Privacy Policy

Last updated: 11 February 2026

This policy explains how MainDesk collects, uses, stores, and protects your personal data in compliance with UK GDPR and the Data Protection Act 2018.

1. Introduction

MainDesk ("we", "us", or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our platform at maindesk.co.uk (the "Service").

We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy applies to all users of our Service, including administrators, staff members, and any other individuals who access or use the platform.

Please read this Privacy Policy carefully. By using our Service, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this policy. If you do not agree with our policies and practices, please do not use our Service.

2. Who We Are

MainDesk operates the platform at maindesk.co.uk and provides HMO operations and compliance software for supported housing providers in the United Kingdom. We are a data controller for the purposes of UK GDPR, meaning we determine the purposes and means of processing your personal data.

Our registered business address and contact details are provided in Section 14 of this policy. When we refer to "we", "us", or "our" in this policy, we mean MainDesk.

3. Information We Collect

We collect and process various categories of personal data to provide and improve our Service. The types of information we collect depend on how you interact with our platform. We collect this information directly from you when you register, use the Service, or contact us, and automatically through your use of the platform.

Personal Data

We collect the following personal identification information:

  • Name: Your full name as provided during registration
  • Email address: Your primary email address used for account communication and login
  • Job title: Your position within your organisation
  • Organisation name: The name of the company or entity you represent
  • Phone number: Your contact telephone number (if voluntarily provided)
  • Postal address: Your business address (if required for billing or verification)

Account Data

We collect information related to your account and platform usage:

  • Login credentials: Encrypted passwords and authentication tokens
  • User role: Your assigned role (administrator, manager, staff member, etc.)
  • Activity logs: Records of actions performed within the platform, including timestamps
  • Session data: Information about your login sessions and device information
  • Preferences: Your account settings and platform customisation choices

Property & Operational Data

We collect operational data that you create or upload through the Service:

  • Support logs: Records of support provided to tenants, including timestamps and details
  • Maintenance records: Reports of repairs, maintenance work, and property issues
  • Photos: Images uploaded in connection with maintenance, inspections, or property documentation
  • Attendance records: Staff check-in and check-out times, including GPS location data
  • Timesheets: Records of hours worked, shifts, and work schedules
  • Leave records: Holiday requests, sick leave, and other absence records
  • Property information: Details about properties managed through the platform
  • Tenant information: Data about tenants (collected and processed on behalf of your organisation)
  • Compliance documentation: Reports, audit trails, and inspection records

Note: When you process tenant data through our Service, you act as a data controller and are responsible for ensuring you have an appropriate legal basis and consent for processing that data.

Technical Data

We automatically collect technical information when you use our Service:

  • IP address: Your Internet Protocol address
  • Device type: Information about your device (mobile, tablet, desktop)
  • Browser: Your web browser type and version
  • Operating system: Your device's operating system
  • Usage data: How you interact with the platform, pages visited, features used
  • Cookies: Small text files stored on your device (see Section 10 for details)
  • Log files: Server logs containing access times, errors, and system events
  • Location data: GPS coordinates when using location-based features (with your permission)

Special Category Data

In some cases, you may upload or create content that contains special category personal data (such as health information in support logs). We process this data only as necessary to provide the Service and in accordance with your instructions. You are responsible for ensuring you have an appropriate legal basis for processing special category data.

4. How We Use Your Information

We use your personal data for the following specific purposes:

Service Provision

  • To provide and operate the MainDesk platform and all its features
  • To enable you to create, store, and manage your operational data
  • To process and store your content securely
  • To generate reports, compliance documentation, and audit trails

Account Management

  • To authenticate users and manage account access
  • To assign and manage user roles and permissions
  • To send account-related notifications and updates
  • To process subscription payments and manage billing

Communication

  • To respond to your enquiries and provide customer support
  • To send important service updates and security notifications
  • To communicate about your account, subscription, or billing
  • To send marketing communications (only with your consent)

Service Improvement

  • To analyse usage patterns and understand how the platform is used
  • To identify and fix bugs or technical issues
  • To develop new features and improve existing functionality
  • To conduct research and analytics (using anonymised data where possible)

Legal & Compliance

  • To comply with applicable laws, regulations, and legal obligations
  • To respond to legal requests, court orders, or government inquiries
  • To enforce our Terms of Service and protect our rights
  • To prevent fraud, abuse, and unauthorised access
  • To maintain security and protect against threats

