Privacy Policy

Young & Gilling Ltd are committed to ensuring that your privacy is protected. This notice explains how we will collect your personal data and how we use your personal data.

Young & Gilling Ltd is a data controller in respect of the personal data processed when you use our services.

1. WHAT INFORMATION WE MAY COLLECT AND HOW WE USE IT

As a business we collect, use, store and transfer different types of personal data depending on who you are.

If you are purchasing, renting, selling or letting a property through Young & Gilling Ltd, or purchasing, renting, selling or letting a property from one of our clients, we collect and use your personal data in order for us to provide you with our services. The personal data we collect and use may include:

• Identity Data: Name, date of birth, nationality, marital status, and government-issued ID (Passports/Visas).
• Contact Data: Current residential address, email address, and telephone numbers.
• Compliance & Regulatory Data: Right to Rent share codes, AML/Sanctions screening results, and proof of funds/wealth. 
• Financial & Referencing Data: Bank statements, payslips, employment history, and credit reports. 
• Property & Visual Data: Photographs, floorplans, LiDAR scans, and inventory reports of your property. 
• Transaction Data: details about payments to and from you and other services you have purchased through us.
• Technical Data: IP address, browser type, and location data when using our website or digital signing platforms. 

If you have a concern about how we handle your data, please contact our Data Compliance Officer at property@youngandgilling.com. We will acknowledge your complaint within 30 days. You also have the right to lodge a complaint with the Information Commission (formerly the ICO), though the Commission usually expects you to have attempted to resolve the matter with us first.

2. HOW IS YOUR PERSONAL DATA COLLECTED?

We use different methods to collect data from and about you including through:

Direct interactions

You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:

• apply for our services;
• register an account on our website;
• subscribe to our service or publications;
• request marketing to be sent to you;
• walk-in to or telephone our office;
• give us some feedback.

Third parties or publicly available sources

We may receive personal data about you from various third parties and public sources as set out below:

• Property Portals: Identity and Contact Data when you enquire about a property via portals such as Rightmove, Zoopla, or OnTheMarket (based in the UK).
• Referencing & Credit Agencies: Financial, Transaction, and Identity Data from third-party referencing providers and credit bureaus used to assess your suitability for a tenancy.
• Digital Identity Providers: Verified identity documentation and "share codes" provided via certified Digital Identity Service Providers (IDSPs) for statutory Right to Rent checks.
• Payment Services: Financial and Transaction Data from providers of payment and banking services (e.g., PayProp, or your bank) based in the UK or EEA.
• Public Sources: Identity and Contact Data from publicly available sources such as Companies House and the Electoral Register (based in the UK).
• The National PRS Database: Compliance and Identity Data from the government's Private Rented Sector Database (commencing late 2026) to verify landlord and property status.

3. HOW WE USE YOUR PERSONAL DATA

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• Performance of a Contract: To carry out our obligations arising from any contracts entered into between you and us (e.g., managing your tenancy or selling your property).
• Legal Obligation: To comply with statutory requirements, including Right to Rent checks, Anti-Money Laundering (AML) regulations, and mandatory registration of property data with the National PRS Database (as required by the Renters’ Rights Act 2025).
• Recognised Legitimate Interests: For our internal administrative functions, debt recovery, fraud prevention, and maintaining the security of our services. Under the Data (Use and Access) Act 2025, these are recognized as "legitimate interests" that do not always require a separate balancing test.

3.1 Marketing and Third Parties

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.

• Internal Marketing: We may use your Identity and Contact Data to form a view on what we think you may want or need. You will receive marketing communications from us if you have requested information from us and have not opted out.
• Third-Party Marketing: We will obtain your express opt-in consent before we share your personal data with any third party (such as utility switching services or insurance providers) for their own marketing purposes.
• Opting Out: You can ask us to stop sending you marketing messages at any time by clicking the unsubscribe link in our emails or contacting us at property@youngandgilling.com.

3.2 Our Website and Analytics

When you visit www.youngandgilling.com, we use Google Analytics 4 (GA4) to collect standard internet log information and details of visitor behavior patterns.

• Anonymization: GA4 is configured by default to anonymize IP addresses. We do not make any attempt to find out the identities of those visiting our website.
• Purpose: This data helps us understand site traffic and improve user experience. This processing is based on our legitimate interest in improving our digital services.

