Privacy

Privacy Policy

How HSE Property Checks Ltd collects, uses, stores, protects and shares your personal data, in plain English, under the UK GDPR and the Data Protection Act 2018.

Effective from21 April 2026

Data controllerHSE Property Checks Ltd

Company no.13723060

1.Who we are

HSE Property Checks Ltd ("HSE", "we", "us", "our") is a company registered in England and Wales under company number 13723060, with its registered office at 28 Skylines Village, Limeharbour, London E14 9TS. We are the data controller for the personal data described in this policy.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, our Data Protection point of contact is info@hsepropertychecks.co.uk.

ICO registration. HSE Property Checks Ltd is in the process of registering with the Information Commissioner's Office (ICO) as required under the Data Protection (Charges and Information) Regulations 2018. Our ICO registration number will be published here once issued: [ICO registration number, pending]. In the interim, the rights and protections set out in this policy apply in full.

2.What this policy covers

This policy applies when you:

visit our website at hsepropertychecks.co.uk;
request a quote, book a service or ask us a question by telephone, email, WhatsApp, web form or any third-party directory (such as Bark);
engage us to deliver a fire safety or property compliance service at a premises you own, control or manage;
are a resident, tenant, employee or visitor at a property where we carry out an inspection or assessment.

It does not cover the internal privacy practices of third-party websites we link to, or of managing agents / landlords who commission us, they are responsible for their own privacy notices to their residents and tenants.

3.What personal data we collect

The personal data we process depends on how you interact with us. In most engagements this is limited to ordinary contact data and information about the premises; it is not sensitive.

Enquirers and clients

Name, job title and organisation;
Contact details, postal address, email address, telephone and mobile numbers;
Property address(es) and access details relevant to the requested service;
Information you volunteer in the body of an enquiry (for example: building type, number of units, deadlines, enforcement correspondence you share with us);
Billing information, invoice address, purchase order references, and payment records. We do not store payment card numbers; card payments are processed by our payment provider.

Residents, tenants, employees and visitors at inspected premises

Names where recorded on door numbers, access logs or Personal Emergency Evacuation Plan (PEEP) records;
Mobility, evacuation and accessibility information, only where this is necessary to the fire strategy or PEEP and has been shared with us by the Responsible Person;
Photographs taken inside common parts and, where commissioned, inside individual dwellings or rooms, limited to what is needed to evidence a finding (we avoid capturing people in photographs wherever possible).

Special category data

We do not routinely collect "special category" personal data (health, ethnicity, religion, political opinions, trade union membership, biometric or genetic data, sex life or sexual orientation). Where PEEP information unavoidably includes health or disability information, we treat it as special category data and apply the additional safeguards set out in section 9.

Website technical data

When you browse the site, our hosting provider automatically logs technical data such as your IP address, browser type, operating system, referring URL, pages visited and the date and time of each request. This is used for security, abuse-prevention and aggregate analytics only, and is retained for short periods (see section 8).

4.How we collect it

Directly from you, through our web forms, emails, phone calls, WhatsApp messages, engagement letters, and at the point of site attendance.
From the person who commissioned us, for example, a managing agent who shares a resident's PEEP or access information so that we can carry out an inspection.
From third-party directories and introducers, such as Bark, Google, or a professional referral, when you use their quote-request form.
Automatically, through server logs when you visit our website.

5.Why we use it & our lawful bases

We only use personal data where we have a valid lawful basis under Article 6 (and, for special category data, Article 9) of the UK GDPR. The table below sets out our main purposes and the lawful basis for each.

Purpose	Lawful basis (Article 6)
Responding to your enquiry and preparing a quote	Steps taken at your request prior to entering a contract
Delivering the service you commission (FRA, fire door inspection, EICR, compliance package, remedial works, and so on)	Performance of a contract
Issuing certificates, reports and engagement letters; maintaining technical records	Performance of a contract; compliance with a legal obligation; legitimate interests in maintaining a defensible record of work
Evidencing compliance with the Regulatory Reform (Fire Safety) Order 2005, the Fire Safety Act 2021, the Building Safety Act 2022, the Housing Act 2004 and related statutory regimes	Compliance with a legal obligation; legitimate interests
Invoicing, payment collection, accounting and tax records	Compliance with a legal obligation (Companies Act 2006, Finance Acts, HMRC rules)
Defending legal claims; responding to regulators, fire and rescue services, insurers, enforcement officers, the Housing Ombudsman, the Regulator of Social Housing or the CQC where a premises we worked at is involved	Legitimate interests; compliance with a legal obligation
Writing to you about comparable services or renewal reminders we reasonably believe are useful to an existing or former client	Legitimate interests, with a clear opt-out in every message
Improving our services, internal training, reviewing anonymised findings	Legitimate interests

Where we rely on legitimate interests we carry out a balancing assessment to confirm our interest is not outweighed by your rights and freedoms. You can ask us for a copy of that assessment at any time.

We do not sell personal data, ever. We do not use personal data for automated decision-making with legal or similarly significant effects.

