Data Protection Governance

UK GDPR policy.

This policy describes, in formal data protection terms, how Zytrivox processes personal data within the building operations platform and how the system is intended to support compliance with the UK General Data Protection Regulation and the Data Protection Act 2018.

1. Scope and status

This document is a platform-level data protection policy for Zytrivox Ltd and the Zytrivox building operations system. It is intended to supplement, and not replace, any customer-specific privacy notice, data processing agreement, tenancy documentation, employment documentation, or lawful instruction issued by a building operator, managing agent, landlord, resident management company, or other customer.

References to "UK GDPR" mean the retained UK General Data Protection Regulation as supplemented by the Data Protection Act 2018 and applicable domestic data protection legislation.

2. Controller and processor roles

Where Zytrivox processes personal data to provide hosted building management functionality to a customer, Zytrivox will ordinarily act as a processor and the relevant customer will ordinarily act as controller. The customer determines the purposes and essential means of processing, including which residents, staff, visitors, parcels, requests, access events, notices, support tickets, and operational records are entered into the system.

Zytrivox may act as controller for limited business administration purposes, including account administration, security monitoring, billing, platform support, service improvement, legal compliance, and communications with prospective or current customers.

3. Categories of personal data

The system may process the following categories of personal data, depending on modules enabled by the customer:

  • Identity and contact data, including names, email addresses, telephone numbers, staff roles, resident references, flat or unit identifiers, and authorised user credentials.
  • Building operations data, including parcel records, collection status, visitor entries, resident forms, maintenance or service requests, support tickets, noticeboard interactions, access feed records, leave records, key logs, and staff activity records.
  • Communications data, including messages, notes, comments, support correspondence, and operational follow-up entered by authorised users.
  • Technical and security data, including IP addresses, timestamps, authentication events, audit logs, session data, error logs, device/browser metadata, and security monitoring information.
  • Commercial and account data, including customer configuration, subscription status, invoices, payment administration references, and support history.

4. Purposes of processing

Personal data is processed for the following specified, explicit, and legitimate purposes:

  • Provision, configuration, maintenance, security, and support of the Zytrivox platform.
  • Administration of building operations, resident services, parcel handling, maintenance requests, access workflows, visitor management, internal staff workflows, and customer support.
  • Authentication, access control, auditability, incident investigation, fraud prevention, abuse prevention, and protection of the rights, property, and safety of users, customers, residents, visitors, staff, and Zytrivox.
  • Compliance with legal obligations, enforcement of contractual rights, business continuity, backup, disaster recovery, and regulatory accountability.

5. Lawful basis

Where Zytrivox acts as controller, processing may rely on one or more lawful bases under Article 6 UK GDPR, including performance of a contract, compliance with a legal obligation, legitimate interests, consent where applicable, or steps taken at the request of a data subject prior to entering into a contract.

Where Zytrivox acts as processor, the customer is responsible for identifying and documenting the applicable Article 6 lawful basis for its processing instructions. Zytrivox processes such data only on documented instructions, subject to any legal obligation requiring otherwise.

Legitimate interests may include securing the platform, providing operational support, maintaining audit logs, preventing misuse, improving service reliability, and administering customer relationships, provided such interests are not overridden by the rights and freedoms of the data subject.

6. Special category and criminal offence data

Zytrivox does not intentionally require special category data or criminal offence data for ordinary building operations. Users should not enter such data unless it is necessary for the relevant operational purpose and authorised by the applicable controller.

If special category data is submitted, for example within a free-text maintenance request, accessibility note, health-related safety request, or support communication, the controller must identify both an Article 6 lawful basis and an Article 9 condition for processing. Where criminal offence data is processed, the controller must identify an applicable condition under the Data Protection Act 2018.

7. Data protection principles

Zytrivox is designed to support the UK GDPR principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

  • Role-based access controls restrict access to authorised users.
  • Audit and activity records support accountability and operational traceability.
  • Customer settings and feature flags support purpose limitation by enabling only required modules.
  • Security controls, authentication, session handling, and backup arrangements support confidentiality, integrity, and availability.

8. Retention and deletion

Personal data must not be retained for longer than is necessary for the purposes for which it is processed. Customer-controlled operational records are retained in accordance with the customer's lawful instructions, applicable contract terms, legal obligations, limitation periods, safety requirements, and business continuity requirements.

Zytrivox may retain platform logs, backups, support records, and account administration records for limited periods necessary for security, troubleshooting, legal compliance, dispute resolution, and service continuity. Backup deletion may occur on a delayed cycle consistent with disaster recovery controls.

9. Data subject rights

Data subjects may have rights of access, rectification, erasure, restriction, objection, data portability, and rights relating to automated decision-making, subject to statutory conditions and exemptions. Where Zytrivox acts as processor, requests should normally be directed to the relevant controller, but Zytrivox will provide reasonable assistance to the controller in responding to lawful requests.

Zytrivox does not use the platform to make solely automated decisions producing legal or similarly significant effects on data subjects.

10. Sharing, sub-processing, and transfers

Personal data may be disclosed to authorised customer users, contracted service providers, infrastructure providers, professional advisers, insurers, regulators, law enforcement bodies, or courts where necessary and lawful. Sub-processors are engaged only where appropriate contractual safeguards are in place.

Where personal data is transferred outside the United Kingdom, Zytrivox will use an appropriate transfer mechanism where required, such as adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, or another mechanism recognised under UK data protection law.

11. Security and breach management

Zytrivox applies technical and organisational measures appropriate to the nature, scope, context, and purposes of processing, including access controls, authentication controls, audit logging, backup controls, service monitoring, and administrative safeguards.

Suspected personal data breaches are assessed against UK GDPR requirements. Where Zytrivox acts as processor, it will notify the relevant controller without undue delay after becoming aware of a personal data breach affecting customer-controlled personal data.

12. Contact and complaints

Data protection enquiries relating to Zytrivox-controlled processing may be sent to support@zytrivox.com. Requests concerning customer-controlled resident, staff, visitor, parcel, access, or building operations records should normally be directed to the relevant building operator or managing agent as controller.

Data subjects also have the right to lodge a complaint with the Information Commissioner's Office, subject to applicable law.

13. Legal references

This policy has been prepared by reference to public guidance from the Information Commissioner's Office and GOV.UK, including guidance on UK GDPR lawful basis, controllers and processors, special category data, transparency information, and the Data Protection Act 2018.

Sources: ICO UK GDPR guidance, ICO controller and processor guidance, ICO special category data guidance, and GOV.UK data protection legislation summary.