Privacy Policy

Last updated: 25 October 2025

1. Introduction

Think Menai ("we," "us," "our") operates SubletManager, a booking management platform for UK holiday accommodation owners. We are committed to protecting your privacy and handling your personal data responsibly in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller Information

Company: Think Menai

Address: Capel Bethel Vestry, Stryd Fawr, Caernarfon, Gwynedd, LL54 6PL, UK

Email: hello@subletmanager.com | Phone: +44 1286 875 872

2. Information We Collect

2.1 Account Data

Name, email, phone, password (encrypted), billing address, subscription information.

2.2 Property Data

Property details, addresses, photos, pricing, check-in instructions, WiFi codes, compliance certificates (gas safety, EICR, insurance).

2.3 Guest Booking Data

Guest names, emails, phones, booking dates, payment details, communications (for direct bookings only).

2.4 Technical Data

IP address, browser type, device info, session logs, usage analytics.

2.5 Third-Party Data

iCal booking data from Airbnb, Booking.com, Vrbo. Payment status from Stripe. Email delivery data from SMTP2Go.

3. How We Use Your Information

3.1 Service Provision (Legal Basis: Contract)

Account management, payment processing, calendar syncing, booking management, damage bonds, tourist levy calculations, automated messaging, compliance reminders.

3.2 AI Features (Legal Basis: Contract & Legitimate Interest)

AI Data Processing Notice:

We use Anthropic Claude for optional message tone rewriting. Your message drafts are sent to Anthropic's servers (USA) to generate suggestions. We minimise personal data in AI prompts. You can disable AI features anytime. Post-launch features may include AI guest responses and pricing suggestions.

3.3 Communication & Support

Service updates, booking alerts, conflict notifications, customer support.

3.4 Platform Improvement

Usage analysis, error debugging, security monitoring, fraud prevention.

3.5 Marketing (with consent)

Newsletters, feature updates. Unsubscribe anytime.

4. Data Sharing & Third Parties

We share data only with essential service providers. We never sell your data.

Stripe (Payments)

Purpose: Payment processing, bonds

Location: USA (Privacy Shield certified)

SMTP2Go (Email)

Purpose: Guest messaging, notifications

Location: New Zealand

Anthropic (AI)

Purpose: Message tone rewriting (optional)

Location: USA

what3words (Location)

Purpose: Address validation (optional)

Location: United Kingdom

International Transfers

Some providers (Stripe, Anthropic) are in the USA. We use Standard Contractual Clauses and adequacy decisions for compliant transfers.

5. Data Retention

  • Active accounts: Data retained while account is active

  • Booking records: 7 years (UK tax law)

  • Financial transactions: 7 years (accounting requirements)

  • After closure: Guest data deleted within 30 days; account data within 90 days

  • Backups: 30-day retention

6. Your Rights Under UK GDPR

✓ Right of Access

Request a copy of your data

✓ Right to Rectification

Correct inaccurate data

✓ Right to Erasure

Request data deletion

✓ Right to Restrict Processing

Limit how we use your data

✓ Right to Data Portability

Export your data (CSV format)

✓ Right to Object

Object to certain processing

Exercise Your Rights

Email: hello@subletmanager.com

Subject: "Data Subject Access Request"

We respond within 30 days (up to 90 days for complex requests).

Complaints

Contact the UK Information Commissioner's Office:

Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Phone: 0303 123 1113 | Web: ico.org.uk

7. Data Protection Impact Assessment (DPIA)

We conducted a DPIA for high-risk processing activities:

High-Risk Activities
  • Payment processing (card data, financial transactions)

  • Guest personal data processing

  • AI data processing (message content to Anthropic)

  • Automated guest messaging

Safeguards Implemented
  • PCI DSS compliance via Stripe (no card data stored)

  • Data minimisation principles

  • TLS 1.3 encryption in transit, AES-256 at rest

  • Role-based access controls with audit logging

  • AI features are optional with explicit consent

  • Data Processing Agreements with all processors

  • Quarterly security audits

  • 72-hour breach notification procedures

Conclusion: With these safeguards in place, residual risks are assessed as low to medium.

8. Security Measures

Technical Security
  • TLS 1.3 encryption

  • AES-256 encryption at rest

  • Bcrypt password hashing

  • SQL injection prevention

  • CSRF protection

  • Rate limiting

  • Web Application Firewall

Organisational Security
  • Staff background checks

  • Annual GDPR training

  • Least privilege access

  • Signed DPA agreements

  • Incident response plan

  • Regular penetration testing

  • UK-based hosting

Data Breach Notification

In case of a breach, we notify you and the ICO within 72 hours per UK GDPR requirements.

9. Cookies & Tracking

Essential Cookies (Always Active)

Session management, security (CSRF tokens), load balancing. These are necessary for the platform to function.

Performance Cookies (Optional)

Usage analytics, error tracking, performance monitoring. You can opt out in settings.

Marketing Cookies (With Consent)

Used only if you consent. We do not use third-party advertising cookies.

Manage cookie preferences in your browser settings or account dashboard.

10. Children's Privacy

SubletManager is not intended for users under 18. We do not knowingly collect data from children. If we discover such data, we delete it immediately.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes by email 30 days before they take effect.

Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

For privacy questions, data requests, or complaints:

Think Menai - Data Protection Officer

Capel Bethel Vestry, Stryd Fawr

Caernarfon, Gwynedd, LL54 6PL

United Kingdom

Email: hello@subletmanager.com

Phone: +44 1286 875 872

Version: 1.0 | Effective: 25 October 2025 | Jurisdiction: England & Wales