Privacy Policy
How we collect, use, and protect your data. Covers your privacy rights, data processors, international transfers, and retention across UK.
Updated 10 Jan 2026
Wectory Privacy Policy
Effective Date: 1 January 2026
1. Introduction
1.1 About This Policy
This Privacy Policy explains how Wectory Ltd ("Wectory," "we," "us," or "our") collects, uses, discloses, and protects personal data in connection with our website at wectory.com (the "Website") and our rental factoring infrastructure platform (the "Service"). This Policy applies to all individuals whose personal data we process, including representatives of our business partners ("Partners"), visitors to our Website, and landlords whose data is processed through our platform on behalf of Partners.
1.2 Who We Are
Wectory Ltd is a company registered in England and Wales with company number 12790239 and registered office at 86-90 Paul Street, London, Greater London, England, EC2A 4NE, United Kingdom. For the purposes of data protection legislation, Wectory acts as a data controller in respect of certain personal data as described in this Policy, and as a data processor in respect of other personal data as described in this Policy. Our data protection contact details are set out in Section 13 below.
1.3 Data Protection Legislation
References to "data protection legislation" in this Policy mean the UK General Data Protection Regulation (the "UK GDPR"), being Regulation (EU) 2016/679 as it forms part of domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018 and any other applicable laws relating to the processing of personal data and privacy.
1.4 Our Commitment
Wectory is committed to protecting the privacy and security of personal data. We process personal data in accordance with data protection legislation and industry best practices. This Policy describes our data protection practices and your rights in relation to personal data that we process.
2. Our Role in Data Processing
2.1 When We Act as Data Controller
Wectory acts as a data controller, determining the purposes and means of processing, in respect of personal data relating to Partner account registration and administration, including names, contact details, and business information of Partner representatives; Website visitors, including data collected through cookies and similar technologies, enquiry forms, and analytics; marketing and communications, including contact details of individuals who subscribe to our newsletters or express interest in our services; suppliers and service providers with whom we engage; and recruitment and employment, including personal data of job applicants and employees.
When acting as a data controller, Wectory is directly responsible for complying with data protection legislation, including ensuring lawful processing, maintaining appropriate security, and responding to data subject rights requests.
2.2 When We Act as Data Processor
Wectory acts as a data processor, processing personal data on behalf of and under the instructions of Partners, in respect of landlord personal data that Partners submit to or process through our Service. This includes landlord names, contact details, and identification information; property addresses and details; bank account information for Direct Debit collection; rental payment history and tenancy information; and any other personal data that Partners submit through the Service.
When acting as a data processor, our processing is governed by data processing agreements with our Partners as required by Article 28 of the UK GDPR. Partners remain the data controllers for landlord personal data and are responsible for ensuring that their collection and use of such data complies with data protection legislation, including having appropriate lawful bases and providing adequate privacy notices to landlords.
2.3 Implications for Data Subjects
If you are a landlord whose data is processed through our Service, the relevant Partner is the data controller for your personal data. You should refer to that Partner's privacy policy for information about how they process your data. While we process your data as a processor on behalf of the Partner, we maintain appropriate security measures and comply with our processor obligations under data protection legislation. If you wish to exercise your data subject rights in relation to landlord data, you should contact the relevant Partner directly. We will assist Partners in responding to such requests as required by our data processing agreements.
3. Personal Data We Collect
3.1 Partner Account Data
When Partners register for and use our Service, we collect personal data relating to Partner representatives. This includes identity data such as first name, last name, and job title; contact data such as business email address, telephone number, and business address; account credentials such as username and password (stored in encrypted form); business data such as company name, company registration number, and business sector; financial data such as billing information and payment card details (processed by our payment service provider); and usage data such as information about how Partner representatives use our platform, including login history, features accessed, and actions taken.
3.2 Website Visitor Data
When individuals visit our Website, we collect personal data through various means. This includes technical data such as internet protocol (IP) address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, and other technology on the devices used to access the Website; usage data such as information about how visitors use our Website, including pages visited, time spent on pages, navigation paths, and referring URLs; and enquiry data such as information provided when visitors complete contact forms or request information, including name, email address, company name, and message content.
3.3 Marketing Data
Where individuals subscribe to our marketing communications or express interest in our services, we collect identity and contact data as described above; communication preferences such as marketing opt-in status and preferred communication channels; and interaction data such as information about engagement with our marketing communications, including email opens, clicks, and website visits following marketing activities.
