GDPR Compliance
Last updated: 7 April 2026
1. Our commitment
Esta AI Ltd is committed to protecting the personal data of our users, their tenants, and their applicants. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This page provides an overview of our data protection practices. For full details on what data we collect and how we use it, please see our Privacy Policy.
2. Data controller details
- Data controller: Esta AI Ltd
- Registered in: England and Wales
- Contact email: privacy@estaai.co.uk
- General enquiries: hello@esta.ai
Esta AI is the data controller for personal data collected directly from agency users (letting agents who register for accounts). For tenant and applicant data submitted through agency-branded forms, the agency is the data controller and Esta AI acts as a data processor.
3. Controller vs processor responsibilities
When Esta AI is the data controller
- Agency registration and account data
- Website visitor data (contact forms, cookie data)
- Billing and subscription data
- Usage data for service improvement
When Esta AI is the data processor
- Tenant application data submitted through agency forms
- Maintenance requests submitted by tenants
- Open banking data collected via TrueLayer for tenant vetting
- Tenant documents uploaded for referencing
- Enquiry and lead data imported from property portals
As a data processor, Esta AI processes tenant data strictly in accordance with agency instructions and does not use tenant data for any purpose other than providing the Service. Agencies are responsible for ensuring they have the appropriate legal basis to collect tenant data and for providing tenants with adequate privacy notices.
4. Sub-processors
We use the following sub-processors to deliver our service. Each has been assessed for GDPR compliance and appropriate data protection measures:
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | All platform data | United Kingdom |
| Stripe | Payment processing | Billing details, payment methods | EU / US |
| Anthropic | AI processing | Property details, documents, enquiry text (for AI analysis) | United States |
| TrueLayer | Open banking | Banking data for income verification (with tenant consent) | United Kingdom |
| Rightmove | Portal integration | Property listings, enquiry leads | United Kingdom |
| Zoopla (ZPG) | Portal integration | Property listings | United Kingdom |
| Resend | Email delivery | Email addresses, notification content | United States |
| Twilio | SMS delivery | Phone numbers, SMS content | United States |
| | Calendar integration | Viewing appointments (with user authorisation) | EU / US |
| Inngest | Background jobs | Job metadata and payloads | United States |
For sub-processors located outside the UK, we rely on UK International Data Transfer Agreements (IDTAs), Standard Contractual Clauses (SCCs), or adequacy decisions to ensure an adequate level of data protection. We will notify agencies of any changes to our sub-processor list.
5. Security measures
We implement appropriate technical and organisational measures to protect personal data:
- UK-hosted infrastructure: Core data is stored on Supabase servers in the United Kingdom
- Encryption in transit: All data is transmitted over TLS/HTTPS encrypted connections
- Encryption at rest: Database storage is encrypted at rest
- Row-level security: Database access policies ensure agencies can only access their own data
- Authentication: Secure session management via Supabase Auth with password complexity requirements
- Security headers: Content Security Policy, HSTS, X-Content-Type-Options, X-Frame-Options, and other protective HTTP headers
- Access control: Role-based access within agency accounts (owners and team members)
- Password security: Passwords are hashed using industry-standard algorithms and never stored in plain text
- Secure payment handling: Payment data is handled by Stripe (PCI-DSS Level 1 certified) and never touches our servers
6. Tenant and applicant data
Esta AI processes sensitive personal data as part of the tenant vetting workflow. This includes:
Document analysis
Tenants may upload payslips, bank statements, and employment letters. These documents are analysed using AI to extract income and employment data for affordability assessment. Documents are stored securely and access is restricted to the relevant agency.
Open banking (TrueLayer)
With the tenant's explicit consent, we connect to their bank via TrueLayer to verify income, assess affordability, and identify financial risk indicators. This data is:
- Collected only with explicit, informed consent via TrueLayer's OAuth flow
- Used solely for affordability and income verification
- Retained for a limited period (90 days after the vetting decision)
- Not shared with any party other than the requesting agency
Right-to-rent checks
Agencies may use Esta AI to record right-to-rent verification data as required under the Immigration Act 2014. This data is processed under the legal obligation lawful basis.
7. Data subject rights
Under UK GDPR, individuals have the following rights:
| Right | Description | How to exercise |
|---|---|---|
| Access | Request a copy of your personal data | Email privacy@estaai.co.uk |
| Rectification | Correct inaccurate or incomplete data | Via platform settings or email us |
| Erasure | Request deletion of your data | Email privacy@estaai.co.uk |
| Restriction | Limit how we process your data | Email privacy@estaai.co.uk |
| Portability | Receive your data in a portable format | Email privacy@estaai.co.uk |
| Objection | Object to processing based on legitimate interests | Email privacy@estaai.co.uk |
| Withdraw consent | Withdraw consent at any time where consent is the lawful basis | Email privacy@estaai.co.uk or via platform |
We respond to all data subject requests within one month. In complex cases, we may extend this by a further two months, with notification.
Tenants: If your data was submitted through an agency's application form, the agency is the data controller. Please contact the agency directly. We will assist the agency in fulfilling your request.
8. Data breach procedures
In the event of a personal data breach, we follow a structured response process:
- Detection and containment: Identify and contain the breach as quickly as possible
- Assessment: Assess the risk to affected individuals, including the nature of the data, number of people affected, and likely consequences
- Notification to ICO: If the breach is likely to result in a risk to individuals' rights and freedoms, we will notify the Information Commissioner's Office within 72 hours
- Notification to affected individuals: If the breach is likely to result in a high risk to individuals, we will notify them without undue delay
- Notification to agencies: Where we act as a data processor, we will notify the affected agency without undue delay so they can fulfil their own notification obligations
- Documentation: We document all breaches, their effects, and remedial actions taken
9. Data protection impact assessments
We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to individuals, including:
- Open banking integration and financial data processing
- AI-powered document analysis and tenant vetting
- Large-scale processing of tenant personal data
DPIAs help us identify and minimise data protection risks. We review and update them as our processing activities change.
10. Contact
For data protection enquiries, contact us:
- Email: privacy@estaai.co.uk
- General: hello@esta.ai
To lodge a complaint with the supervisory authority:
- Information Commissioner's Office (ICO): ico.org.uk
- Helpline: 0303 123 1113