1. About this policy
Safa Residences Management Ltd (trading as "Safa Residences", "we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect personal information about visitors to our website, landlords who enquire about or use our property management services, and guests who book accommodation we manage.
This policy applies to all personal data we process, whether obtained through:
- Our website (safaresidences.com)
- Email or telephone enquiries
- Our landlord enquiry form
- Direct guest bookings (when active)
- Our customer relationship management systems
We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
2. Who we are (data controller)
| Field | Value |
|---|---|
| Legal entity | Safa Residences Management Ltd |
| Trading name | Safa Residences |
| Company number | 17098705 |
| Registered in | England and Wales |
| Registered office | Suite Ra01, 195-197 Wood Street, London, E17 3NU |
| Director | Muhammad Sameer Khan |
| Contact | hello@safaresidences.com |
We are the data controller for all personal data processed in connection with our services.
Data Protection Officer: We are not statutorily required to appoint a Data Protection Officer under UK GDPR Article 37 because we do not carry out large-scale systematic monitoring or process special category data on a large scale. All data protection enquiries are handled by our Director, who acts as the designated point of contact.
ICO registration: We are registered with the Information Commissioner's Office (ICO) under registration number ZC138131. This can be verified on our Compliance page and on the ICO public register at ico.org.uk.
3. What personal data we collect
We only collect the personal data we need to provide our services and operate our business.
3.1 Website visitors
When you visit our website, we automatically collect:
- IP address (truncated for analytics)
- Browser type and version
- Device type and operating system
- Pages viewed and time spent
- Referring URL
- Approximate location (country / region only)
3.2 Landlord enquiries
When you submit our enquiry form (or contact us by email or phone), we collect:
- Full name
- Email address
- Phone number
- Property postcode and (optional) full property address
- Property type (Flat / House / Other)
- Number of bedrooms
- Furnishing status
- Current property status (vacant, long-let, short-let, other)
- Permission status (whether short-letting is permitted by your lease, mortgage, or freeholder)
- Current listing link (optional)
- Property photographs (optional, uploaded by you)
- Additional comments (optional)
- How you heard about us
- Your consent to be contacted
- Date and time of submission
- Marketing attribution data (UTM parameters, referring page)
3.3 Landlords who sign a Management Agreement
If we proceed to manage your property, we additionally collect:
- Full property address and access details
- Bank account details for landlord payouts (handled via the Calmony safeguarded account; we do not store full account numbers in our CRM)
- HMRC tax reference (for the Non-Resident Landlord Scheme, if applicable)
- Proof of identity and proof of ownership for KYC compliance
- Insurance certificates and any tenancy or leasehold consent documents
3.4 Guests booking direct (when active)
When direct guest bookings launch, we will collect:
- Full name and date of birth
- Email address and phone number
- Photographic ID (passport or driving licence) for KYC and the statutory guest register
- Nationality (required by law for the statutory guest register)
- Address of next destination (for non-British, Irish, or Commonwealth nationalities, required by law)
- Names of additional guests over 18
- Payment card details (handled by our payment processor — see Section 6; we never store full card numbers)
- Booking dates, property booked, and total price
3.5 Guests booking via OTAs
If you book one of our properties via Airbnb, Booking.com, VRBO, or similar, that platform is the data controller for your booking data. We receive only the booking details necessary to host your stay (name, contact, booking reference, dates), under the platform's own terms.
3.6 Special category data
We do not routinely process "special category data" under UK GDPR Article 9 (race, ethnicity, religion, health, biometrics, etc.). Photographic ID processed for KYC is regular personal data, not biometric data.
4. How we collect your information
We obtain personal information when you:
- Submit an enquiry through our website form
- Email or call us
- Sign a Management Agreement with us
- Stay at one of our managed properties (direct booking)
- Book via an OTA (the OTA passes us limited booking data)
- Sign up for our newsletter or marketing communications (when active)
- Interact with us on social media
- Visit our website (cookies and analytics — see our Cookie Policy)
5. Lawful basis for processing
Under UK GDPR Article 6, we rely on the following lawful bases:
| Activity | Lawful basis |
|---|---|
| Responding to your enquiry | (b) Performance of a contract / pre-contract steps you requested |
| Managing your property under a signed Management Agreement | (b) Performance of a contract |
| Hosting a guest booking (direct or via OTA) | (b) Performance of a contract |
| Maintaining the statutory guest register | (c) Legal obligation (Immigration (Hotel Records) Order 1972) |
| KYC and anti-money-laundering checks | (c) Legal obligation |
| Responding to a complaint or claim | (c) Legal obligation; (f) Legitimate interest |
| Fraud prevention and security | (f) Legitimate interest |
| Improving our website and services | (f) Legitimate interest |
| Sending marketing communications | (a) Consent (you can withdraw at any time) |
When we rely on legitimate interest, we have carried out a balancing test to ensure your rights and freedoms are not overridden.
