.png)
DATA PROTECTION & WEBSITE COMPLIANCE POLICY
Tier One Real Estate Ltd
Company Number: 16459872
Registered Address: SA12 Business Centre, Unit 13/14 Seaway Parade, Baglan Energy Park, SA12 7BR
Email: comms@tieronerealestate.co.uk
Telephone:
Last Updated: 11/12/2025
1. Introduction
1.1 Tier One Real Estate Ltd (“the Company”) is committed to safeguarding the privacy, confidentiality, and lawful handling of all personal data processed in the course of its operations.
1.2 This Data Protection & Website Compliance Pack outlines the Company’s policies and procedures relating to:
a) Data Protection (internal and client-facing)
b) Website Privacy Policy
c) Cookie Policy
d) Lawful Basis for Data Processing
e) Data Retention Policy
f) Subject Access Requests (SARs)
g) Data Breach Response Procedure
h) Third-Party Processors
i) Marketing Communications Policy
j) Website Terms & Conditions
1.3 This document ensures compliance with:
-
UK General Data Protection Regulation (“UK GDPR”)
-
Data Protection Act 2018
-
Privacy & Electronic Communications Regulations (PECR)
-
ICO registration obligations
2. Data Protection Policy
2.1 Purpose
This policy outlines how the Company collects, processes, stores, shares, and protects personal data in accordance with UK GDPR.
2.2 Types of Personal Data Collected
The Company may collect the following information:
a) Full name
b) Residential address and address history
c) Email address and telephone number
d) Proof of identity documents
e) Date of birth
f) AML screening data via Credas
g) Proof of Funds and Source of Funds documents
h) Signed agreements and NDAs
i) Payment information and transaction records
j) Complaint correspondence
k) Email mailing list data (email address only unless additional voluntary data is supplied)
2.3 Lawful Basis for Processing
The Company processes personal data based on the following lawful bases:
Processing Activity
Lawful Basis
AML verification
Legal Obligation
Investor onboarding and agreements
Contract
Processing and recording sourcing fee payments
Contract
Communicating deal information
Contract
Mailing list marketing emails
Consent
Complaint handling
Legal Obligation
Website enquiries
Legitimate Interest
Data retention for HMRC purposes
Legal Obligation
2.4 Data Collection Principles
Personal data will be:
a) Collected lawfully and transparently
b) Limited to what is necessary
c) Stored securely
d) Retained only for required periods
e) Processed for specified lawful purposes
f) Accessible only by authorised personnel
2.5 Data Sharing and Disclosure
Personal data may be shared with:
-
Credas (AML verification provider)
-
Solicitors acting for the Client
-
PRS (upon complaint escalation)
-
HMRC or law enforcement (where legally required)
-
Cloud service providers (data storage)
The Company will never sell or rent personal data.
2.6 International Transfers
Where data is processed outside the UK by third-party platforms, such transfers shall only occur where adequate safeguards are in place in accordance with UK GDPR.
2.7 Data Security Measures
Security measures include:
-
Encrypted digital storage
-
Password-protected devices
-
Limited internal access
-
Secure cloud-based document systems
-
Encrypted communication where appropriate
-
Two-factor authentication where available
3. Data Retention Policy
The Company retains personal data in accordance with statutory requirements:
Data Type
Retention Period
Basis
AML verification records
5 years
HMRC / MLR 2017
Investor Agreements
6 years
Contract / HMRC
NDAs
6 years
Contract
Complaint files
6 years
PRS requirement
Payment and tax records
6 years
HMRC
General enquiries
2 years
Legitimate Interest
Mailing list data
Until unsubscribe
Consent
All expired data is securely deleted or anonymised.
4. Subject Access Request (SAR) Procedure
4.1 Individuals have the right to request access to their personal data.
4.2 Requests must be made in writing to:
Email: comms@tieronerealestate.co.uk
4.3 The Company must:
a) Verify the requester’s identity
b) Respond within 30 calendar days
c) Provide a copy of relevant personal data
d) Explain how and why the data was processed
e) Confirm the lawful basis for processing
4.4 SAR requests may be refused if:
-
The request is excessive
-
The request is manifestly unfounded
-
Providing data would infringe another individual’s privacy
All refusals will be justified in writing and recorded.
5. Data Breach Response Procedure
A data breach includes:
-
Loss of personal data
-
Unauthorised access
-
Cyberattack
-
Accidental disclosure
-
Theft of devices or documents
In the event of a breach, the Company shall:
-
Identify and contain the breach
-
Assess the severity and risks
-
Notify the ICO within 72 hours if the breach poses risk to individuals
-
Notify affected individuals where required
-
Record the breach in the Data Breach Log
-
Review internal systems to prevent recurrence
6. Third-Party Processors
The Company uses the following third-party processors:
-
Credas — AML and identity verification
-
Google — email services, document storage
-
WIX Website hosting provider — secure website operation
-
PRS — redress scheme for complaints
All processors must comply with UK GDPR.
7. Marketing Communications Policy
7.1 The Company operates an Investor Mailing List, which individuals may voluntarily join.
7.2 The lawful basis for this marketing activity is Consent.
7.3 Mailing list subscribers may receive:
-
Deal alerts
-
Investment opportunities
-
Company updates
Deal addresses will not be disclosed until the Client has executed a Non-Disclosure Agreement (NDA).
7.4 Each email will contain an “unsubscribe” option, allowing individuals to withdraw consent at any time.
7.5 Upon unsubscribing, the individual’s email address will be removed immediately and securely.
7.6 No third-party advertising or external marketing will be sent.
8. Website Privacy Policy
This section applies to all users of the Company’s website.
8.1 Data collected through the website may include:
-
Contact form submissions
-
Email newsletter opt-ins
-
Essential website cookies only
8.2 No advertising pixels, analytics cookies, or third-party tracking tools are used.
8.3 The Company does not collect precise location or behavioural tracking data.
8.4 By submitting a contact form, users consent to the Company processing their data for the purposes of responding to their enquiry.
8.5 Users may request deletion of contact form data at any time.
9. Cookie Policy
The Company’s website uses essential cookies only.
9.1 No analytics (Google Analytics), marketing pixels, or behavioural tracking cookies are used.
9.2 Users will be informed:
“This website uses essential cookies only. No tracking, analytics, or advertising cookies are used.”
9.3 Because no non-essential cookies are used, a full opt-in cookie banner is not legally required, but a notice is recommended.
10. Website Terms & Conditions
10.1 Users agree not to:
-
Use the website for unlawful purposes
-
Attempt to gain unauthorised access
-
Copy or reproduce content without permission
-
Misrepresent their identity
10.2 All website content, text, images, and materials are the intellectual property of the Company.
10.3 The Company provides no warranty that information on the website is complete or error-free.
10.4 The Company is not liable for losses arising from website use, except where required by law.
10.5 The website is governed by the laws of England and Wales.
11. Confidentiality & NDA Requirements
11.1 Property addresses and sensitive deal-related information will only be disclosed to Investors who have executed a valid Non-Disclosure Agreement (NDA).
11.2 Mailing list subscribers will receive high-level deal summaries with no address or identifiable property details unless the NDA has been signed.
11.3 Breach of NDA terms may result in legal action and termination of services.
12. Acceptance of Policies
By using the Company’s website, submitting enquiries, joining the mailing list, or entering into contractual agreements, individuals acknowledge and accept the terms of this Data Protection & Website Compliance Pack.