Privacy Policy

1. Introduction

This Privacy Policy explains how MustardTree Partners Ltd ("we", "us" or "our"), trading as PropertyManager360, collects, uses, discloses and safeguards your personal information when you:

• visit our marketing website at propmgr360.com;
• join our early-access waitlist;
• contact us by email or through any of our online forms; or
• otherwise interact with our brand or services.

This policy is written to meet our obligations under the UK GDPR, the Data Protection Act 2018 (the "DPA 2018") and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the "PECR").

Please read this policy carefully. If you do not agree with any part of this policy, please do not use our website or services.

2. Who we are (the data controller)

The data controller responsible for your personal information is:

We are not required under UK GDPR to appoint a Data Protection Officer ("DPO"), but you can reach our designated privacy contact at the email address above for any questions about how we handle your data.

3. Personal data we collect

We only collect personal data that we genuinely need. The categories below cover everything we collect from visitors to our marketing site and prospects on our early-access waitlist. When you become a paying customer of the PropertyManager360 platform, a separate Data Processing Agreement will apply to the data you process through the platform.

3.1 Information you give us directly

• Waitlist signup: your email address when you submit our early-access form.
• Correspondence: any information you choose to share when you email us, reply to our emails or contact us through a form — including your name, email address, company and the content of your message.

3.2 Information collected automatically

• Technical data: your IP address, approximate location derived from that IP, browser type, operating system, device type and language preference.
• Usage data: pages visited, referring URL, time spent on pages, links clicked and similar interaction events.
• Security data: rate-limit counters keyed to your IP address, used to protect our forms from abuse.

3.3 Information from third parties

We may receive limited information about you from the service providers we use to run our site and deliver emails, including:

• Cloudflare — request logs, bot-detection signals and security analytics for our website and API.
• Resend — email delivery status (delivered / bounced / complained) for messages we send you.

4. How we use your personal data

The tables below set out each purpose for which we process personal data, the data categories involved and the lawful basis we rely on under Article 6 UK GDPR.

We do not engage in "soft opt-in" marketing to contacts who have not explicitly asked to hear from us. You can withdraw consent at any time — see Section 11 (Your rights).

5. Our legal bases explained

The lawful bases we rely on (from Article 6 UK GDPR) are:

• Consent — where you have given us clear consent to process your personal data for a specific purpose. You can withdraw consent at any time.
• Contract — where processing is necessary to perform a contract with you, or to take steps at your request before entering into one (for example, responding to a sales enquiry).
• Legal obligation — where we need to process data to comply with a legal or regulatory obligation under UK law (for example, keeping accounting records under the Companies Act 2006).
• Legitimate interests — where processing is necessary for our or a third party's legitimate interests and those interests are not overridden by your rights and freedoms. Before relying on this basis we balance our interests against your rights and only proceed where we think a reasonable person would expect the processing.

6. Cookies and similar technologies

Cookies are small text files placed on your device when you visit a website. The Privacy and Electronic Communications Regulations 2003 require websites to obtain your consent before setting any cookies or similar technologies that are not strictly necessary for the service you have asked for.

Our marketing website at propmgr360.com does not currently set any analytics, advertising or tracking cookies. We do not use Google Analytics, Meta Pixel, LinkedIn Insight Tag or any similar third-party tracker on this site.

Cloudflare may set a short-lived technical cookie (for example __cf_bm) to distinguish humans from bots. This is a "strictly necessary" cookie under PECR, does not identify you and does not require consent.

If we introduce analytics or marketing cookies in future we will update this policy and display a cookie banner asking for your consent first.

7. Who we share your data with

We never sell your personal data. We share personal data only in the limited circumstances below:

7.1 Our service providers (processors)

We use the following data processors to run our business. Each is bound by a written data processing agreement that reflects the requirements of Article 28 UK GDPR.

7.2 Professional advisers

We may share personal data with our accountants, auditors and lawyers where it is necessary for them to provide their services to us, subject to confidentiality.

7.3 Law enforcement and regulators

We may share personal data where we are required to do so by law, court order or by a regulator (such as HMRC, the police or the ICO), or where we believe disclosure is necessary to protect our rights, property or safety, or those of our users or the public.

