
GDPR compliance.

Last reviewed 12 June 2026


1. Why this page exists

HabiTrak is used to record some of the most sensitive information an organisation can hold — health, support and tenancy data about people living in supported housing. Providers, commissioners and residents are entitled to know how that data is looked after. This page summarises, in plain English, how we approach our obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

It is a summary, not a replacement for our privacy policy, which remains the authoritative description of how we handle personal data.

2. Who is responsible for what

UK GDPR distinguishes between a "controller" (who decides why and how personal data is processed) and a "processor" (who processes data on a controller's instructions). In HabiTrak the split is:

  • Resident and operational data — everything your organisation records about residents, tenancies, support and compliance. Your organisation is the data controller and HabiTrak is the data processor. We process this data only on your documented instructions, under a data processing agreement.
  • Account, prospect and website data — data about the people who sign up for and administer HabiTrak accounts, contact us, or visit our website. For this data HabiTrak is the controller, as set out in our privacy policy.

What customer organisations remain responsible for

As controller of resident data, your organisation is responsible for:

  • establishing the lawful basis for processing resident data, and giving residents the required privacy information;
  • identifying the UK GDPR Article 9 condition (and the associated Data Protection Act 2018 Schedule 1 condition) for any special-category data you record;
  • responding to data-subject requests from residents — we assist you as your processor;
  • deciding how long resident records are retained;
  • managing which of your staff have HabiTrak accounts and what their roles can access.

3. Special-category data

Much of the resident data recorded in HabiTrak is special-category data within the meaning of UK GDPR Article 9 — for example, data concerning health, mental health, substance use, risk assessments and support plans. We treat all resident data with the care this demands:

  • we process it solely as your processor, to provide the platform and on your instructions;
  • we never use resident data for our own purposes, and we never sell personal data;
  • no third-party advertising, analytics or tracking services go anywhere near it.

Providers typically rely on Article 9(2)(h) (provision of health or social care) or Article 9(2)(g) (substantial public interest) for this data, together with the associated condition in Schedule 1 of the Data Protection Act 2018.

4. Where your data lives

All personal data in HabiTrak is stored and processed in the United Kingdom. Our infrastructure runs on Amazon Web Services (AWS), configured in the London region (eu-west-2). We do not routinely transfer personal data outside the UK. If that ever changes, we will put appropriate safeguards in place first — such as UK adequacy regulations or the International Data Transfer Agreement — and update this page and our privacy policy.

5. Security

HabiTrak runs as a Spring Boot application hosted entirely on AWS in the London (UK) region — there is no self-hosted infrastructure. Our technical and organisational measures include:

  • Network isolation — the application and database run inside a private network (VPC) and are not exposed directly to the internet;
  • Encryption — data is encrypted in transit (TLS) and at rest;
  • Automated backups — the database is backed up automatically;
  • Role-based access control — enforced in the application layer, so each user sees only what their role requires, with sign-in handled by Amazon Cognito;
  • Need-to-know access — HabiTrak personnel access customer data only where necessary to operate and support the service;
  • Logging and monitoring — activity across the platform is logged and monitored.

We keep these measures under review. No system can be guaranteed fully secure, and we do not over-state the protection any technology can provide.

6. Data subject rights

Under UK GDPR, individuals have rights over their personal data, including access, rectification, erasure, restriction, portability and objection. Who to contact depends on whose data it is:

  • Residents — your housing provider or managing agent is the controller of data held about you in HabiTrak, so requests are routed to and handled by them. We support providers in responding, as their processor.
  • Account holders, prospects and website visitors — contact us directly using the details below, or use our data deletion page.

7. Data processing agreement

Our processing of resident data on customers' behalf is governed by a data processing agreement, available on request via support@habitrak.co.uk. It covers processing on documented instructions only, confidentiality, security measures, sub-processor changes, assistance with data-subject requests and data protection impact assessments, and the return or deletion of resident data when a customer leaves.

In brief: account data is deleted within 90 days of account closure, technical and security logs are kept for up to 12 months, and resident data is retained in line with the controlling provider's instructions — see our privacy policy for the full retention details.

8. Sub-processors

We use a single infrastructure sub-processor: Amazon Web Services, configured in the London region. AWS provides hosting and storage (Amazon S3 and Amazon CloudFront), user authentication (Amazon Cognito) and service email (Amazon SES), and processes personal data only on our instructions and under contract. We use no third-party analytics, advertising or tracking services. Customers are informed of sub-processor changes in accordance with the data processing agreement.

9. Personal data breaches

Where we are the processor, we will notify the affected customer without undue delay after becoming aware of a personal data breach affecting their resident data, and will assist them in meeting their own notification obligations to the Information Commissioner's Office (ICO) and to data subjects.

Where we are the controller, we will assess the breach and, where required, notify the ICO within 72 hours and inform affected individuals where there is a high risk to them.

Contact us

For questions about this page or our GDPR posture, or to request a copy of our data processing agreement, contact us at support@habitrak.co.uk.

Habitrak Software Ltd

Company No. 16518603 (registered in England & Wales)

Email: support@habitrak.co.uk

Privacy contact: support@habitrak.co.uk

If you are unhappy with how we have handled your personal data, you can complain to the Information Commissioner's Office at ico.org.uk.