3.3 Cookies

Our website uses cookies to distinguish you from other users.

• Session Cookies: These are temporary and are deleted when you close your browser. They allow us to link your actions during a single browser session.
• Persistent Cookies: Unlike your previous policy stated, some cookies (such as those used by Google Analytics) are persistent. They remain on your device for a set period (e.g., 2 to 14 months) to recognize you on return visits.
• Control: Under the Data (Use and Access) Act 2025, we may use "low-risk" cookies for basic website functionality and analytics without explicit consent, provided we offer a clear opt-out. You can block cookies by activating the setting on your browser, but this may limit your access to certain parts of our site.

4. DISCLOSURES OF YOUR PERSONAL DATA

We may share your personal data with the parties set out below for the purposes set out in section 3. We require all third parties to respect the security of your personal data and to treat it in accordance with the law.

4.1 External Third Parties

• Service Providers: Processors based in the UK who provide IT and system administration services, including cloud storage for spatial data and LiDAR scans, and digital signature platforms.
• Property Management & Maintenance: Professional contractors (e.g., plumbers, gas engineers, and inventory clerks) who require your contact details to arrange access for essential repairs and safety inspections.
• Compliance & Financial: Anti-money laundering service providers, digital identity service providers (IDSPs), and tenancy deposit administrators (e.g., TDS).
• Utilities & Council Tax: Energy, water, and broadband providers, as well as Local Authorities, to ensure correct billing and the pursuit of outstanding debts.

4.2 Mandatory Regulatory Disclosures (2026 Update)

As required by the Renters’ Rights Act 2025, we are legally obligated to share landlord and property compliance data with:

• The National PRS Database: A central government register for all private landlords and rental properties in England.
• The Private Landlord Ombudsman: To facilitate the mandatory redress and dispute resolution services.
• Law Enforcement & Regulators: Including HMRC and the National Crime Agency (NCA) for the prevention of financial crime.

4.3 Professional Advisers

Lawyers, bankers, auditors, and insurers based in the UK who provide consultancy, legal, insurance, and accountancy services. This includes sharing referencing data with Rent Guarantee Insurance providers to validate policy coverage.

4.4 Business Transfers

Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.

ANTI-MONEY LAUNDERING (AML) & FINANCIAL CRIME

Young & Gilling Ltd operates a zero-tolerance policy regarding financial crime. We comply with the Proceeds of Crime Act 2002, the Money Laundering Regulations 2017 (as amended), and the Data (Use and Access) Act 2025.

• Electronic Verification: We use "safe harbor" digital identity technology to verify your identity. These checks may leave a "soft footprint" on your credit file which does not affect your credit score.
• Retention: In accordance with HMRC requirements and the Limitation Act 1980, we retain all AML evidence (including ID copies and proof of funds) for a period of seven (7) years after our business relationship ends.
• Obligation to Report: We are legally bound to report any suspicious activity to the NCA. Under "tipping-off" provisions, we may be prohibited from informing you if such a report has been made.

5. DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way.

• Technical Standards: Our systems use enterprise-grade encryption for all data at rest and in transit. This includes the secure processing of high-resolution spatial data (LiDAR scans) captured via mobile devices during property inspections.
• Access Control: We limit access to your personal data to those employees, agents, contractors (such as maintenance professionals), and other third parties who have a business "need to know."
• Breach Notification: We have procedures to deal with any suspected personal data breach. In accordance with the Data (Use and Access) Act 2025, we will notify the Information Commission (formerly the ICO) within 72 hours of becoming aware of a breach that poses a risk to your rights. We will notify you directly if we determine the breach is likely to result in a high risk to you.

6. INTERNATIONAL TRANSFERS

As a UK-based business, we primarily store and process data within the United Kingdom. However, some of our service providers (such as cloud storage or software platforms) may process data outside the UK.

• The Data Protection Test: Under the Data (Use and Access) Act 2025, we only transfer data to countries that pass the "Data Protection Test"—meaning the standard of protection is not materially lower than that of the UK.
• EU Adequacy: On 19 December 2025, the European Commission renewed the UK’s adequacy decision. This allows for the continued free flow of data between Young & Gilling Ltd and any partners or clients based in the European Economic Area (EEA) until 2031.
• Safeguards: For transfers to countries without an adequacy regulation (such as the USA), we use the UK's International Data Transfer Agreement (IDTA) to ensure your data remains protected.

