Version 1.0 · Effective 25 May 2026

Data Processing Agreement (DPA)

Legal entity: UNIVERSALHOMEANDTECH LTD
Company number: 16534780
Place of registration: England and Wales
Registered office: 15a Shrubbery Road, London, SW16 2AS, United Kingdom
ICO registration: ZC044007
VAT position: Not VAT registered
Brand: Estate-HQ
Contact: [email protected]

Estate-HQ is a trading name of UNIVERSALHOMEANDTECH LTD. UNIVERSALHOMEANDTECH LTD is registered in England and Wales under company number 16534780. Registered office: 15a Shrubbery Road, London, SW16 2AS, United Kingdom. ICO registration reference: ZC044007. Not VAT registered.

This Data Processing Agreement (DPA) forms part of the Terms of Service between UNIVERSALHOMEANDTECH LTD (trading as Estate-HQ) and the subscribing letting agent (the Customer). It governs the processing of personal data by Estate-HQ on behalf of the Customer in connection with the Estate-HQ platform. This DPA is required under UK GDPR Article 28.

Definitions

Term	Meaning
Controller	The Customer (the letting agent) who determines the purposes and means of processing personal data entered into the platform
Processor	UNIVERSALHOMEANDTECH LTD trading as Estate-HQ
Data subjects	Tenants, landlords, contractors and other individuals whose personal data the Customer enters into the platform
Personal data	Any information relating to an identified or identifiable natural person as defined in UK GDPR
Processing	Any operation performed on personal data including collection, storage, retrieval, use, disclosure and deletion
UK GDPR	The UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018

Subject matter and nature of processing

Field	Detail
Subject matter	Provision of the Estate-HQ CRM platform to the Customer
Nature of processing	Storage, retrieval, display, export, backup, and deletion of personal data entered by the Customer
Purpose	Enabling the Customer to manage their letting agency operations including tenancies, compliance, rent collection and communications
Duration	For the term of the subscription plus 90 days after cancellation for data retention
Types of personal data	Tenant: name, contact details, tenancy data, right-to-rent status, rent and payment records, deposit records, maintenance requests, e-signature records, Tenant Passport data where submitted. Landlord: name, contact number, email address, property and financial records. Contractor: name, contact number, email address, job records.
Categories of data subjects	Tenants, landlords, contractors, and any other individuals whose data the Customer enters

Processor obligations

UNIVERSALHOMEANDTECH LTD (as Processor) shall:

Process personal data only on documented instructions from the Customer (the Terms of Service and this DPA constitute those instructions), except where required by law to act otherwise.
Ensure that all staff with access to personal data are bound by appropriate confidentiality obligations.
Implement appropriate technical and organisational security measures as described in this DPA.
Not engage sub-processors without the Customer's general authorisation. The current Sub-processor List constitutes general authorisation for those listed. We will give 30 days notice of any new sub-processor and the Customer may object in that period.
Assist the Customer in responding to data subject rights requests (access, erasure, rectification, portability, restriction, objection) by making available the tools in the platform and responding to written requests within a reasonable period.
Notify the Customer without undue delay (and within 72 hours where feasible) after becoming aware of a personal data breach affecting Customer data.
At the Customer's choice, delete or return all personal data on termination of the subscription. Data is retained for 90 days after cancellation then deleted. Export is available at any time from the platform. A deletion certificate is available on written request to [email protected].
Make available all information reasonably necessary to demonstrate compliance with this DPA. Audits by the Customer or an auditor appointed by the Customer are permitted no more than once per calendar year, on at least 30 days' written notice, conducted during normal business hours, at the Customer's reasonable expense, and subject to confidentiality protection for anything that would compromise the security of other customers' data. Additional audits are permitted at any time following a confirmed personal data breach affecting the Customer's data.
Not transfer personal data outside the United Kingdom without an appropriate safeguard in place under UK data protection law.

Controller obligations

The Customer (as Controller) shall:

Ensure it has a lawful basis for all personal data it enters into the platform.
Provide adequate privacy notices to data subjects (tenants, landlords, contractors) explaining that their data is processed using Estate-HQ.
Respond to data subject rights requests that it receives directly.
Not instruct the Processor to process data in a way that would violate applicable law.
Notify the Processor promptly if it becomes aware of any security incident relating to its account.

Security measures

Measure	Detail
Encryption at rest	All database data encrypted at rest using AES-256 or equivalent
Encryption in transit	All data in transit protected by TLS 1.2 or higher
Access controls	Role-based access control; staff access limited to what is needed for the job
Backups	Daily encrypted backups retained on UK-based infrastructure
Hosting	UK-based servers
Vulnerability management	Security patches applied promptly; responsible disclosure via [email protected]
Incident response	Written incident response process; notification to Customer within 72 hours of confirmed breach

Sub-processors

The current list of approved sub-processors is published in the Sub-processor List and updated from time to time. Before engaging a new sub-processor, we will give 30 days written notice to all active subscribers. A Customer who reasonably objects may terminate their subscription and receive a pro-rata refund of any unused annual subscription.

Data subject rights

The platform includes tools for data export, correction and deletion. If a data subject contacts us directly exercising a right, we will forward the request to the Customer within 5 business days. We will assist the Customer technically in fulfilling the request. Where we are required by law to respond directly, we will notify the Customer.

Personal data breaches

In the event of a confirmed personal data breach affecting Customer data, we will notify the Customer by email to their registered address without undue delay and within 72 hours where feasible. The notification will include the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.

Governing law

This DPA is governed by the laws of England and Wales.

Contact

DPA queries and data subject rights requests: [email protected]. UNIVERSALHOMEANDTECH LTD, 15a Shrubbery Road, London, SW16 2AS, United Kingdom.

Index · Privacy · Cookies · Terms · DPA · Refunds · Acceptable Use · Sub-processors · Tenant Passport · Tenant Consent