3.4 Landlord Data Processed on Behalf of Partners
When acting as a processor on behalf of Partners, we process landlord personal data that Partners submit to or process through our Service. The categories of landlord data processed typically include identity data such as landlord names, dates of birth, and identification document details; contact data such as addresses, email addresses, and telephone numbers; property data such as addresses and details of properties owned by landlords; financial data such as bank account details for Direct Debit mandate creation and collection; tenancy data such as information about tenancies, rental amounts, payment history, and tenant details; and deal data such as information about advance applications, approvals, funding, and repayments.
Partners determine what landlord data is submitted to our Service. We process landlord data only in accordance with Partner instructions and our data processing agreements.
4. How We Collect Personal Data
4.1 Direct Collection
We collect personal data directly from individuals when they register for a Partner account or request access to our Service; complete forms on our Website, including contact forms and newsletter subscription forms; correspond with us by email, telephone, or other means; attend events, webinars, or meetings hosted or attended by Wectory; or apply for employment with Wectory.
4.2 Automated Collection
We collect certain personal data automatically when individuals interact with our Website or Service. This includes data collected through cookies and similar technologies as described in Section 10 of this Policy; log files recording visits to our Website and use of our Service; and analytics tools that help us understand how our Website and Service are used.
4.3 Collection from Partners
We receive landlord personal data from Partners when they submit such data through our Service. Partners are responsible for ensuring that they have appropriate lawful bases and have provided adequate privacy notices before submitting landlord data to our Service.
4.4 Collection from Third Parties
We may receive personal data from third parties in certain circumstances. This includes business contact data from marketing data providers and business directories; credit and identity verification data from credit reference agencies and identity verification services; and technical data from analytics providers, advertising networks, and search information providers.
5. Purposes and Legal Bases for Processing
5.1 Processing of Partner Account Data
We process Partner account data for the following purposes and relying on the following legal bases under Article 6 of the UK GDPR.
We process Partner account data to provide and administer the Service, including creating and managing Partner accounts, providing access to the platform, processing transactions, and delivering the services described in our Terms of Service. The legal basis for this processing is that it is necessary for the performance of our contract with Partners.
We process Partner account data to communicate with Partners about the Service, including sending service-related notifications, responding to enquiries, and providing customer support. The legal basis for this processing is that it is necessary for the performance of our contract with Partners and, in some cases, for our legitimate interests in providing effective customer service.
We process Partner account data to bill Partners and process payments for our services. The legal basis for this processing is that it is necessary for the performance of our contract with Partners.
We process Partner account data to ensure the security and integrity of our Service, including monitoring for fraudulent or unauthorised use, investigating security incidents, and enforcing our terms and policies. The legal basis for this processing is our legitimate interest in protecting our Service, our Partners, and other users from harm.
We process Partner account data to comply with our legal and regulatory obligations, including tax reporting, anti-money laundering requirements, and responding to lawful requests from authorities. The legal basis for this processing is that it is necessary for compliance with legal obligations to which we are subject.
We process Partner account data to improve and develop our Service, including analysing usage patterns, conducting research and development, and testing new features. The legal basis for this processing is our legitimate interest in improving our Service and developing new products and features.
5.2 Processing of Website Visitor Data
We process Website visitor data for the following purposes and relying on the following legal bases.
We process technical and usage data to operate and maintain our Website, including ensuring that content is presented effectively and that the Website functions properly. The legal basis for this processing is our legitimate interest in operating an effective website.
We process technical data to ensure the security of our Website, including monitoring for malicious activity and protecting against cyber attacks. The legal basis for this processing is our legitimate interest in maintaining the security of our systems.
We process usage data to analyse how our Website is used and to improve user experience. The legal basis for this processing is our legitimate interest in understanding our audience and improving our Website, or, where cookies are used, consent where required by applicable law.
We process enquiry data to respond to enquiries and requests for information submitted through our Website. The legal basis for this processing is our legitimate interest in responding to individuals who contact us and, where the enquiry relates to our services, taking steps at the request of the individual prior to entering into a contract.
5.3 Processing of Marketing Data
We process marketing data for the following purposes and relying on the following legal bases.
We process marketing data to send marketing communications about our products, services, and events to individuals who have consented to receive such communications or, in the case of existing Partners and individuals who have enquired about our services, where we have a legitimate interest in marketing our services and the individual has not opted out. Where consent is the legal basis, individuals may withdraw consent at any time as described in Section 8 of this Policy.
We process marketing data to personalise marketing communications and website content based on individual interests and preferences. The legal basis for this processing is consent where required, or our legitimate interest in providing relevant content to our audience.