5. Legal Basis for Processing (UK GDPR)

Under UK GDPR, we must have a lawful basis for processing your personal data. We process your data under the following legal bases:

Contractual Necessity (Article 6(1)(b))

We process your personal data to perform our contract with you and provide the services you have requested. This includes:

  • Processing your account information to provide access to the platform
  • Storing and processing your operational data as part of the Service
  • Managing your subscription and processing payments
  • Providing customer support and responding to your requests

Legal Obligation (Article 6(1)(c))

We process your data to comply with our legal obligations, including:

  • Complying with tax and accounting requirements
  • Responding to legal requests from authorities
  • Maintaining records as required by law
  • Complying with data protection regulations

Legitimate Interests (Article 6(1)(f))

We process your data based on our legitimate interests, balanced against your rights and freedoms:

  • Improving and developing our Service
  • Ensuring platform security and preventing fraud
  • Analysing usage to improve user experience
  • Marketing our services (where you have not opted out)
  • Managing our business operations

You have the right to object to processing based on legitimate interests (see Section 11).

Consent (Article 6(1)(a))

Where we rely on consent, we will:

  • Obtain your explicit consent before processing
  • Clearly explain what you are consenting to
  • Make it easy for you to withdraw consent at any time
  • Stop processing when consent is withdrawn

We typically seek consent for: marketing communications, non-essential cookies, and optional features.

6. How We Store and Protect Data

We implement comprehensive technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

Encryption

  • All data in transit is encrypted using TLS 1.3 or higher
  • Data at rest is encrypted using industry-standard AES-256 encryption
  • Database connections are secured with encrypted channels
  • Passwords are hashed using bcrypt with appropriate salt rounds

Access Controls

  • Role-based access control ensures users only access data they are authorised to see
  • Multi-factor authentication available for enhanced security
  • Staff access is limited to those who need it for their role
  • All access is logged and monitored for suspicious activity
  • Regular access reviews to ensure permissions remain appropriate

Infrastructure Security

  • Data is stored on secure servers in UK-based data centres (or equivalent jurisdictions with appropriate safeguards)
  • Servers are protected by firewalls and intrusion detection systems
  • Regular security patches and updates are applied promptly
  • Backup systems ensure data availability and recovery
  • Disaster recovery procedures are tested regularly

Organisational Measures

  • All staff receive data protection training
  • Confidentiality agreements are in place for all personnel
  • Regular security audits and penetration testing
  • Incident response procedures for data breaches
  • Compliance with ISO 27001 standards where applicable

Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and inform affected users without undue delay, in accordance with UK GDPR requirements.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this policy, unless a longer retention period is required or permitted by law. Our retention periods for each category of data are set out below:

Retention Periods

  • Account data: Retained while your account is active and for 7 years after account closure (for legal and accounting purposes)
  • Operational data: Retained for the duration of your subscription and for 7 years after termination (to comply with regulatory requirements for housing providers)
  • Financial records: Retained for 7 years as required by UK tax and accounting law
  • Support communications: Retained for 3 years after the last interaction
  • Marketing consent: Retained until you withdraw consent or unsubscribe
  • Technical logs: Retained for 12 months for security and troubleshooting purposes

When data is no longer needed, we securely delete or anonymise it in accordance with our data retention policies. Anonymised data (which cannot identify individuals) may be retained indefinitely for statistical and analytical purposes.

You may request deletion of your data at any time (subject to legal obligations). See Section 11 for information about your right to erasure.

8. Data Sharing

We do not sell your personal data. We may share your data with the following categories of third parties, only as necessary to provide the Service:

Service Providers

We work with trusted third-party service providers who help us operate the platform:

  • Hosting providers: To store and process data on secure servers
  • Payment processors: To process subscription payments securely (e.g., Stripe, PayPal)
  • Email service providers: To send transactional and service emails
  • Analytics providers: To understand platform usage (data is anonymised where possible)
  • Backup services: To maintain secure backups of your data

All service providers are contractually bound to protect your data and use it only for specified purposes.

Legal Authorities

We may disclose your data if required by law or to:

  • Comply with legal obligations, court orders, or government requests
  • Protect our rights, property, or safety, or that of our users
  • Prevent fraud or investigate potential violations of our Terms
  • Respond to emergency situations where disclosure is necessary

Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the new entity. We will notify you of any such change and ensure your data continues to be protected in accordance with this policy.

