NOW LIVE Making Tax Digital is now live. Landlords earning £50k+ must be using MTD software. Check your compliance →
For Agents For Investors Pricing FAQ Contact Us
Log InSign Up
Portfolio Health Check
Back to homeContact Us
Legal

Privacy Policy

Last updated: 1 April 2026. This policy explains how Proxera Ltd collects, uses and protects your personal data in accordance with the UK GDPR and Data Protection Act 2018.

1. Data Controller Identity

Proxera Ltd (referred to herein as "the Company", "we", "us" or "our") is a private limited company incorporated and registered in England and Wales under company registration number 12583682. Our registered office is situated at 39th Floor, One Canada Square, Canary Wharf, London E14 5AB.

The Company acts as data controller in respect of personal data processed in connection with the digital services, tools and platform infrastructure operated under the domain names proxera.co.uk and proxera.com (collectively, "the Services").

The Company is registered as a data controller with the Information Commissioner's Office (ICO) in accordance with its obligations under the Data Protection Act 2018. Correspondence relating to data protection matters may be directed to [email protected].

2. Categories of Personal Data Processed

In the course of delivering the Services, the Company may collect, receive or otherwise process personal data falling within the following categories:

Identity and contact information

  • Full legal name, electronic mail address and telephone contact details
  • Authentication credentials, stored exclusively in irreversibly hashed or otherwise cryptographically protected form
  • Voluntary profile attributes including, but not limited to, occupational role, professional designations and relevant portfolio or asset characteristics

Asset and financial information

  • Property-related details provided voluntarily by the data subject in connection with their use of the Services, including but not limited to acquisition costs, financing arrangements and rental receipts
  • Income, expenditure and related financial calculations generated within or imported into the Services
  • Statutory and contractual documentation uploaded by the data subject, retained in accordance with section 6 of this Policy

Payment account and transactional information

  • Transactional and balance data obtained from financial institutions where the data subject has provided express authorisation through a regulated open banking channel in accordance with the Payment Services Regulations 2017
  • Derived categorisation and reconciliation data generated from the above in the course of providing automated record-keeping functionality

Statutory reporting information

  • Financial records and associated documentation prepared in connection with applicable digital tax administration requirements, processed and transmitted to the relevant statutory authority exclusively upon receipt of the data subject's express prior authorisation

Technical and device information

  • Network identifiers including Internet Protocol (IP) addresses, device type and browser environment data
  • Interaction metadata comprising session identifiers, feature utilisation records, navigation sequences and diagnostic log data

Correspondence and communication records

  • Content of communications initiated by the data subject via any supported channel, together with associated metadata
  • Records arising from scheduled consultations or advisory interactions with members of the Company's personnel

3. Purposes and Lawful Bases for Processing

The Company processes personal data only where a valid lawful basis exists under Article 6 of the UK GDPR. The purposes for which personal data is processed, together with the corresponding lawful bases, are set out below:

  • Service performance and account administration (lawful basis: contract performance, Article 6(1)(b)): Processing necessary for the establishment and ongoing administration of the data subject's account, the delivery of the contracted Services, and the fulfilment of associated ancillary functionality made available within the platform infrastructure.
  • Statutory and regulatory obligations (lawful basis: legal obligation, Article 6(1)(c)): Processing required for the purposes of complying with applicable statutory obligations, including obligations arising under digital tax administration legislation and associated regulations promulgated by His Majesty's Revenue and Customs ("HMRC"), where the data subject has provided express written authorisation for the Company to act in an agency or facilitative capacity for such purposes.
  • Regulated financial data integration (lawful basis: contract performance, Article 6(1)(b)): Processing of transactional and account data received via regulated open banking infrastructure, conducted in accordance with applicable payment services legislation and Financial Conduct Authority requirements, for the purpose of automated financial record management within the Services.
  • Service communications (lawful basis: contract performance, Article 6(1)(b)): Processing required to respond to data subject enquiries, issue service-related operational notices, communicate material changes to the Services, and transmit time-sensitive regulatory or compliance-related alerts.
  • Analytical processing and service development (lawful basis: legitimate interests, Article 6(1)(f)): Processing of aggregated, pseudonymised or de-identified interaction data undertaken in furtherance of the Company's legitimate interest in maintaining and improving the quality, stability and functionality of the Services, subject to an assessment that such processing does not override the rights and freedoms of data subjects.
  • Direct marketing communications (lawful basis: consent, Article 6(1)(a)): The transmission of commercial electronic communications relating to the Company's products, services and relevant sector developments, conducted exclusively upon receipt of the data subject's prior, freely given, specific, informed and unambiguous consent as required by the Privacy and Electronic Communications Regulations 2003 (as amended) ("PECR"), and revocable at any time without detriment to the provision of the Services.
  • Legal claims and compliance (lawful basis: legal obligation / legitimate interests, Article 6(1)(c) and (f)): Processing necessary for the purposes of establishing, exercising or defending legal claims, satisfying the requirements of competent regulatory or judicial authorities, and fulfilling the Company's obligations under applicable law.

4. Special Category Data

The Company does not intentionally collect or process special category personal data as defined under Article 9 of the UK GDPR. Data subjects are requested not to upload or submit information falling within special categories in the course of using the Services. Should such data be received inadvertently, it will be deleted promptly upon identification.

