Privacy Policy

Last updated: 16 April 2026

This Privacy Policy explains how PortfolioHub (“we”, “us”, “our”) collects, uses, and looks after your personal data when you visit www.portfoliohub.uk or use the PortfolioHub application. We are committed to protecting your privacy and handling your data in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

1. Who we are & data controller details

PortfolioHub is a technology platform for UK mortgage brokers, property landlords, and their tenants. For the purposes of UK data-protection law, the data controller is:

  • Data controller: Waqas Naz Ali
  • Trading as: PortfolioHub
  • Address: 60 Beaufort Road, Woking GU22 8BZ, United Kingdom
  • Email: waqas.ali@portfoliohub.uk

ICO registration

We are registered with the UK Information Commissioner’s Office (ICO) as a data controller:

  • Registration reference: ZB060059
  • Date registered: 11 May 2021
  • Registration expires: 10 May 2026

You can verify this entry on the ICO public register at ico.org.uk.

2. What personal data we collect

Depending on how you interact with us, we may collect the following categories of personal data:

  • Identity & contact data — your name, business name, email address, phone number, job role, date of birth, and (for brokers) your Financial Conduct Authority (FCA) Firm Reference Number.
  • Account data — login credentials, account preferences, and your activity within the PortfolioHub application.
  • Property & portfolio data — addresses, UPRNs, title numbers, EPC ratings, valuations, mortgage details, and compliance certificates for properties you own or manage.
  • Tenancy & tenant data — tenant names, contact details, tenancy agreements, deposit references, rent schedules, and the results of Right-to-Rent / Right-to-Work checks (pass / refer / fail).
  • Document data — PDFs, images and other files you upload (mortgage offers, EPCs, gas safety certificates, tenancy agreements, etc.).
  • Financial data — rent payments, mortgage balances, service charges, and related property-finance information you enter into the platform.
  • Technical data — IP address, browser type, device information, operating system, and pages you visit. (We do not currently run analytics or advertising cookies — see our Cookie Policy.)
  • Marketing & communications preferences — your choices about receiving updates from us.

3. How we collect personal data

We collect personal data in the following ways:

  • Directly from you when you sign up, invite a landlord or tenant, upload a document, or contact us.
  • From UK public registers when we enrich your data via the FCA Financial Services Register, Companies House, HM Land Registry, or the UK Government EPC Register.
  • From property-data providers such as PropertyData.co.uk and UPRN lookup services, which we use to return valuation, rent and property-attribute estimates based on the address or UPRN you submit.
  • Automatically when you use the platform — technical data captured by our servers and our hosting provider (Supabase / Vercel).

4. How we use your data

We process personal data for the following purposes:

  • To provide, maintain and secure the PortfolioHub platform and its features.
  • To create and manage your account and authenticate you.
  • To process mortgage documents using AI-assisted data extraction (for example, reading a mortgage offer PDF to populate the correct fields).
  • To facilitate tenancy operations — drafting agreements, running identity / Right-to-Rent checks, and obtaining electronic signatures.
  • To send transactional email such as invites, compliance alerts, signing requests and service updates.
  • To respond to enquiries, support requests and feedback.
  • To send product announcements, where you have not opted out.
  • To improve our website, services and user experience.
  • To comply with legal, regulatory and tax obligations.

5. Lawful bases for processing

We rely on the following lawful bases under Article 6 UK GDPR:

  • Contract — to provide the services you have signed up for and take steps at your request before entering into a contract.
  • Legitimate interests — to operate, secure, improve and market our platform to business users in a way they would reasonably expect. We balance our interests against your rights and freedoms before relying on this basis.
  • Consent — for marketing emails where required, and for non-essential cookies. You may withdraw consent at any time.
  • Legal obligation — where we are required to process data to comply with applicable law (for example, keeping accounting records).

6. Sub-processors we share data with

We do not sell your personal data. We share it only with the vetted service providers listed below, who process data on our instructions under written data-processing terms. Where a provider is outside the UK we rely on appropriate safeguards (see section 7).

6.1 Core platform infrastructure

  • Supabase — authentication, database and file storage for the PortfolioHub application. Hosted in the EU (Ireland). Receives: everything you enter into the platform.
  • Vercel — hosting and delivery of the website and application. Global CDN with US origin. Receives: request metadata, IP addresses and server logs.
  • Resend — transactional email delivery. Based in the US. Receives: recipient email address, recipient name, and the content of each email we send (invites, alerts, signing notifications).

6.2 AI-assisted document processing (Anthropic Claude API)

We use Anthropic’s Claude API — the commercial developer API, not the Claude consumer apps (Claude Free, Pro or Max) — to extract structured information from documents you upload. A typical use case is reading a mortgage-offer PDF and returning the lender name, loan amount, interest rate and product code so you don’t have to type them in by hand.

What we send to Anthropic: only the content of the specific document you asked us to process (as a base64-encoded PDF or image), along with a short prompt describing which fields to return. We do not send your login credentials, your wider portfolio, or data from documents you have not initiated extraction on.

How Anthropic handles the data we send:

  • Model training: Anthropic does not use inputs or outputs from its commercial API traffic to train or fine-tune its models. Our extraction calls do not feed model training.
  • Retention: by default, Anthropic retains API inputs and outputs for up to 30 days for Trust & Safety and abuse-detection purposes, after which the data is deleted. Shorter zero-retention arrangements may apply where we have enabled them for specific endpoints.
  • Access: Anthropic employees cannot access API payloads unless a legitimate Trust & Safety review is triggered (for example, suspected misuse of the platform), and any such access is limited to designated team members acting on a need-to-know basis.
  • Encryption & security: data is encrypted in transit (TLS) and at rest. Anthropic applies industry-standard controls including network segmentation, multi-factor authentication for administrative access, least-privilege access reviews, regular vulnerability scanning, anti-malware protection, and annual security and privacy training for employees.
  • International transfer: Anthropic is a US-headquartered company and may process data in the United States. For transfers out of the UK we rely on the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses together with the UK Addendum, and on adequacy decisions where they apply. Anthropic publishes its cross-border transfer safeguards in its processor terms.
  • Sub-processors: Anthropic itself relies on a small number of sub-processors (principally cloud infrastructure and security vendors) under written data-processing terms. The current list is published by Anthropic.

