This Privacy Policy explains what personal data heyzoobie ("we", "us") collects about
you when you use our property-management platform, how we use it, who we share it with,
and the rights you have over it under the UK GDPR and the Data Protection Act 2018.
1. Who we are
The heyzoobie service is operated from the United Kingdom. For questions about this policy, data
requests, or complaints, email hi@heyzoobie.com.
2. What data we collect
Account information
Your email address (used as your login via magic links — we do not store passwords).
The organisation you belong to and the role(s) you hold (admin, landlord, applicant).
Property and tenancy data (landlord accounts)
Property addresses, ownership details, compliance certificates, photos, and documents you upload.
Tenancy records, rent schedules, rent statements, and deposit information for tenants you manage.
Contact details you record for tenants, applicants, contractors, and service providers.
Financial data
Bank transactions imported via GoCardless (our open-banking provider) when you choose to connect a bank account.
Manually entered transactions, bills, rent charges, and accounting categorisations.
HMRC Making Tax Digital
OAuth access and refresh tokens issued by HMRC, so we can submit tax information on your behalf.
Your National Insurance Number, so HMRC can identify you on each Self Assessment call.
Device and browser information (IP address, user-agent, timezone, screen size) that HMRC requires us to send with every call as part of their fraud-prevention headers.
Technical data
Server logs (request URL, timestamp, IP address, user agent) for debugging and abuse prevention.
Session cookies that keep you logged in.
3. How we use your data
To provide the service — store your records, let you log in, send magic-link emails, and generate statements and reports.
To submit information to HMRC on your behalf when you instruct us to file a Self Assessment update.
To send you operational emails (e.g. about your account, a job you raised, or a tenancy action due).
To investigate bugs, diagnose errors, and prevent abuse of the platform.
To comply with our legal obligations (e.g. tax, fraud prevention, responding to lawful requests).
4. Lawful basis
We process your personal data under the following UK GDPR lawful bases:
Contract — to provide the platform you have signed up for.
Legitimate interests — to keep the service secure, detect abuse, and improve the product.
Legal obligation — where we must retain or disclose data under UK law (including HMRC fraud-prevention rules).
Consent — where you explicitly authorise us (e.g. connecting your bank account or your HMRC account).
5. Who we share your data with
HMRC — when you submit Self Assessment information or we call an HMRC API on your behalf. HMRC requires us to include fraud-prevention headers (device, browser, and network data) on every call.
GoCardless Bank Account Data — the open-banking provider we use to read transactions from connected bank accounts, but only when you choose to connect an account.
Our email provider — used solely to deliver operational emails (magic links, notifications).
Hosting and infrastructure providers — the servers the application runs on.
We do not sell your data. We do not share data with advertisers.
6. Where your data is stored
Data is stored on servers located in the United Kingdom or the European Economic Area.
Where a processor we use is located outside the UK/EEA, we rely on the UK's approved
transfer mechanisms (UK-adequacy regulations or Standard Contractual Clauses).
7. How long we keep your data
Account data — for as long as your account is active, plus a reasonable grace period after closure.
Financial and tax data — for at least six years, to comply with HMRC record-keeping requirements.
Server logs — typically 30 to 90 days, unless retained longer for an active investigation.
HMRC OAuth tokens — cleared as soon as you disconnect, or when they expire and are not refreshed.
8. Your rights
Under UK GDPR you have the right to:
Access the personal data we hold about you.
Ask us to correct inaccurate data.
Ask us to delete your data (subject to our legal obligation to keep tax records).
Ask us to restrict or object to our processing of your data.
Receive a copy of your data in a portable format.
Withdraw consent for processing that relies on consent (e.g. disconnect your HMRC or bank account at any time from the app).
To exercise any of these rights, email
hi@heyzoobie.com.
You also have the right to complain to the UK Information Commissioner's Office at
ico.org.uk.
9. Security
We use industry-standard measures to protect your data: encrypted HTTPS connections,
Postgres row-level security to isolate one organisation's data from another, magic-link
authentication (no passwords to leak), and audit logs on sensitive actions.
No system is perfectly secure, and we cannot guarantee absolute security.
10. Cookies
We use strictly necessary cookies to keep you logged in and to protect submissions
from cross-site request forgery. We do not use analytics or advertising cookies.
11. Changes to this policy
We may update this policy from time to time. When we make material changes, we will
update the "Last updated" date above and, where appropriate, notify you by email.