Privacy Policy

Havebury Homes (“we”, “us”, “our”) is a non-profit organisation registered under the Co-operative and Community Benefit Societies Act 2014 (7648), regulated by the Regulator of Social Housing (LH4339). Our registered office is:

Havebury House, Western Way, Bury St. Edmunds, Suffolk, IP33 3SP

We’re registered with the Information Commissioner’s Office under number ZA295927.

This notice reflects our responsibilities under the UK GDPR, the Data Protection Act 2018, and as amended by the Data Use and Access Act 2025 (DUAA), which introduces new standards for transparency, lawful data sharing, and individual rights.

As the Data Controller, we control the way your personal data is collected and the purposes for which your personal data is used.

All personal data collected by Havebury Homes is processed in compliance with the requirements of the UK General Data Protection Regulation, the UK Data Protection Act 2018, Data Use and Access Act 2025 (DUAA), and any other relevant legislation.

We collect and use your personal data to help us deliver our services as a housing provider. This includes:

• Meeting our legal and regulatory responsibilities;
• Managing your tenancy or housing application;
• Providing services such as repairs, support, and community engagement;
• Protecting our legitimate interests, such as ensuring the safety and wellbeing of our residents and staff;
• Where you have given us your consent, for example, to receive newsletters or participate in surveys.

We may collect this information when you:

• Contact us by phone, email, post, in person, or through our website or app;
• Apply for housing or related services;
• Request repairs or support;
• Take part in consultations, surveys, or community events.

Our Legitimate Interests

In most cases, we process your personal data because it is necessary for our legitimate interests as a housing provider. These include:

• Managing tenancies, leases, and housing applications effectively;
• Maintaining the safety, wellbeing, and security of our residents, staff, and communities;
• Communicating with residents and service users about services, updates, and opportunities to provide feedback;
• Understanding how our services are used so we can improve them;
• Promoting community engagement and supporting resident involvement;
• Ensuring compliance with our legal and regulatory responsibilities;
• Preventing and detecting fraud, anti-social behaviour, or other unlawful activity;
• Managing and resolving complaints, queries, or disputes;
• Protecting Havebury’s assets and reputation;
• Supporting good governance and accountability to our stakeholders.

Our Data Protection Officer (DPO) ensures that we apply the best standards to protecting your personal information and comply with our responsibilities for data protection. If you have any questions about how we handle your personal information or concerns, please contact us using the information provided under ‘Contact Us’.

We collect and use different types of personal data about you, including:

• Identity Data: Your name, date of birth, and gender.
• Contact Data: Your address, email, and phone number.
• Financial Data: Your bank account details.
• Transaction Data: Details about your payments and transactions with us.
• Profile Data: Your username, password, and preferences.
• Usage Data: Information about how you use our services.
• We only collect the data we need to provide our services to you.
• Marketing and Communications Data: includes your preferences in receiving marketing from us and your communication preferences.

The type of personal data we collect and the reasons we process it depend on your relationship with Havebury Homes.

Whose personal data we collect

We process personal data about a range of individuals connected to our housing and related services. This may include:

• Tenants, residents, and occupants – individuals who currently rent or occupy one of our homes, have previously done so, or are joint tenants or household members.
• Supported or independent living residents – individuals receiving additional support or care services through our supported housing schemes.
• Garage tenants, leaseholders, and shared owners – those who rent garages, hold leases, or part-own properties with Havebury.
• Applicants and prospective residents – people applying for housing, shared ownership, or garage rentals.
• Household members and next of kin – individuals linked to a tenancy or application, often for emergency contact or safeguarding reasons.
• Complainants, enquirers, and service users – people contacting us with feedback, queries, or service requests.
• Contractors, suppliers, and partners – individuals or sole traders working with Havebury to deliver property maintenance, services, or repairs.
• Visitors and portal users – including anyone visiting our offices, attending events, or using the MyHavebury online services.

Different categories of people will have different types of data collected, depending on their relationship with Havebury.

Personal data we collect and how we use it

We collect and use personal data to provide housing, manage tenancies, and meet our legal and social responsibilities.

Tenants, Residents, and Occupants

We collect information such as your name, contact details, tenancy records, rent history, payment details, and information about your household.

We use this data to manage your tenancy, collect rent, arrange repairs, handle complaints, and ensure properties are safe and well-maintained.

Lawful basis:

• Contract (Article 6(1)(b)) – performance of tenancy agreement.
• Legal Obligation (Article 6(1)(c)) – Housing Act 1985, Landlord and Tenant Act 1985, Equality Act 2010, Health and Safety at Work Act 1974.
• Legitimate Interests (Article 6(1)(f)) – efficient property management, fraud prevention, neighbour dispute resolution.
• Special category data (where collected): Article 9(2)(b) and (g) – for social protection and substantial public interest, such as equality monitoring and safeguarding.

Supported and Independent Living Residents

We may collect additional information about your health, care needs, or support plans where this is necessary to deliver appropriate services and ensure your wellbeing.