We Never:

  • Sell your personal data to third parties for marketing or commercial purposes
  • Share your data with advertisers without your explicit consent
  • Use your data for purposes unrelated to providing the Service

9. International Transfers

Your data is primarily stored and processed within the United Kingdom. However, some of our service providers may be located outside the UK. When we transfer your personal data outside the UK, we ensure appropriate safeguards are in place to protect your data in accordance with UK GDPR requirements.

Safeguards We Use

  • Standard Contractual Clauses (SCCs): We use UK-approved standard contractual clauses with service providers outside the UK
  • Adequacy Decisions: We may transfer to countries with UK adequacy decisions (recognised as having adequate data protection laws)
  • Binding Corporate Rules: Where applicable, we rely on binding corporate rules for intra-group transfers
  • Certification Schemes: We may use certified schemes that ensure adequate protection

If you would like more information about the specific safeguards we use for international transfers, please contact us using the details in Section 14.

10. Cookies

We use cookies and similar tracking technologies to enhance your experience on our platform. Cookies are small text files stored on your device when you visit our website.

Types of Cookies We Use

Essential Cookies

These cookies are necessary for the platform to function and cannot be disabled:

  • Authentication cookies to keep you logged in
  • Session cookies to maintain your session state
  • Security cookies to protect against fraud and abuse
  • Load balancing cookies to distribute server load

Analytics Cookies

These cookies help us understand how you use the platform (you can opt out):

  • Usage analytics to improve the platform
  • Performance monitoring to identify issues
  • Feature usage tracking to guide development

Preference Cookies

These cookies remember your preferences (you can opt out):

  • Language preferences
  • Display settings
  • Notification preferences

You can manage cookie preferences through your browser settings. Most browsers allow you to refuse or delete cookies. However, disabling essential cookies may affect platform functionality. For more information about managing cookies, visit allaboutcookies.org.

11. Your Rights

Under UK GDPR, you have several rights regarding your personal data. You can exercise these rights at any time by contacting us at hello@maindesk.co.uk. We will respond to your request within one month (or inform you if we need more time).

Right of Access (Article 15)

You have the right to request a copy of the personal data we hold about you, including information about how we process it. We will provide this in a commonly used, machine-readable format.

Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data. You can also update much of your information directly through your account settings.

Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your personal data in certain circumstances, such as when:

  • The data is no longer necessary for the original purpose
  • You withdraw consent and there is no other legal basis
  • The data has been unlawfully processed
  • You object to processing and there are no overriding legitimate grounds

Note: We may not be able to delete data if we have a legal obligation to retain it.

Right to Restriction (Article 18)

You can request that we limit how we process your data in certain circumstances, such as when you contest the accuracy of the data or object to processing while we consider your objection.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right to Data Portability (Article 20)

You can request a copy of your data in a structured, commonly used, machine-readable format. This applies to data you have provided and which we process based on consent or contract.

Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time. This will not affect the lawfulness of processing before withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your personal data correctly. Visit ico.org.uk for more information.

How to Exercise Your Rights: To exercise any of these rights, please email us at hello@maindesk.co.uk with "Data Protection Request" in the subject line. We may need to verify your identity before processing your request.

12. Children's Data

MainDesk is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at hello@maindesk.co.uk, and we will delete such information.

If you are under 16, please do not use our Service or provide any personal data to us. If we become aware that we have collected data from someone under 16, we will take steps to delete that information promptly.

13. Changes to Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational, legal, or regulatory reasons. We will notify you of any material changes by:

  • Posting the updated policy on this page with a new "Last updated" date
  • Sending an email notification to registered users (for significant changes)
  • Displaying a notice on the platform when you next log in

We encourage you to review this policy periodically to stay informed about how we protect your data. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy. If you do not agree to the changes, you may close your account or stop using the Service.

14. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

MainDesk

Email: hello@maindesk.co.uk

Website: maindesk.co.uk

For data protection enquiries, please include "Data Protection" in your subject line to ensure your message is handled promptly.

Data Protection Officer

If you have concerns about how we process your personal data, you can also contact the Information Commissioner's Office (ICO), the UK's data protection regulator:

ICO Website: ico.org.uk

ICO Helpline: 0303 123 1113