Please read this privacy policy carefully

This website, and any subdomains (the “Services”) are operated by Lettings in a box which is a trading style of Quodex limited (for tenant and guarantor referencing) and C&C Risks UK Limited (for insurance products), both with the mailing address of 10 Guildhall Street, Grantham Lincolnshire NG31 6NJ (“We”, “Us”, or “Our”). Quodex limited and C&C Risks UK Limited are the data controllers of your personal information in the context of the services.

This privacy notice (“Notice”) describes how we will process and protect personal information relating to an identified or identifiable individual (“Personal Information”) when you use our services, which includes referencing services, purchasing insurance products, creating an account, accessing policy documents and forms (for example, view policy terms and conditions, print certificates of coverage, print claims forms etc.), make payments, and contact customer support (for example, through the chat function on our websites), and applies to your use of the services.

We use the personal information to provide our referencing, insurance or other services to you, to communicate with you, and to track usage of the services and our products and services.

We also use the personal information to undertake tenant and guarantor referencing services for you, your letting agent or potential landlord, to communicate with you, and to track usage of the tenant referencing services.

When undertaking a tenant or guarantor reference, we use TransUnion Information Group Limited to conduct credit searches on you. Further information on how your data is used by TransUnion Information Group Limited can be found at the following address:

When undertaking a tenant or guarantor reference, we use Yoti to conduct digital verification and right to rent searches. Further information on how your data is used by Yoti can be found at the following address:

We undertaking a tenant or guarantor reference, we use Mistho to conduct open payroll and benefits searches. Further information on how your data is used by Mistho can be found at the following address:

Your personal information shall be held and used in accordance with applicable legislation relating to the protection of personal information (the “Applicable Law”).

Your personal information will be shared with other affiliates and service providers, some of which are located outside the EEA and are not subject to an adequacy decision of the European Commission.

Automated decisions may be taken about you, for example to determine your eligibility for our products and services, the costs of our products and services and the viability of claims that you make under our products and services (see “Automated Decision Taking” for further information)

Where we rely on your consent, such as for the placement of cookies and sending of promotional communications, you can withdraw this consent at any time.

This notice sets out more details of this processing, including details of your data protection rights, such as your right to object to certain processing (see “Your Choices and Rights” for further information).

This notice applies to the service only and does not necessarily reflect practices with respect to information gathered through other services we offer or websites we operate or the collection of information through off-line means. To review the privacy practices of those other services, please refer to the policies provided in association with each.

We may update this notice from time to time in response to changing legal, technical or business developments.

You can see when this privacy notice was last updated by checking the “last updated” date displayed at the bottom of this privacy notice.

Personal Information We Collect

We collect your personal information in the following situations:

For tenant and guarantor referencing

Information you provide voluntarily.

You may be asked to provide voluntarily personal information about yourself when you use our services. As a user of our services (whether a tenant, landlord, estate agent, guarantor or referee), you create an account (“Account”) with us. The personal information that you provide when setting up your account may include your name, email address, postal address, bank account details, and telephone number. You may also provide us with your credit or debit card number, security code and expiry date, when using our services. Furthermore, you may provide us with personal information in your correspondence with us and in the content you upload through the services. If you register to hold an account with us, you will also have a unique identifier and password which enables you to access your account.

In your capacity as a tenant or guarantor you may also provide us information about your employment such as the name of your employer, your role and salary together with the name and contact details of your referees.

Alternatively, you may be an estate agent who is setting up accounts on behalf of a landlord and/or a tenant or guarantor. If that is the case, you will ensure that you communicate this notice to the landlord and/or tenant or guarantor. You confirm that you have been authorised by the landlord and/or the tenant or guarantor to provide their details to us via our websites or services. In your capacity as an estate agent you may also be asked to provide us personal information, including your name, email address, telephone number and name of your employer.

We will use the personal information you provide us:

  1. to facilitate the contract between you and the relevant tenant and/or landlord and/or agent as appropriate;
  2. to create your account and provide you with our services;
  3. to process debit and credit card payments;
  4. to verify your identity;
  5. to prevent, detect and investigate potentially illegal activities;
  6. to send you information about the services;
  7. to provide customer service in relation to your use of the service, to contact you, to deal with enquiries and complaints relating to the use of the Service and to notify you of any changes to the services;
  8. to provide you with marketing communications by post and/or phone unless you have told us you do not want to receive such communications; and
  9. to provide you with marketing communications via electronic means (such as email, SMS and/or MMS) about our products, services, events and offers, which you have requested to be sent or which we think may be of interest to you.

