Privacy Policy

Version: 1

Privacy Policy for Doorap

Last Updated: 23 June 2026

1. Introduction

Welcome to Doorap. This Privacy Policy explains how we collect, use, and protect personal data across our property management operating system and website (doorap.com). Our privacy practices are fully aligned with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the updated provisions of the Data (Use and Access) Act 2026 (DUAA), which received Royal Assent and came into force on 19 June 2026.

2. Our Role: Controller vs. Processor

  • Data Controller: When collecting information directly from our business customers (e.g., property directors and letting agencies across London and the UK) for account management, billing, and system access, Doorap acts as the Data Controller.

  • Data Processor: When our platform is used to store and manage tenant communications, lease agreements, or property owner details, Doorap acts as the Data Processor. The property agency or landlord remains the Data Controller responsible for obtaining lawful consent from their tenants.

3. Information We Collect

We collect data strictly necessary to unify your property operations:

  • Customer Information: Names, business emails, company addresses, and payment details processed via Stripe.

  • Operational Data: Tenant correspondence, maintenance dispatch histories, and financial records parsed through our Open Banking integrations.

  • Technical Data: IP addresses, browser types, and user interaction metrics with the platform dashboard.

4. Lawful Bases for Processing

We rely on the following legal grounds to process your information:

  • Contractual Necessity: To provide the core functionality of the platform, including dashboard access and customer support.

  • Recognised Legitimate Interests: As defined under the DUAA 2026, we process data to safeguard our systems, prevent fraudulent activity, and ensure the ongoing security of our network.

  • Consent: For direct marketing or promotional communications, where explicit consent has been provided.

5. Artificial Intelligence & Automated Decision-Making

Our platform utilises the AI assistant, Dori, to triage incoming tenant queries, coordinate maintenance repairs, and automate routine administrative workflows.

  • DUAA 2026 Compliance: In line with updated UK law, we deploy these automated systems based on legitimate operational interests for non-sensitive personal data.

  • Safeguards: We ensure appropriate safeguards are actively maintained; users retain the right to contest automated categorisations and may easily obtain human intervention upon request.

6. Data Sharing & Third Parties

We do not sell personal information. We share data solely with trusted third-party providers essential to unifying your tech stack:

  • Financial Infrastructure: Stripe for secure subscription billing, and Open Banking APIs for live rent reconciliation.

  • Hosting Providers: Secure cloud infrastructure partners located within the UK or European Economic Area (EEA).

7. Cookies & Tracking

Following the amended Privacy and Electronic Communications Regulations (PECR) under the DUAA 2026, our cookie practices are structured as follows:

  • Strictly Necessary: Essential cookies for session management and platform security remain active by default.

  • First-Party Analytics & Functionality: Cookies used solely for statistical purposes to improve the service, as well as those used to adapt the platform to user preferences, no longer require active opt-in consent; however, full transparency and clear opt-out mechanisms are provided.

  • Advertising: Explicit opt-in consent is strictly required before any targeted marketing or cross-site tracking cookies are deployed.

8. Data Retention

We retain customer account data for the duration of the active subscription, plus a standard period of up to six years to satisfy UK tax and legal obligations. Tenant data processed on behalf of our B2B customers is retained strictly according to the customer's documented instructions or until the termination of the overarching service agreement.

9. Your Data Protection Rights

Under UK law, you maintain several rights regarding your personal data, including the right of access, rectification, erasure, and data portability.

  • Data Subject Access Requests (DSARs): In response to a DSAR, we are legally required to conduct a "reasonable search" for the requested information. If your request is particularly broad or complex, the statutory one-month response period may be paused (the clock is stopped) while we seek necessary clarification from you.

10. Mandatory Complaints Procedure

In accordance with the DUAA 2026 reforms designed to streamline dispute resolution, we maintain a formal internal data protection complaint-handling process.

  • Raising a Concern: Individuals have the right to raise data protection complaints directly with our organisation. You can submit a formal complaint by contacting our Data Protection Officer at [Insert Email Address].

  • Investigation: We will acknowledge receipt, take appropriate steps to investigate the matter without undue delay, and keep you informed of the outcome.

  • Escalation: You retain the continuing, independent right to escalate unresolved complaints directly to the Information Commissioner's Office (ICO) at ico.org.uk.

11. Security Measures

We maintain rigorous technical and organisational controls to ensure the integrity and confidentiality of all stored data. This includes encryption at rest and in transit, multi-factor authentication for administrative access, and regular security reviews. Furthermore, we maintain comprehensive breach registers documenting all security incidents, regardless of whether they meet the 72-hour threshold for mandatory ICO notification.

12. Contact Information

For privacy-related inquiries, to exercise your data rights, or to submit a formal data protection complaint, please reach out to us:

  • Email: team@doorap.com
