Please read this Privacy Notice carefully to understand the types of personal data we collect, how we use your personal data, the circumstances under which we will share it, and your rights in relation to the personal data we control.

The scope of this Privacy Notice includes all relevant websites, applications, platforms and other personal data processing by Vebra Solutions Limited as a ‘data controller’. Any references to ‘We’, ‘us’ or ‘our’ in this document refers to Alto Software Group “Alto”.

We may provide further disclosures for some products or services, and these should be read in addition to this Privacy Notice.

Our websites, applications and platforms may contain links to external sites. We do not control these sites and encourage you to read their privacy policies and notices.

Part A of this Privacy Notice contains information which applies generally to Alto products and services.

Part B of this Privacy Notice provides more privacy information relating to specific product offerings, which supplements the information in Part A.

Part A: Framework Privacy Notice

About Us

Vebra Solutions Limited (VSL) is a company incorporated and registered in England and Wales. Our registered office address is The Cooperage, 5 Copper Row, London, England, SE1 2LH. Our company number is 04529917. Our Information Commission - Information Commissioners Officer (ICO) registration number is Z7426718. VSL is part of the Alto Software Group known as Alto, which is a division of ZPG Limited. Any reference to the ZPG or Group Companies within this Privacy Notice includes all or any of the direct or indirect subsidiary undertakings of ZPG Limited.

This Privacy Notice details our responsibilities for when we are a data controller of your personal data. We are a data controller of personal data processed when we offer, or you use our products and services and we determine the purposes and manner in which your personal data is processed as a data controller. Sometimes our products and services may be co-branded with our partners, for example, where we may act as a joint controller with a third party involved in providing you with the product or service, such as an agent or a developer you are purchasing, selling, letting or renting a property from.

Where we process personal data for example on behalf of an agent, developer or partner for the purpose of providing services to them, we are the data processor and they are an independent data controller of your personal data. Any queries you may have about the processing of such personal data, including exercising your data subject rights must be directed to the independent data controller. Where we act in response to instructions from a data controller, that controller's privacy policy and notices will apply.

Key Terms

It would be helpful to start by explaining some key terms used in this Privacy Notice.

• Group Companies or ZPG: Any reference to Group Companies or ZPG within this Privacy Notice includes all or any of the direct or indirect parent or subsidiary undertakings of ZPG Limited from time to time; including: Zoopla Ltd, uSwitch Ltd, Confused.com Ltd, Calcasa B.V, Technicweb Ltd, Jupix Ltd, Hometrack Data Systems Ltd, Hometrack MLS Ltd, Vebra Solutions Ltd, Yourkeys Technology Ltd, Property Software Ltd, Dot Zinc Ltd, Tempcover Limited and Life’s Great Ltd.
• Personal data: Any information relating to an identified or identifiable living individual as defined in the UK GDPR.
• Special category data: Personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, genetic data, biometric data (where used for identification purposes), data concerning health, sex life or sexual orientation.
• Data subject: The individual who the personal data relates to.

Personal data we collect about you

The personal data we collect about you depends on how you interact with our websites, apps and different products and services. A detailed explanation of the personal data we collect and how it differs across our products and services is set out in Product Specific Offerings below.

Our lawful basis for processing

To use your personal data, we must have a valid reason (a "lawful basis"). Sometimes we ask for your consent (for example to use certain cookies) and in other cases where you would expect us to use your personal data (for example to provide the product or service you choose to use), then we do not need to ask for consent, and can rely on another lawful reason. Data protection law provides other bases and exemptions for the processing of personal data, and requires us to have an additional reason to process data which is given special protection under data protection laws, such as special category data and criminal conviction data, where relevant. For example we will usually ask for explicit consent when processing health data or biometric data. We will only ever process your personal data where we have a lawful reason to do so. Our reason for using your personal data is usually one of the following:

Contract

This is where we need to use your personal data to carry out a contract you are party to or take steps before you enter a contract. When you choose to use a product or service you will need to agree to terms of use which constitutes a contract. We need to process your personal data to provide you with this product or service. Emails that are sent to provide you with information, updates, status or similar regarding the products and services you choose to use, are sent under the lawful basis of Contract. See Service Messages.

Consent

You have given us, or a party we act jointly with, your consent to use your personal data for a certain reason. We may rely on your consent to send you certain types of electronic mail marketing. See Right to withdraw consent for more information about how you can exercise your data subject rights.

Legal Obligation

We must use your personal data to comply with laws or regulations to which we or a party we act jointly with are subject to.

Legitimate Interests

We may have a legitimate interest in using your personal data. Usually this is to help us run, improve, promote, monetise or protect our products, services and business. You may be able to object to the processing of your personal data when processed for legitimate interests. See Right to object. You are in control of your marketing preferences. If you would like to opt out of electronic mail marketing, you can do so at any time. See Direct Marketing below for more information on the lawful bases we may use to direct market to you.

