TenancyDocsUKGenerate a document
Legal

Privacy Policy

Last updated: April 2026

We take your privacy seriously and collect the minimum amount of information required to run the service. This policy explains what we collect, why, and your rights under UK GDPR.

1. Data controller

The data controller is TenancyDocs (a trading name of Sodalis). You can reach us at privacy@sodalis.dev.

2. What we collect

  • Email address — you provide this at checkout. We use it to deliver your PDF and to send a login link if you subscribe.
  • Payment information — handled entirely by Stripe. We never see your card number. Stripe stores a reference which we use to verify your membership status.
  • Document field data — information you type into the document forms (tenant names, property address, rent amount, etc.). This is transmitted through Stripe metadata to our server, used to generate your PDF, and included in the delivery email. We do not retain this data in our own database after delivery.
  • Server logs — Vercel (our hosting provider) records standard HTTP logs including IP address, user agent, and timestamps. Logs are retained for 30 days for security and debugging.
  • Error reports — we use Sentry to capture application errors. Reports may include the URL of the page where the error occurred and a stack trace. We do not knowingly send form-field data to Sentry.

3. Legal basis for processing

  • Contract — to deliver the documents you have paid for and manage your subscription.
  • Legitimate interests — to keep the service secure, to prevent fraud, and to improve reliability through aggregated error monitoring.
  • Legal obligation — to retain payment records for HMRC compliance (minimum 6 years).

4. Sub-processors

We share data with the following service providers, each under a data processing agreement:

  • Stripe, Inc. — payment processing (data stored in EU/US, adequacy decision in place)
  • Vercel, Inc. — hosting (data stored in EU region)
  • Resend, Inc. — email delivery (EU region)
  • Sentry — error monitoring (EU region)

5. How long we keep data

  • Email address: while you have an active subscription, plus 12 months after cancellation
  • Payment records: 6 years (HMRC requirement)
  • Document field data: not retained after PDF delivery (stays only in your inbox and Stripe's session metadata for the default Stripe retention period)
  • Server logs: 30 days
  • Error reports: 90 days

6. Your rights

Under UK GDPR you have the right to access your data, rectify it, erase it, restrict or object to processing, and receive it in a portable format. To exercise any of these, email privacy@sodalis.dev and we will respond within 30 days.

You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

7. Cookies

We use one essential cookie to keep subscribers signed in (the td_session cookie). We do not use analytics or advertising cookies. See our Cookie Policy for details.

8. International transfers

Where our sub-processors transfer data outside the UK, they rely on UK International Data Transfer Agreements or adequacy decisions.

9. Changes to this policy

We will notify active subscribers by email of any material changes. The "Last updated" date at the top of this page reflects the most recent revision.