GDPR Statement

Communicating Privacy Information

This is what information we have to provide about personal data processing – it must be:

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

”As the ICO puts it when discussing the GDPR, “being transparent by providing a privacy notice is an important part of fair processing. You can’t be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect.”

The guidelines refer to the information we should provide as it is changing, too. The lawful basis for the data processing, how long we will keep the data for, the user’s right to complain –

The following questions will be considered within our privacy notice:

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?

The aim of our policy is to collate any personal information, all information will be kept secure



1.1 We take the privacy and protection of personal information very seriously. This Privacy Policy sets out details about how we gather, use, and share personal information and about individual privacy rights. How we use personal information depends upon the context in which it is made available to us.

1.2 This Privacy Policy provides up to date information about how we use personal information and will update any previous information we have published about using personal information. We may make minor updates to this Privacy Policy from time to time, however if we make any material changes to the way we process and use your personal information, we will announce this clearly on our website.



2.1 Theori Housing Management Services Limited will be what’s known as the ‘Controller’ ” of the personal information which you provide to us and we use.  When we say “we” or “us” in this Privacy Policy, we mean Theori.



3.1 We use a variety of personal information depending on the circumstances under which personal information is made available to us.

3.2 We may use personal information in the following circumstances:

(a) Business Contacts: We hold the names, job titles, employer details and professional contact details for various business contacts, including but not limited to; client contacts, supplier contacts and interested parties who have contacted us via our website;

(b) Clients:

While providing our normal services, we may collect and use personal information of individuals that work for our clients or are customers of our clients. This can include names, contact details and other information about an individual.

(c) Job Applicants: Where you apply for a role with us, we will process the personal information you provide to us as part of your application and any interview selection process. This will ordinarily include your name, personal contact details, professional history, education and qualifications and references. We may also collect and use some special categories of personal data about job applicants, such as information about an applicant’s racial or ethnic origin and some health information regarding any medical conditions or disabilities.

(d) We need to know your basic personal data in order to provide you with on-going organisational updates and information in line with this overall contract. We will not collect any personal data from you we do not need in order to provide and oversee this service to you.



4.1 We only use personal information which we have obtained directly for the purposes described in this Privacy Policy.

4.2 Personal Information is gathered in the following ways:

(a) Business Contacts: These may be collected through forms on our website, during normal business correspondence with those contacts;

(b) Clients:

Services: We may collect personal information held by our clients while carrying out our services. Personal information could be included in documentation we are required to assess as part of our services, and will normally be made available to us by our clients; and

(c) Consultants and Job Applicants: Personal information will be gathered directly from you or from your third-party references.



5.1 We will use personal information for the following purposes:

(a) Business Contacts: We process the personal information of our business contacts as necessary for the legitimate interests of managing the day-to-day operation of our business, including correspondence, engaging suppliers, and promoting our services to business contacts (this could be to arrange a property inspection, GAS SAFE, Electrical inspections etc;

(b) Clients:

Tenants: We process the personal information of individuals (including all those who reside within the property) in the course of carrying out our services in accordance with legal, regulatory and contractual obligations (Local Authorities) which govern how our services are to be conducted. Such processing is also required for the legitimate interests of our clients.

(c) Job Applicants: We process the personal information of job applicants for the legitimate interests of determining whether or not to employ a particular individual for a role in our organisation. Where we decide to employ a job applicant, we process their personal information for the purposes of entering into and performing our employment contract with the applicant. We process racial and ethnic origin and health information of job applicants for the purposes of meeting our legal obligations under employment and similar laws.

(d) We would however like to use your name and email address and specific identification documents for applying only for a DBS application. Theori employees must have a valid DBS during your employment as a requirement requested by our business partners during your employment. This information is not shared with third purposes

5.2 If we are not provided with access to personal information for the purposes outlined in this policy, we may not be able to offer or provider certain services.



6.1 We will never retain personal information for any longer than is necessary for the purposes we need to use it for.

6.2 Generally, in respect of personal information gather in the context of a contract, we will retain personal information for the duration of the contract and a period of up to six years after the contract has expired or terminated, in case such personal information is required for the exercise or defence of a legal claim during this period.

(a) We are required under UK tax law to keep your basic personal data (name, address, contact details) Your information will be kept secured. Retention period for your information will be minimum of six years and indefinite for existing employee.

