If Walls Could Talk — Privacy Policy
Version: 0.2 (pre-launch draft — awaiting solicitor review)
Jurisdiction: England and Wales
Last reviewed: 2026-04-20
Status markers used below:
- [TODO: user - ...] — blocked on a fact only the founder can supply (company details, ICO reg, emails)
- [TODO: solicitor - ...] — requires qualified legal review before publication
Pre-launch release requires all [TODO: ...] markers to be resolved. Do not publish this document until every marker is cleared.
1. Who we are (controller identity)
If Walls Could Talk is operated by If Walls Could Talk CIC, registered in England and Wales (company number [TODO: user - insert on CIC Regulator approval]), registered address First Floor, Swan Buildings, 20 Swan Street, Manchester M4 5JW ("we", "us", "the Platform").
We are the data controller for personal data processed in connection with the Platform, as defined by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
ICO registration: We are registered with the Information Commissioner's Office (ICO) as a data controller. Our registration number is [TODO: user - register at ico.org.uk/registration (£40/year Tier 1), paste number here]. Registration must be completed before the Platform processes any personal data from users.
Data Protection contact: privacy@ifwallscouldtalk.uk.
Based on MVP scale and the fact we do not process special-category data (UK GDPR Article 9) or conduct large-scale monitoring, a formal Data Protection Officer is not mandatory under UK GDPR Article 37. A named Privacy Contact fulfils the equivalent function. We will revisit this if processing volumes, jurisdictions, or data types change materially. [TODO: solicitor - confirm DPO is not required based on processing profile at launch]
1.1 Compliance framework
This Privacy Policy operates within:
- UK GDPR and the Data Protection Act 2018 — data-controller obligations.
- ICO Content Moderation Guidance (February 2024) — because we moderate user-submitted reviews, a Data Protection Impact Assessment (DPIA) is maintained internally; content moderation is classified as high-risk processing requiring documented transparency, data-minimisation, and fairness safeguards. [TODO: solicitor - review DPIA before launch]
- Privacy and Electronic Communications Regulations 2003 (PECR) — cookies (see section 9).
- UK Data (Use and Access) Act 2025 — we monitor ongoing ICO guidance updates and will reflect material changes in this policy.
A comprehensive analysis of the legal regime is maintained internally in legal-context.md.
2. What personal data we collect
2.1 Account data
| Data item | When collected | Why |
|---|---|---|
| Email address | Account registration | Account management, verification, notifications |
| Password (hashed — never stored in plain text) | Account registration | Authentication |
| Tenancy year range (e.g. "2019–2021") | Review submission | Authenticity context for the review |
| Display name or "Anonymous" preference | Account settings | Controls what appears next to a review |
2.2 Review content
| Data item | When collected | Why |
|---|---|---|
| Star ratings (5 categories) | Review submission | Core product data |
| Free-text review comment | Review submission | Core product data |
| Property postcode | Review submission | Linking review to a property record |
| Submission timestamp | Review submission | Audit and moderation |
Review content is associated with your account internally. If you post under the anonymous option, your display identity is hidden from other users — but the review is still linked to your account in our internal records.
2.3 Technical data
| Data item | When collected | Why |
|---|---|---|
| IP address at submission | Each review submission | Fraud detection, duplicate-review prevention, defamation hold obligations |
| IP address at login | Each account login | Security, fraud detection |
| Device / browser type (User-Agent) | Each session | Security and debugging |
| Session cookies | Active session | Authentication |
At MVP launch, the Platform does not use analytics or tracking cookies — only strictly-necessary session cookies for authentication, which do not require consent under PECR. If analytics tooling is introduced in future (e.g. Plausible, PostHog), a cookie-consent mechanism compliant with the Privacy and Electronic Communications Regulations 2003 will be deployed first, and this section will be updated. [TODO: solicitor - confirm analytics posture and cookie banner trigger points before launch]
2.4 Data we deliberately do not collect
We do not ask for or store:
- Your full legal name (unless you choose to use it as your display name)
- Your home address
- Payment information (the Platform is free at MVP stage)
- Any special-category data (health, ethnicity, religion, etc.) under UK GDPR Article 9
3. Lawful basis for processing
We rely on the following lawful bases under UK GDPR Article 6:
3.1 Contract (Article 6(1)(b))
Processing your email address and account data is necessary to perform the contract between you and us (the Terms of Service). Specifically: creating your account, verifying your email, sending you notifications about your reviews, and allowing you to log in.
3.2 Legitimate interests (Article 6(1)(f))
We rely on legitimate interests for:
- Storing your identity linked to your review, even when you post anonymously. Our legitimate interest is: (a) preserving our ability to respond to valid legal complaints and defamation notices under Defamation Act 2013, Section 5; (b) preventing platform abuse and duplicate reviews; and (c) maintaining the integrity of the review record.
  We have assessed that this interest is not overridden by your privacy interests because: (i) your identity is never displayed to other users when you choose anonymous posting; (ii) it is disclosed only when legally required under the Defamation (Operators of Websites) Regulations 2013; and (iii) you are informed of this at the point of choosing the anonymous option. A formal Legitimate Interests Assessment (LIA) is retained internally as required by Article 6(1)(f). [TODO: solicitor - confirm LIA content and retention process meet ICO expectations]
- Storing IP addresses at submission and login for fraud detection and security purposes.
- Retaining anonymised review content after account deletion, to preserve the integrity of the property review record (see section 6).
3.3 Legal obligation (Article 6(1)(c))
We may process personal data where required to comply with a legal obligation, for example: responding to a valid court order, a request from a law enforcement authority with appropriate legal authority, or complying with our obligations under the Defamation (Operators of Websites) Regulations 2013.
4. How we use your data
| Purpose | Data used | Lawful basis |
|---|---|---|
| Creating and managing your account | Email, password hash | Contract |
| Verifying your email | Email | Contract |
| Publishing your review (anonymously or attributed) | Review content, display name | Contract |
| Responding to defamation complaints / Section 5 notices | Email, IP, review content | Legitimate interests / Legal obligation |
| Detecting duplicate or fake reviews | Email, IP, tenancy year range | Legitimate interests |
| Sending you moderation decisions about your review | Email | Contract |
| Security monitoring and fraud prevention | IP, User-Agent | Legitimate interests |
| Anonymised aggregate reporting (e.g. property score summaries) | Aggregated review ratings (no personal data) | N/A — not personal data once aggregated |
We do not use your data for:
- Advertising or marketing to third parties
- Automated decision-making that produces legal or similarly significant effects on you
- Sale or licensing of individual personal data to third parties
Anonymised aggregate data (property-level scores, neighbourhood benchmarks, market trends — with no personal data attached) may be licensed or shared with researchers, journalists, housing charities, councils, and policymakers in furtherance of our public-good mission. Once properly anonymised, this data is outside the scope of UK GDPR. [TODO: solicitor - confirm aggregation thresholds and anonymisation standard meet UK GDPR "truly anonymous" test]
If a future product introduces individual-data use cases (e.g. personalised recommendations that rely on preference data beyond the user's own session), we will seek explicit consent first and update this Privacy Policy accordingly.
5. Who we share your data with
5.1 Infrastructure providers
We use the following third-party services to operate the Platform. Each is a data processor acting under a data processing agreement:
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Web hosting, serverless functions, CDN | US-headquartered; UK/EU edge nodes |
| Supabase (Supabase Inc.) | Authentication, database (project region: eu-west-1, Ireland), storage | Ireland (EU) for our project data |
| Ideal Postcodes (ideal-postcodes.co.uk) | Address lookup / autocomplete — no personal data transmitted (only the text fragments users type) | UK |
| Resend Inc. | Transactional email (pending integration) | US |
[TODO: user - confirm this list matches the actual services wired up at launch; add analytics, Sentry, etc. when enabled]
International transfers. Supabase stores our project data in Ireland (EU, covered by UK adequacy). For US-based processors (Vercel, Resend), transfers rely on either:
- the UK Extension to the EU-US Data Privacy Framework where the processor is certified under it; or
- the UK International Data Transfer Addendum to EU Standard Contractual Clauses where not.
A Transfer Impact Assessment is maintained internally for each US transfer. [TODO: solicitor - complete and retain TIA for Vercel and Resend before launch, and advise whether additional safeguards are required]
5.2 Disclosure under legal compulsion
We will disclose personal data to law enforcement, courts, or regulatory authorities if required by a valid legal order or where we are otherwise under a legal obligation to do so. We will notify you of such a disclosure if we are legally permitted to do so.
5.3 Defamation complaints — reviewer identity
Where we receive a valid notice of complaint under the Defamation (Operators of Websites) Regulations 2013, we may disclose a reviewer's identity to the complainant only if the reviewer has consented to disclosure, or if a court order requires it. See the Moderation Policy and Terms of Service for the full procedure.
6. Retention
| Data category | Retention period | Reason |
|---|---|---|
| Email address | 2 years from account closure | Allows re-registration; satisfies legal hold for outstanding complaints |
| Password hash | Deleted on account closure | No further purpose |
| IP address (submission and login) | 2 years from the relevant event | Fraud detection; legal hold for defamation complaints (Defamation Act 2013 s.8 gives a 1-year limitation; we retain a safety margin) |
| Tenancy year range | Retained with the review; anonymised on account closure | Part of the published review record |
| Review content (published) | Indefinitely, in anonymised form after account closure | Preserves integrity of the property review record; no personal data remains once identity is severed |
| Review content (rejected / unpublished) | 90 days from rejection | Allows the reviewer to appeal; then deleted |
| Moderation decision logs | 3 years from decision date | Legal hold for potential defamation claims |
| Session cookies | Session duration (cleared on logout or after 30 days inactive) | Authentication only |
On account closure: your email address is flagged for deletion after the 2-year retention window. Your published reviews are anonymised — the link between your account and the review is severed. The review text and ratings remain live on the Platform because they form part of the historical record of the property and were published to other users in reliance on your submission.
Our anonymisation process removes the account-to-review link, the IP address, and any free-text content that could reasonably identify the reviewer. Tenancy year range and property postcode remain with the review (these are not themselves personal data). [TODO: solicitor - confirm this process meets the UK GDPR / ICO "truly anonymous" test and that residual re-identification risk from narrow combinations of postcode × tenancy year × review content is acceptable]
7. Your rights
Under UK GDPR Chapter III, you have the following rights:
| Right | What it means in practice |
|---|---|
| Access (Article 15) | You can request a copy of all personal data we hold about you |
| Rectification (Article 16) | You can ask us to correct inaccurate data (e.g. wrong email on file) |
| Erasure (Article 17) | You can ask us to delete your personal data — see the important nuance below |
| Restriction (Article 18) | You can ask us to pause processing while a dispute is resolved |
| Portability (Article 20) | You can ask for your data in a machine-readable format — applies to data you provided under contract or consent |
| Object (Article 21) | You can object to processing based on legitimate interests — we must stop unless we have compelling legitimate grounds that override your interests |
| Withdraw consent | Not currently applicable — we do not rely on consent as a lawful basis for any processing |
7.1 Right to erasure — the anonymisation nuance
If you close your account or submit an erasure request, we will delete your identifying data (email, IP, password hash) in accordance with the retention periods in section 6. We will anonymise your published reviews rather than delete them.
We do this because:
- The reviews were published to other users and form part of the public record of a specific property.
- Deleting anonymised reviews would deprive future tenants of legitimate information they may rely on.
- Once properly anonymised, the review content is no longer "personal data" under UK GDPR and the right to erasure does not apply to it.
If you have a specific reason why you believe your review must be deleted (not merely anonymised) — for example, because the review content itself reveals your identity in a way that cannot be redacted — contact us at privacy@ifwallscouldtalk.uk and we will assess your request. [TODO: solicitor - confirm the anonymisation-not-deletion position is defensible in the specific factual context of this platform]
7.2 How to exercise your rights
Submit requests to privacy@ifwallscouldtalk.uk. We will respond within one calendar month of receiving a valid and complete request (UK GDPR Article 12(3)). We may extend this by a further two months for complex requests, with notification.
We will not charge a fee for routine requests. We may charge a reasonable administrative fee for manifestly unfounded or excessive requests (UK GDPR Article 12(5)).
We may ask you to verify your identity before fulfilling a request.
7.3 Right to complain to the ICO
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
8. Security
We take the following measures to protect your personal data:
- Passwords are hashed using bcrypt via Supabase Auth (industry-standard work factor). Plain-text passwords are never stored or written to logs.
- Data in transit is encrypted using TLS 1.2 or higher (enforced at the Vercel edge and in Supabase client connections).
- Database access is controlled by Supabase row-level security (RLS) policies at the Postgres level: users can only read and modify their own records, except for published reviews which are publicly readable by design. Administrative access requires a separate admin flag and is restricted to named operators.
- Application credentials (Supabase service keys, Ideal Postcodes API key, etc.) are stored as environment variables in Vercel, never committed to the repository, and scoped per-environment.
- [TODO: user - draft a short Information Security Policy covering access control, incident response, provider due diligence, and breach notification before launch. Keep internally retained; reference here]
In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it (UK GDPR Article 33), and will notify affected individuals without undue delay where the risk is high (UK GDPR Article 34).
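As an added example (not the Platform's own schema or migrations), the following Supabase/Postgres SQL shows one way to implement the access model described in this section: deny-by-default RLS, users confined to their own rows, published reviews publicly readable, and moderation gated on an admin flag. Table and column names (profiles, reviews, is_admin, author_id, status) are assumptions.

```sql
-- Added example: illustrative Supabase/Postgres RLS setup, not the Platform's own schema.
-- Assumed tables and columns (profiles, reviews, is_admin, author_id, status) are hypothetical.
create table public.profiles (
  id           uuid primary key references auth.users (id) on delete cascade,
  display_name text,
  is_admin     boolean not null default false
);

create table public.reviews (
  id            uuid primary key default gen_random_uuid(),
  author_id     uuid references auth.users (id) on delete set null,
  postcode      text not null,
  status        text not null default 'pending'
                check (status in ('pending', 'published', 'rejected')),
  body          text,
  submitted_at  timestamptz not null default now()
);

-- With RLS enabled and no policies, every row is invisible: access is deny-by-default.
alter table public.profiles enable row level security;
alter table public.reviews  enable row level security;

-- Admin check runs as the function owner so it can read profiles regardless of RLS.
create function public.is_admin() returns boolean
language sql stable security definer set search_path = public as $$
  select coalesce((select is_admin from public.profiles where id = auth.uid()), false);
$$;

-- Profiles: each user sees and edits only their own row.
create policy "profiles: own row read"   on public.profiles for select using (auth.uid() = id);
create policy "profiles: own row update" on public.profiles for update
  using (auth.uid() = id) with check (auth.uid() = id);

-- RLS cannot restrict columns, so stop users promoting themselves via column-level grants.
revoke update on public.profiles from authenticated;
grant  update (display_name) on public.profiles to authenticated;

-- Reviews: published rows are public by design; pending drafts are private to their author.
create policy "reviews: published are public" on public.reviews for select
  using (status = 'published');
create policy "reviews: author reads own" on public.reviews for select
  using (auth.uid() = author_id);
create policy "reviews: author submits own" on public.reviews for insert
  with check (auth.uid() = author_id and status = 'pending');
-- Authors may edit only while pending and cannot flip status to 'published' themselves.
create policy "reviews: author edits pending" on public.reviews for update
  using (auth.uid() = author_id and status = 'pending')
  with check (auth.uid() = author_id and status = 'pending');

-- Moderation (status changes, rejection) is reserved for accounts carrying the admin flag.
create policy "reviews: admins moderate" on public.reviews for all
  using (public.is_admin()) with check (public.is_admin());
```

Note that policies are checked per role session, so a request made with the service key (which bypasses RLS) must never reach the client; it belongs only in server-side code, consistent with the environment-variable handling described above.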
9. Cookies and tracking
At MVP launch, the Platform uses only strictly-necessary cookies for session authentication. These do not require consent under PECR.
We do not currently use:
- Analytics cookies (Plausible, PostHog, Google Analytics, etc.)
- Advertising or remarketing cookies
- Third-party embed cookies that would collect data about visitors
If any of these change, we will update this section and deploy a cookie-consent mechanism first.
10. Children
The Platform is not directed at children under 18. We do not knowingly collect personal data from anyone under 18.
Account creation requires users to confirm they are 18 or over. If we become aware that we have collected data from a person under 18, we will delete it promptly. [TODO: solicitor - confirm whether stronger age-assurance (beyond a self-declared checkbox) is required for a platform of this profile]
11. Changes to this policy
We will notify registered users by email of any material changes to this Privacy Policy at least 30 days before changes take effect, or as soon as reasonably practicable where a change is required by law on shorter notice. The "Last reviewed" date at the top of this document will always reflect the most recent update.
12. Contact
All privacy and data protection queries: privacy@ifwallscouldtalk.uk
Postal address: First Floor, Swan Buildings, 20 Swan Street, Manchester M4 5JW