Privacy policy

Last updated 22 November 2023

This privacy notice for Capital Letters (‘we‘, ‘us‘, or ‘our‘), describes how and why we might collect, store, use, and/or share (‘process‘) your personal information.

What information do we collect?

The personal information that we collect depends on the context of your interactions with us, the services we provide you with, the choices you make and the features you use when you visit our website. The personal information we collect may include the following:

  • names
  • phone numbers
  • email addresses
  • mailing addresses
  • authentication data and identifiers
  • date of birth
  • job titles

Special categories of data

We may collect special categories of data such as health and ethnicity information to provide certain services, such as our tenancy support services.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information automatically collected

We automatically collect certain information when you visit, use, or navigate our website. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our website, and other technical information. This information is primarily needed to maintain the security and operation of our website, and for our internal analytics and reporting purposes.

Like many businesses, we also collect information through cookies and similar tracking technologies (like web beacons and pixels). Specific information about how we use such technologies and how you can refuse certain cookies is set out in our You can find out more about this in our Cookie Notice:

The information we automatically collect includes:

  • Log and usage data
    Log and usage data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our website and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type, and settings and information about your activity in the website (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use), device event information (such as system activity, error reports (sometimes called ‘crash dumps’), and hardware settings).
  • Device data
    We collect device data such as information about your computer, phone, tablet, or other device you use to access the website. Depending on the device used, this device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system, and system configuration information.
  • Location data
    We collect location data such as information about your device’s location, which can be either precise or imprecise. How much information we collect depends on the type and settings of the device you use to access the website. For example, we may use GPS and other technologies to collect geolocation data that tells us your current location (based on your IP address). You can opt out of allowing us to collect this information either by refusing access to the information or by disabling your Location setting on your device. However, if you choose to opt out, you may not be able to use certain aspects of the website.

How do we process your information?

When we ask you for personal data, we will make clear to you why the data is needed. We process your personal information for a variety of reasons, depending on what services you receive and how you interact with us, including:

  • To deliver and facilitate the delivery of our services
    We may process your information to provide you with the requested service.
  • To respond to enquiries or offer support
    We may process your information to respond to your enquiries and solve any potential issues you might have with the requested service.
  • To send administrative information to you
    We may process your information to send you details about our services, changes to our terms and policies, and other similar information.
  • To save or protect an individual’s vital interest
    We may process your information when necessary to save or protect an individual’s vital interest, such as to prevent harm.

What legal bases do we rely on to process your information?

Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing your information are:

  • Consent
    We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time by contacting us at You can also unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send.
  • Performance of a Contract
    We may process your personal information when we believe it is necessary to fulfil our contractual obligations to you, including providing our services or at your request prior to entering a contract with you.
  • Legal Obligations
    We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
  • Legitimate interests
    We may process your personal information when we believe that it is necessary for your legitimate interests.
  • Vital Interests
    We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.

When and with whom do we share your personal information?

Depending on the service(s) we provide you with, we may share your personal information with our member boroughs, our contractors (such as our repairs & maintenance provider), or our business partners (such as the insurance provider we partner with).

We will also share personal data where we have a requirement to store your data on a hosted system that we use for the day-to-day operation of our business. An example of this is our Office 365 tenancy with Microsoft and our CRM system hosted by HubSpot. We maintain a register of such service providers in accordance with Article 30 of the GDPR and review the data privacy safeguards that the suppliers implement and the data processing agreements between our organisation and the service provider on an annual basis.

How long do we keep your information?

We keep your information for as long as necessary to fulfil the purpose for which it was obtained, unless otherwise required by law, and we will safely dispose of it once no longer required.

The length of time we will retain your information depends on the nature of our engagement with you and the service(s) provided.

Your contact information may be stored for a longer period in order for us to contact you with information about a product or service that we have reasonable grounds to believe that you will be interested in. You may ask us to remove your contact details, however in this case we will typically retain a record of your contact details in order to ensure that you are not contacted via these methods in the future. Your details will be recorded with a tag that states “Do not contact”.

How do we keep your information safe?

We have implemented appropriate and reasonable technical and organisational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorised third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

Do we collect information from minors?

We may collect information for children under 18 years of age, such as names and date of birth, in order to process universal credit claims. We will take reasonable measures to promptly delete such data from our records as soon as no longer necessary for the purpose it was obtained.

What are your privacy rights?

Under data protection law, you have rights including:

  • Your right of access – You have the right to ask us for copies of your personal information.
  • Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
  • Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. Please contact us at if you wish to make a request.

How can you contact us about this notice?

If you have questions or comments about this notice, you may contact us at, by phone at 0203 874 4460, or by post at:

Capital Letters
FAO the Data Protection Officer
Sierra Quebec Bravo
77 Marsh Wall
London E14 9SH
United Kingdom









This website is tracked using Google analytics. Their policy can be found here.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.