Skip to main content
Effective date: 5 April 2026
Last updated: 5 April 2026

1. Overview

This Data Processing Agreement (“DPA”) sets out the data processing responsibilities that apply to users of PropOps products. It supplements and forms part of the Terms of Service and is governed by the UK GDPR and Data Protection Act 2018. PropOps Technologies Ltd develops two separate products:
  • PropOps Web — a self-hosted property-operations platform for SMBs, distributed as a Docker image.
  • PropOps iOS — a native iOS application for solo contractors, distributed via the Apple App Store.
PropOps Technologies Ltd is not a data processor for either product. PropOps Web data is managed entirely by the Licensee on their own infrastructure. PropOps iOS data is stored exclusively in the user’s personal Apple CloudKit / iCloud account. PropOps Technologies Ltd has no access to data from either product.

2. Definitions

TermMeaning
Personal DataAny information relating to an identified or identifiable natural person processed through PropOps Web
ProcessingAny operation performed on Personal Data — collection, storage, retrieval, use, disclosure, erasure, etc.
Data ControllerThe Licensee — the organisation that determines the purposes and means of processing Personal Data within their PropOps Web instance
Data SubjectThe individual to whom Personal Data relates
Supervisory AuthorityThe UK Information Commissioner’s Office (ICO)

3. PropOps Technologies Ltd’s Position

PropOps Technologies Ltd:
  • Develops and distributes PropOps Web as a self-hosted Docker image.
  • Does not host, access, manage, process, or store any personal data from any customer instance.
  • Does not act as a data processor on behalf of the Licensee.
  • Has no technical access to any PropOps Web instance or its database.
  • Receives only a licence key, domain, and instance identifier during periodic licence validation — no personal data is transmitted.
The only personal data PropOps Technologies Ltd holds directly is limited to:
  • Licence holder contact details — name, email address, and organisation name for licence administration.
  • Support correspondence — any data voluntarily provided by the Licensee when contacting support.
For this limited data, PropOps Technologies Ltd acts as an independent data controller under its own Privacy Policy.

4. Licensee Obligations as Data Controller

As the data controller for all personal data within their PropOps Web instance, the Licensee is responsible for:

4.1 ICO Registration

All PropOps Web Licensees that process personal data are required to register with the Information Commissioner’s Office (ICO) as a data controller. This is a legal requirement under UK data protection law.Registration can be completed at ico.org.uk/registration.

4.2 Lawful Processing

  • Ensuring there is a lawful basis (Art. 6 UK GDPR) for all processing of personal data within the Service.
  • Maintaining a Record of Processing Activities (ROPA) as required under Art. 30 UK GDPR.
  • Conducting Data Protection Impact Assessments (DPIAs) where processing is likely to result in high risk to data subjects.

4.3 Data Subject Rights

  • Responding to data subject requests (access, rectification, erasure, restriction, portability, objection) within the timeframes required by law.
  • Using the built-in tools within PropOps Web to fulfil these requests (data export, account deletion, record correction).
  • Providing a clear privacy notice to all individuals whose data is processed within the Service.
PropOps Technologies Ltd cannot assist with data subject requests as it has no access to instance data. All requests must be handled by the Licensee directly.

4.4 Data Security

  • Deploying PropOps Web behind HTTPS with a valid TLS certificate.
  • Keeping the host operating system, Docker, and all dependencies up to date.
  • Applying PropOps Web security patches promptly.
  • Using strong, unique passwords for all accounts.
  • Configuring firewalls and network security appropriate to the deployment.
  • Using the built-in role-based permission system to enforce least-privilege access.
  • Maintaining the encryption of PII fields (XSalsa20-Poly1305) as provided by the Software.

4.5 Data Breach Management

  • Detecting and investigating personal data breaches within their infrastructure.
  • Notifying the ICO within 72 hours of becoming aware of a breach that poses a risk to data subjects (Art. 33 UK GDPR).
  • Notifying affected data subjects without undue delay where the breach is likely to result in high risk (Art. 34 UK GDPR).
  • Maintaining a breach register.

4.6 Data Retention & Deletion

  • Defining and enforcing data retention periods appropriate to their business and legal obligations.
  • Using the retention and deletion tools built into PropOps Web.
  • Managing their own backups, including secure storage, retention schedules, and restoration testing.