Examples of legitimate interests, where relevant, may include but are not limited to:

• sharing data with agents, new home builders or other third parties (“third parties”); so we can help progress an application, lead, quote or other such request;
• sharing data with third parties, so you do not need to re-enter it;
• sharing data with third parties to make available to you third party products or services to enhance our, or a third party product or service, or your customer experience in general;
• sharing data with third parties for the purposes of assisting with tasks to be completed to progress a property transaction, such as completing ID checks or anti money laundering requirements on behalf of agents or new home builders;
• third parties sharing your personal information with us, so we can combine personal data we hold on you to produce data insights or information/outcomes/behaviours about you, to help them improve or personalise their products and services they provide to you;
• sharing and receiving data from third parties to offer and provide you with benefits for choosing to use our or a third party product or service; providing emails concerning status, reminders and outcomes on your use of our, or a third party product or service;
• collecting personal data from third parties, such as to obtain a status of any payment transaction;
• receiving data from third parties to speed up and improve the efficiency of a property transaction and to keep all parties, where required, informed;
• providing emails concerning quote results or confirmation of your use of our or a third party product or services;
• receiving data from third parties to allow us to understand your engagement with them, and for them to share with us the status of a property transaction to facilitate the accurate receipt of referral or other monies payable to us by third parties, or the payment of monies by us to others, or payment of third parties to other third parties, for products and or services you may have chosen to use or are provided to you as a benefit;
• to allow us to understand your user journey and for us to know where you have taken an action such as making a payment or moving to a different website;
• to allow us to understand more about what is relevant and helpful to you such as when you like or dislike content on our websites, applications, emails and social/digital media platforms;
• auditing and monitoring our processes, your engagement and feedback to help keep our high standards;
• market research, statistical analysis, management information, data aggregation and product development for our own purposes, third party purposes or to assist the wider property management industry;
• using a third party to allow for communication with you such as video conferencing. Training, communications and awareness;
• securing our services, ensuring personal data is up to date and accurate, and keeping our services online;
• preventing or prosecuting fraud and other criminal behaviour or activity;
• transferring personal data for the purposes of developing, migrating and maintaining IT infrastructure and services;
• for direct marketing, personalisation, targeting and data shares for the purposes of marketing, monetisation or promotional activities;
• showing you personalised content such as properties of interest on our websites, applications, platforms and systems;
• non targeted marketing on our websites, applications, platforms and systems of either our products or services or products and services of third parties;
• for data insights, services and products improvements and developments based on your use of our or third party offerings on our websites, applications, platforms and systems;
• recording where applicable of telephone calls and related services;
• for relevant processing by another company, such as by Group Companies; and
• we may also process data in aggregated and anonymised form for statistical purposes to improve products and services, including our customer service.

How is your personal data collected

When you use our products or services, we collect data. We only collect personal data necessary for specific purposes that the law allows.

We may obtain personal data about you in the following ways:

• you provide us with your personal data directly or indirectly [such as when you generate quotations or ask for contact];
• personal data is collected automatically [such as the automatic recognition of your IP address or placement of cookies on your device]; and
• we may collect data from third parties about your property, this data is not considered to be personal data, however where any data is collected from a third party that may be considered personal data, this data will only ever be collected in compliance with data protection law.

Artificial Intelligence (AI)

Where we or a third party acting on our behalf use artificial intelligence in any processing of personal data we will always assess the risk to your personal data and will ask for your consent where required under law. We will inform you where applicable of any use of AI or similar technology.

We may use AI for the following purposes (not limited to):

• performance improvement of products and services;
• helping us communicate with you and others more quickly and accurately;
• for research and data insights;
• to assist in us completing tasks more efficiently such as summarising; and
• to improve your personalised advertising and marketing experience (see Direct Marketing below).

Who we share your personal data with

We use third parties to help provide our products and services. These companies may collect, store or otherwise process your personal data on our behalf. Where relevant we share your personal data with third parties such as buyers, sellers, developers, agents, conveyancers, surveyors, lenders, mortgage brokers and other third parties related to the property industry and or a home move journey.

We routinely and only where relevant share personal data with:

• our Group Companies. See Group Companies below;
• third parties who we partner with to bring you relevant products and services. See Product Specific Offerings below for additional privacy information which includes details of other third party data shares;
• third parties together with whom we deliver our products and services to you including but not limited to estate agents, letting agents, conveyancers, and new home builders;
• third parties we use to help deliver our products and services. Such third parties we use to help us run and improve our business include but are not limited to, marketing agencies, information technology providers, cloud hosting or physical server providers, information security providers, identification or verification providers, payment processors, and any other third party acting on our behalf or as a partner;
• third parties approved by you, for example social media sites you choose to link your account to or third party payment providers you chose to use;
• credit and other vetting and referencing agencies;
• providers used to complete anti money laundering or other prevention of financial crime tasks; and
• our insurers and brokers.

We only allow organisations acting as our ‘data processors’ to process your personal data if we are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on them to ensure they can only use your personal data to provide services to us and to you, for the purposes we have asked them to undertake on our behalf.

We or the third parties mentioned above occasionally also share personal data with:

• our and their external auditors for example in relation to the audit of our or their accounts or compliance with data protection laws, in which case the recipient of the information will be bound by confidentiality obligations;
• our and their professional advisors (such as solicitors and other advisors), in which case the recipient of the information will be bound by confidentiality obligations;
• a financial services firm where we act as introducer appointed representative for a financial services product;
• law enforcement agencies, courts, tribunals, authorities, emergency services and regulatory bodies and other parties to comply with our legal and regulatory obligations, for a task carried out in the public interest, to protect the rights, property and safety of Group Companies, our customers or others. This includes exchanging data with third parties for the purposes of fraud and other criminal prevention, and where needed to protect the vital interests of an individual. Where we are required to disclose your personal data to to the court services, regulators, law enforcement agencies or other such authorities in connection for example with proceedings or investigations anywhere in the world were compelled to do so, where permitted, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime; and
• other parties if we refinance, or that have or may acquire control or ownership of our business, shares in any Group Company or assets (and our or their professional advisers) in connection with a corporate transaction or restructuring, including but not limited to a merger, acquisition, asset sale, initial public offering or in the event of our insolvency. Usually information will be anonymised but this may not always be possible. The recipient of any of your personal data will be bound by confidentiality obligations.

