Privacy & Data Security
Security-first infrastructure for professional portfolio landlords
High-level overview only. For legal terms, see our Privacy Policy and Data Processing Addendum.
At a Glance
- Secure, session-based authentication via Supabase Auth
- All data transmitted over TLS 1.2+ encryption
- Role-based access: your data is never shared between landlord accounts
- Payment processing handled entirely by Stripe — no card data touches our servers
- Documents stored in access-controlled, encrypted object storage
- Audit logs maintained for compliance-critical actions within your account
Data Controller & Processor Roles
Under UK GDPR, Lease Ward operates as a data processor on your behalf. You, the landlord, are the data controller for the personal data of your tenants that you enter into the platform.
This distinction matters: you remain responsible for the lawful basis under which you collect and process tenant data. Lease Ward provides the infrastructure and tooling to manage that data securely, in accordance with your instructions.
Our Data Processing Addendum (DPA) formalises this relationship and sets out the obligations of each party. It is available on request and forms part of our Terms of Service for all subscribers.
Access Control & Authentication
All accounts are protected by secure email/password authentication managed through Supabase Auth, which uses industry-standard JWT-based sessions with short expiry windows.
Row-level security (RLS) policies are enforced at the database layer, meaning each landlord can only ever read and write their own data. There is no shared data model between accounts — isolation is structural, not just application-level.
- Password reset flows use time-limited, single-use email tokens
- Sessions are invalidated on logout and after inactivity periods
- Admin access is restricted to named Lease Ward staff only, with audit logging
- No shared credentials or API keys are exposed client-side
Encryption in Transit & At Rest
All communication between your browser and Lease Ward servers occurs over HTTPS using TLS 1.2 or higher. Plain HTTP connections are rejected at the infrastructure level.
Data at rest — including database records, uploaded documents, and compliance files — is encrypted using AES-256 by our storage and database providers. This includes property data, tenancy agreements, and all uploaded compliance documentation.
Encryption keys are managed by Supabase and Vercel, both of which maintain their own security certifications and key management practices.
Payment Data Handling
Lease Ward does not store, process, or have access to your card or banking details. All payment processing is handled exclusively by Stripe, a PCI DSS Level 1 certified payment processor.
When you subscribe, you are redirected to a Stripe-hosted checkout or billing portal. Lease Ward receives only a subscription status token — never raw payment credentials.
- Stripe manages all card tokenisation and 3D Secure authentication
- Invoices and receipts are accessible directly from your billing dashboard
- Subscription changes and cancellations are processed via the Stripe portal
Infrastructure Providers
Lease Ward is built on a carefully selected stack of enterprise-grade providers, each chosen for their security posture and compliance track record.
Supabase — Database & Authentication
Managed PostgreSQL with row-level security, encrypted storage, and SOC 2 Type II compliance. EU region hosting available.
Vercel — Application Hosting
Globally distributed edge network with automatic HTTPS, DDoS mitigation, and SOC 2 Type II certification.
Stripe — Payment Processing
PCI DSS Level 1 certified. The gold standard for subscription billing and payment security.
No personal data is transferred outside the UK/EEA without appropriate safeguards (Standard Contractual Clauses or adequacy decisions) in place with each provider.
Data Minimisation
Lease Ward collects only what is necessary for the platform to function. We do not build advertising profiles, sell data to third parties, or use tenant data for any purpose other than providing the service to you.
Fields you populate — tenant names, addresses, rent amounts, compliance document metadata — are stored solely to power the risk management and compliance features you have signed up for.
- No third-party analytics SDKs with persistent tracking
- Error logging captures stack traces only — no personal field values
- Support communications are handled via a separate channel, not in-app
Audit Trails & Evidence Integrity
For landlords operating in a regulated environment, evidence of compliance actions is often as important as the actions themselves. Lease Ward maintains internal audit logs for key events within your account.
These logs record what changed, when it changed, and which user session triggered the change. They are used to support dispute resolution and regulatory enquiries.
Audit logs within Lease Ward record compliance document uploads, notice generation events, lease agreement changes, and task completions. This creates a structured timeline of your compliance activity — valuable in the event of a tenant dispute, local authority inspection, or legal proceeding.
- Logs are immutable once written — they cannot be edited or deleted by users
- Timestamps are server-side, not client-controlled
- Audit records are retained for the duration of your subscription
Data Retention & Deletion
Active account data is retained for as long as your subscription remains live. If you cancel your subscription, your data is retained for a short grace period to allow for reactivation or export.
Following the grace period, personal data is deleted from production systems in accordance with our retention schedule. Backups are rotated on a rolling basis and do not persist indefinitely.
- You can request an account data export at any time by contacting us
- Deletion requests are fulfilled within 30 days of confirmation
- Certain records (e.g. billing history) may be retained longer where legally required
Transparency & Your Rights
Under UK GDPR, you have rights over your personal data, including the rights of access, rectification, erasure, restriction of processing, and data portability.
To exercise any of these rights, contact us via the address listed in our Privacy Policy. We aim to respond to all data rights requests within 30 days.
- Right of access — request a copy of the data we hold about you
- Right to rectification — correct inaccurate personal data
- Right to erasure — request deletion of your personal data
- Right to restrict processing — limit how we use your data
- Right to data portability — receive your data in a structured format
- Right to complain — you may lodge a complaint with the ICO at ico.org.uk
Important Clarification
This page provides a high-level summary of Lease Ward's security and privacy practices. It is not a legal document and does not constitute legal advice. For binding terms, refer to our Privacy Policy and Data Processing Addendum. If you have specific compliance requirements or due diligence questions, please contact us.
Protect your portfolio with confidence
Lease Ward is built for landlords who take compliance and risk seriously. Secure infrastructure, structured data, and full auditability — out of the box.
Request Founding Member Access
Founding member pricing locked for life. Limited to 20 landlords.