Skip to main content
Effective date: 5 April 2026
Last updated: 5 April 2026

1. Our Commitment

PropOps Technologies Ltd is committed to protecting personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This statement outlines how PropOps products fulfil data protection obligations. PropOps Technologies Ltd develops two separate products:
  • PropOps Web — a self-hosted property-operations platform for SMBs, distributed as a Docker image.
  • PropOps iOS — a native iOS application for solo contractors, distributed via the Apple App Store.
PropOps Technologies Ltd does not collect, store, or have access to personal data from either product. PropOps Web data resides on the operator’s own infrastructure. PropOps iOS data resides in the user’s personal Apple CloudKit / iCloud account.

2. Roles

ProductRoleControllerNotes
PropOps WebOperatorThe organisation operating the instance is the data controller for all personal data within itPropOps Technologies Ltd acts as a processor only when explicitly processing data on behalf of the operator (e.g. support tickets involving personal data)
PropOps iOSUserThe individual user is the data controller for their own data stored in Apple CloudKit / iCloudPropOps Technologies Ltd does not access, process, or store any user data
BothPropOps Technologies LtdPropOps is only a data controller for data it directly manages (e.g. licence records, support interactions)
For processing where we act as a processor, our obligations are formalised in our Data Processing Agreement.

3. Data Protection Principles

We adhere to the seven key principles of the UK GDPR:

Lawfulness, Fairness & Transparency

Data is processed lawfully, fairly, and transparently. Our Privacy Policy explains how and why we process data.

Purpose Limitation

Data is collected for specified, explicit, and legitimate purposes and not further processed in an incompatible manner.

Data Minimisation

We collect only the data necessary for the stated purpose. Optional fields are clearly marked.

Accuracy

Users can update their data at any time through the Service. Administrators can correct records on behalf of data subjects.

Storage Limitation

Retention periods are defined per data category (see Privacy Policy § 6). Expired data is purged automatically.

Integrity & Confidentiality

Technical and organisational measures protect data against unauthorised access, loss, or destruction.

Accountability

We maintain records of processing activities, conduct impact assessments where required, and can demonstrate compliance on request.

4. Lawful Bases for Processing

We rely on the following legal bases:
  • Performance of a contract — processing necessary to deliver the Service (Art. 6(1)(b)).
  • Legitimate interests — analytics, security monitoring, and product improvement where these do not override data subject rights (Art. 6(1)(f)).
  • Legal obligation — compliance with tax, regulatory, and law-enforcement requirements (Art. 6(1)(c)).
  • Consent — optional marketing communications and non-essential cookies (Art. 6(1)(a)).

5. Data Subject Rights

PropOps Web includes built-in tools that enable the operating organisation to fulfil data-subject rights:
RightHow the Software Supports It
Right of access (Art. 15)Users can view their data in-app. Administrators can generate Subject Access Request reports.
Right to rectification (Art. 16)Users and administrators can update records directly.
Right to erasure (Art. 17)Account deletion and data purge tools are available, subject to legal retention obligations.
Right to restrict processing (Art. 18)Processing can be restricted on request while a dispute is resolved.
Right to data portability (Art. 20)GDPR data export is available from the tenant management section, generating a machine-readable report.
Right to object (Art. 21)Users may object to processing based on legitimate interest.
Rights related to automated decision-making (Art. 22)AI-powered features produce recommendations only — no solely automated decisions with legal effect are made.
PropOps Technologies Ltd does not hold, store, or have access to any personal data within your PropOps Web instance. This includes data relating to users, tenants, landlords, letting agents, contractors, and any other individuals.To exercise any data subject right — including the right to be forgotten, subject access requests, or data portability — you must contact the company or organisation operating the PropOps Web instance that holds your data, not PropOps Technologies Ltd.PropOps Technologies Ltd cannot retrieve, modify, export, or delete data from any customer instance.

6. Technical & Organisational Measures

6.1 Encryption

  • At rest — PII fields are encrypted with XSalsa20-Poly1305 (libsodium). Encryption keys are stored separately from encrypted data.
  • In transit — All connections use TLS 1.2 or higher.