Group Companies

We share some IT infrastructure, and other facilities and support services with Group Companies, and so we may share your personal data with Group Companies business units to help, collect, process, transfer and store your data efficiently and securely. See Key terms for a list of our Group Companies. We may partner with Group Companies to advertise our products and services on their websites, systems and applications. Group Companies may use your personal data to help provide you with products and services that you request from those Group Companies (for example, to help you manage your home or mortgage) and to provide you with relevant recommendations of other Group Companies products and services.

These recommendations may use inferences about your interests based on your activity on our websites and apps, and on other websites, apps, platforms and systems operated by other Group Companies. Personal data used for Group Companies data insights is mostly anonymised or pseudonymised wherever possible to protect your privacy. Group Companies may also use your personal data which we capture when you use our websites, apps, platforms and systems for other purposes which are described in this or other Group Companies Privacy Notices. We will only ever share your personal data with Group Companies where lawful to do so.

Direct Marketing

Direct marketing is any type of advertising or promotional material aimed at a particular person. Marketing that is not aimed at anyone in particular is not direct marketing.

We market to you so we can remind you of all the ways we can help and hopefully encourage you to use our products and services more often. We also may get paid by selected third parties, such as new home builders, estate agents, lettings agents and Group Companies, to send you electronic mail marketing about their products and services.

We may ask you to confirm or update your marketing preferences if you ask us to provide further products and services in the future, or if there are changes in the law, regulation, or the structure or strategy of our business.

Electronic mail marketing:

Where lawful we may use your personal data to send you direct marketing via electronic mail marketing communications (email and similar). We will provide you with an option to unsubscribe or opt-out of further communications, or you may opt-out at any time by contacting us at support.consumer@altosoftware.co.uk

We will always treat your personal data with the utmost respect and will only send you electronic mail marketing we believe would be of interest to you.

Partners

We may ask for your consent so we may send you electronic mail marketing about our partner offers and services, which may include promoting our Group Companies. See Group Companies. We will always aim for our communications to be relevant to you, choosing partners operating within or beneficial to the property industry.

We will always try to provide you with a list of current partners. See Product specific offerings. Check this Privacy Notice often and every time you use our site for updates. To ensure we are as transparent as possible, below is a list of the types of partners we may promote in our partner/third party electronic marketing communications. Where we market to you under third party marketing consent we send you communications promoting the third party product or services, we do not share your contact details with that third party unless we have a separate lawful basis to do so. See Our lawful basis for processing. Our third parties may include but are not limited to the following types of partners:

• those who can physically help with your move and home e.g removal and renovation companies
• those who offer financial or legal services e.g conveyancers or insurers (we will always comply with financial services regulation if required to do so);
• those who help you survey or value your property e.g surveyors;
• those who help us and your agent or new home developer meet legal or regulatory obligations e.g anti money laundering checks;
• those who build and sell new homes e.g new home developers;
• those who provide services to help you sell, buy, let or rent a property eg. Lettings and Estate agents;
• those who attend to administration or provide you with offers, products or services you may need to consider in a move journey or as part of a tenancy e.g companies who help with utility switching or deposit payments;
• those of our Group Companies who offer relevant products or services;
• those who are detailed in our Product specific offerings; and
• those who can provide you with other money saving offers related to your home or moving journey.

Solicited communications:

When you ask us to send you a specific communication or marketing material such as a valuation, quote or alert, we will send you such material as a solicited communication which does not rely on your electronic mail marketing preferences. We will always offer you an unsubscribe from any further marketing emails regarding the requested material.

Telephone and direct mail marketing

We will rely upon our legitimate interests to market Alto products and services via:

• Live telephone calls to numbers not listed as ‘do not contact’ on the Telephone Preference Service
• Direct mail marketing to individuals not listed on the Mail Preference Service.

We will rely on consent to market Alto products and services via:

• Live marketing calls to numbers listed as ‘do not contact’ on the Telephone Preference Service
• Direct mail marketing to individuals listed on the Mail Preference Service
• Automated phone calls (consent specifically obtained for automated calls).

We will always provide you with a means to opt-out of marketing. If we undertake any telephone or direct mail marketing we will provide you with details on how to opt-out.

Push notifications:

Push notifications are sent only with your consent. You can choose to consent to receive or not receive push notifications within your device settings.

Marketing cookies:

Consent is obtained, where required, to utilise cookies for marketing such as for targeting and social media purposes. For changes to your cookie preferences see Cookies below.

Service messages

Not all electronic communications are marketing. Communications confirming you have registered an account or other actions you have taken when using our products and services are service messages, and are sent under performance of contract and not consent. Service messages may also be sent for legitimate interests such as to safeguard your personal data or to meet our, or a third party's legal obligation such as informing you when we have updated terms or a Privacy Notice. Our logo or branding on a message or non intrusive publicity is unlikely to be considered direct marketing on its own. You are unable to opt-out of service messages.

Social media, digital platforms and collaboration partners

We may share your personal data such as hashed email addresses, mobile numbers, user data and IP addresses, with certain social media, digital and agency platforms, such as Meta (Facebook) and Google to allow us to build our campaigns through ours, their and third party platforms. Personal data may be processed for the purposes of:

• Identifying you on a social media or digital platform so that we can advertise products we think would be of interest to you, based on the information we hold about you and your social media profile;
• Understanding the performance and return of our marketing activities on a social media platform, and to optimise the efficiency of our marketing activities;
• Helping a social media platform serve non-Alto users, targeted marketing about our products and services or that of our Group Companies on the social media platform, based on whether their profile matches those of our users; and
• To try and prevent you being targeted with Alto marketing if you have opted out of social media data shares.

