Holdright

Privacy Policy

Last updated: March 2026

Who we are

Holdright is operated by Magnodhi Ltd, a company registered in England. We help UK leaseholders scrutinise annual service charge demands.

What data we collect

Uploaded PDF content

When you upload a service charge demand PDF, we extract the text content for analysis. The extracted text is sent to Anthropic’s Claude API for structured data extraction. We do not send your email address, IP address, or any other personal metadata to Anthropic — only the text content of your uploaded document. Uploaded documents are stored temporarily on our servers and automatically deleted after 90 days.

Uploaded image content

When you upload photos of your service charge demand, we process the images using OCR (Tesseract) to extract the text content. Any EXIF metadata embedded in your images — including GPS location, device identifiers, and timestamps — is stripped immediately before any processing or storage takes place. The extracted text (not the original image) is sent to Anthropic’s Claude API for structured data extraction. If you consent to storing your upload, the stored version has all EXIF metadata removed. The same consent-based storage model applies as for PDFs — images are stored only with your permission and automatically deleted after 90 days.

Email address

We collect your email address when you complete a payment via Stripe Checkout or opt in to notifications. We use your email to deliver your report and, if you have opted in, to send product updates. We do not sell or share your email address with third parties for marketing purposes.

IP address

Your IP address is used for rate limiting to prevent abuse of our service. We do not store IP addresses in our database or logs beyond what is necessary for rate limiting.

Payment data

Payment is processed entirely by Stripe. We do not see or store your full card details. Stripe provides us with a transaction reference and confirmation of payment. Payment records are retained for 6 years in accordance with HMRC requirements.

How we process your data

  1. You upload a PDF or photos of your service charge demand.
  2. For images, we first strip all EXIF metadata (location, device info, timestamps), then use OCR (Tesseract) to extract the text content.
  3. For PDFs, we extract the text content using pdfplumber, an open-source PDF parsing library.
  4. The extracted text (from either PDF parsing or OCR) is sent to Anthropic’s Claude API, which returns structured data (amounts, dates, line items, landlord details, etc.).
  5. Our rule engine analyses the structured data against statutory compliance requirements and cost benchmarks.
  6. The analysis results are stored in our database and presented to you.

No email addresses, IP addresses, or other personal metadata are sent to Anthropic. Only the extracted text content of your uploaded document is transmitted.

Legal basis for processing

We process your data under the following legal bases as defined by UK GDPR and the Data Protection Act 2018:

  • Legitimate interest (Article 6(1)(f)): Processing your uploaded document and delivering analysis results is necessary for the service you have requested.
  • Consent (Article 6(1)(a)): Where you provide your email address for notifications or updates, we process it based on your explicit consent. You may withdraw consent at any time by contacting privacy@holdright.co.uk.
  • Legal obligation (Article 6(1)(c)): Payment records are retained as required by HMRC regulations.

Data retention

DataRetention periodAction after expiry
Uploaded PDF documents90 daysAutomatically deleted
Uploaded image files90 daysAutomatically deleted
Analysis records12 monthsAnonymised
Payment records6 yearsDeleted (HMRC requirement)
Email addressesUntil consent withdrawnDeleted or anonymised

Third parties

We share data with the following third-party processors, all of whom are bound by data processing agreements:

  • Anthropic — AI-powered text extraction. Receives extracted text content of uploaded PDFs only.
  • Stripe — Payment processing. Payment details are entered directly into Stripe; we do not handle card data.
  • Postmark — Transactional email delivery. Receives email addresses and email content.
  • Render — Application hosting and database. All application data is hosted on Render.

Where data is transferred outside the UK, appropriate safeguards are in place including Standard Contractual Clauses (SCCs) as approved by the UK Information Commissioner’s Office.

Your rights

Under UK GDPR, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate personal data.
  • Right to erasure: Request deletion of your personal data, subject to legal retention requirements.
  • Right to data portability: Request your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interest.
  • Right to restrict processing: Request that we limit how we use your data.

To exercise any of these rights, contact us at privacy@holdright.co.uk. We will respond within one month, as required by UK GDPR.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

Cookies

Holdright uses only essential cookies required for the site to function. We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

Changes to this policy

We may update this policy from time to time. Material changes will be communicated via the website. The “Last updated” date at the top of this page indicates the most recent revision.

Contact

For any questions about this privacy policy or your personal data, email us at privacy@holdright.co.uk.

Data Controller: Magnodhi Ltd

This privacy policy is governed by UK GDPR and the Data Protection Act 2018.