5. Disclosure of Personal Data to Third Parties

The Company does not sell, rent or otherwise transfer personal data to third parties for their independent commercial purposes. Personal data is disclosed only to the categories of recipient described below, and solely to the extent necessary for the delivery of the Services or satisfaction of applicable legal requirements:

  • Statutory authorities: Transmission of data to HMRC or other competent public authorities, exclusively in accordance with applicable legislative requirements and, where relevant, subject to the data subject's prior express authorisation
  • Regulated financial service providers: Engagement of FCA-authorised entities for the purpose of facilitating regulated open banking connections in compliance with the Payment Services Regulations 2017
  • Infrastructure and cloud service providers: Engagement of approved sub-processors providing hosting, storage and processing infrastructure under data processing agreements incorporating standard contractual clauses or equivalent safeguards
  • Customer relationship and communications platforms: Engagement of third-party software providers supporting client communications, scheduling and relationship management operations, subject to binding data processing agreements
  • Analytics service providers: Engagement of providers processing de-identified or pseudonymised data for the purpose of service performance monitoring, where such processing is conducted in accordance with applicable data protection law

All third-party processors engaged by the Company are required to enter into written data processing agreements compliant with Article 28 of the UK GDPR and to implement appropriate technical and organisational security measures. The Company conducts due diligence on processors prior to engagement and reviews such arrangements periodically.

6. Data Retention

Personal data is retained for the minimum period necessary having regard to the purpose for which it was collected and applicable legal requirements. In determining appropriate retention periods, the Company applies the following principles:

  • Account and identity data is retained for the duration of the contractual relationship and deleted within 90 days of account termination, save where retention is required by law
  • Financial and statutory records are retained for a minimum period of seven years from the end of the relevant tax year in accordance with HMRC record-keeping requirements
  • Technical and interaction logs are retained for a period proportionate to their operational purpose and regularly reviewed for deletion
  • Data subjects may request accelerated deletion of personal data not subject to statutory retention obligations by contacting the Company using the details at section 11

7. Rights of Data Subjects

Data subjects whose personal data is processed by the Company hold the following rights pursuant to Chapter III of the UK GDPR and Part 3 of the Data Protection Act 2018, each of which may be exercised by contacting the Company at the details set out in section 11:

  • Right of access (Article 15): The right to obtain confirmation of whether the Company processes personal data concerning you, and, where it does, to receive a copy of that data together with information regarding its processing
  • Right to rectification (Article 16): The right to require correction of inaccurate personal data and completion of incomplete personal data without undue delay
  • Right to erasure (Article 17): The right to require deletion of personal data where one of the specified grounds applies, subject to applicable legal retention obligations
  • Right to restriction of processing (Article 18): The right to require that processing be restricted in the circumstances prescribed by Article 18
  • Right to data portability (Article 20): The right to receive personal data in a structured, commonly used, machine-readable format where processing is carried out by automated means on the basis of consent or contract
  • Right to object (Article 21): The right to object to processing based on legitimate interests or for direct marketing purposes; upon receipt of an objection to direct marketing, the Company shall cease such processing immediately
  • Rights in relation to automated decision-making (Article 22): The right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, save in the circumstances permitted by Article 22(2)

The Company will respond to all verified rights requests within one calendar month of receipt, save where an extension is permitted under applicable law. Data subjects also have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk or by post to Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

8. Technical and Organisational Security Measures

The Company implements and maintains appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk presented by the processing activities undertaken, having regard to the nature, scope, context and purposes of processing. Such measures include, without limitation, the application of industry-standard encryption protocols to data in transit and at rest, role-based access controls, internal data handling procedures, staff training on data protection obligations, and periodic security reviews. The Company acknowledges that no electronic transmission or storage mechanism offers absolute security guarantees and accordingly makes no unconditional warranty in this regard.

9. International Data Transfers

Personal data processed by the Company is primarily stored and processed within the United Kingdom and, where applicable, the European Economic Area. Where any transfer of personal data to a third country or international organisation is undertaken, the Company ensures that appropriate safeguards are in place as required by Chapter V of the UK GDPR, including where relevant the application of the International Data Transfer Agreement (IDTA) or standard contractual clauses approved by the Secretary of State, or reliance on an adequacy regulation made under section 17A of the Data Protection Act 2018.

10. Amendments to This Policy

The Company reserves the right to amend this Privacy Policy from time to time to reflect changes in applicable law, regulatory guidance or the Company's data processing activities. The date of the most recent revision is indicated at the top of this document. Where amendments are material, the Company will provide notice to data subjects by electronic communication or by means of a prominent notice within the Services prior to the amendments taking effect.

11. Contact and Correspondence

All enquiries, requests and complaints relating to data protection matters should be directed to:

Proxera Ltd
39th Floor, One Canada Square
Canary Wharf, London E14 5AB
Email: [email protected]
Telephone: +44 (0)204 634 5290

This Privacy Policy was prepared in accordance with the requirements of the UK General Data Protection Regulation (as retained in UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018. It should be read in conjunction with our Cookie Policy and Terms and Conditions.