We also process personal data for the purposes of collaboration partnerships. We aim to utilise agencies' platforms “clean data rooms” to ensure collaborative partners never have access to your personal identifiable information. We and such social media, digital platform or collaboration partners are most often joint data controllers of this processing protected by contractual terms. The social media and digital platforms are responsible for responding directly to data subject rights where they process your personal data as a data controller.

If we ever are to share your personal data via an email platform, to create audiences and target users on social media platforms such as Facebook Ads Manager and Smartly. You will have the right to opt-out of such data sharing and we will inform you of the processing before it will take place, and will provide you with a means for you to be removed from our audiences.

Some of our marketing activities are not targeted so we are unable to guarantee that you won't see the promotion of Alto or Group Companies products and services on social media or digital platforms, however where you have opted-out to such data shares we will suppress you from our targeted campaigns.

For further information about how a social media or digital platform processes your personal data, and how you can exercise your data subjects rights over the data they hold on you visit their Privacy Notice that can be found on their website/s or within their application/s.

We work with third party partners who help us to identify any social media posts in which we have been tagged. If your tagged post includes an image we would like to reuse then we may post a comment asking if you would be happy to give your consent for us to potentially reuse it, we will only ever reuse or retweet content you have posted about us on social media if we have both asked for, and received your consent. You can withdraw your consent any time via the same means you gave it.

If you make a comment about us on one of our social media posts then we may add our own comments in response. If you have provided negative feedback then we may post a comment encouraging you to message us directly to discuss further.

Third party websites

Please note that where we make third party products and services available and include links to their website/s, you should read the applicable third party’s privacy notice if you would like to understand how they collect, store and use your personal data. This Privacy Notice does not apply to third party websites or applications.

Cookies and similar technologies

Cookies are small text files widely used and placed on your device when you visit websites and applications. We use cookies (and similar technologies such as SDKs on apps and local storage) to distinguish you from other users. This allows you to use our products and services, and helps us provide you with a good experience when you use our website (including related applications, platforms and systems).

There are two main categories of cookies: essential and non-essential.

Essential cookies let you log in, use products, services and help us understand and improve your user experience. They include essential functional and performance cookies that cannot be disabled as they are strictly necessary for the functioning, acceptable user performance and improvement of our website, and for other necessary processing such as data security and remembering your cookie settings.

You can set your browser to block or alert you about such cookies, however this is likely to affect your user experience as the website in full or parts will not be able to function.

We will always ask for your consent to use non-essential cookies which includes cookies used for additional functionality and performance of our website, We also use non essential cookies to help us with targeting, and marketing (including social media marketing).

You have control over our use of cookies. You are able to reject non-essential cookies.

We will always inform you if we use targeting, marketing or social media cookies to show you personalised advertising on our websites, applications, platforms, systems, and that of others.

Some targeting cookies include having to process offline or account information to fulfil the purpose of the cookie, meaning in order to provide you with ads relevant to you, personal data we hold about you may need to be processed so we can best understand your interests and what ads would be the most relevant for you to see. If you do not consent to targeting cookies, you will still see ads, however, these will not be targeted and so may not be of interest to you.

You can disable cookies being stored on your computer by changing your browser settings. You can also control your privacy settings on your mobile device.

We use Google Analytics and similar to provide us with statistics on website usage. Analytics cookies are non-intrusive cookies and we may consider them essential in providing and improving our products and services. The only non-anonymised personal data divulged to Google is your IP address. You can opt-out of Google Analytics following the advice here – https://tools.google.com/dlpage/gaoptout.

Cookies help you move from one website (or page) to another. By counting redirects and engagements on our website, Group Companies websites or others, for example that of estate agents and new home builders, we track how effective ads are for analytical and data insights purposes. We also need to monitor the performance of ads (ours or others) so as to make accurate payments (by us or others) of referral or conversion monies, and comply with contractual obligations. Data provided by cookies for analytics purposes is anonymised and aggregated.

We may share your personal data, such as a hashed email address and related events, with Google or other vendors to assist with advanced user matching. Personal data is shared with these third parties only if you have consented to third-party marketing or tracking cookies. Any personal data used for matching, such as an email address, will always be cryptographically hashed for security.

We may allow some third parties, such as Meta, Pinterest, Tiktok, Bing, and Google to use cookies to collect information from our websites, applications, platforms and systems. They use this information to help us advertise Alto and other Group Companies products and services on other websites and social media platforms, and also to help us find others who might be interested in our products and services.

For example, Meta uses a custom audience pixel, which is why you might see Alto and Group Company ads on Facebook after you have been on our website. We use the Facebook pixel to display our ads to Facebook users who’ve previously shown an interest in our website, and the products and services advertised on it. We also display our ads for example to those who’ve shown an interest in certain locations or properties within a particular price range, or those who’ve shown intent to purchase, sell, let or rent a property.

Facebook ‘lookalike’ audiences allow us to show ads on Facebook to people who show similar characteristics to those who use our website. ‘Lookalike’ audiences are created using data collected by the Facebook pixel, or in some cases, email address matching, but only on an anonymised and aggregated or hashed basis. We do this to make sure we show ads to people who are likely to be interested in them.

You can change your cookie preferences at any time. You may need to ensure your preferences are selected for each device and/or website or application you visit.

Where your personal data Is held

Personal data may be held at our offices and those of our Group Companies, third party agencies, service providers, ‘data processors’, representatives and agents as described above. See Who we share your personal data with.

Some of these third parties may be based outside the United Kingdom (UK) or European Economic Area (EEA). For more information, including on how we safeguard your personal data when this happens see transferring your personal data outside the UK and EEA.