6. Who we share your data with (sub-processors)
We do not sell, rent, or trade your personal data. We share data only with carefully selected third parties who help us operate our business, all of whom are bound by data processing agreements.
| Processor | Purpose | Location |
|---|---|---|
| Lovable (lovable.dev) | Website hosting and runtime; first-party platform analytics | EU / UK / US (CDN edge) |
| Cloudflare | Content delivery, security, R2 file storage (your uploaded property photos) | Global edge; storage location: EU |
| Notion | CRM (storing your enquiry submission) | US (with UK Standard Contractual Clauses) |
| Google Workspace | Business email (hello@safaresidences.com) | Global (with adequacy regulations) |
| Calmony.co | Client money safeguarding (when active) — Electronic Money Regulations 2011 | UK |
| Stripe | Payment processing for direct guest bookings (when active) — PCI-DSS compliant; we do not store payment card details | UK / EU / US |
| Property Management System | Channel manager for OTA listings (when active — e.g. Hostfully or Guesty) | EU / US |
| Resend | Transactional email (when active — e.g. enquiry confirmations) | EU / US |
6.1 Disclosures to landlords
If you are a guest, we do not share your personal data (name, email, phone, ID, payment) with the landlord of the property you are staying in. The landlord receives only aggregate booking and revenue reports — never guest contact details. Safa Residences is the sole data controller for guest data.
6.2 Other disclosures
We may also disclose your data:
- To regulators (HMRC, Information Commissioner's Office, Property Redress Scheme, Client Money Protect)
- To the police or other competent authorities, where legally required
- To professional advisers (accountants, solicitors, insurers) bound by confidentiality
- In connection with a sale, merger, or restructuring of our business (your data would transfer subject to the same protections)
7. International transfers
Some of our processors are based outside the UK. Where personal data is transferred outside the UK, we rely on:
- UK adequacy regulations (e.g. EU/EEA, recognised adequate countries), or
- UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) with appropriate supplementary measures
We have carried out transfer risk assessments to ensure your data continues to receive a substantially equivalent level of protection.
8. How long we keep your data
| Data | Retention period |
|---|---|
| Enquiry data (no booking proceeded) | 24 months from submission, unless you object |
| Landlord Management Agreement records | 7 years after end of agreement (HMRC and statutory) |
| Guest booking records and registers | 12 months from arrival (Immigration (Hotel Records) Order 1972) |
| Financial records | 6 years (Companies Act 2006) |
| Marketing list (if subscribed) | Until you unsubscribe + 30 days |
| Server logs and analytics | 14 months (anonymised after 6 months) |
We review our retention periods regularly.
9. Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you (Subject Access Request)
- Rectify inaccurate or incomplete data
- Erase your data ("right to be forgotten") — subject to our legal retention obligations
- Restrict processing in certain circumstances
- Object to processing based on legitimate interest or for direct marketing
- Data portability — receive your data in a structured, machine-readable format
- Withdraw consent at any time (where consent is the lawful basis)
- Lodge a complaint with the Information Commissioner's Office (see Section 13)
To exercise any of these rights, email hello@safaresidences.com. We will respond within one month, free of charge in most cases.
10. Security
We take the security of your personal data seriously and have implemented appropriate technical and organisational measures, including:
- HTTPS encryption (TLS 1.3) for all website traffic
- Encrypted cloud storage for uploaded files (Cloudflare R2 with server-side encryption)
- Access controls and least-privilege permissions on our CRM
- Two-factor authentication on administrative accounts
- Regular security reviews (most recent: pre-launch security scan, 29 April 2026)
- Magic-byte file validation on uploads (rejecting potentially malicious file types)
- Rate limiting on form submissions to prevent abuse
- DMARC, SPF, and DKIM email authentication
Despite our best efforts, no system is 100% secure. If we ever discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals where required.
11. Cookies and tracking
Our website uses cookies and similar technologies. Please see our Cookie Policy for full details, including the categories of cookies, the specific cookies we set, and how to manage your preferences.
12. Children's data
Our website and services are not directed at children under 18. We do not knowingly collect personal data from children. Direct bookings are restricted to adults aged 18 or over. If you believe we have inadvertently collected data about a child, please contact us immediately and we will delete it.
13. How to complain
If you have a concern about how we are handling your personal data, please email hello@safaresidences.com first — we will do our best to resolve the issue.
If you are not satisfied, you have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or in the law. The "Last updated" date at the top reflects the most recent change. Material changes will be communicated by email (where we hold your contact details) or via a prominent notice on our website.
15. Contact
For any questions about this policy or your personal data:
- Email: hello@safaresidences.com
- WhatsApp: +44 7597 396999
- Postal address: Suite Ra01, 195-197 Wood Street, London, E17 3NU