7.4 Business transactions

If we are involved in a merger, acquisition or sale of all or part of our business or assets, personal data may be transferred to the acquiring entity. Where this happens, we will notify you and make sure the recipient is bound by equivalent data protection commitments.

8. International transfers of personal data

Some of our service providers (notably Resend, which is based in the United States) process data outside the UK. Where personal data is transferred outside the UK we ensure at least one of the following safeguards is in place:

• An adequacy regulation made by the UK government, meaning the recipient country provides an essentially equivalent level of protection;
• The UK's International Data Transfer Agreement (IDTA), or the European Commission's Standard Contractual Clauses together with the UK Addendum; or
• Another valid transfer mechanism permitted under Chapter V of the UK GDPR.

You can request a copy of the specific safeguards applying to a transfer by contacting us at privacy@propmgr360.com.

9. How long we keep your data

We only keep personal data for as long as is necessary for the purposes we collected it for, or for a legal or regulatory reason. Typical retention periods:

When retention periods expire we either delete the data or irreversibly anonymise it so that it can no longer be associated with you.

10. How we protect your data

We use industry-standard technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration and disclosure. These include:

• TLS (HTTPS) encryption for all data in transit.
• Encrypted storage for personal data at rest.
• Strict access controls — only authorised personnel can access personal data, and only on a need-to-know basis.
• Multi-factor authentication on administrative accounts.
• Application-layer rate limiting and abuse protection.
• Regular security reviews and dependency patching.

No online service can be guaranteed to be 100% secure, but we take our security obligations seriously. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms we will notify the ICO within 72 hours and you without undue delay, as required by Articles 33 and 34 UK GDPR.

11. Your rights under UK data protection law

Under the UK GDPR and the DPA 2018 you have the following rights in relation to your personal data:

• Right to be informed — to be told how your data is used, which this policy is designed to do.
• Right of access — to request a copy of the personal data we hold about you (a "subject access request" or "SAR").
• Right to rectification — to have inaccurate data corrected, or incomplete data completed.
• Right to erasure — the "right to be forgotten", where a number of conditions apply.
• Right to restrict processing — to ask us to stop actively using your data in certain circumstances, while still storing it.
• Right to data portability — to receive data you have provided to us in a structured, machine-readable format.
• Right to object — to object to processing we carry out based on legitimate interests, and an absolute right to object to direct marketing.
• Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of earlier processing.
• Rights relating to automated decisions and profiling — see Section 13.

To exercise any of these rights, email privacy@propmgr360.com. We aim to acknowledge requests within 5 working days and respond substantively within one month (extendable by up to two further months for complex requests, as permitted by Article 12(3) UK GDPR — we will tell you if that applies).

We may need to verify your identity before acting on a request. Requests are free of charge unless they are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request (as allowed under Article 12(5)).

12. Children's data

Our services are aimed at UK landlords, letting agents and their authorised staff. They are not directed at children. We do not knowingly collect personal data from anyone under the age of 18 on the marketing website. If you believe a child has provided us with personal data, please contact us and we will delete it.

13. Automated decision-making and profiling

We do not carry out any solely automated decision-making within the meaning of Article 22 UK GDPR on our marketing website (i.e. decisions that produce legal or similarly significant effects on you without any meaningful human involvement).

The PropertyManager360 platform may use automated features such as AI-assisted triage of maintenance requests, but any decision with significant effects on a data subject is reviewed by a human. Full details are provided in the customer-facing Data Processing Agreement.

14. Changes to this policy

We may update this policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. When we do so we will update the "Last updated" and "Version" fields at the top of this page.

For material changes we will take reasonable steps to notify you in advance — for example by email (where we have a relationship with you) or by a prominent notice on the site. Continuing to use our website after a change takes effect means you accept the updated policy.

15. Complaints and the ICO

If you are unhappy with the way we have handled your personal data we would like to hear from you first — please email privacy@propmgr360.com and we will do our best to resolve the matter.

You always have the right to lodge a complaint with the Information Commissioner's Office ("ICO"), the UK's independent supervisory authority for data protection:

16. Contact us

For any questions about this policy or your personal data, please contact:

This Privacy Policy is governed by the laws of England and Wales.