Information we collect automatically

When you visit our websites, we may automatically collect information from your device. In some countries, including countries in the European Economic Area, this information may be considered personal information under applicable data protection laws.

Specifically, the information we collect automatically may include information like your IP address, log-in information, broad geographical location (e.g. country or city-level location), browser type and version, browser plug-in types and versions, operating system and platform, information about your visit including the URL clickstream to, through and from our websites, download errors, length of visits to certain pages, page interaction, referral source and similar information. This information may be collected by a third party website analytics service provider on our behalf and may be collected using cookies. For more information on our use of cookies please refer to the ”Cookies and similar tracking technologies” section below, or visit the “Cookie Notice” on our websites.

We use the information we collect automatically:

  1. to administer our websites for internal operations including troubleshooting purposes;
  2. as part of our effort to keep our websites safe and secure;
  3. to measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you;
  4. to develop, improve and personalise the services so as to improve your experience; and
  5. to provide third parties with anonymised statistical information about our users.

Information provided by third parties

Third parties who use our services may provide us with your name and contact details in relation to their use of our services. We will use such data to ask you to create an account with us so that we can provide our services to you and such third parties.

For Insurance Services

When you request a quote

We collect personal information from you when you request a quote for our products  or services through the services. We ask you to provide information about yourself and the insurable risk.

When you make a purchase

We collect personal information from you when you make a purchase on the services. To make a purchase through the services, we ask individuals to provide us with their full name, contact details (for example postal address, telephone number, email address), banking information (for example bank name, sort code, account number), date of birth and communication preferences.

When you create an account

We collect personal information from you when you create an account on the services. To create an account on the services, we ask users to provide us with their full name, contact details (for example – email address), date of birth, security questions (for example your mother’s maiden name), password and communication preferences. We will also collect your IP address.

When you submit a payment

We collect personal information from you when you make a payment (for example an excess payment). We ask you to provide ss with payment details: cardholder name, payment or debit card number, CVC, and expiry date.

When you communicate with us or contact us for customer support

When you contact our customer support team through the chat function on our websites or when you call Us (for example, when you enquire about the status of your account or claim), we will collect information that you provide to us in your communications (such as the query or issue that you have raised, information relating to your device, information relating to your existing policy if you are communicating with us about a claim, or payment card information if you are communicating with us about premium payment). We will also collect your responses to surveys about our products and services and the services, if you choose to participate.

When you access the services

We collect information about devices used to access our services and functionalities of the services (such as the chat function). This includes IP address, operating system and version, browser used and version, language preferences, time zone, screen settings and site visited before arriving on our websites. Additionally, we use cookies and similar technologies such as web beacons to collect information about how you use and navigate our services (for example, the pages that you view and links that you click). We use cookies to help us recognise you, improve your experience, increase security, and measure use and effectiveness of our services. For more information on our use of cookies please refer to the ”Cookies and similar tracking technologies” section below, or visit the “Cookie Notice” on our websites.

Purposes and Legal Basis for the Processing of your Personal Information

Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.

To undertake a tenant or a guarantor reference please refer to the table below for further details on the legal basis of our processing activities.

Subjects Purpose or Activity Data Category Legal Basis Of Processing Our responsibility
Agents Customer Account Management Identity data

Contact data

Financial data

Platform Activity data

Transaction data

Performance of a contract Controller
All users Analytics Identity data

Contact data

Transaction data

Platform Activity data

Financial data

Performance of a contract Controller
Agents New business activities Identity data

Contact data

Financial data

Platform Activity data

Transaction data

Marketing and Communications data

Performance of a contract Controller
All users Digital Marketing Identity data

Contact data

Consent Controller
Tenants Providing Switching and Change of Occupancy Service Identity data

Contact data

Financial data

Transaction data

Legitimate interests Controller
All users Providing tenancy referencing, insurance, tenancy services and other services Identity data

Contact data

Financial data

Platform Activity data

Transaction data

Performance of a contract Controller
All users Internal Accounting Identity data

Contact data

Financial data

Transaction data

Performance of a contract Controller
All users Facilitating completion of tenancy agreements Identity data

Contact data

Technical data

Financial data

Transaction data

Performance of a contract Processor
All users Communicating with law enforcement and regulatory bodies Identity data

Contact data

Platform Activity data

Financial data

Transaction data

Performance of a contract Controller

For Insurance Services

To fulfil an insurance contract, or take steps linked to a contract: this is relevant where you have entered into, or are taking steps to enter into, an insurance contract with us, or where you submit a claim. This includes:

  • providing you with a quote;
  • providing the Service or amending the services at your request;
  • verifying your identity;
  • processing your claim;
  • taking payment from you;
  • making reimbursement payments to you; and
  • communicating with you.