6.Who we share it with

We share personal data only with the following categories of recipient, and only to the extent necessary:

Our team and directly engaged associates, our named fire risk assessors, fire door inspectors, electrical engineers, installers and administrative staff, each bound by written confidentiality obligations.
Our processors (data processors acting on our instructions), our website host, our email and CRM provider, our accounting provider and our payment provider. Each is contracted under an Article 28 data processing agreement and may only process personal data in accordance with our written instructions.
The person who commissioned the work, for example, the managing agent or freeholder who receives the report on a block-of-flats engagement.
Regulators, enforcement authorities and public bodies, Fire and Rescue Services, local authority licensing teams, the Building Safety Regulator, the Housing Ombudsman, the Regulator of Social Housing, the CQC, HMRC, the ICO and the courts, where we are required or entitled by law to do so.
Our professional indemnity insurers and legal advisors, where necessary to defend a claim, respond to a complaint or obtain advice.
A successor organisation, in the event of a sale, merger, restructure or business transfer, in which case personal data is transferred under confidentiality and only to the extent necessary.

We do not share personal data with third parties for their own marketing purposes.

7.International transfers

We store and process personal data within the United Kingdom and the European Economic Area (EEA) wherever practicable. Where a processor we use (for example, an email or CRM platform) operates servers or support functions outside the UK/EEA, we put in place one of the transfer safeguards permitted by the UK GDPR, a UK adequacy regulation, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, together with any supplementary measures needed.

We can tell you which processors we currently use and where they are based on request.

8.How long we keep it

We do not keep personal data longer than we need it. Our default retention periods are set out below. Where a statutory, regulatory or insurance requirement demands longer retention, the longer period applies.

Category	Retention period
Enquiries that do not become engagements	12 months from last contact, then deleted
Client contact and billing records (contracts, invoices, payment records)	6 years from the end of the relevant accounting period (Companies Act 2006; Finance Acts)
Inspection and assessment reports (FRA, fire door, EICR, emergency lighting, legionella, FRAEW and remedial works records)	Minimum 6 years from issue; retained for the longer of (i) the lifetime of the building safety case or (ii) the limitation period under the Defective Premises Act 1972 (currently 30 years for works completed from 28 June 2022)
Photographs and site evidence attached to reports	Retained for the same period as the associated report
PEEP information received for a specific inspection	Retained only for as long as needed for that inspection cycle; superseded copies securely destroyed
Marketing email list	Until you unsubscribe, or 3 years of inactivity, whichever is sooner
Website server logs	Up to 90 days, then aggregated or deleted

When a retention period expires we securely delete electronic records and securely shred or pulp paper records.

9.How we protect it

We take the security of personal data seriously. Our safeguards include:

Encrypted laptops, mobile devices and backups; device-level passcodes and automatic lockout;
Cloud services selected for UK/EEA hosting and UK GDPR compliance, with two-factor authentication on all business accounts;
Role-based access, staff and associates only access data they need for the job they are carrying out;
Written confidentiality and data protection clauses in every engagement letter and contractor agreement;
Secure destruction at end of retention (cryptographic erasure for electronic records; cross-cut shredding or external certified destruction for paper records);
Regular review of who has access to which systems, and of any processor we use.

Despite these measures, no transmission over the internet is ever completely secure. If we ever become aware of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where the risk is high, we will notify affected individuals without undue delay.

10.Your rights

Under the UK GDPR you have the following rights in respect of your personal data. All are free of charge except in clearly unfounded or excessive cases.

Right of access, ask us for a copy of the personal data we hold about you (a "subject access request").
Right to rectification, ask us to correct information that is inaccurate or incomplete.
Right to erasure ("right to be forgotten"), ask us to delete your personal data where we no longer have a lawful basis to keep it. This right is not absolute, for example, we cannot delete inspection records we are required to keep under building safety, insurance or tax law.
Right to restrict processing, ask us to stop using your data while a question about it is resolved.
Right to data portability, ask us to provide data you gave us in a commonly-used machine-readable format, where we are processing it under consent or contract and by automated means.
Right to object, object to processing we carry out on the basis of legitimate interests, including direct marketing. Where you object to direct marketing we will stop immediately, always.
Right to withdraw consent, where consent is the lawful basis, you can withdraw it at any time.
Rights related to automated decision-making, we do not carry out automated decision-making with legal or similarly significant effects, so this right is not typically engaged.

To exercise any of these rights, email info@hsepropertychecks.co.uk with "Data rights request" in the subject line. We respond within one month; we may extend that by a further two months for complex requests, and we will always tell you if we do. We may ask you for reasonable proof of identity so that we do not disclose your data to someone else.

11.Cookies & tracking

Our website uses only strictly-necessary cookies for session management and to remember your consent choices. We do not currently deploy analytics, advertising or cross-site tracking cookies. If that changes we will update our Cookies Policy and, where required, ask for your consent first.

12.Changes to this policy

We may update this policy from time to time, for example, to reflect changes in our practice, the services we offer, or the law. When we make a material change we will update the "Effective from" date at the top of this page and, where appropriate, notify active clients by email. Earlier versions are retained and available on request.

13.Contact & complaints

For any question about this policy or the personal data we hold about you, contact us at:

Email, info@hsepropertychecks.co.uk
Telephone, 020 3488 2247
Post, Data Protection, HSE Property Checks Ltd, 28 Skylines Village, Limeharbour, London E14 9TS

If you are not satisfied with how we have handled your personal data, you have the right to complain to the Information Commissioner's Office, the UK's independent data protection regulator:

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113 · ico.org.uk

We would always prefer the chance to put things right first, so please contact us before lodging a complaint with the ICO where possible.