Transferring your personal data out of the UK and EEA

It is sometimes necessary for us to transfer your personal data to countries outside the UK and EEA. In those cases, we will comply with data protection laws designed to ensure the privacy and appropriate protection of your personal data. Where personal data is transferred outside of the UK, your personal data is protected by:

1. the relevant receiving party being located in an ‘adequate’ territory, which means it is deemed to have an equivalent standard of protection to that offered to you under UK laws; or
2. a written agreement which adds appropriate protections approved by the UK government and ICO to safeguard that personal data.

An exemption may exist for the transfer of personal data outside of the UK and adequate territories, such as when:

• you explicitly consent to the transfer being aware of the risks;
• we have a contract with you, the transfer is needed for the performance of that contract and the contract benefits another individual whose data is being transferred;
• the transfer is deemed necessary for reasons of public interest;
• the transfer is necessary in relation to a legal claim;
• the transfer is necessary to protect your or another individual’s vital interests, such as their life; and
• the transfer is a one-off and necessary for our legitimate interests.

How long your personal data will be kept

We only keep your personal data long enough to carry out tasks we collected it for. Different retention periods will apply depending on the type of personal data and which of our products or services you are using. After that time, we securely erase your personal data. Erasure may include anonymising data or where required, putting data beyond use.

For most personal data we collect to provide our products and services to you, this will be for the duration you use our products and services plus a 6-7 year period, in line with statutory limitation periods. We also retain personal data where required to meet contractual, legal and regulatory obligations. Where personal data is held within a valid retention we may be unable to meet a data subject right to erasure, and your personal data will be erased in line with our data housekeeping practices. See Your privacy rights. For more information on retention you can email support.consumer@altosoftware.co.uk

Your privacy rights

You have data subject rights which are granted to you under data protection law, which you can exercise at any time. We manage all rights requests raised to us as the law requires. This means there may be legal reasons why we cannot complete all requests.

To exercise your privacy rights concerning personal data in the control of your agent, new home builder or similar (‘data controller’), you should contact them directly. Where we are not the sole ‘data controller’ of your personal data, we will only be able to assist with the meeting of any data subject rights request on the direct instruction or agreement of the ‘data controller’. Where we are not the ‘data controller’ or the sole ‘data controller’ of your personal data, we will likely have an obligation to either direct your data subject rights request to the ‘data controller’, or send them your request to handle.

You have the following data subject rights concerning your personal data we control, which you can generally exercise free of charge (subject to certain limitations detailed below):

Right of Access	You have the right to obtain from us confirmation as to whether your personal data is being processed, and you may have the right to access such personal data. Personal data is only disclosable if it is your personal data. Where an exemption to the disclosure of data applies or the data does not relate to you, we will be unable to provide you with access to such data. We will provide you with information on any withheld or redacted data in writing.
Right to Rectification	We will use reasonable endeavours to ensure your personal data is accurate. In order to assist us with this, you should notify us of any changes to the personal data you have provided to us by sending us a request to rectify your personal data where you believe the personal data we have is inaccurate or incomplete. You can help us keep your personal data accurate by updating your personal data yourself via relevant account Settings.
Right to Erasure (also known as the right to be forgotten)	Asking us to delete your personal data will result in us erasing your personal data in line with data protection law time scales, unless there is a legitimate and legal reason why we are unable to delete certain or all of your personal data, in which case we will inform you of this in writing. Erasure may include anonymising data so you are no longer identifiable. If we are not able to meet your right to erasure we will inform you in writing. We will retain a copy of your erasure request to evidence receipt and response.
Right to Restriction	You may have the right to ask us to stop processing your personal data. We may be able to restrict the processing of your personal data where there is a valid reason to do so and the restriction is possible. Personal data is often restricted whilst an investigation or action is undertaken in response to your request on another data subject right, such as when your personal data is waiting to be deleted in line with a request for erasure. If we are not able to restrict the processing we will inform you in writing.
Right to data Portability	Where it is technically feasible for us to do so, and within lawfully required collection of personal data parameters, you may have the right to request that we transmit your personal data to another data controller in a structured, commonly used and machine-readable format. The right to portability only applies in certain circumstances. We will always provide you with a reason in writing should we be unable to meet a portability request.
Right to Object	You may be able to object to our use of your personal data, when we use it based on our legitimate interests or those of a third party, unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defence of legal claims. If we are not able to meet your right to object we will inform you in writing. You have the right to object: at any time to your personal data being processed for direct marketing purposes. See Direct Marketing.
Automated Decision making and Profiling	Where we or a third party acting on our behalf processes personal data via automated decision making or profiling to make a decision based solely on that automated processing or profiling, and that decision produces legal effects concerning you or similarly significantly affects you, we will always where possible provide a means for you to obtain human intervention to question the outcome.
Right to withdraw Consent	Where you have given us consent to use your personal data, you may withdraw this at any time subject to the consented processing not already having taken place. No further processing will take place as soon as reasonably possible and always within legally required time scales, once consent has been withdrawn. Withdrawing consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn.
Right to be Informed	You have the right to know what personal data we hold on you, how we use that personal data, how long we hold it and who we share it with. This information is included in this Privacy Notice, together with any more specific notices given to you during your user journey.
Right to Complain	You have the right to lodge a complaint to a supervisory authority such as the Information Commission - Information Commissioner’s Office (ICO) in the UK (see www.ico.org.uk). Although we encourage our customers to engage with us and allow us the opportunity to first respond to any complaint. In the event you have any concerns or complaints about our privacy practices, please allow us an opportunity to help you by emailing support.consumer@altosoftware.co.uk or dpo@zpg.co.uk or you can escalate your complaint directly to the ICO (see www.ico.org.uk).