We use this data to coordinate care, provide support, and work with partner agencies such as health or social care providers.

Lawful basis:

• Contract (Article 6(1)(b)) – supported housing license/tenancy agreement.
• Legal Obligation (Article 6(1)(c)) – Care Act 2014, Safeguarding Vulnerable Groups Act 2006.
• Special category data: Article 9(2)(b) and (g) – to provide social care and safeguarding services.

Garage Tenants

We collect your contact details, licence information, and payment history to manage your garage rental, maintain facilities, and issue invoices.

Lawful basis:

• Contract (Article 6(1)(b)) – garage licence agreement.
• Legitimate Interests (Article 6(1)(f)) – asset management, compliance with usage terms.

Leaseholders and Shared Owners

We process your identity, address, and payment information to manage leasehold or shared ownership agreements, bill for service charges, and handle disputes or maintenance issues.

Lawful basis:

• Contract (Article 6(1)(b)) – lease/shared ownership agreements.
• Legal Obligation (Article 6(1)(c)) – Commonhold and Leasehold Reform Act 2002.
• Legitimate Interests (Article 6(1)(f)) – protecting legal position, maintaining shared property standards.

Applicants and Prospective Residents

We collect identity, contact, financial, and housing history information to assess your eligibility, carry out affordability checks, and prevent fraud.

Lawful basis:

• Contract (Article 6(1)(b)) – pre-contractual steps
• Legal Obligation (Article 6(1)(c)) – Anti-Money Laundering Regulations 2017.
• Legitimate Interests (Article 6(1)(f)) – ensuring fair allocation and fraud prevention.

Insurance Claimants and Legal Matters

If you are involved in an insurance claim or legal case relating to Havebury, we may process information about the incident, your contact details, and any relevant health data.

We use this information to manage and defend claims, liaise with insurers, and meet our legal reporting duties.

Lawful basis:

• Legal Obligation (Article 6(1)(c)) – reporting under insurance policy, Health and Safety requirements.
• Legitimate Interests (Article 6(1)(f)) – managing liabilities and resolving disputes.
• Special category data (where relevant): Article 9(2)(f) – for the establishment or defence of legal claims.

MyHavebury Portal Users

When you register for or use our online services, we collect your username, contact details, login records, and usage data.

This helps us provide secure access, maintain system functionality, and troubleshoot issue

Lawful basis:

• Contract (Article 6(1)(b)) – portal usage terms.
• Legitimate Interests (Article 6(1)(f)) – maintaining system security and functionality.

Children and Vulnerable Persons

We may process names, dates of birth, parent/guardian contacts, and relevant support data.

Purposes: Safeguarding, abuse prevention, family tenancy support, referrals to statutory services.

Lawful bases:

• Legal Obligation (Article 6(1)(c)) – Children Act 1989 and 2004.
• Legitimate Interests (Article 6(1)(f)) – protecting vulnerable minors.
• Special category data: Article 9(2)(g) – substantial public interest for safeguarding.

How We Collect Your Personal Data

We typically collect your personal data directly from you in order to provide you with our services. For example, when you respond to a survey, apply for one of our properties or signup to our newsletter, we will ask you to provide your email address. It will be clear to you at this point what personal data you are providing.

However, there may be instances where we collect your personal data indirectly from yourselves such as when a customer provides us with next of kin information. This policy also applies to you.

Also, from time to time, we may obtain personal information about you from third party sources (for example social workers, GPs, police,), but only where we have checked that these third parties either have your consent or are otherwise legally permitted or required to disclose your personal information to us.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to provide you with our service or we may be prevented from complying with our legal obligations (such as issuing you with a tenancy agreement, adapting our services to suit your needs for example as part of enforcement action against your tenancy or providing you access to our support fund).

We do not sell your personal data. We only share it when necessary to deliver our services, meet legal obligations, or where you have been informed and it is appropriate to do so.

We may share your personal data with trusted third parties, including:

• Local authorities and government agencies (e.g. for housing benefit or safeguarding purposes);
• Contractors and repair providers (e.g. to carry out maintenance or safety checks);
• Utility companies (e.g. to set up or close accounts when you move in or out);
• Law enforcement or regulatory bodies (e.g. when required by law or to prevent fraud);
• IT and cloud service providers (e.g. for secure data storage and system support);
• Insurers (e.g. for managing claims or liability);
• Legal representatives (e.g. in relation to tenancy disputes or legal proceedings);
• Debt collection agencies (e.g. for recovering unpaid rent or charges).

We will only share the minimum amount of data necessary and ensure that any third parties we work with meet our data protection standards.

In some cases, we may also share your data with the Information Commissioner’s Office (ICO) or other data controllers and processors, for example, when fulfilling our responsibilities as a Data Controller.

We will only use your personal data when the law allows us to. This includes:

• When it is necessary to perform a contract with you (e.g. your tenancy agreement);
• When it is required to comply with a legal obligation;
• When it is in our legitimate interests and your rights do not override those interests.