7. DATA RETENTION & STORAGE

We do not keep your personal data for longer than is necessary. Our retention periods are tiered based on the nature of the data and our legal obligations under the Limitation Act 1980, the Data (Use and Access) Act 2025, and the Renters’ Rights Act 2025.

7.1 Retention Schedule

Data Category	Retention Period	Lawful Basis / Reason
Successful Tenants & Landlords	7 Years after the end of the relationship.	Accounting (HMRC), the Limitation Act (for legal claims), and PRS Database audits.
Unsuccessful Applicants	12 Months from the date of the decision.	To defend against potential discrimination claims under the Equality Act.
Right to Rent Evidence	2 Years after the end of the tenancy.	Statutory requirement under the Immigration Act 2014.
Marketing Data	Until consent is withdrawn or 2 years of inactivity.	Consent / Legitimate Interest.
Spatial/Digital Data (e.g., LiDAR floorplans)	Duration of marketing or tenancy.	Contractual necessity. Personal identifiers are removed/blurred upon archiving.

7.2 Data Sharing & New Legislation (2026 Updates)

Under the Renters’ Rights Act 2025, we are legally required to share certain landlord and property data with the Private Rented Sector (PRS) Database. We may also be required to share data with the Private Landlord Ombudsman for dispute resolution. This is processed under our Legal Obligation and the new "Recognised Legitimate Interests" framework introduced by the Data (Use and Access) Act 2025.

7.3 Data Security (Technical Measures)

Personal data, including high-resolution spatial scans and identity documents, are stored using enterprise-grade encryption. When using mobile devices (such as iPad Pros for property inspections), data is synced to secure cloud servers and wiped from the local device cache immediately after the task is completed.

8. YOUR LEGAL RIGHTS

You have specific rights to protect your personal data. Under the Data (Use and Access) Act 2025, these rights must be exercised in a way that is reasonable and proportionate:

• Request Access (Subject Access Request): You can ask for a copy of the personal data we hold about you. We will conduct a reasonable and proportionate search to fulfill this. We will provide:
• The purpose(s) of processing;
• The categories of data held;
• The specific recipients (or categories of recipients) to whom data has been disclosed;
• The retention period for your data.
• "Stop the Clock" Provision: If you make a request and we require clarification to find your data, we may pause the statutory one-month response period. The "clock" resumes once we receive your clarification.
• Request Correction (Rectification): You can ask us to correct inaccurate or incomplete information.
• Request Erasure (Right to be Forgotten): You can ask us to delete your data. Please note: We may refuse this if we have a legal obligation to retain it (e.g., for 7 years under AML or tax laws).
• Withdraw Consent: You can opt-out of marketing at any time via the "unsubscribe" link in our emails, or by contacting us at property@youngandgilling.com.
• Right to Data Portability: You can ask for your data to be provided in a commonly used, machine-readable format.
• Automated Decision-Making: You have the right to challenge decisions made solely by automated means. Young & Gilling Ltd does not currently use fully automated profiling to make significant decisions about tenancies or sales. Where third-party referencing services use automated tools, you have the right to request a manual review of any declined application. 

COMPLAINTS AND FEEDBACK

If you have a concern about how we handle your data, the Data (Use and Access) Act 2025 requires you to use our internal complaints procedure first:

• Contact Us: Please email our Data Compliance Lead at property@youngandgilling.com.
• Our Response: We will acknowledge your complaint within 30 days and investigate it without undue delay.
• Escalation: If you are dissatisfied with our response, you can complain to the Information Commission (formerly the ICO) at www.ico.org.uk.

INDEMNITY & WEBSITE TERMS

• Responsibility: You are responsible for the use of this website. All warranties and representations are excluded to the fullest extent permitted by law.
• Liability: We disclaim liability for any loss or damage arising from your use of this website, except in cases of death, personal injury caused by negligence, or fraudulent misrepresentation.
• Governing Law: These terms are governed exclusively by English Law.
• Company Details: Young & Gilling Ltd is registered in England and Wales (No. 4105015). Registered Office: First Floor Suite, 1 Royal Crescent, Cheltenham, Glos. GL50 3DA.