Privacy Policy
1. Who we are
SmartStreet is a UK property platform — area intelligence, property scoring, and agent-onboarded listings. The publisher and data controller is the SmartStreet team (sole trader, Deepak Cheri). Registered with the UK Information Commissioner's Office under registration number ZC160313. Contact: privacy@getsmartstreet.co.uk.
2. What we collect from agents
If you use this portal we collect your account email, name, agency details, and the listings you publish (addresses, photos, prices, descriptions). Photos are stored in our image bucket and served via CloudFront. Listings are visible to consumers who search for that postcode in the iOS app.
3. What we collect from consumers (iOS app)
Account email (mandatory for sign-in), optional display name, plus the postcodes / Homescore configurations / listings the consumer chooses to save. Property facts typed into the Homescore form are sent to our backend to compute the score. We don't collect payment details, location, contacts, or browsing history. The app contains no advertising or tracking SDKs.
4. Where your data lives
- AWS Cognito — sign-in, password reset
- AWS RDS PostgreSQL (eu-west-2, London) — your account row + the data you save
- AWS S3 + CloudFront — agent-uploaded listing photos
- AWS SES — transactional email (agent invitations)
- Stripe Payments Europe Ltd. — web subscriptions (Premium). Stripe processes card details directly — SmartStreet never sees them. Stripe privacy notice.
- Apple Inc. — in-app subscriptions (iOS Premium) via Apple's StoreKit. Apple is the merchant of record and we never see your payment details. Apple privacy policy.
AWS, Stripe and Apple act as our processors / sub-processors under standard data-processing agreements. All SmartStreet-controlled data stays in the UK / EU region; subscription processing happens via the listed providers in their normal regions.
5. Third-party data sources
Every area-level dataset SmartStreet uses comes from a UK public source. None of these services are told who's asking — we send only the postcode (no personal identifier):
| Source | What it provides |
|---|---|
| postcodes.io | Postcode → coordinates + LSOA |
| data.police.uk | Crime statistics (live + monthly snapshot) |
| Food Standards Agency | Restaurant hygiene ratings |
| ONS (SAIEFE + Census 2021) | Income, demographics |
| MHCLG (IMD 2019) | Overall deprivation + 7 sub-domains |
| Department for Education (GIAS) | Schools + Ofsted ratings |
| Land Registry | House price data |
| Environment Agency | Flood-risk warning + alert areas |
| Transport for London | PTAL public-transport accessibility (London) |
| Ordnance Survey (Code-Point Open via doogal.co.uk) | Outward postcode boundary polygons |
| NHS Digital Organisation Data Service | GP surgery + pharmacy locations (per-outward counts) |
| DfT National Charge Point Registry | Public EV chargepoint locations (per-outward counts) |
| MHCLG — Get energy performance of buildings data | Energy Performance Certificate distribution (per-outward A–G band counts only; individual addresses are discarded after counting) |
All non-address fields from these sources are used under the Open Government Licence (OGL v3.0). The Crime + Amenities datasets used by the "Compare to neighbours" maps are pre-computed per-outward snapshots refreshed monthly via an automated job, so opening those maps doesn't trigger a live API call.
Energy Performance Certificate data has an additional consideration: addresses in EPC records are owned by Ordnance Survey + Royal Mail and are used by SmartStreet under the "Promotion and better understanding of the current energy efficiency of buildings and potential improvement in the building sale or rental markets and/or by building occupiers or users" permission in MHCLG's copyright notice. We process EPC addresses only momentarily in memory during the monthly refresh job to aggregate ratings to per-outward counts — we never store, display, or republish individual addresses. The persisted per-outward counts (e.g. "1,200 EPC certificates in IG11; 18% in band C or above") carry no personal data.
6. Analytics and tracking
None. No third-party analytics, advertising SDKs, or tracking cookies. We log basic operational metrics on our server (request paths, response times, error counts); these never include your account email or other personal identifier.
7. Your UK GDPR rights
You can access, correct, delete, object, restrict, or port your data. The easiest paths in the agent portal are the "Account" link in the header and the listings table on the dashboard. If you need anything else, email privacy@getsmartstreet.co.uk and we'll respond within 30 days. Unhappy with our response? You can complain to the UK Information Commissioner's Office (ico.org.uk — our registration number is ZC160313).
8. Data retention
Account profile + saved data are kept while your account is active. On deletion, they're removed within 30 days. Operational logs (server-side request metadata) are kept for 7 days. Agent listing photos are kept while the listing is live, plus 30 days after withdrawal.
9. Security
Authentication uses AWS Cognito with strong password policies (10 characters minimum for agents, 12 for admins, mixed case + symbols required). All client traffic is HTTPS with TLS 1.2 minimum. Session cookies are HttpOnly + Secure + SameSite=Strict. Listing image uploads use short-lived (15-minute) pre-signed URLs scoped to a single listing.
Found a security issue? We welcome responsible disclosure — email security@getsmartstreet.co.uk and we'll acknowledge within 5 working days. Please give us a reasonable window to fix before any public disclosure.
10. Changes to this policy
When we change how the app handles personal data, we update this page and bump the last-updated date above. Substantive changes are flagged in-app on next sign-in.
11. Related documents
Our Terms of Use set out the contract between you and SmartStreet. Reading both gives you the full picture of how the service works and how we look after your data.