As required by us to conduct our business and pursue our legitimate interests, in particular:

  • We will use your personal information to provide the services and other products and services that you have requested, to communicate with you and to respond to any comments, queries or complaints you may send us;
  • We monitor use of the services and use your personal information to help us to track and analyse preferences and trends, evaluate possible new features, functionality and services, and improve our services.
  • We use personal information to help us recognise you on the services, improve your experience, increase security of our networks and systems, and measure use and effectiveness of our services.
  • We use personal information you provide to investigate complaints received from you or from others, about the services or our products and services. We also use this personal information to track potential issues (for example, issues with fulfilment of services) and trends to better serve you;
  • We use personal information to make decisions about, and to effect, reorganisations or sales of all or part of our business;
  • We monitor customer accounts to prevent, investigate and/or report fraud, misrepresentation, or crime, in accordance with applicable Law;
  • We will use personal information in connection with legal claims (for example, relating to denial of an insurance claim), compliance, regulatory and investigative purposes (for example, theft and fraud investigations) as necessary (including disclosure of such information in connection with legal process or litigation);
  • We use personal information of some individuals to invite them to take part in market research and customer surveys; and
  • We use personal information to send you information about Lettings in a box and Quodex Limited or Infinity Risks Limited products and services, such as customer experience surveys (where your consent is not required).

Where you give us consent:

  • We place cookies and use similar technologies in accordance with our “Cookie Policy” and the information provided to you when those technologies are used;
  • We use personal Information to send you information about our products and services, special offers and similar (where your consent is required); and
  • On other occasions where we ask you for consent, we will use the data for the purpose which we explain at that time.

For purposes which are required by law:

  • In response to requests by government or law enforcement authorities conducting an investigation; and
  • Responding to complaints where we are under a legal or regulatory obligation to adhere to a complaints handling procedure.

Relying on our legitimate interests

We have carried out balancing tests for all the data processing we carry out on the basis of our legitimate interests, which we have described above. You can obtain information on any of our balancing tests by contacting us.

Withdrawing consent

Wherever We rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes, such as those set out above. Where you have given us your consent, you can withdraw it by using the mechanism described to you at the time that your consent was obtained, or by contacting us.

Automated Decision Taking

In certain circumstances, decisions about you will be taken by solely automated means:

Providing you with a quote: where you request a quote from us for an insurance policy, information such as your current level of cover and to determine whether the requested changes can be made to your policy and, if so, whether an additional premium is necessary. The consequences of this automated decision taking will be that you are either denied from making the requested change, are permitted to make the requested change with a charge or are permitted to make the requested change with no charge. If you do not agree with the result of a decision taken by solely automated means, you can request human review of the decision, express your point of view, and obtain an explanation of the decision and challenge it. If you wish to do so, please contact us.

Disclosure of Personal Information

Other than as expressly set out in this notice or as otherwise required or permitted by law, we will not share, sell or distribute any of your personal information without your consent.

We may disclose your personal information to the following categories of recipients:

  • to the relevant tenant, landlord and/or agent, as appropriate, who you contract with, you refer or you guarantee for via the services;
  • third party providers of services you request via the services such as insurance providers (for rent protection insurance and contents insurance services), utility providers (for utility switching services). These service providers shall act as a controller of your personal information and you should consult their privacy policies for details regarding how they will process your personal information;
  • where you are a tenant, to local authorities in relation to change of occupancy services provided on behalf of the agent responsible for the property you are renting;
  • third party service providers and partners who provide data processing services to us (including operating this website and in relation to our services, e.g. to verify your identity, to contact you on our behalf), or who otherwise process personal information on our behalf for purposes that are described in this privacy notice or notified to you when we collect your personal information;
  • our third party analytics partners to analyse website traffic and understand customer needs and trends;
  • our third party advertising partners to advertise products to you on third party sites which are tailored to meet your preferences and likely interests;
  • to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary;
  • as a matter of applicable law or regulation;
  • to exercise, establish or defend our legal rights;
  • to protect your vital interests or those of any other person; or
  • as otherwise required or allowed under applicable law.
    • to an actual or potential buyer (and its agents and advisers) in connection with any actual or proposed purchase, merger or acquisition of a business unit, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this Privacy Notice;
    • to any other person with your consent to the disclosure.