For more information on each of those rights, including the circumstances in which they apply, please contact us. See How to contact us below or see guidance from the UK Information Commissioner’s Office (ICO).

We will not ordinarily charge you in respect of any requests we receive to exercise any of your rights detailed above. However, if you make excessive, vexatious, repetitive or manifestly unfounded requests, we may charge you an administration fee in order to process such requests or refuse to act on such requests in line with what is acceptable under data protection law. Where we are required to provide a copy of personal data this will usually be free of charge. However, any further copies requested may be subject to reasonable fees based on administrative costs.

Where you request us to rectify, erase or restrict the processing of your personal data, we may where possible notify third parties to whom such personal data has been shared of such request. However, such third parties may have the right to retain and continue to process such personal data in its own right.

Where we reasonably need to identify you, we may need to request proof of identity or ask you to prove your identity, including via automated means, before we can process your personal data for the purposes of a data subject rights request. Where we utilise automated decision making for this or any other personal data process, we will where possible offer human intervention.

We are unable to process a data subject right request made through or via a third party provider without having adequate evidence of your identification and your instruction for the third party provider to act on your behalf. This is to protect your personal data. We may ask the third party provider to have you make direct contact with us.

Where you would like to make a data subject rights request on behalf of another individual, please ensure you are able to provide us with evidence of their consent for you to act on their behalf, and for the request to pass identification checks.

If you would like to exercise your data subject rights, please:

• email, call or write to us. See How to contact us below;
• provide enough information to identify yourself for example your full name and email address, and any additional identity information we may reasonably request from you; and
• let us know what right you want to exercise and the information to which your request relates.

Property information

We may collect, process or share property information, such as a property’s address and attributes about the property or a property transaction. Where data relates to a property or property transaction, and not an individual it is property information, and the requirements of or rights provided by data protection law and regulation do not apply. Property information is not personal data unless it is directly or indirectly linked to a data subject.

Keeping your personal data secure

Information security

Our websites generally use encryption technology to protect the transfer of your information to and from our websites and applications. We maintain and enforce physical, electronic, and procedural safeguards in connection with the collection, transfer and storage of your personal data. However, whilst we take these appropriate technical and organisational measures to ensure the security of your personal data, we cannot guarantee the security of all personal data that you transfer over the internet in every circumstance.

Password strength

It is important to keep any account password secure to prevent fraudulent use. Where you are required to create a password: Never disclose your password to anyone else, and especially to anyone who requests it from you by telephone or email. We will never request your password. You should avoid using the same password for multiple websites and avoid using common terms for your password such as "password" or "123456". Instead, try using three or four words linked together combined with numbers, capitals and special characters, something easy to remember but difficult to guess. Take care when using public WiFi networks and ensure all email accounts you use are secure. If you use a shared computer, make sure that you log out once you have finished using a website or application.

Phishing

Threat actors may try to steal your personal data using a technique known as 'phishing'. This is where threat actors send emails that appear to be from someone or a company you know, but are actually the threat actor attempting to make you provide them with your personal data or even transfer money to them (known as redirection fraud). If you receive an email that claims to be from us and contains a link to an external website, or a request for you to enter any personal data or transfer money, treat it as suspicious and do not enter any personal data, even if the email appears legitimate. If you suspect your account details are subject to any fraudulent activity, please contact us immediately. We are unable to take responsibility for any loss you may suffer either directly or indirectly as a result of any fraud, security incident or success of any threat actor outside of our secure environments, or where we have taken all reasonable measures to protect your personal data.

Payment card details and subscriptions

We are committed to ensuring the protection of your payment card details and comply where required with the Payment Card Industry's Data Security Standard (PCI-DSS). Payments whether once-off or subscriptions made via our websites, applications, platforms and systems are processed and managed by specialist payment card providers. The full payment card number is never stored by us and is only stored and processed by the specialist payment card provider approved by us. We may keep an encrypted authentication token to represent your card and this token is transmitted to the specialist payment card provider during the order or refund processing.

We may retain some information to allow us to link the transaction to you, this information will never be your full account or card details. We will retain your consent to our Privacy Notices and practices where needed to evidence you have agreed for a payment to be made or to be entered into a subscription agreement for the purposes of processing of personal data for auto-renewals. Your financial information will also be processed by our payment provider in order to generate any valid requested refund. Subscriptions and payments may be stopped or paused at our or our payment provider’s discretion, to comply with legal and regulatory obligations, or to prevent fraud.

Vulnerability disclosure policy

When it comes to our products and marketing we don't compromise on security. If you've noticed something that doesn't seem quite right with any of our platforms please let us know. Drop us an email on security@houseful.co.uk including your name, details of the vulnerability and how to reproduce it.

Although we welcome all reports of suspected vulnerabilities, we aren't able to respond to every email, and aren't offering rewards or bounties for any finding forwarded to us.

We expect professionalism from any security researchers and for them to avoid privacy or legal violations; these violations include (amongst others) not destroying or corrupting our data, not interrupting our operations, not accessing personal data, not targeting our staff, not performing any scans on our systems and not trying to access the account details of any other user. Any unauthorised access, transfer or other processing of Alto personal data or personal data processed by Alto on behalf of a controller, may be a criminal offence under the Computer Misuse Act.

If you have disclosed a valid unique bug, we will of course pass this on to our teams internally to resolve, but will not be able to keep you updated on the progress of the report. Regardless of the outcome of your finding we would ask that disclosures be made directly to us, and that no public disclosure is made without our prior explicit consent. Only reports that have been encrypted will be read.

