Legal

Privacy policy

Last updated: 21 June 2026

Primehold ("we", "us") is the portfolio ledger for UK property owners and the brokers who serve them. This notice explains what personal data we handle, why, and the rights you have over it. Questions or requests: scott@primehold.co.uk.

1. Who we are

Primehold is operated by Primehold App Limited, a company registered in England and Wales (company no. 17287472), registered office 111 Aldershot Road, Church Crookham, GU52 8JY. We are registered with the UK Information Commissioner's Office (ICO) under reference ZC178940. For questions or requests about your personal data, scott@primehold.co.uk reaches us directly.

2. Two roles: controller and processor

Primehold plays two distinct roles under UK GDPR, and your rights run to the right party:

• For your account — your login, name, contact details, membership tier, and billing records — we are the controller.
• For portfolio data — the properties, valuations, mortgages, rents, contacts (which may include tenants, contractors and agents) and history kept in Primehold — the property owner is the controller and we are their processor. We handle that data only on the controller's instructions — whether the owner uses Primehold themselves or through a broker.
• A brokerage or adviser given access to an owner's workspace acts as the owner's authorised representative, on the owner's behalf — being granted access does not make them the controller of the owner's record. (A brokerage may separately be a controller in its own right for its own regulatory or business purposes; that use is governed by the brokerage's own terms, not this notice.) If the broker link ends, the owner keeps the record and access, the broker's access is removed, and we continue to process the data for the owner.

3. What we collect

• Account data — name, email address, contact number, password (stored only as a bcrypt hash — we never see or store the password itself), membership tier, theme preference.
• Portfolio data (processed for the owner, as controller) — names and contact details of the owner's contacts (which may include tenants, contractors and agents), portfolio and company structures, property addresses, valuations, mortgage and rental records, and the dated history of changes including which user made each entry.
• Security records — sign-in attempts and an audit log of sensitive actions (who did what, when), kept for accountability under UK GDPR Article 5(2).
• Register-interest details — if you join the pre-launch list: your name, email and role.

We do not collect special-category data, and we do not buy, sell, or enrich personal data from third parties.

4. Why we use it (lawful bases)

• Performing our contract — providing the platform: accounts, portfolios, invitations, exports, review requests.
• Legitimate interests — keeping the service secure (sign-in throttling, audit logging, session management) and improving it.
• Consent — the register-interest list. You can ask to come off it at any time.
• Legal obligations — records we must keep, and cooperation with regulators.

5. Cookies and analytics

Essential cookies always run, and need no consent: a session cookie to keep you signed in (httpOnly), a small record of your cookie choice, and two preference cookies for light/dark mode and your chosen theme.

On our public pages we also measure traffic. Ahrefs Web Analytics is cookieless and privacy-preserving — it sets no cookies and needs no consent. Google Analytics sets analytics cookies and sends data to Google (including in the US), so it loads only if you accept it in the cookie banner; choose Reject and it never loads. You can change your choice any time via Cookie settings in the footer. We run no analytics or tracking inside your signed-in account.

6. Who sees your data

Access is scoped by design: brokers see only their own firm's book; each property owner sees only their own portfolios; every account is individually named so the history records who changed what. A property owner using Primehold without a linked broker is the sole viewer of their own record. We do not share personal data with third parties except the service providers who host and deliver the platform (hosting, email delivery, and — on the public pages only — website analytics), each bound to process it only for us. We never sell personal data.

7. How long we keep it

Account data lasts for the life of the account. Portfolio data is kept while the owner keeps it — its long history is the product. When an owner's record is erased (by the owner, or a broker acting on their behalf), everything attached (portfolios, properties, history, logins, invitations, review requests) is hard deleted immediately. Sign-in attempt records are pruned after 24 hours; audit records are retained for accountability.

8. Where it lives and how it's protected

Data is hosted in the UK/EEA with our infrastructure provider and encrypted in transit (TLS). The application and your portfolio data stay with that UK/EEA infrastructure; only public-site Google Analytics data (if you accept it) is processed by Google and may be transferred outside the UK under its standard contractual clauses. Passwords are bcrypt-hashed; sessions are httpOnly cookies; repeated failed sign-ins are throttled; invitation links are single-use, expiring, and stored only as hashes; sensitive actions are recorded in an append-only audit log.

9. Your rights

Under UK GDPR you can ask for access to your data, correction, erasure, restriction, portability, or object to processing. Much of this is built in: you can edit your own profile, change your password, delete your own login, and export your complete record as JSON or Excel. If you hold a free account in your own name (no broker linked), you can permanently delete your whole account and everything in it yourself, from account settings. To erase your whole record by request — and for anything else — email scott@primehold.co.uk (a linked broker can also erase a record from the app); we respond within one month. You can also complain to the Information Commissioner's Office (ico.org.uk).

10. Changes

We'll post any changes to this policy here and update the date at the top. Material changes will be flagged to signed-in users.