Privacy Policy

Last updated: 7 April 2026

1. Who we are

Esta AI Ltd (“Esta AI”, “we”, “us”, “our”) is the data controller responsible for your personal data. We are registered in England and Wales.

If you have questions about this policy or how we handle your data, contact us at:

Email: privacy@estaai.co.uk
General enquiries: hello@esta.ai

2. What data we collect

Agency users (letting agents)

When you register for and use Esta AI, we collect:

Full name, email address, and phone number
Agency name and business details
Account credentials (passwords are hashed and never stored in plain text)
Subscription and billing information (payment details are processed by Stripe and not stored on our servers)
Property listings, tenant records, maintenance requests, and other data you input into the platform
Usage data such as features accessed and actions taken within the platform

Tenants and applicants

When tenants or rental applicants interact with Esta AI through agency-branded forms, we may collect:

Full name, date of birth, nationality, email address, and phone number
Current and previous addresses, and current landlord details
Employment information including employer name, job title, annual income, and employment start date
Supporting documents such as payslips, bank statements, and employment letters
Open banking data (via TrueLayer) including income verification, transaction history, debt indicators, and financial patterns, only when you explicitly authorise this through the TrueLayer consent flow
Right-to-rent verification data
Maintenance reports and associated images or descriptions

Website visitors

When you visit our website, we collect:

Contact form submissions (name, email, agency name, message)
Essential cookies required for the site to function (see our Cookie Policy)

3. How we use your data

We use your personal data to:

Provide and maintain the Esta AI platform, including AI-powered features such as property listing generation, enquiry classification, maintenance triage, and tenant vetting analysis
Process tenant applications and referencing on behalf of letting agencies
Publish property listings to portals such as Rightmove and Zoopla
Coordinate viewings and sync with calendar services
Track compliance certificates (EPC, Gas Safety, EICR) and send expiry alerts
Process subscription payments and manage your account
Send transactional emails (account verification, password resets, notifications)
Send SMS notifications for urgent matters (maintenance alerts, viewing reminders)
Respond to your enquiries and provide customer support
Improve our services and develop new features
Comply with legal obligations

AI processing

Esta AI uses artificial intelligence (powered by Anthropic's Claude API) to assist with property descriptions, document analysis, enquiry responses, and tenant vetting summaries. Your data is sent to Anthropic's API for processing. Anthropic does not use your data to train their models. AI outputs are assistive tools. Letting agents remain responsible for all decisions made using AI-generated content.

4. Lawful basis for processing

Under UK GDPR, we rely on the following lawful bases:

Purpose	Lawful basis
Providing the Esta AI service to agencies	Performance of a contract (Article 6(1)(b))
Processing tenant applications on behalf of agencies	Legitimate interests of the agency (Article 6(1)(f))
Open banking data for tenant vetting	Explicit consent (Article 6(1)(a))
Compliance certificate tracking	Legal obligation (Article 6(1)(c))
Sending marketing communications	Consent (Article 6(1)(a))
Fraud prevention and platform security	Legitimate interests (Article 6(1)(f))
Responding to enquiries	Legitimate interests (Article 6(1)(f))

Where we process data on behalf of letting agencies (e.g. tenant applications, maintenance reports), the agency is the data controller and Esta AI acts as a data processor. Agencies are responsible for ensuring they have the appropriate lawful basis to collect and process tenant data.

5. Who we share your data with

We share your personal data only where necessary to provide our service. We never sell your data. Our sub-processors include:

Provider	Purpose	Location
Supabase	Database hosting, authentication, file storage	United Kingdom
Stripe	Payment processing and subscription billing	EU/US (PCI-DSS compliant)
Anthropic	AI processing (property descriptions, document analysis, enquiry classification)	United States
TrueLayer	Open banking data for tenant income verification	United Kingdom
Rightmove	Property listing publication and lead import	United Kingdom
Zoopla (ZPG)	Property listing publication	United Kingdom
Resend	Transactional email delivery	United States
Twilio	SMS notifications	United States
Google	Calendar integration for viewing coordination	EU/US
Inngest	Background job processing	United States

We may also share data where required by law, to comply with legal proceedings, or to protect our rights.

6. International data transfers

Your core data is hosted in the United Kingdom via Supabase. However, some of our sub-processors are based in the United States (Anthropic, Resend, Twilio, Inngest). Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including:

UK International Data Transfer Agreement (IDTA) or Addendum
Standard Contractual Clauses (SCCs) approved by the ICO
Adequacy decisions where applicable

Anthropic (our AI provider) processes data sent via API calls in the United States. Data is transmitted over encrypted connections and is not retained by Anthropic for model training purposes.

7. Data retention

We retain personal data only for as long as necessary:

Data type	Retention period
Agency account data	Duration of subscription plus 12 months after cancellation
Tenant application data	Duration of tenancy plus 6 years (limitation period)
Open banking data	90 days after vetting decision, then deleted
Uploaded documents	Duration of tenancy plus 6 years
Contact form submissions	12 months
Compliance certificates	Duration of subscription plus 6 years

When retention periods expire, data is securely deleted or anonymised.

8. Your rights

Under UK GDPR, you have the right to:

Access: request a copy of the personal data we hold about you
Rectification: ask us to correct inaccurate or incomplete data
Erasure: ask us to delete your personal data where there is no compelling reason to continue processing
Restrict processing: ask us to limit how we use your data
Data portability: request your data in a structured, commonly used format
Object: object to processing based on legitimate interests
Withdraw consent: where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at privacy@estaai.co.uk. We will respond within one month.

Note for tenants: If you submitted an application through an agency's form on Esta AI, the agency is the data controller for that data. Please contact the agency directly in the first instance. We will assist where we can.

9. Cookies

We use essential cookies required for the platform to function (authentication sessions). For full details, see our Cookie Policy.

10. Children

Esta AI is a business-to-business service designed for letting agencies. We do not knowingly collect data from children under 18. If you believe a child's data has been submitted to us, please contact us immediately.

11. How to complain

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Helpline: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We encourage you to contact us first at privacy@estaai.co.uk so we can try to resolve your concern directly.

12. Changes to this policy

We may update this privacy policy from time to time. Material changes will be communicated via email or a notice on our platform. We encourage you to review this page periodically.