Making personal data public

If you post, comment, indicate interest, or share personal data, including photographs, to any third party public forum, social network, blog, or any other publicly accessible online location, you must note that any personal data you submit can be read, viewed, collected, or used by other users, and could be used to contact you, send you unsolicited messages, or for purposes that neither you or we can control. We are not responsible for the personal data you choose to disclose publicly on websites, applications, platforms, systems, forums or similar. Please refer to the relevant third party privacy notice for how they may process your personal data.

Children under the age of 13

Neither our websites, applications, platforms, systems, products or services are aimed at children under 13 years of age. You must be 18 years old or over to create an account on our websites, applications, platforms or systems, or to contact us or third parties through using our products and services. Minors are not permitted to use our websites, applications, platforms and systems. No content is intended for children.

We do not knowingly collect personal data from children under 13. If you are under 13, please do not use our products or services and do not provide any personal data to us via any means. If we learn we have collected or received personal data from a child under 13 without verification of parental consent, we will delete that personal data. If you believe we might have any personal data from or about a child under 13, please contact us at dpo@zpg.co.uk.

How to contact us

We hope all of the above makes sense and you’re happy with how we use your personal data. If not, please contact us at support.consumer@altosoftware.co.uk, or you can contact our Data Protection Officer at dpo@zpg.co.uk or via post to The Cooperage, 5 Copper Row, London, SE1 2LH. Please mark the envelope ‘Data Protection Officer’.

You may also lodge a complaint with the Information Commissioner’s Office (ICO), if you think your data protection rights have been breached in any way by us and you have already made a complaint to us in the first instance and you remain unsatisfied with the complaint outcome. You may contact the ICO at:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or at www.ico.org.uk. See Right to Complain.

Changes to this Privacy Notice

From time to time, we change this Privacy Notice. We will post any changes to this page, so please check it often. Where appropriate, we will notify you of the change, for example by email or by means of a notice on our websites, applications, systems or platforms. Your continued use of our relevant products and services, including use after the posting of any changes, will be deemed acceptance and acknowledgement by you of the information found within Privacy Notice. You are responsible for ensuring we have an up-to-date active and deliverable email address for you and that you regularly visit this Privacy Notice to check for any changes.

This Privacy Notice was last updated in July 2025.

Do you need extra help?

If you would like this notice in another format (for example audio, large print, braille) please contact us. See How to contact us above.

Part B: Product Specific Offerings

Alto offers a range of products and services which can help you with decisions and actions such as a property search, property transaction or moving journey.

Where you use certain specific products and services, we may also collect or process additional personal data from you to provide that product or service. For ease we have set out more detail below.

Alto Consumer Portal (Keyflo)

Sales

Keyflo provides a means for you to review information related to a property sale and/or purchase to which you are a party, such as completing administrative tasks and reviewing documentation which can help to ensure the transaction progresses smoothly. We collect and process personal data as a ‘data controller’ to provide you with our Alto Consumer (Keyflo) offering, which includes processing in addition to that listed above. In some instances we may act as a joint controller with a third party involved in providing you with the product or service. We also undertake processing on behalf of Alto Agent Members where we act as a ‘data processor’. See Alto as a data processor.

Below is further privacy information concerning this offering:

Service or product	What personal data we collect and process, and when information is not personal data	How your data is collected	What lawful basis we rely upon
Alto Consumer	Your contact details including name, email address, sales transaction data, user identification code (for access), status, behaviour, preferences and your IP address. A property address and attributes where it relates to the property and not an individual is not personal data.	We collect personal data directly from you through the Keyflo portal. We also may gather personal data you have provided to third parties such as your agent within our Alto Customer Relationship Managements platform.	Consent (Cookies) Performance of a Contract (Alto Consumer/Keyflo terms of use) Legitimate Interests

If you are a Keyflo user, we may share your personal data for the purposes of providing you our products and services with:

• Group Companies;
• Estate and Lettings Agents;
• Partners;
• An E-signature provider;
• Just Move In;
• Thirdfort; and
• Legal Marketing Services.

Letting Progression

Through the Alto Consumer (Keyflo) portal we collect and process personal data from you and via third parties as a ‘data controller’ which is in addition to that listed in Part A (as applicable). We may process your personal data for the purposes of offering you services to assist you with your application, home move, and/or your letting property transaction.

If you are using our Lettings Progression service within the Keyflo portal, we may act on behalf of the relevant lettings agent in facilitating the technology to process your personal data to do things like process your ID documents or have you sign a tenancy agreement (as a tenant, landlord or guarantor). Note that where you are signed up with a lettings agent, that lettings agent may require further personal data from you. They are the ‘data controller’ in this instance and you should review their privacy notice for details about their processing activities which we may help to facilitate as ‘a data processor’. See Alto as a data processor.

Below is some further privacy information concerning this offering:

Service or product	What personal data we collect and process, and when information is not personal data	How your data is collected	What lawful basis we rely upon
Letting Progression	Your contact details including name, email address, lettings transaction data, user identification code (for access), status, behaviour, preferences and your IP address. A property address and attributes where it relates to the property and not an individual is not personal data.	Provided by you when you use the offering or create an account with us as part of your use of this offering. We may also gather personal data from a third party such as your agent or landlord.	Consent (solicited action) Contract (Alto Consumer / Keyflo terms of use) Legitimate Interests.

If you are a Keyflo user, we may also share your personal data for the purposes of providing you our products and services with:

• Group Companies;
• Estate and Lettings Agents;
• Partners;
• An E-signature provider;
• Just Move In;
• Thirdfort; and
• Zero Deposit.

PropertyFile

PropertyFile is an online platform designed to keep you informed and updated on your properties whether you're selling, letting or renting. Property File (co-branded with our partner estate agents) is the data controller (we participate in determining the purposes and manner in which your personal data is processed). In some instances we may act as a joint controller with a third party involved in providing you with the product or service, such as an agent or a developer (agent) you are purchasing, selling, letting or renting a property from.

