Legal

Privacy Policy

Last updated: 20/06/2026

This Privacy Policy explains how Owners HQ Ltd ("we", "us", "our") collects, uses, and protects personal data when you use our platform at ownershq.com, manage.ownershq.com, booking.ownershq.com, and related services (the "Platform").

We are committed to protecting your personal data and handling it in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU GDPR).

1. Who We Are

Owners HQ Ltd is a company registered in England and Wales under company number 08450204, with its registered office at 3 Melton Park, Redcliff Road, Melton, East Yorkshire, England, HU14 3RS.

For any privacy-related questions or requests, you can contact us at info@ownershq.com.

2. Our Role: Controller and Processor

The Platform is used by property owners ("Owners") to manage bookings from their guests ("Guests"). Our role under data protection law depends on whose data we are processing and for what purpose:

2.1 When We Are the Controller

We are the data controller for:

  • Owner account data: information you provide when you register and use the Platform as an Owner;
  • Website visitor data: information collected from visitors to our marketing site, including via cookies and analytics;
  • Operational data: data we process for our own business purposes, including billing, fraud prevention, security, and service improvement;
  • Guest data processed for our own purposes: for example, where we need to retain transactional records to meet our legal obligations, or to provide Guests with support relating to their use of the Platform.

This Privacy Policy describes how we handle data where we are the controller.

2.2 When We Are a Processor

When an Owner uses the Platform to manage their bookings, we process Guest personal data (such as name, email, booking details, and payment information) on behalf of the Owner. In this context:

  • The Owner is the data controller of that Guest data;
  • We act as the Owner’s data processor, processing the data only in accordance with their instructions and our agreement with them;
  • Guests should refer to the Owner’s own privacy notice to understand how their data is used in connection with their booking.

If you are a Guest with questions about how your data is being used for your booking, you should contact the Owner directly in the first instance. We will of course still respond to rights requests where required by law.

3. Personal Data We Collect

3.1 Owner Data

When you register and use the Platform as an Owner, we collect:

  • Identity and contact data: name, email address, phone number, business name (where applicable);
  • Account data: login credentials, account settings, preferences;
  • Property data: property details, photos, and content you upload;
  • Booking data: booking records, payment schedules, Guest contact details you enter, rental agreements you upload;
  • Financial data: billing address, VAT number (if applicable), and information relating to Stripe Connect onboarding. Full payment credentials (card numbers, bank details) are handled by Stripe and are not stored by us;
  • Communications data: messages, support queries, and other correspondence with us;
  • Usage data: how you interact with the Platform, including log data, IP address, browser type, and device information.

3.2 Guest Data (Where We Are Controller)

Where we process Guest data for our own purposes — for example, to send transactional emails, retain records for legal compliance, or provide support — we collect:

  • Name and email address;
  • Booking details (property, dates, payment amounts);
  • Payment transaction records;
  • Technical and access data when a Guest uses the booking portal (email address used to request an access link, access-link token, IP address, User-Agent, and access timestamps);
  • Audit information relating to rental agreement signing (timestamp, IP address);
  • Communications with our support team.

3.3 Website Visitor Data

When you visit our marketing site, we may collect:

  • IP address, browser type, device, and operating system;
  • Pages viewed, referring site, and session information;
  • Information provided via contact forms or sign-up pages.

See our Cookie Policy for details of cookies and similar technologies used.

4. Guests and the Booking Portal

If you are a Guest, you access your booking through our booking portal at booking.ownershq.com. This section explains, in plain terms, the limited data we process as controller when you use the portal. The booking details themselves (such as your name, stay dates, and payment amounts) are controlled by the Owner who created your booking, as explained in Section 2.2.

4.1 Passwordless Access (Magic Links)

The portal does not use accounts or passwords. To view your booking you enter your email address and we send you a secure, time-limited access link. We process your email address and the access-link token only to authenticate you and give you secure access to your own booking.

4.2 Access and Security Logging

When you open the portal we record technical information including your IP address, User-Agent (browser and device information), and access timestamps. We use this to authenticate you, keep the portal secure, and prevent fraud and abuse. Our lawful basis is our legitimate interests in operating and securing the service, together with the performance of our contract with the Owner.

4.3 Cookies

The portal uses a single strictly necessary session cookie to keep you signed in for the duration of your visit. It is essential to the service and does not require your consent, so no cookie banner is shown on the portal. See our Cookie Policy for details.

4.4 Payments

When you choose to pay, the portal initiates the payment and redirects you to a secure payment page hosted by Stripe, where you enter your card or bank details directly with Stripe. We do not see or store your full payment credentials. Stripe is a separate data controller for the data it processes, and Stripe’s own privacy terms (stripe.com/privacy) and the legal links shown on its payment page apply.

4.5 Retention

Access-link tokens are short-lived and expire after use or after a short period. Portal access and security logs are kept only for a limited period. Booking and payment records are retained as described in Section 8.

4.6 Your Rights and Contact

You have the rights set out in Section 10 in respect of the data we control. If your question relates to your booking details (which the Owner controls), please contact the Owner who arranged your stay in the first instance. We will still respond to rights requests where we are legally required to.