6.2 Access Control

  • 402 API permission keys controlling endpoint access.
  • 103 page permission keys controlling UI access.
  • 45 document permission keys controlling file access.
  • Five staff roles with principle-of-least-privilege defaults.

6.3 Session Security

  • Sessions are bound to IP address and user agent.
  • Session blacklisting and forced logout are available.
  • Idle sessions are terminated automatically.

6.4 Monitoring & Integrity

  • File integrity monitoring with hash-based detection.
  • Activity and audit logging (encrypted, 84-month retention).
  • Password breach scanning against known databases.
  • API health monitoring and rate limiting.

7. Data Breach Procedures

In the event of a personal data breach:
  1. Detection — automated monitoring and manual reporting channels.
  2. Assessment — severity and scope evaluated within 24 hours.
  3. Notification — the ICO is notified within 72 hours if the breach poses a risk to data subjects. Affected data subjects are notified without undue delay if the risk is high.
  4. Remediation — root cause analysis and corrective measures.
  5. Documentation — all breaches are recorded in the breach register regardless of severity.

8. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) before introducing:
  • New processing activities involving large-scale personal data.
  • AI or automated profiling features.
  • Processing of special category data.
  • Systematic monitoring of publicly accessible areas.

9. International Transfers

9.1 PropOps Web

PropOps Web is self-hosted — all data resides on the operator’s infrastructure. If you deploy outside the United Kingdom, it is your responsibility to ensure appropriate safeguards are in place. The only data transmitted to PropOps Technologies Ltd is a periodic licence validation check, which contains no personal data. Where PropOps Web integrates with third-party services configured by the operator (e.g. AI analysis via Google Gemini), data transfers to those services are the operator’s responsibility.

9.2 PropOps iOS

PropOps iOS data is stored in Apple CloudKit. Apple may store data in data centres globally in accordance with Apple’s own GDPR commitments and data processing practices. PropOps Technologies Ltd does not control where Apple stores your data. For details on Apple’s international data transfers, see Apple’s Privacy Policy.

10. PropOps iOS — GDPR Compliance

10.1 Data Architecture

PropOps iOS stores all user data exclusively in the user’s personal Apple CloudKit container:
  • PropOps Technologies Ltd does not operate servers, databases, or backend systems for PropOps iOS.
  • PropOps Technologies Ltd has no access to any data created, stored, or managed within PropOps iOS.
  • All data is secured by Apple’s infrastructure, including encryption at rest and in transit.

10.2 Data Subject Rights (PropOps iOS)

Since PropOps Technologies Ltd holds no personal data from PropOps iOS users:
RightHow It Is Supported
Right of access (Art. 15)Users can view all their data directly within the app.
Right to rectification (Art. 16)Users can edit any record within the app.
Right to erasure (Art. 17)Users can delete data within the app or via iCloud settings. Deleting the app and clearing iCloud data removes all data.
Right to data portability (Art. 20)Data can be exported from within the app.
Right to object (Art. 21)No data is processed by PropOps Technologies Ltd, so there is no processing to object to.
PropOps Technologies Ltd does not hold, store, or have access to any data from PropOps iOS. All data resides in your personal Apple iCloud / CloudKit account. To exercise any data subject right, manage your data directly within the app or through your Apple iCloud settings.

10.3 Security Measures (PropOps iOS)

  • Encryption at rest — provided by Apple CloudKit.
  • Encryption in transit — all CloudKit communication uses TLS.
  • Access control — only your Apple ID can access your CloudKit data.
  • Device security — iOS device encryption, Face ID / Touch ID, and passcode protection.
  • App security — PropOps iOS is distributed exclusively via the App Store and subject to Apple’s app review process.

11. Contact

For enquiries about PropOps products’ data protection features or GDPR capabilities:

PropOps Technologies Ltd
Email: privacy@propops.app
This contact is for enquiries about PropOps products. If you are a user of PropOps Web seeking to exercise data subject rights over your personal data, contact the organisation operating the PropOps Web instance that holds your data — not PropOps Technologies Ltd. If you are a PropOps iOS user, manage your data directly within the app or through your Apple iCloud settings.