We process marketing data to measure the effectiveness of our marketing activities and to understand engagement with our communications. The legal basis for this processing is our legitimate interest in evaluating and improving our marketing activities.
5.4 Processing of Landlord Data as Processor
When processing landlord data on behalf of Partners, we process such data only in accordance with Partner instructions as documented in our Terms of Service and data processing agreements. Partners are responsible for determining the purposes and legal bases for processing landlord data and for providing appropriate privacy notices to landlords. Our processing of landlord data as a processor is necessary for the performance of our contract with Partners.
6. Data Sharing and Disclosure
6.1 Sharing with Service Providers
We share personal data with third-party service providers who assist us in operating our business and providing our services. These service providers process personal data on our behalf and are contractually obligated to process such data only in accordance with our instructions and to maintain appropriate security measures. Categories of service providers with whom we share personal data include cloud infrastructure providers who host our platform and store data; payment processors who process payments on our behalf; identity verification providers who assist with know-your-customer and anti-money laundering checks; document service providers who provide electronic signature and document generation services; communication service providers who send emails and other communications on our behalf; analytics providers who help us understand how our Website and Service are used; and customer support tools that help us manage support enquiries.
6.2 Sharing with Payment Service Providers
We share personal data with payment service providers to facilitate payment collection. In particular, we share landlord bank account details and mandate information with GoCardless Ltd to create and manage Direct Debit mandates and collect payments. GoCardless is an authorised payment institution regulated by the Financial Conduct Authority and processes personal data in accordance with its own privacy policy and data protection obligations.
6.3 Sharing with Partners
Where we process landlord data as a processor on behalf of a Partner, we provide that data back to the Partner through our platform. Partners receive access to landlord data that they have submitted or that has been generated through processing on their behalf, such as scoring outputs, collection status, and transaction records.
6.4 Sharing for Legal Reasons
We may disclose personal data where we believe disclosure is necessary to comply with applicable law, regulation, legal process, or governmental request; to enforce our Terms of Service or other agreements; to protect the rights, property, or safety of Wectory, our Partners, or others; to detect, prevent, or address fraud, security, or technical issues; or to respond to an emergency that we believe in good faith requires disclosure.
6.5 Business Transfers
If Wectory is involved in a merger, acquisition, reorganisation, sale of assets, or bankruptcy, personal data may be transferred to the acquiring entity or successor. We will provide notice of any such transfer and any choices individuals may have regarding their personal data.
6.6 No Sale of Personal Data
Wectory does not sell personal data to third parties and has no intention of doing so.
7. International Data Transfers
7.1 Data Location
Personal data is primarily stored and processed within the United Kingdom and the European Economic Area. Our primary cloud infrastructure is located in data centres within these regions.
7.2 Transfers Outside the UK and EEA
Some of our service providers are located in, or process personal data in, countries outside the United Kingdom and European Economic Area. Where personal data is transferred to countries that have not been deemed to provide an adequate level of data protection by the UK Government or European Commission, we ensure that appropriate safeguards are in place to protect such data.
7.3 Transfer Safeguards
Where we transfer personal data to countries without an adequacy decision, we rely on the following transfer mechanisms. We use Standard Contractual Clauses approved by the European Commission and, where applicable, the UK International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses. These contractual arrangements impose data protection obligations on the recipient of personal data, giving individuals enforceable rights. We conduct transfer impact assessments where required to evaluate whether the legal framework of the destination country provides adequate protection. We implement supplementary measures where necessary, such as additional technical or organisational safeguards, to ensure an adequate level of protection.
7.4 Further Information
Individuals may request further information about the safeguards we have in place for international transfers by contacting us using the details in Section 13.
8. Data Subject Rights
8.1 Your Rights Under Data Protection Legislation
Where Wectory acts as a data controller, individuals have certain rights under data protection legislation in relation to their personal data. These rights are subject to certain exemptions and limitations under applicable law.
Individuals have the right of access, being the right to request confirmation of whether we process personal data about them and, if so, to request a copy of that personal data along with certain supplementary information about our processing.
Individuals have the right to rectification, being the right to request that we correct any inaccurate personal data about them and, taking into account the purposes of processing, to complete any incomplete personal data.
Individuals have the right to erasure, being the right to request that we delete personal data about them in certain circumstances, such as where the data is no longer necessary for the purposes for which it was collected, where consent is withdrawn and no other legal basis applies, or where the data has been unlawfully processed.
