Privacy policy

How we collect, use and protect personal data in line with UK GDPR and the Data Protection Act 2018 — in the context of social and supported housing, temporary accommodation and related services.

This policy applies to our public website, enquiries you send us, and personal data we process when we deliver or arrange social housing, supported housing and temporary accommodation with partner organisations. It should be read alongside our Terms and conditions.

1. Who we are

Aalay Housing (“we”, “us”, “our”) is the data controller for personal data processed through this website and in connection with our housing and property management activities described on the site, except where we tell you another organisation is the controller (for example your local authority or a registered housing provider in relation to their own statutory records).

For data protection questions, including exercising your rights, contact us at hello@aalayliving.com or via our contact page. We are not currently required to appoint a Data Protection Officer under UK GDPR; data protection queries are handled by our team.

2. What this policy covers

We process personal data to operate our business: managing and letting homes for social and temporary accommodation, working with local authorities, housing associations, registered providers, charities and support services, communicating with residents and prospective residents, and engaging landlords and property owners. This policy explains what we collect, why, who we share it with, how long we keep it, and your rights.

3. Categories of personal data

Depending on how you interact with us, we may process:

  • Identity and contact: name, email, telephone number, postal address.
  • Enquiry and placement-related: query type, household size, preferred area, dates or duration, placement type (e.g. social housing, temporary accommodation, supported housing), messages you send, and references or case identifiers your referrer asks us to use.
  • Resident and tenancy management: information needed to manage the home, repairs, complaints and safeguarding — including communications and records of issues reported.
  • Landlord and partner data: property details, ownership or management contacts, bank or payment-related information where we need it for our agreement with you, and correspondence about compliance and performance.
  • Website and technical data: IP address, browser type, device identifiers, pages viewed, and similar data collected through cookies and similar technologies (see section 9).

Some information you or partners provide may be special category data under UK GDPR (for example health or disability where relevant to a supported placement, or safeguarding concerns). We only process such data where the law allows — typically with your explicit consent, or where necessary for reasons of substantial public interest (including statutory or government purposes relating to social protection and safeguarding), or for the establishment, exercise or defence of legal claims. We will minimise what we collect and share only what is necessary.

4. Why we process data and lawful bases

We process personal data on one or more of the following lawful bases under UK GDPR:

  • Contract — to take steps at your request before a contract, or to perform our agreement with you (for example responding to an enquiry, managing a property we are responsible for, or delivering agreed management services to landlords).
  • Legal obligation — where we must comply with housing, health and safety, tax, accounting or regulatory requirements.
  • Legitimate interests — to run our organisation, improve services, prevent fraud, keep properties safe, and communicate with partners and residents in a proportionate way that does not override your rights. You may object to processing based on legitimate interests in certain circumstances.
  • Consent — where we rely on consent (for example optional marketing, or non-essential cookies where required), you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
  • Vital interests — rarely, in an emergency affecting life or safety.

Where we process special category or criminal offence data, we will also meet the conditions in Articles 9 and 10 of UK GDPR (for example explicit consent, employment/social protection, substantial public interest with a basis in law, or legal claims).

5. Purposes of processing

  • Assessing and progressing housing enquiries and placements with partner organisations.
  • Managing properties, repairs, compliance (including gas, electrical and fire safety), and resident communications.
  • Safeguarding, preventing fraud, and protecting residents, staff and neighbours.
  • Managing relationships with landlords and partners, including onboarding and reporting.
  • Operating and securing our website; understanding aggregate use of our services (where we use analytics).
  • Complying with law, regulatory requests and court orders.

6. Who we share data with

We may share personal data with:

  • Partner organisations involved in referrals, placements or support — for example local authorities, housing associations, registered providers, charities and support providers — only as needed for those purposes.
  • Contractors and suppliers who help us operate (repairs, IT hosting, email delivery, CRM or workflow tools), under contracts that require them to protect your data.
  • Professional advisers (for example lawyers or accountants) where required.
  • Regulators, law enforcement and emergency services when we are legally required or it is necessary to protect vital interests.

We do not sell your personal data. We do not allow third parties to use your data for their own marketing unless you have clearly agreed.

7. International transfers

We generally store and process data in the UK or the European Economic Area (EEA). Where we use suppliers or tools that process data outside the UK (for example certain US-based services), we ensure appropriate safeguards under UK GDPR — such as the UK extension to the EU-US Data Privacy Framework where applicable, UK international data transfer agreements (IDTA), or standard contractual clauses approved for use in the UK — unless an exception applies.

Our website may load content from third parties (for example the Meta (Facebook) pixel for measurement and advertising). Those providers may process device and usage data; see section 9 and their privacy notices for more detail.

8. How long we keep data

We retain personal data only for as long as necessary for the purposes we collected it, including to satisfy legal, accounting or reporting requirements. Typical factors include the length of a placement or contract, limitation periods for claims, and statutory retention rules. Enquiry records are kept for a reasonable period to handle follow-up and disputes, then deleted or anonymised where appropriate. Exact periods vary by record type; you can ask us for more detail in relation to your data.

9. Cookies and similar technologies

Our site uses cookies and similar technologies as needed for the site to function, and may use third-party scripts (for example Meta Pixel) for analytics and marketing measurement. You can control cookies through your browser; blocking some cookies may affect how the site works. For more information about Meta’s processing, see Meta’s data policy. Where UK law requires consent for non-essential cookies, we will align our consent mechanism with that requirement.

10. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, alteration or destruction. No online transmission is completely secure; we encourage you to use secure channels when sending sensitive information.

11. Your rights under UK GDPR

Subject to applicable exemptions, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data in certain circumstances.
  • Restriction — ask us to limit processing in certain circumstances.
  • Object — object to processing based on legitimate interests or for direct marketing.
  • Data portability — receive certain data in a structured, machine-readable format where processing is based on consent or contract and is automated.
  • Withdraw consent — where we rely on consent, without affecting earlier lawful processing.
  • Information about automated decision-making including profiling — we do not rely on solely automated decisions with legal or similarly significant effects for individuals in a way that requires a right to human intervention under UK GDPR; if that changes, we will update this policy.

To exercise these rights, contact us at the email above or via contact. We may need to verify your identity. You also have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner’s Office (ICO): ico.org.uk/make-a-complaint.

12. Children

Our services may involve families with children in the context of housing placements. We process children’s data only where necessary, lawfully and with appropriate safeguards; parents or guardians may exercise rights on behalf of children where applicable.

13. Changes to this policy

We may update this privacy policy to reflect changes in law, our practices or our services. The current version is always on this page with the “Last updated” date below. For significant changes we may also notify you where appropriate.

Last updated: March 2026.