We aim to store and process your personal data within the UK wherever possible. However, in some cases, your data may be transferred outside the UK, for example, when we use cloud-based systems or service providers that operate internationally.

When this happens, we make sure your data is protected by:

• Only transferring data to countries that have been recognised as providing adequate protection under UK data protection law;
• Putting in place appropriate safeguards, such as the UK International Data Transfer Agreement or Standard Contractual Clauses approved by the Information Commissioner’s Office (ICO);
• Ensuring our suppliers meet strict data protection and security standards through our contracts and procurement processes.

Some of our service providers may store or process data in countries such as the EU, the United States, or other locations. In all cases, we take steps to ensure your data is handled securely and in line with UK GDPR requirements.

If you would like more information about how we protect your data when it is transferred internationally, please contact us using the details provided in this notice.

We record the date, time, and duration of incoming calls, along with the caller ID where available. This helps us manage resources, monitor service levels, and respond to complaints.

Some calls may be recorded for training and security purposes. The recordings are stored for 130 days from the date of the call and the automatically deleted. Recordings are only accessed when necessary, for example, to investigate a complaint or support staff development.

We use CCTV in some of our buildings and communal areas to help keep residents, staff, and visitors safe, and to prevent or detect crime. Signs are clearly displayed in areas where CCTV is in operation.

CCTV footage is only accessed by authorised staff and may be shared with relevant authorities (e.g. the police) in the event of a crime or serious incident. For more information, please refer to our CCTV Policy.

We only keep your personal data for as long as necessary for the purpose it was collected. Our retention periods are based on legal requirements, sector best practice, and operational needs.

Havebury follows the National Housing Federation’s Data Retention Schedule, with some adjustments. For example:

• Tenancy agreements and related records: kept for 6 years after your account is settled;
• Resident contact details: deleted 6 months after your tenancy ends and your account is closed;
• Anti-social behaviour records (e.g. CCTV, nuisance logs): retained for 5 years after the case is closed;
• Unsuccessful housing applicants: data retained for 2 years in case of queries about the process;
• Repairs and asset management records: retained for the life of the organisation (contact details removed when no longer needed).
• Call recordings: 130 days.

If you would like a copy of our full retention schedule, please contact us using the details in the “Contact Us” section.

We also encourage you to keep your personal information up to date. If your contact details change, please let us know.

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have several rights regarding your personal data. These include:.

• Right of access – You can ask us for copies of your personal information.
• Right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
• Right to erasure – You can ask us to delete your personal data in certain circumstances.
• Right to restrict processing – You can ask us to limit how we use your data in certain situations.
• Right to object – You can object to us processing your data where we rely on legitimate interests or for direct marketing.
• Right to data portability – You can ask us to transfer your data to another organisation or to you, where applicable.
• Right to withdraw consent – Where we rely on your consent to process data, you can withdraw it at any time. This won’t affect any processing already carried out. Please note that withdrawing your consent will not affect any use of the data made before and the withdrawal. We may still be entitled to hold and process your personal information where we rely on legal bases other than consent. Withdrawing consent may also have the same consequences as not providing the information in the first place, for example we may no longer be able to provide certain services to you.

We may use your contact details to send you information about our services, such as shared ownership opportunities, housing schemes, community events, or newsletters. This is considered direct marketing under UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

We will only send you direct marketing communications where we have a lawful basis to do so. This may be:

• Consent – where you have actively opted in to receive marketing.
• Soft opt-in – where you have provided your contact details during an application or enquiry, and the marketing relates to similar services. You will always be given the opportunity to opt out.

You can opt out of receiving marketing communications at any time by clicking the unsubscribe link in our emails or contacting us directly.

We do not use your personal data for profiling or automated decision-making related to marketing.

You have the absolute right to object to direct marketing. If you do, we will stop sending you marketing messages and ensure your preferences are respected.

You can exercise your rights by emailing us on the contact details below or by writing in to us on with the details under “How to Contact Us”. Please mark your correspondence for the attention of the Data Protection Officer.

You also have a right to lodge a complaint with Information Commissioners Office (ICO) where you believe we have not complied with UK data protection law. In the first instance, we encourage you to resolve the matter with us. However, you can contact the ICO via www.ico.org.uk, casework@ico.org.uk or 0303 123 1113

Havebury Homes does not use your personal data to make decisions that are based solely on automated processing and that have legal or similarly significant effects on you.

We take appropriate technical and organisational measures to protect your personal data from unauthorised access, loss, misuse, or disclosure. This includes secure systems, staff training, and regular reviews of our data protection practices.

Our website uses cookies to improve your experience and help us understand how visitors use our site. Cookies are small text files stored on your device that allow the website to remember your preferences and gather anonymous usage statistics.

You can manage your cookie preferences at any time by visiting our Cookie Policy, where you’ll also find more information about the types of cookies we use and how to control them.

Our website may contain links to other websites. This privacy notice applies only to Havebury’s website, so we encourage you to read the privacy notices of any other websites you visit. We are not responsible for the privacy practices of other organisations sites you visit (even if you access them using links found on our site).