Individuals have the right to restriction of processing, being the right to request that we restrict our processing of personal data in certain circumstances, such as where the accuracy of the data is contested, where processing is unlawful but erasure is not desired, or where we no longer need the data but it is required for legal claims.
Individuals have the right to data portability, being the right to receive personal data that they have provided to us in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where processing is based on consent or contract and is carried out by automated means.
Individuals have the right to object to processing based on legitimate interests, including profiling based on legitimate interests. Where an individual objects, we will cease processing unless we demonstrate compelling legitimate grounds that override the individual's interests, rights, and freedoms, or processing is necessary for legal claims.
Individuals have the right to object to direct marketing, being the absolute right to object at any time to processing of personal data for direct marketing purposes, including profiling related to direct marketing. Where an individual objects, we will cease processing for direct marketing purposes.
Individuals have rights related to automated decision-making, being the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects, except where the decision is necessary for a contract, is authorised by law, or is based on explicit consent.
8.2 Exercising Your Rights
To exercise any of the rights described above in relation to personal data for which Wectory is the data controller, individuals should contact us using the details in Section 13. We will respond to requests within one month of receipt, unless the request is complex or we receive numerous requests, in which case we may extend this period by up to two further months. We will inform individuals of any such extension within one month of receipt of the request. We do not charge a fee for responding to requests unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
8.3 Rights Regarding Landlord Data
If you are a landlord whose personal data is processed through our Service on behalf of a Partner, the Partner is the data controller for your personal data. To exercise your data subject rights in relation to such data, you should contact the relevant Partner directly. We will assist Partners in responding to data subject requests as required by our data processing agreements.
8.4 Right to Complain
Individuals have the right to lodge a complaint with a supervisory authority if they believe that our processing of their personal data violates data protection legislation. The supervisory authority in the United Kingdom is the Information Commissioner's Office, which can be contacted at ico.org.uk or by telephone at 0303 123 1113. We would, however, appreciate the opportunity to address any concerns before individuals approach the supervisory authority, and we encourage individuals to contact us in the first instance.
9. Data Retention
9.1 Retention Principles
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements. To determine appropriate retention periods, we consider the amount, nature, and sensitivity of the personal data; the potential risk of harm from unauthorised use or disclosure; the purposes for which we process the data and whether we can achieve those purposes through other means; and applicable legal, regulatory, and contractual requirements.
9.2 Retention Periods for Controller Data
We retain Partner account data for the duration of the Partner relationship and for seven years following termination of the Partner account, as required for tax, accounting, and legal compliance purposes. We retain Website visitor data for up to two years from the date of collection, except where longer retention is necessary for security or legal purposes. We retain marketing data until the individual unsubscribes or requests deletion, and for up to two years following unsubscription for suppression list purposes. We retain enquiry data for up to two years from the date of enquiry, except where the enquiry leads to a business relationship in which case data is retained as Partner account data. We retain recruitment data for up to one year following the conclusion of the recruitment process for unsuccessful candidates, and in accordance with employment records retention requirements for successful candidates.
9.3 Retention of Landlord Data
When acting as a processor, we retain landlord data in accordance with Partner instructions and our data processing agreements. Our standard retention period is seven years following completion or default of an advance, as required for regulatory and legal compliance purposes. Partners may instruct us to delete landlord data earlier, subject to our legal retention obligations.
9.4 Deletion and Anonymisation
When personal data is no longer required, we securely delete or anonymise it. Anonymisation involves processing personal data such that it can no longer be used to identify an individual, either directly or indirectly, after which the data is no longer subject to data protection legislation.
10. Cookies and Similar Technologies
10.1 What Are Cookies
Cookies are small text files that are placed on devices when individuals visit websites. Cookies serve various purposes, including enabling websites to function, improving user experience, and providing analytics and advertising functionality. Similar technologies include web beacons, pixels, and local storage.
10.2 How We Use Cookies
We use cookies and similar technologies on our Website for the following purposes.
We use strictly necessary cookies that are essential for the Website to function properly. These cookies enable core functionality such as security, network management, and accessibility. These cookies do not require consent as they are necessary for the operation of the Website.
We use functional cookies that enhance the functionality of the Website by storing user preferences such as language settings and login information. These cookies are not strictly necessary but improve user experience.
We use analytics cookies that help us understand how visitors interact with our Website by collecting information about pages visited, time spent on pages, and navigation patterns. We use Google Analytics for this purpose. Analytics cookies help us improve our Website and understand our audience.
