Privacy Policy
Last updated: 26 March 2025
1. Who we are
AgentOS Ltd (“we”, “our”, “us”) is the data controller for personal data processed through the MTD for Landlords service (“the Service”). We are based in the United Kingdom and subject to UK GDPR and the Data Protection Act 2018.
Data Protection contact: privacy@agentos.com
2. Personal data we collect
- Account data — name, email address, hashed password, organisation name.
- Tax profile data — National Insurance Number (NINO), HMRC OAuth tokens (stored encrypted), self-assessment status.
- Property data — property addresses, descriptions, and portfolio metadata.
- Financial transaction data — income and expense records imported from your letting agent or bank, and manual entries.
- Bank account data (opted-in users only) — account number, sort code, IBAN, and transaction history imported via Open Banking (TrueLayer).
- Communication data — email address (for transactional notifications); mobile number (if you opt in to SMS/WhatsApp alerts).
- Technical data — IP address, user ID, browser/device metadata collected for security monitoring and rate limiting.
3. Why we process your data
| Purpose | Legal basis |
|---|---|
| Providing the MTD ITSA submission service | Contract (Art. 6(1)(b)) |
| Submitting quarterly updates to HMRC on your behalf | Legal obligation (Art. 6(1)(c)) |
| Sending service notifications (confirmations, deadline reminders) | Contract (Art. 6(1)(b)) |
| Security monitoring, rate limiting, and abuse prevention | Legitimate interests (Art. 6(1)(f)) |
| Audit logging for security and dispute resolution | Legitimate interests (Art. 6(1)(f)) |
| Connecting to your bank account (Open Banking) | Consent (Art. 6(1)(a)) |
| Sending SMS/WhatsApp alerts | Consent (Art. 6(1)(a)) |
4. How long we keep your data
- Account data: duration of account + 30 days after deletion.
- Financial records and HMRC submissions: 7 years from the transaction date (HMRC statutory requirement).
- Audit logs: 3 years.
- Rate-limit counters (Vercel KV / Upstash): automatic TTL of 2–10 minutes — no long-term retention.
- Incident alerts (Slack): subject to Slack's own retention policy; we recommend enabling automatic message deletion after 90 days on the alerts channel.
5. Recipients and sub-processors
Under UK GDPR Article 13(1)(e), we are required to inform you of all recipients of your personal data. The table below lists every sub-processor and third-party recipient we use, why they receive your data, where they are located, and the transfer mechanism that protects your data when it leaves the UK.
| Sub-processor | Role | Location | Transfer basis | DPA |
|---|---|---|---|---|
| Neon Inc. | Managed PostgreSQL database — stores all account, property, and financial data | US (AWS us-east-1) | SCCs / UK IDTA | View ↗ |
| Vercel Inc. | Application hosting, edge compute, CDN | US / EU edge PoPs | SCCs / UK IDTA | View ↗ |
| TrueLayer Ltd. | Open Banking connectivity (bank account import — opted-in users only) | UK / EEA | No restricted transfer | View ↗ |
| Resend Inc. | Transactional email delivery | US | SCCs / UK IDTA | View ↗ |
| Twilio Inc. | SMS and WhatsApp notifications (opted-in users only) | US | SCCs / UK IDTA | View ↗ |
| Inngest Inc. | Background job orchestration (submission processing, reminders) | US | SCCs / UK IDTA | View ↗ |
| Upstash Inc. / Vercel KV | Distributed rate limiting — receives user IDs and IP addresses as short-lived rate-limit keys on every authenticated API request to prevent abuse | US (AWS us-east-1) | SCCs / UK IDTA | View ↗ |
| Salesforce / Slack Inc. | Incident alerting — receives organisation IDs and operational error metadata via the engineering on-call webhook for P0/P1 security incidents | US (Slack infrastructure) | SCCs / UK IDTA | View ↗ |
| AgentOS Ltd. | Letting agent data source (property, tenancy, and transaction imports) | UK | No restricted transfer | In service agreement |
| HMRC | Statutory recipient of MTD quarterly income and expense updates | UK | No restricted transfer — statutory obligation | View ↗ |
SCCs = Standard Contractual Clauses (UK-approved version). IDTA = UK International Data Transfer Agreement. A copy of any executed DPA is available on request at privacy@agentos.com.
6. International transfers
Some sub-processors are based in the United States. Where personal data is transferred outside the UK we rely on Standard Contractual Clauses (UK-approved) and/or the UK International Data Transfer Agreement (IDTA) as the lawful transfer mechanism. Details are listed in the sub-processor table above and in our full ROPA.
7. Your rights
Under UK GDPR you have the right to:
- Access a copy of your personal data (Subject Access Request)
- Rectify inaccurate data
- Erase your data (“right to be forgotten”) — subject to legal retention obligations
- Restrict processing in certain circumstances
- Receive your data in a structured, machine-readable export (data portability)
- Object to processing based on legitimate interests
- Withdraw consent at any time (where processing is consent-based)
- Lodge a complaint with the ICO at ico.org.uk
To exercise any of these rights, contact privacy@agentos.com. We will respond within one calendar month.
8. Security
We protect your data using AES-256-GCM encryption at rest for all sensitive fields (NINO, HMRC tokens, bank account details), TLS 1.2+ in transit, row-level security on the database, and bcrypt password hashing. Rate limiting is enforced on all authenticated API endpoints using Vercel KV (Upstash) to prevent abuse. Security events are monitored and critical incidents trigger immediate engineering escalation.
9. Cookies
We use strictly necessary session cookies for authentication (Auth.js / NextAuth). No advertising or analytics third-party cookies are set. You can manage cookies through your browser settings; disabling session cookies will prevent you from signing in.
10. Changes to this policy
We may update this policy when we add new sub-processors or change how we process data. Material changes will be notified by email. The “Last updated” date at the top of the page always reflects the most recent revision. For a full audit trail of processing activities see our Article 30 ROPA.