Alto further acts as a processor of any personal data hosted on the PropertyFile platform that is in the independent control of an agent. Where Alto only processes personal data hosted on the PropertyFile platform for the purpose of providing PropertyFile services to agents, they are the controller of your personal data and any queries you may have about the processing of such personal data, including exercising your data subject rights must be directed to the agent. Where we act in response to instructions from agents, the agent's privacy policy and notices will apply. See Alto as a data processor.

Below is further privacy information concerning this offering:

Service or product	What personal data we collect and process, and when information is not personal data	How your data is collected	What lawful basis we rely upon
Property File	Your contact details including name, email address, password, status, property transaction data, behaviour, preferences and your IP address. A property address and attributes where it relates to the property and not an individual is not personal data.	We collect personal data directly from you through the PropertyFile portal. We also may gather personal data you have provided to your agent within our Alto Customer Relationship Managements platform.	Consent (Cookies) Performance of a Contract (PropertyFile terms of use) Legitimate Interests

If you are a PropertyFile user, we may also share your personal data for the purposes of providing you our products and services with:

• Group Companies;
• Estate and Lettings Agents;
• Partners;
• An E-signature provider;
• Just Move In; and
• Zero Deposit.

Movemnt

Movemnt allows you to obtain quotes from conveyancers. In doing this, we collect and process certain personal data from you and via third parties (such as Group Companies) as a ‘data controller’. We may process your personal data on the instruction of your agent or new home builder (or similar), in such an instance, we may be acting as a ‘data processor’ and your agent or new home builder will be the ‘data controller’.

Below is some further privacy information concerning this offering:

Service or product	What personal data we collect and process, and when information is not personal data	How your data is collected	What lawful basis we rely upon
Movemnt	Your name and contact information, including email address and telephone number. Your property address, any lender details (if applicable), property transaction status, online behaviour, preferences and claim details (if applicable). Financial information such as credit / debit cards (if applicable). The property address and any other property related information required to obtain a quote for conveyancing or other property transaction related purposes. A property address and attributes related to a property and not an individual is not personal data. In certain circumstances, we may need to verify your identity for anti-money laundering purposes. This may include identification documents and biometric identifiers.	We collect personal data directly from you when you choose to search for conveyancing quotes or other property transaction products or services on our or third party websites or portals. We may receive personal data about you and your property transaction from third parties such as your agent or new home builder, for the purposes of us helping you obtain quotes for conveyancing (and other property related products and services), and to select and instruct a conveyancer (or other service provider).	Consent (solicited action and contact) Contract (Movemnt terms and conditions) Legitimate Interests Explicit consent for special category / biometric data processing.

We share your personal data with our product partner Legal Marketing Services Ltd (LMS) who in turn facilitates introducing conveyancers to you. We may make available to you or introduce you to third party products or services to enhance or contribute towards the benefits of your use of our product or service, such as providing you with a home protection guarantee.

We are the policyholder of an insurance back guarantee policy (“IBG”). This IBG has been arranged by Rhino Protect Limited (“Rhino”) administered by ARAG plc, who is the coverholder of the Insurer, SCOR UK Company Limited. Refer to our Movemnt terms and conditions for more information. Where eligible for the guarantee, we may share your personal data with Rhino to provide you with this benefit.

If you engage with Rhino for the purposes of making a claim or lodging a complaint about their service, Rhino will be the data controller and you must agree to their privacy notice and terms that can be found on their website Rhino Home Protect.

If you are using Movemnt, we may also share your personal data for the purposes of providing you this offering with:

• Legal Marketing Services Ltd (https://www.lms.com/privacy.html);
• Conveyancers approved by the SRA (https://www.sra.org.uk);
• Conveyancers approved by the CLC (https://www.clc-uk.org);
• Stripe Inc or other payment processors (https://stripe.com/en-gb);
• oPayo (https://www.elavon.co.uk/privacy-policy.html);
• Rhino Protect Limited (https://www.rhinohomeprotect.com/);
• Data with Search providers used to initiate property searches, for example Move Reports (https://www.movereportsuk.com);
• Group Companies such as Uswitch to help us introduce you the our consumer Movemnt products and services (https://www.uswitch.com); and
• An E-signature provider.

For any complaint concerning our offer of the guarantee, where eligible, or the use of our product or service, you can contact support.consumer@altosoftware.co.uk

Alto as data processor

As a reminder this Privacy Notice applies where we act as a ‘data controller’ under data protection laws. You should consult the privacy notice of your estate agent, lettings agent, landlord or new home builder (our customers) to understand how your personal data is processed, shared and retained by them, in particular when you ask them to undertake a service for you. For clarity and transparency, in facilitating Alto Consumer, PropertyFile, Movemnt, Keyflo and/or Letting Progression offering, for certain purposes we act as a data processor on behalf of our customers who you may buy, sell, rent for you, or you let a property from.

The data this relates to includes information required by our customers to allow you to complete a property transaction, including (without limitation and subject to additional requirements of any of such third parties): your contact details; personal data included in any documents you submit, e-signatures, or further agreements (for example if you upload identification documents), special categories of personal data needed or obtained during required AML checks, vetting and referencing.

We may share your personal data back to our customers and to our customers’ partners as a data processor for any further processing we are instructed to undertake such activity on our customers’ behalf. We may further need to share your personal data with any joint applicant, landlord, guarantor (or other interested party) and vice versa, with whom we may share the status of your property transaction and any other personal data where required by our customer or by law.

Updated: January 2026