Please refer to the table below for further details on who we disclose your information to:

Recipient Type Reason
Lettings in a box (and companies) We may share your information with our affiliates and subsidiaries to enable you to benefit from services offered by them.
Original introducing parties If you have been indirectly introduced to the Lettings in a box portal, we may need to report back to the original introducer to provide them with an update on the outcome of your use of our service.
External suppliers Where specialist firms are employed by Lettings in a box to facilitate provision of our services, it may be necessary to share your personal information for example an email address in order to respond to your queries.
Insurance Partners Where insurance is purchased as part of a tenancy processed by us, it may be necessary to share information with our insurance partners in order to meet eligibility criteria and facilitate setting up of policies.
Property Management Software Partners We may share information with the property management software suppliers of lettings agents to enable integration between Lettings in a box and these platforms.
Utility Suppliers and Local Councils If we assist you with switching utilities or council tax, we will need to share your contact details and details about your new property to facilitate processing of applications or set-up of relevant accounts with utilities providers (including our preferred energy supplier) and local councils.
Tenant Offer Providers If you enquire about or purchase additional services such as broadband, gadget rental, or removal services during your tenant journey, we will need to share your information with the relevant providers
Credit reference and Fraud Prevention agencies When providing our referencing service, we will need to approach credit reference agencies to gather information on your credit history in order to provide a referencing report.
Deposit Protection Schemes Where we facilitate registration of security deposits for tenancies, we may share your information required by Deposit Protection Schemes to do this.
Regulators and Ombudsman Services Sharing information with regulatory or law enforcement bodies and ombudsman services may be a requirement if requested and required to fulfil any legal obligation we have. This may include the ICO, FCA, and Financial Ombudsman Service.

Disclosure to our affiliates

We will disclose your personal information to other companies for the purpose of performing tasks that directly relate to the provision of the services. For example, we may share your information with our affiliates to service your account or claim.

Disclosure to our service providers and partners

We employ third party companies and individuals to facilitate the services (in particular, third parties assist us with customer support, the customer chat function on our website, communications, audit, application or database hosting, development, logistics, payment processing, other insurance products (for example, reinsurers), and fraud detection and prevention. These third parties have limited access to your personal information to perform these tasks on our behalf and are obligated to us. The personnel of such third parties who use your personal information is limited to those individuals which are authorised to do so on a need-to-know basis and as necessary to provide these business services to us. To fulfil your service your account or claim, we may share your name, contact details (including postal address, email address and mobile number). We do not authorise such third parties to disclose or use this personal information for other purposes.

Disclosure to public authorities

We may disclose your personal information if required for the purposes above, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable Law.

Other categories of recipients

We may also disclose your personal information, usage information, and other information about you to parties acquiring part or all of our assets, as well as to attorneys and consultants. Also, if any bankruptcy or reorganisation proceeding is brought by or against us, your personal information may be considered a company asset that may be sold or transferred to third parties.

Where your Data is Processed

In providing the services, personal information may be transferred to, and processed in, countries where data protection and privacy regulations do not offer the same level of protection as the European Economic Area (“EEA”) and other parts of the world.

Sharing personal information with our affiliates involves transfers outside the EEA to the US. For example, if we share your data with other companies to service your account, that data will be processed by our affiliates.

Sharing personal information with our service providers and partners may also involve transfers outside the EEA, to the US. For example, if we share your data with Apple Distribution International, that data will be processed and managed by Apple, Inc. which is located in the United States. Similarly, if you use the chat function available on our websites, your personal information is transferred to our service providers in the US and India.

Where personal information is transferred outside the EEA to a country that is not subject to an adequacy decision by the EU Commission, it is adequately protected by European Commission approved Standard Contractual Clauses, an appropriate Privacy Shield certification or a vendor’s Processor Binding Corporate Rules. To obtain a copy of the relevant transfer mechanism or additional information on the transfers, please address these requests to us.

Your Choices and Rights

In some countries, you have the right to request access to, correction of, and deletion of your personal information, and to restrict the processing of your personal information, under applicable law. You also have the right to request a structured commonly-used and machine-readable copy of personal information that you have provided to us for a contract or with your consent, and to ask us to transmit (port) this personal information to another controller.

You may also object to our processing of personal information in certain circumstances, in particular, where we don’t need to process the information to meet a contractual or other legal requirement, or where we are using the data for customer experience surveying purposes.

We may not always be able to comply with your request to delete personal information for specific legal reasons which will be notified to you, if applicable, at the time of your request.