5. How We Use Personal Data and Our Legal Bases

We only process personal data where we have a lawful basis to do so. The main bases we rely on are:

Purpose Lawful basis
Providing the Platform to Owners (account management, booking management, payment processing) Contract
Sending transactional emails (confirmations, receipts, reminders) on behalf of Owners Contract (with Owner); legitimate interests in operating the service
Billing Owners and collecting fees Contract
Complying with legal, tax, and accounting obligations Legal obligation
Authenticating Guests and securing access to the booking portal (magic-link access, access logging) Legitimate interests; contract (with Owner)
Preventing fraud, abuse, and securing the Platform Legitimate interests
Improving the Platform and developing new features Legitimate interests
Sending marketing communications to Owners about our services Legitimate interests or consent, depending on context
Responding to support queries Contract; legitimate interests
Responding to legal claims or regulatory requests Legal obligation; legitimate interests

Where we rely on legitimate interests, we balance those interests against your rights and only proceed where we consider the processing is proportionate and does not override your interests.

You can object to processing based on legitimate interests (see Section 10).

6. Sharing Personal Data

We do not sell personal data. We share it only with:

  • Stripe, our payment processor, to process payments and manage Stripe Connect accounts. Stripe is a separate data controller for the data it processes for its own purposes. See stripe.com/privacy;
  • Hosting, infrastructure, and software providers that help us run the Platform (for example, cloud hosting, email delivery, analytics, customer support tools). These providers act as processors under contracts that require appropriate data protection safeguards;
  • Professional advisers such as accountants, auditors, and legal advisers where necessary;
  • Regulatory and law enforcement authorities where we are legally required to disclose information;
  • A buyer or successor in the event of a merger, sale, or reorganisation of our business;
  • Owners and Guests as necessary to operate the service (for example, a Guest receives data about their own booking; an Owner sees data about their Guests’ bookings).

A list of our current key sub-processors is available on request.

7. International Transfers

Some of our service providers are based outside the UK or EEA. Where personal data is transferred internationally, we rely on appropriate safeguards, which may include:

  • The UK and/or EU adequacy decisions for the recipient country;
  • Standard Contractual Clauses approved by the UK Information Commissioner’s Office or the European Commission, together with the UK International Data Transfer Addendum where applicable;
  • Other lawful transfer mechanisms permitted under applicable law.

You can request further information about the safeguards we use by contacting us.

8. How Long We Keep Data

We keep personal data only for as long as necessary for the purposes it was collected, including to meet legal, tax, accounting, and regulatory requirements.

Typical retention periods:

  • Owner account data: for the duration of the account, and for up to 7 years after closure to meet legal and tax obligations;
  • Booking and payment records: up to 7 years after the booking, in line with UK tax record-keeping rules;
  • Guest portal access tokens, session and security logs: access-link tokens expire after use or after a short period; portal access and security logs are kept for a limited period only;
  • Support communications: up to 3 years after the last contact;
  • Website analytics data: typically up to 26 months;
  • Marketing data: until you unsubscribe or we conclude the data is no longer needed.

Where we are a processor for Guest data, retention is determined by our instructions from the Owner, subject to our own overriding legal obligations.

9. Security

We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include encryption in transit, access controls, secure hosting infrastructure, and regular review of our security practices. Payment card data is handled by Stripe under PCI-DSS standards and is not stored on our systems.

No system is entirely secure. If we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the Information Commissioner’s Office and, where required, affected individuals.

10. Your Rights

Under data protection law, you have the following rights in respect of personal data we hold about you as a controller:

  • Access: request a copy of the data we hold about you;
  • Rectification: request correction of inaccurate or incomplete data;
  • Erasure: request deletion of your data, subject to certain exceptions;
  • Restriction: request that we restrict processing in certain circumstances;
  • Portability: request a copy of data you provided to us in a structured, machine-readable format;
  • Objection: object to processing based on legitimate interests, or to direct marketing at any time;
  • Withdraw consent: where processing is based on consent, withdraw it at any time (this does not affect the lawfulness of processing before withdrawal);
  • Complain: lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner’s Office (ico.org.uk).

To exercise any of these rights, contact us at info@ownershq.com. We will respond within one month, although complex requests may take longer (we will let you know if so).

If you are a Guest and your request relates to how an Owner is using your data for your booking, we will forward the request to the Owner where appropriate, or respond directly where we are legally required to.

11. Marketing

We may send marketing communications to Owners about our services. You can opt out at any time by using the unsubscribe link in any marketing email or by contacting us.

We do not send marketing communications to Guests. Transactional emails (such as booking confirmations, payment reminders, and receipts) are not marketing and are necessary for the service to operate.

12. Cookies

We use cookies and similar technologies on our website. Full details are in our Cookie Policy.

13. Children

The Platform is not intended for children and we do not knowingly collect personal data from anyone under 18. If you believe we have collected data from a child, please contact us.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top shows when it was most recently revised. Where changes are material, we will notify you by email or via the Platform.

15. Contact Us

Questions, concerns, or requests relating to this Privacy Policy should be sent to:

Owners HQ Ltd
3 Melton Park, Redcliff Road, Melton, East Yorkshire, England, HU14 3RS
Email: info@ownershq.com

You can also contact the UK Information Commissioner’s Office at ico.org.uk or on 0303 123 1113.