a separately signed DPA document, contact our data protection team:
EstateHQ — Data Protection
Email: hello@estatehq.co.uk
Subject line: “DPA request — [your agency name]”