6.3 We may also retain personal information for as long as required by law or regulation or instruction of a relevant accreditation body.

6.4 Unsuccessful job applicant information is retained for a period of 6 months after the position has been filled.

6.5 We will retain the personal information of suppliers and business contacts until they ask to be removed from our database or the information is no longer required.



7.1 We only share personal information with third parties:

(a) to the extent necessary for fulfilling the purposes outlined above, including where necessary for the provision of services;

(b) where we are under a legal or contractual obligation to do so; or

(c) where is it fair and reasonable for us to do so in the circumstances.

7.2 We may share personal information with the following third parties:

(a) Suppliers: We use several different suppliers, including IT suppliers, payment processors and consultants, with whom we share personal information so that these suppliers can process personal information on our behalf.  In these circumstances, we take steps required by data protection laws to ensure that these suppliers protect the personal information we share with them;


(b) All the personal data we process is processed by our staff in the UK however for the purposes of IT hosting and maintenance this information is located on servers and back up hard drives externally from our main office. No 3rd parties have access to your personal data unless the law allows them to do so.

We have a Data Protection regime in place to oversee the effective and secure processing of your personal data. More information on this framework can be provided on request.

(c) Accreditation Bodies (i.e. BSI): We may be required to share personal information with accreditation and regulatory bodies, who monitor certification and audit services to ensure that we are compliant with their rules and requirements when awarding certifications; and

(d) Government bodies: law may require us to share personal information with government bodies and regulators.

(e) Local Authorities & Support Service: We may refer details with Local Authorities (placing authority) and relevant support services such as social workers etc.



8.1 We will only transfer your personal information outside the EEA where either:

(a) the transfer is to a country which the EU Commission has decided ensures an adequate level of protection of personal information; or

(b) we have put in place our own measures to ensure adequate security as required by data protection laws. These measures include ensuring that personal information is kept safe by carrying out security checks on our overseas partners and suppliers, backed by strong contractual undertakings approved by the EU Commission (known as EU standard contractual clauses). Some US partners and supplier may also be certified under the EU-US Privacy Shield which confirms they have appropriate measures in place to ensure the protection of personal information.



9.1 Individuals are entitled to exercise any of the following privacy rights in respect of our processing of personal information:

(a) Access: Individuals can request access to a copy of their personal information held by us, along with details of what personal information we use, why we use it, who we share it with, how long we keep it for and whether it has been used for any automated decision-making.

(b) Rectification: Individuals can ask us to change or complete any inaccurate or incomplete personal information held about them.

(c) Erasure: Individuals can ask us to delete their personal information where it is no longer necessary for us to use it, or where we have no legal basis for keeping it.

(d) Restriction: Individuals can ask us to restrict the personal information we use about them where we are not able to erase their personal information or where an individual has objected to our use of their personal information.

(e) Object: Individuals can object to our processing of their personal information.

(f) Portability: Individuals can ask us to provide them or a third party with some of the personal information we hold about them in a structured, commonly used, electronic format so it can be easily transferred.

(g) Withdraw Consent: Generally, we do not require consent to process personal information and so we do not ordinarily ask for consent to process personal information. However, where we do ask for consent to process personal information, individuals have the right to withdraw their consent at any time.

9.2 Please make all requests to exercise privacy rights via email

9.3 We are required to verify the identity of anyone requesting to exercise their privacy rights and we may ask individuals to provide valid identification documents when making a request to allow us to do this.

9.4 We will not make any charge for responding to any request from an individual exercising their privacy rights, and we will respond to any requests in accordance with our obligations under data protection laws.

9.5 Individuals can make a complaint about how we have used their personal information to us by contacting us as noted above, or to the ICO (



10.1 We use cookies to track your use of our website and pages accessible from our website.

10.2 A cookie is a small file which is sent to your browser and stored on your computer’s hard drive. Cookies help us understand and track your use of our websites and help us identify where we can improve the information and services provided via our website.

10.3 We use the following categories of cookies on our website:

10.4 If you would prefer to restrict, block or delete cookies from us and our third-party advertisers, or any other website, you can use your browser to do this. Each browser is different, so check the “Help” menu of your browser to learn how to change your cookie preferences. If you choose to disable all cookies we cannot guarantee the performance of our websites and some features may not work as expected