We use marketing cookies that track visitors across websites to enable us to display relevant advertisements. We may use these cookies to measure the effectiveness of our advertising campaigns and to provide targeted advertising.
10.3 Cookie Consent
Where cookies are not strictly necessary for the operation of our Website, we obtain consent before placing such cookies on devices. Visitors can manage their cookie preferences through our cookie consent banner or by adjusting their browser settings. Visitors can also withdraw consent at any time by clearing cookies from their browser or updating their preferences through our cookie consent mechanism.
10.4 Third-Party Cookies
Some cookies on our Website are placed by third parties, such as analytics and advertising providers. These third parties may collect personal data about individuals' online activities over time and across different websites. We do not control these third-party cookies and recommend that individuals review the privacy policies of these third parties.
10.5 Do Not Track
Some browsers include a "Do Not Track" feature that signals to websites that individuals do not wish to have their online activity tracked. Our Website does not currently respond to Do Not Track signals.
11. Data Security
11.1 Security Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. Our security measures include encryption of personal data at rest using AES-256 encryption and in transit using TLS 1.3; access controls including multi-factor authentication, role-based access control, and the principle of least privilege; network security measures including firewalls, intrusion detection systems, and network segmentation; regular security assessments including vulnerability scanning and penetration testing; employee security awareness training and background checks for personnel with access to personal data; incident response procedures for detecting, investigating, and responding to security incidents; and physical security measures at our offices and data centre facilities.
11.2 Security Certifications
We are working towards SOC 2 Type II certification and ISO 27001 certification to demonstrate our commitment to information security best practices.
11.3 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where a breach is likely to result in a high risk to individuals, we will also notify affected individuals without undue delay. Where we experience a breach affecting landlord data that we process as a processor, we will notify the relevant Partner without undue delay, and within 48 hours where feasible, to enable the Partner to fulfil its own breach notification obligations.
11.4 Your Responsibilities
While we implement robust security measures, the security of personal data also depends on individuals taking appropriate precautions. Partner representatives should keep their account credentials secure and confidential, use strong and unique passwords, enable multi-factor authentication where available, and notify us immediately of any suspected unauthorised access to their account.
12. Additional Information
12.1 Children's Data
Our Website and Service are not directed at children under the age of 18, and we do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete such data promptly.
12.2 Links to Third-Party Websites
Our Website may contain links to third-party websites that are not operated by Wectory. We are not responsible for the privacy practices of these third-party websites and recommend that individuals review the privacy policies of any third-party websites they visit.
12.3 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify individuals by posting the updated Policy on our Website with a new effective date and, where appropriate, by other means such as email notification. We encourage individuals to review this Policy periodically to stay informed about our data protection practices.
12.4 Language
This Privacy Policy is written in English. Translations may be provided for convenience, but in the event of any conflict between the English version and any translation, the English version shall prevail.
13. Contact Us
13.1 Data Protection Contact
For questions, concerns, or requests relating to this Privacy Policy or our data protection practices, individuals may contact us by email at privacy@wectory.com, by post at Data Protection, Wectory Ltd, 86-90 Paul Street, London, Greater London, England, EC2A 4NE, United Kingdom, or through the contact form on our Website at wectory.com/contact.
13.2 Data Protection Officer
Wectory has designated a data protection point of contact who can be reached at dpo@wectory.com for matters relating to data protection compliance.
13.3 Supervisory Authority
The supervisory authority for data protection in the United Kingdom is the Information Commissioner's Office. Individuals have the right to lodge a complaint with the ICO if they believe their data protection rights have been violated.
Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF United Kingdom
Telephone: 0303 123 1113 Website: ico.org.uk
14. Definitions
In this Privacy Policy, unless the context otherwise requires:
"Data controller" means a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
"Data processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.
"Data subject" means an identified or identifiable natural person whose personal data is processed.
"Partner" means a business entity that has entered into an agreement with Wectory to use our Service.
"Personal data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
"Service" means the Wectory rental factoring infrastructure platform and all related services provided by Wectory.
"UK GDPR" means the UK General Data Protection Regulation, being Regulation (EU) 2016/679 as it forms part of domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018.
"Website" means the Wectory website at wectory.com.
Wectory Ltd
Company Registration Number: 12790239
Registered Office: 86-90 Paul Street, London, Greater London, England, EC2A 4NE, United Kingdom
United Kingdom
This Privacy Policy is effective as of 1 January 2026.
© 2026 Wectory Ltd. All rights reserved.