Full details are in the Anthropic Privacy Policy, the Anthropic Commercial Terms of Service, and the Anthropic Usage Policy, which together govern our use of the Claude API on your behalf.

6.3 Tenancy, e-signature & identity verification

  • DocuSeal — generates and hosts signing flows for tenancy and service agreements. Receives: landlord and tenant names, email addresses, the agreement content, and signing status. Cookies may be set by the signing iframe during a signing session.
  • Credas — runs Right-to-Rent / Right-to-Work checks. Receives: applicant name, email, applicant ID and returns a pass / refer / fail result. UK / EU based.

6.4 UK public registers and property-data lookups

  • FCA Financial Services Register — broker authorisation lookups by Firm Reference Number. UK.
  • Companies House — company searches and director checks during broker and limited-company landlord onboarding. UK.
  • UK Government EPC Register — energy-performance certificate lookups by postcode, UPRN or address. UK.
  • HM Land Registry (Price Paid data) — historic sale-price lookups by postcode. UK.
  • PropertyData.co.uk — valuation and rent estimates based on property attributes. UK / EU.
  • UPRN lookup provider — property-attribute and historic sales enrichment keyed by UPRN.
  • Ideal Postcodes — UK postcode and address validation where used.
  • Google Maps Platform — renders maps of property locations within the signed-in application. Based in the US.

6.5 Sales & scheduling

  • Pipedrive — our CRM for tracking broker and landlord onboarding. Based in the US / EU. Receives: broker / landlord name, email, company name and engagement metrics (e.g. number of landlords, number of properties).
  • Calendly — onboarding call scheduling. Based in the US. Receives: name, email and the scheduled time slot.

We keep this list up to date. If we add, replace or materially change a sub-processor we will reflect it on this page.

7. International data transfers

Some of the providers listed above are based outside the United Kingdom (most commonly in the United States or the European Economic Area). Where we transfer personal data outside the UK we rely on one of the following safeguards recognised under UK GDPR:

  • An adequacy decision (for example, the UK’s adequacy decision for the EEA, or the UK Extension to the EU–US Data Privacy Framework where applicable).
  • The UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses together with the UK Addendum, backed by a transfer risk assessment.

You can ask us for a copy of the safeguards we rely on by contacting waqas.ali@portfoliohub.uk.

8. How long we keep your data

We keep personal data only for as long as necessary for the purposes set out in this policy, to comply with our legal and accounting obligations, or to resolve disputes. Indicative retention periods:

  • Account and platform data — for the life of your account, and up to 12 months after closure to allow reactivation and to resolve residual issues.
  • Signed tenancy agreements and related documents — for at least 7 years after the end of the tenancy, in line with common landlord / HMRC record-keeping guidance.
  • Right-to-Rent / identity-check results — for the statutory retention period applicable to the check (currently at least 1 year after the tenancy ends).
  • Billing and accounting records — 6 years from the end of the relevant accounting period, per HMRC rules.
  • Marketing preferences — until you unsubscribe or object.

When we no longer need personal data we delete it securely or irreversibly anonymise it.

9. Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • The right to be informed about how we use your data (this policy).
  • The right to access the personal data we hold about you.
  • The right to have inaccurate or incomplete data corrected.
  • The right to request deletion of your data, where applicable.
  • The right to restrict or object to our processing.
  • The right to data portability for data you have provided to us.
  • The right to withdraw consent at any time, where we rely on consent.
  • The right not to be subject to a decision based solely on automated processing that produces significant effects. PortfolioHub does not make any such decisions about you.

To exercise any of these rights please email waqas.ali@portfoliohub.uk. We will respond within one month. There is normally no fee, although we may charge a reasonable fee or refuse a request that is clearly unfounded or excessive.

Complaints to the ICO

You have the right to lodge a complaint with the UK Information Commissioner’s Office at any time, although we would appreciate the chance to deal with your concerns first. The ICO’s details are:

  • Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
  • Telephone: 0303 123 1113
  • Website: ico.org.uk

10. Security

We take reasonable technical and organisational measures to protect personal data from loss, misuse, unauthorised access and disclosure. These include encryption in transit (TLS), role-based access controls, row-level security in our database, strict environment isolation and audit logging for sensitive actions. No online service can be guaranteed to be completely secure, and you use PortfolioHub at your own risk.

11. Cookies

Our website uses a small number of essential and functional cookies and similar technologies. We do not currently run analytics or marketing cookies. For a full list and to manage your preferences, please see our Cookie Policy.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we use, or the law. When we make a material change we will update the “last updated” date at the top of this page and, where appropriate, notify you by email.

13. Contact us

If you have any questions about this Privacy Policy, about how we handle your data, or if you wish to exercise any of your rights, please use our contact form or reach us directly:

  • Waqas Naz Ali — Data Controller, PortfolioHub
  • 60 Beaufort Road, Woking GU22 8BZ, United Kingdom
  • waqas.ali@portfoliohub.uk
  • ICO registration reference: ZB060059

If you have any questions about this document, please contact us at hello@portfoliohub.uk.