Privacy Policy

WHO WE ARE

Quark Solution Ltd (“we”, “us”, or “our”) is a company incorporated in England and Wales under registration number 13120748, with registered office at Broom House, 39/43 London Road, Hadleigh, Benfleet, Essex, SS7 2QL, United Kingdom, and trading as Atalo.

Atalo is a property-management platform used by landlords, letting agents and portfolio managers (our “Customers”) to manage Houses in Multiple Occupation (HMOs) and other rental properties across the tenancy lifecycle.

This Privacy Policy explains what information we collect, how we use it, and what rights you have in relation to it. It applies to our website at https://atalo.co and its subdomains, and to the Atalo web and mobile applications (together, the “Service”).

If you have any questions or concerns about this policy or our handling of your personal information, please contact us at admin@quarksolution.com.

We are registered with the UK Information Commissioner’s Office (ICO).

OUR ROLE: CONTROLLER AND PROCESSOR

This is the most important section for understanding how your data is handled, because Atalo acts in two different capacities.

We are a data controller for personal data where we decide how and why it is processed. This applies to our Customers and their authorised users (account, contact, login and billing details), prospective customers and marketing contacts, visitors to our website, and our own business, security, analytics and support records.

We are a data processor for the personal data that our Customers enter into, or generate within, the Service about their own tenants, prospective tenants, guarantors, occupants and properties. In that case the Customer (the landlord, agent or portfolio manager) is the controller, and we process that data only on their documented instructions under a data processing agreement.

When a deposit is registered with a government-approved tenancy deposit scheme (for example the Tenancy Deposit Scheme), or when referencing or credit checks are carried out by a third-party provider, that scheme or provider is a separate, independent controller acting under its own legal obligations. We transmit the necessary data to them on the Customer’s instruction but do not control how they subsequently process it.

If you are a tenant or other individual whose data is held in Atalo by a landlord or agent, that landlord or agent is your controller. Requests about that data (such as access or erasure) should normally be directed to them; we will support them in responding.

WHAT INFORMATION DO WE COLLECT?

As a controller (about Customers, prospects and visitors):

Identity and contact data: name, business name, email address, postal address, telephone number.

Account credentials: usernames and passwords (stored in hashed form), and authentication/security data.

Billing data: subscription and payment records. Card and bank-payment details are collected and processed by our payment provider; we do not store full card numbers or card security codes.

Usage and technical data: IP address, device and browser characteristics, operating system, language preferences, referring URLs, and information about how you use the Service, collected partly through cookies.

Communications: correspondence with our support team and feedback you provide.

As a processor (about tenants and others, on our Customers’ instructions):

Tenant and occupant identity and contact data: names, dates of birth, contact details.

Tenancy data: tenancy agreements, tenancy terms, dates, rent and arrears records, correspondence.

Property data: addresses, UPRNs, EPC and compliance information.

Deposit data: deposit amounts, protection references and scheme records.

Payment data: rent and direct-debit information processed via our payment provider.

Referencing and affordability data: information used for tenant referencing and credit checks carried out by third-party providers.

Right-to-Rent and identity documents: immigration status and identity-document information required by law. This can include special category data and other sensitive data, which is processed only where lawful and only on the Customer’s instruction.

HOW DO WE USE YOUR INFORMATION?

Under UK GDPR we must have a lawful basis for processing. Where we act as a controller, we rely on the following:

Performance of a contract — to create and administer accounts, provide the Service, take payment and provide support.

Legitimate interests — to secure and improve the Service, prevent fraud and misuse, understand usage, and carry out B2B marketing to business contacts (balanced against your rights; you can object at any time).

Legal obligation — to meet our obligations under tax, accounting, anti-fraud and other applicable law.

Consent — for certain marketing communications and non-essential cookies, where required. You may withdraw consent at any time without affecting prior lawful processing.

Where we act as a processor, the Customer determines the purpose and lawful basis for processing tenant and property data; common bases they rely on include contract, legal obligation (such as deposit protection and Right-to-Rent checks) and legitimate interests.

WILL YOUR INFORMATION BE SHARED WITH ANYONE?

We do not sell personal data. We share it only as necessary to run the Service or to meet legal obligations.

Sub-processors. We use carefully selected service providers who process personal data on our behalf under written contracts that meet UK GDPR Article 28 requirements. Our current sub-processors include:

Cloud hosting and infrastructure — Google Cloud Platform / Firebase.

Payments and direct debit — Stripe.

Tenant referencing and credit checks — Vorensys.

A current, itemised list of sub-processors is available on request from admin@quarksolution.com. We will give Customers advance notice of material changes to this list where their data processing agreement requires it.