You can exercise any of your rights, or obtain other information, such as a copy of a legitimate interests balancing test, by contacting us. In order to safeguard your personal information from unauthorised access, we may ask that you provide sufficient information to identify yourself prior to providing access to your personal information.

In certain situations, and subject to applicable law, we may not be able or obliged to comply with part or all of your individual requests. For example, we may not comply with an access request if doing so would reveal personal information about another person, or comply with a deletion request relating to information which we are required by law to keep or have compelling legitimate interests in keeping. Please note that we have the right to refuse requests which are manifestly unfounded or excessive (for example, due to their repetitive character). Relevant exemptions are included in both the GDPR and in the Data Protection Act 2018. We will inform you of relevant exemptions we rely upon when responding to any request you make.

If you have unresolved concerns, you have the right to complain to an EU data protection authority (‘supervisory authority’) where you live, work or where you believe a breach may have occurred.

To provide certain parts of the services (for example purchasing a product,
creating an account and making payment), the provision of personal information is mandatory: If relevant data is not provided, then we will not be able to provide certain parts of the services. All other provision of your information is optional. If you do not wish to provide optional information, then your experience on our websites may be less personalised.

Communications from Us

We communicate with you through email, SMS, telephone and the services. We will send you service-related communications, marketing and promotional messages (with your consent if required) customer satisfaction and market research surveys.

You can change your email, SMS and telephone contact preferences by contacting us.

Opting Out:

You may opt out of receiving marketing and promotional messages from us by using the opt out link in emails sent by us or by replying “Stop” to text messages sent by Us to you or contacting us.  We will request your consent prior to sending you marketing and promotional messages, where required.

Please be aware that you cannot opt-out of receiving service-related messages from us.

Data Retention

We retain personal information you provide as needed to provide the services.

We may retain your personal information if retention is reasonably necessary to comply with our legal obligations, meet regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce this notice and our websites terms and conditions.

We may retain personal information for a limited period of time if requested by law enforcement.

We may retain information for as long as is necessary to provide support-related reporting and trend analysis only, but we generally delete or de-personalise transaction-related data consistent with this notice for up to 6 months after your transaction has been completed.

Once personal information is anonymised, we may retain and use such information.

We maintain logs and backups for security, debugging, and site stability purposes for up to 6 months after your transaction has been completed.

We typically delete logs and other backup information through the deletion process within 6 months of your last activity, except as noted herein.

Where we process registration data, we do this for as long as you are an active user of our websites and for 6 years after this.

Where we process personal information in connection with performing a contract, we keep the data for 6 years from your last interaction with us.

We also retain communications that you send to Us (for example, via email and the chat functionality) for 6 years.

Transcripts of communications sent via the chat functionality on our website are stored for 12 months.

Information Security

We have implemented safeguards designed to protect your personal information in accordance with industry standards.

We have measures in place to restrict access to personal information to those individuals whom We know have a valid business purpose to have access to such data.

We maintain physical, electronic and procedural safeguards.

We follow generally accepted standards designed to protect the personal information submitted to us, both during transmission and once we receive it.

We require those who provide services for us and to whom we provide personal information collected through the services to keep such information secure and confidential.

However, no method of transmission over the Internet or method of electronic storage is totally secure. Therefore, we cannot guarantee its absolute security.

You are responsible for keeping your password and user details confidential. Nobody at Lettings in a box will ever ask you for your password so do not to share this with anyone.

Important Information

Minimum age

We do not knowingly collect personal information from anyone under the age of 18. You must be at least 18 years of age to use the services.

Changes to this Notice

We may update this notice from time to time. If we make any material changes to our notice, we may notify you by email or by means of a notice through the services, or by other means prior to the change becoming effective, so that you may review the changes before you continue to use the services. Please review changes carefully.

Contact Us

For customer enquiries, please contact us at Lettings in a box, 10 Guildhall Street, Grantham, Lincolnshire NG31 6NJ or by calling us.

We welcome your questions or comments regarding this notice. Please write to us at Data Protection Officer, Lettings in a box, 10 Guildhall Street, Grantham, Lincolnshire NG31 6NJ, or by calling us or send Us an email at

Third-Party Website and Portals

Our websites and services may contain links to other websites belonging to or operated by third parties. By making these links available, we are not endorsing third-party websites, their content, products, services or the owners of these third-party websites. It is your responsibility to make sure that you obtain any information which may be relevant to making a decision, and that you read the privacy and security policy on such third-party websites.

Last Updated January 2023