Legal
Privacy Policy
How RMEST Ltd collects, uses, stores and protects your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Last updated: 1 January 2026 · Version 4.2
Lawful & Transparent
We process personal data lawfully, fairly and transparently under UK GDPR Article 5.
Secure by Design
Encryption in transit and at rest, access controls, and regular penetration testing.
Minimisation
We only collect data that is adequate, relevant and necessary for stated purposes.
Your Rights First
Access, rectify, erase, restrict, port and object — respond within 30 days.
1. Who we are
RMEST Ltd ("RMEST", "we", "us", "our") is a company registered in England and Wales (company no. 07123456). We are registered with the Information Commissioner's Office (ICO) under reference ZA123456 and act as the data controller for personal information collected through rmest.co.uk and our advisory network.
2. Data we collect
We collect the following categories of personal data:
| Category | Examples |
|---|---|
| Identity Data | Full name, title, date of birth, nationality, photo ID (for AML checks). |
| Contact Data | Email address, telephone number, correspondence address, next-of-kin details. |
| Financial Data | Proof of funds, mortgage-in-principle, bank details for deposit handling. |
| Property Data | Viewing history, saved searches, offers made, tenancy references, landlord history. |
| Technical Data | IP address, browser type, device identifiers, cookies and analytics events. |
| Marketing Data | Preferences on receiving communications from RMEST and selected partners. |
3. How we use your data
- To provide estate agency, lettings and property management services you have requested.
- To comply with our legal obligations under the Money Laundering Regulations 2017 and Estate Agents Act 1979.
- To arrange viewings, offers, tenancy applications and completion.
- To send transactional communications relating to your account, property or transaction.
- To send marketing where you have consented (you can unsubscribe at any time).
- To improve our website, services and customer experience through analytics.
4. Lawful basis for processing
We rely on the following lawful bases: (a) Contract — to deliver services you have engaged us for; (b) Legal obligation — AML checks, HMRC reporting, tenancy deposit protection; (c) Legitimate interests — running our business, preventing fraud, direct marketing to existing clients; (d) Consent — cookies (other than strictly necessary) and third-party marketing.
5. Sharing your data
We share personal data only with vetted third parties: mortgage brokers and lenders (with consent), conveyancing solicitors, referencing providers (HomeLet, Goodlord), deposit protection schemes (DPS, MyDeposits, TDS), HMRC, the Land Registry, portal partners (Rightmove, Zoopla, OnTheMarket), Google Maps for location services, and our cloud infrastructure providers within the UK/EEA. We never sell your personal data.
6. International transfers
Where data is transferred outside the UK/EEA we rely on adequacy decisions or the International Data Transfer Agreement (IDTA) with Standard Contractual Clauses to ensure equivalent protection.
7. Data retention
- Client transaction files: 6 years after completion (HMRC / AML).
- Tenancy files: 7 years after tenancy end.
- Failed applications and unsuccessful enquiries: 12 months.
- Marketing preferences: until you withdraw consent.
- CCTV footage at our branches: 30 days.
8. Your rights
Under UK GDPR you have the following rights:
- Right to be informed about processing
- Right of access to your personal data
- Right to rectification of inaccurate data
- Right to erasure ('right to be forgotten')
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Rights relating to automated decision-making and profiling
To exercise any right, email dpo@rmest.co.uk. We will respond within 30 calendar days. You have the right to complain to the ICO at ico.org.uk or on 0303 123 1113.
9. Security
We maintain ISO 27001-aligned controls: TLS 1.3 in transit, AES-256 at rest, role-based access, MFA on all staff accounts, annual penetration testing and a documented incident response plan. In the event of a personal data breach likely to result in risk to your rights, we will notify the ICO within 72 hours and affected data subjects without undue delay.
10. Contact our Data Protection Officer
dpo@rmest.co.uk
ICO registration: ZA123456
Changes to this policy
We review this policy annually. Material changes will be notified by email to registered users and posted on this page with a revised "last updated" date.