5. Sub-processors

The Licensee is responsible for any third-party services they configure within their PropOps Web instance. Common sub-processors may include:
Sub-processorPurposeResponsibility
Hosting providerServer infrastructureLicensee selects and manages
Email delivery serviceTransactional email sendingLicensee configures
Google (Gemini)AI-powered analysis and insightsLicensee enables and configures
Push notification serviceWeb and mobile push notificationsLicensee configures
XeroAccounting integration (planned)Licensee configures
The Licensee must:
  • Ensure appropriate data processing agreements are in place with any sub-processors they engage.
  • Assess and document the data protection practices of their chosen sub-processors.
  • Ensure international transfers (where applicable) are covered by appropriate safeguards (UK IDTA, SCCs, or adequacy decisions).
PropOps Technologies Ltd is listed below as it receives limited data during licence validation:
Data ReceivedPurposeLocation
Licence key, domain, instance identifierLicence validationUnited Kingdom
No personal data is included in the licence validation check.

6. International Transfers

PropOps Web is self-hosted — all data resides on the Licensee’s infrastructure. If the Licensee deploys outside the United Kingdom or configures integrations that transfer data internationally, the Licensee is responsible for ensuring appropriate safeguards are in place, such as:
  • UK International Data Transfer Agreement (IDTA).
  • UK Addendum to EU Standard Contractual Clauses.
  • Adequacy decisions by the UK Secretary of State.
PropOps Technologies Ltd does not transfer or have access to any instance data.

7. Audit & Accountability

The Licensee should:
  • Maintain records of processing activities.
  • Be able to demonstrate compliance with UK GDPR to the ICO upon request.
  • Appoint a Data Protection Officer (DPO) where required by Art. 37 UK GDPR.
  • Provide data protection training to staff who access personal data within PropOps Web.

8. Liability

PropOps Technologies Ltd accepts no liability for:
  • Data breaches, data loss, or unauthorised access arising from the Licensee’s infrastructure, configuration, or negligence.
  • The Licensee’s failure to register with the ICO or comply with data protection law.
  • Inadequate backup practices or failure to apply security updates.
  • Processing carried out by the Licensee or their chosen sub-processors.
Liability is subject to the limitations set out in the Terms of Service.

9. Term

This DPA is effective for the duration of the Licensee’s licence (PropOps Web) or subscription (PropOps iOS) and applies for as long as the user processes personal data within the relevant PropOps product.

10. PropOps iOS — Data Processing Position

10.1 PropOps Technologies Ltd’s Position (PropOps iOS)

PropOps Technologies Ltd:
  • Develops and distributes PropOps iOS via the Apple App Store.
  • Does not operate servers, databases, or backend systems for PropOps iOS.
  • Does not collect, receive, store, process, or have access to any data created within PropOps iOS.
  • Does not act as a data controller or data processor for PropOps iOS user data.
All data created within PropOps iOS is stored exclusively in the user’s personal Apple CloudKit container, secured by Apple’s infrastructure.

10.2 User’s Position (PropOps iOS)

The PropOps iOS user is the data controller for any personal data they store within the app. The user is responsible for:
  • Ensuring they have a lawful basis for storing any personal data about third parties (e.g. client contact details).
  • Managing and deleting data within the app or via iCloud settings.
  • Complying with applicable data protection laws relevant to their use.

10.3 Apple’s Position

Apple acts as an infrastructure provider for CloudKit. Apple’s data processing practices are governed by: PropOps Technologies Ltd does not control Apple’s data processing practices and accepts no responsibility for Apple’s handling of CloudKit data.

10.4 Payments (PropOps iOS)

All subscription and purchase payments are processed by Apple via StoreKit. PropOps Technologies Ltd does not receive, process, or store payment card details or Apple ID credentials.

11. Contact

For enquiries about this DPA or PropOps Web’s data protection features:

PropOps Technologies Ltd
Email: privacy@propops.app
This contact is for enquiries about PropOps Web as a product. If you are a data subject seeking to exercise your rights, contact the organisation operating the PropOps Web instance that holds your data.