Privacy Policy
Last updated: 28 June 2026
1. Who we are
STEMHQ is operated by STEMHQ Ltd, a company registered in England and Wales. For the purposes of UK GDPR, STEMHQ Ltd is the data controller of personal data collected through our platform and website.
Contact us regarding this policy at hello@stemhq.co.uk.
2. What personal data we collect
We collect and process the following categories of personal data:
Account and identity data
Your full name, email address, account password (stored as a one-way bcrypt hash), account type, and subscription tier. Collected at registration.
Property and tenancy data
Property addresses, postcodes, rental amounts, tenancy start dates, and other property information you enter. This is your operational data.
Tenant data
Names, contact details (email, phone), National Insurance numbers, payment records, arrears history, and case notes for tenants you manage. You are the data controller of your tenants' personal data. STEMHQ processes it as your data processor under a data processing agreement incorporated into our Terms of Service. You are responsible for having a lawful basis to process your tenants' data.
Compliance and document data
Gas safety certificate dates, EPC ratings, EICR records, deposit protection details, and documents you upload (tenancy agreements, ID copies, legal notices).
Payment and billing data
Subscription status, billing interval, and Stripe customer reference. We do not store card numbers. All payment processing is handled by Stripe Payments Europe Ltd under their own privacy policy.
Usage and technical data
Pages visited, features used, browser type, IP address, and session identifiers. Used to maintain security, diagnose errors, and improve the product.
Communications
If you contact us by email or our contact form, we retain those communications to respond to your enquiry.
3. Legal basis for processing
We rely on the following lawful bases under UK GDPR Article 6:
- Contract performance (Art. 6(1)(b)): Processing your account and billing data to provide the service you have signed up for.
- Legitimate interests (Art. 6(1)(f)): Usage analytics and security monitoring to maintain platform integrity and improve the product. We have conducted a legitimate interests assessment and concluded these do not override your rights.
- Legal obligation (Art. 6(1)(c)): Retaining financial records as required by HMRC and applicable law.
- Consent (Art. 6(1)(a)): For optional analytics cookies, where you have given consent via our cookie banner.
4. How we use your data
- To create and manage your STEMHQ account.
- To provide the property management, compliance tracking, and legal document features of the platform.
- To process your subscription payments via Stripe.
- To send transactional emails (account confirmation, password reset, feature notifications) via Resend.
- To maintain platform security and detect fraudulent or abusive activity.
- To improve the platform through aggregated, anonymised usage analysis.
- To comply with legal obligations including responding to lawful requests from regulatory authorities.
We do not sell your personal data. We do not use your data for advertising. We do not profile you for automated decision-making that produces legal or significant effects.
5. Data sharing and third-party processors
We share data only with trusted third-party processors necessary to operate the platform. All processors are bound by data processing agreements and operate under equivalent data protection standards:
| Processor | Purpose | Location |
|---|---|---|
| Stripe Payments Europe Ltd | Subscription billing and payment processing | EU / UK |
| Resend Inc. | Transactional email delivery | USA (SCCs) |
| Infrastructure provider | Cloud hosting and database storage | EU |
We may disclose personal data to law enforcement or regulatory authorities where required by law.
6. International data transfers
Where personal data is transferred outside the UK or EU (for example to Resend Inc. in the USA), we rely on Standard Contractual Clauses (SCCs) approved by the UK ICO or European Commission, supplemented by transfer impact assessments where appropriate.
7. Data security
- All data is encrypted in transit using TLS 1.2 or higher (HTTPS enforced site-wide).
- Passwords are hashed using bcrypt with a per-user salt. Plain-text passwords are never stored or transmitted.
- Session tokens are cryptographically random and stored in HttpOnly, Secure, SameSite=Lax cookies.
- CSRF protection is enforced on all state-changing API endpoints via the double-submit cookie pattern.
- Your tenant data is isolated from other operators at the database level using row-level security policies. No operator can access another operator's data.
- Database backups are encrypted and stored in a separate geographic region.
- Access to production systems is restricted to authorised personnel via SSH key authentication only.
In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the ICO within 72 hours of becoming aware, as required by UK GDPR Article 33.
8. Data retention
We retain personal data for the following periods:
- Account and operational data: Retained for as long as your account is active.
- On account deletion: Your personal data and tenant data are permanently and irreversibly deleted within 30 days, except where retention is required by law.
- Payment records: Retained for 7 years to comply with HMRC financial record-keeping requirements.
- Security and access logs: Retained for 90 days.
- Support communications: Retained for 2 years after resolution.
9. Your rights under UK GDPR
You have the following rights regarding your personal data. To exercise any right, contact us at hello@stemhq.co.uk. We will respond within one calendar month.
- Right of access: Request a copy of all personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data where there is no compelling reason to continue processing it.
- Right to restriction: Request that we restrict processing of your data while a dispute is resolved.
- Right to data portability: Request a machine-readable export of the personal data you provided to us.
- Right to object: Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
- Rights related to automated decision-making: We do not carry out automated decision-making that produces legal or significant effects.
You also have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office (ICO), if you believe we have not handled your data lawfully.
10. Cookies
We use the following types of cookies:
Essential cookies (always active)
Session authentication token, CSRF token. Required for the platform to function. No consent required.
Functional cookies (default on, can be disabled)
Dark mode preference, sidebar collapse state, display settings. These are stored in localStorage, not transmitted to our servers.
Analytics cookies (default off, consent required)
Aggregate usage data to understand how the product is used. No advertising cookies are used. No data is sold or shared with advertising networks.
You can manage cookie preferences at any time via the Cookie Settings option in your account menu.
11. Children
STEMHQ is a professional business tool intended for adults. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected data from a minor, contact us immediately at hello@stemhq.co.uk.
12. Changes to this policy
We may update this Privacy Policy to reflect changes in law, our practices, or the platform. Material changes will be notified to you by email at least 14 days before they take effect. Continued use of STEMHQ after the effective date constitutes acceptance of the revised policy. The date at the top of this page always reflects the most recent revision.
13. Contact and complaints
For any privacy-related queries, requests, or complaints, contact us at hello@stemhq.co.uk.
If you are not satisfied with our response, you have the right to complain to the ICO: ico.org.uk/make-a-complaint or by calling 0303 123 1113.