Other recipients. We may also disclose data to professional advisers, to comply with a legal or regulatory obligation or valid request, to enforce our terms, to protect rights and safety, or in connection with a merger, acquisition or sale of assets (in which case we will continue to protect your data and notify you where required).

INTERNATIONAL TRANSFERS

Our primary hosting region is the United Kingdom. Some sub-processors may store or process personal data outside the UK. Where personal data is transferred outside the UK, we ensure an appropriate safeguard is in place, such as transfer to a country covered by UK adequacy regulations, or the International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses together with the UK Addendum, plus any additional measures required.

Details of the safeguards used for a specific transfer are available on request.

HOW LONG DO WE KEEP YOUR INFORMATION?

We keep personal data only for as long as necessary for the purposes for which it was collected, including to satisfy legal, accounting, tax or reporting requirements.

Customer account data — for the duration of the contract and for a reasonable period afterwards.

Financial and transaction records — typically retained for 6 years to meet UK tax and accounting obligations.

Tenancy, deposit and related records processed on a Customer’s behalf — retained in line with the Customer’s instructions and the statutory and dispute-resolution periods that apply to deposit protection and tenancy records, which can extend beyond the end of a tenancy.

Marketing data — until you opt out or it is no longer needed.

When we act as a processor, we return or delete personal data at the Customer’s choice on termination, except where we are required by law to retain it. When data is no longer needed we delete or anonymise it, or securely isolate it from further processing where deletion is not immediately possible (for example in backups).

COOKIES

We use cookies and similar technologies to keep you signed in, remember preferences, secure the Service against automated abuse, and understand aggregate usage.

You can set your browser to refuse some or all cookies, or to alert you when sites set or access cookies. If you disable or refuse cookies, some parts of the Service may become inaccessible or may not function properly.

HOW WE PROTECT YOUR INFORMATION

We implement appropriate technical and organisational measures to protect personal data, including: encryption of data in transit and at rest; role-based access controls and the principle of least privilege; secure management of credentials and API keys (held in a dedicated secrets manager, not in application-readable storage); audit logging of access to and changes affecting personal data; and ongoing monitoring and regular review of our controls.

No system can be guaranteed completely secure, but we work to protect data and to respond promptly to any incident.

PERSONAL DATA BREACHES

If a personal data breach occurs that is likely to result in a risk to individuals’ rights and freedoms, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, as required by UK GDPR. Where the breach is likely to result in a high risk to affected individuals, we will inform them without undue delay. Where we act as a processor, we will notify the relevant Customer (controller) without undue delay so they can meet their own obligations.

AUTOMATED DECISION-MAKING

Some processing carried out through third-party referencing or credit-check providers may involve automated processing or scoring as part of a Customer’s tenant-assessment process. Where a decision producing legal or similarly significant effects is based solely on automated processing, the relevant controller must provide the safeguards required by UK GDPR, including the ability to obtain human review. If you are a tenant, contact the landlord or agent who carried out the check.

WHAT ARE YOUR PRIVACY RIGHTS?

Under UK GDPR you have the right to: access a copy of your personal data; have inaccurate data corrected; have data erased in certain circumstances; restrict or object to processing in certain circumstances; data portability; and withdraw consent where processing is based on consent.

To exercise these rights in relation to data we control, contact us using the details below. For data we process on behalf of a Customer (such as tenant data entered by a landlord or agent), please contact that Customer as the controller; we will assist them in responding.

We will respond within one month, as required by law.

HOW CAN YOU CONTACT US ABOUT THIS POLICY?

If you have questions or comments about this policy, you may email us at admin@quarksolution.com or by post to: Quark Solution Ltd, Broom House, 39/43 London Road, Hadleigh, Benfleet, Essex, SS7 2QL, United Kingdom.

How to contact our Data Protection Officer:

Should you wish to report a complaint or if you feel that we have not addressed your concern satisfactorily, you may contact our Data Protection Officer in writing:

Tanya Fletcher

Quark Solution Ltd, Broom House, 39/43 London Road, Hadleigh, Benfleet, Essex, SS7 2QL, United Kingdom

COMPLAINTS

If you are unhappy with how we have handled your personal data, please contact us first so we can try to resolve it. You also have the right to complain to the UK supervisory authority:

Information Commissioner’s Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

Helpline: 0303 123 1113

https://ico.org.uk

CHILDREN

The Service is intended for use by businesses and adults. It is not directed at children, and we do not knowingly collect data directly from children. Tenants and other individuals recorded in the Service are expected to be adults (18 or over).