Privacy Policy

1. About This Policy

We at Res:Harmonics (LMM Consulting Limited trading as Res:Harmonics, and our affiliates) are committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect personal information when you interact with us.

This Privacy Policy applies to:

• Our website at www.resharmonics.com (the “Website”).
• Our subscription software-as-a-service platform (the “Subscription Service”).
• Any associated mobile applications (the “Mobile Apps”).
• Our sales, marketing, and business operations.

We may update this Privacy Policy from time to time. If you subscribe to the Subscription Service, we will notify you of material changes by email. We encourage you to review this page periodically. Your continued use of our services following any update constitutes acceptance of the revised policy.

2. Who We Are (Data Controller)

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller for information collected through the Website and our own business operations is:

LMM Consulting Limited t/a Res:Harmonics

10x by Spacemade, 10 Brindleyplace
Birmingham, B1 2JB
United Kingdom

Data Protection Contact: privacy@resharmonics.com

Information Security Officer: Giles Horwitch-Smith

3. When We Are a Controller and When We Are a Processor

3.1 resharmonics as Data Controller

We act as data controller when we collect and process personal information for our own purposes — for example, when you visit our Website, enquire about our services, or enter into a contract with us. Sections 4–12 of this policy describe our controller processing activities.

3.2 resharmonics as Data Processor

Our Subscription Service enables property operators (our “Customers”) to manage serviced apartments, co-living spaces, and other residential properties. When our Customers use the Subscription Service to collect and manage personal data about their guests, bookers, and property owners, we process that data on their behalf as a data processor.

That data belongs to our Customers. It is collected, used, disclosed, and protected under each Customer’s own privacy policy, not this one. Our processing of Customer data is governed by the data processing agreement (“DPA”) we enter into with each Customer.

If you are a guest, booker, or end user of one of our Customers and have questions about how your personal data is handled, please contact the Customer (the property operator) directly. We have no direct relationship with individuals whose personal data we process on behalf of our Customers and can only act on their instructions.

Our Customers are contractually prohibited from using the Subscription Service to collect Sensitive Information (as defined in Section 5 below).

4. Information We Collect as a Controller

4.1 Information You Provide to Us

• Contact and identity data: your name, email address, company name, postal address, and telephone number, provided when you register for an account, request a demo, or contact us.
• Payment data: credit or debit card details and billing information, collected when you subscribe to the Subscription Service. Payment processing is handled by our PCI DSS Level 1 compliant payment processor (Stripe). We do not store card details; they are tokenised by Stripe.
• Communications data: the content of emails, form submissions, or support queries you send to us.
• Marketing preferences: your preferences for receiving marketing communications and your communication history with us.

4.2 Information We Collect Automatically

• Navigational data: your IP address, browser type, operating system, referral source, pages viewed, clickstream data, session duration, and geographical location.
• Cookie and tracking data: identifiers set by cookies, web beacons (clear GIFs), and similar technologies. See Section 10 (Cookies) for details.
• Mobile app data: if you use our Mobile Apps, we may collect your city-level location, device model and OS version, device identifier, and in-app usage data using mobile analytics software.

4.3 Information from Third-Party Sources

• Single sign-on (SSO): if you log in using Google SSO, we receive your name and email address to pre-populate your account.
• Publicly available information: we may supplement your information with data from public sources (e.g. LinkedIn, Companies House) to support our sales and marketing activities.

5. Sensitive Information

“Sensitive Information” means personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, health data, sex life or sexual orientation, genetic or biometric data, and criminal convictions. It also includes financial account numbers, national insurance numbers, passport numbers, and driving licence numbers.

We do not knowingly collect Sensitive Information through the Website or the Subscription Service. Our agreements with Customers prohibit them from collecting Sensitive Information using the Subscription Service.

6. How and Why We Use Your Information (Lawful Basis)

Under the UK GDPR, we must have a lawful basis for each processing activity. The following sets out the purposes for which we process your personal data and the lawful basis we rely on in each case.

6.1 Providing and administering the Subscription Service

Data used: Contact, identity, payment, and communications data

Lawful basis: Performance of a contract (Art. 6(1)(b))

6.2 Responding to enquiries and providing customer support

Data used: Contact, identity, and communications data

Lawful basis: Performance of a contract / legitimate interests

6.3 Processing payments

Data used: Payment data (tokenised via Stripe)

Lawful basis: Performance of a contract (Art. 6(1)(b))

6.4 Sending transactional emails (e.g. invoices, service updates)

Data used: Contact data

Lawful basis: Performance of a contract (Art. 6(1)(b))

6.5 Direct marketing (newsletters, product updates, event invitations)

Data used: Contact data, marketing preferences

Lawful basis: Consent (Art. 6(1)(a)) — you may withdraw consent at any time

6.6 Website analytics and improvement

Data used: Navigational data, cookie data

Lawful basis: Legitimate interests (Art. 6(1)(f)) for essential analytics; consent for non-essential cookies

6.7 Detecting and preventing fraud and security threats

Data used: Navigational data, access logs, contact data

Lawful basis: Legitimate interests (Art. 6(1)(f))

6.8 Complying with legal and regulatory obligations

Data used: As required by the specific obligation

Lawful basis: Legal obligation (Art. 6(1)(c))

6.9 Recruitment and employment

Data used: Candidate and employee data

Lawful basis: Performance of a contract; legitimate interests; legal obligation (as applicable)

6.10 Legitimate interests

Where we rely on legitimate interests, we have carried out a balancing assessment to ensure that our interests do not override your fundamental rights and freedoms. You may contact us at privacy@resharmonics.com to request details of these assessments.

7. Who We Share Your Information With

7.1 We Never Sell Your Personal Information

We will never sell your personal information to any third party.

7.2 Sub-Processors and Service Providers

We share personal data with third-party service providers (“sub-processors”) who help us operate our business. Each sub-processor is bound by a data processing agreement that requires them to process personal data only on our instructions and to maintain appropriate security measures.

Our current sub-processors are available to customer, please contact privacy@resharmonics.com

We will notify Subscription Service customers in advance of any change to this sub-processor list, in accordance with our DPA.

7.3 Other Disclosures

We may also share personal data in the following circumstances:

• Legal compliance: where required to comply with applicable law, court order, or legal process.
• Protection of rights: where necessary to protect our rights, your safety or the safety of others, or to investigate fraud.
• Corporate transactions: in connection with a merger, acquisition, or sale of all or a portion of our assets. You will be notified via email and/or a prominent notice on our Website of any change in ownership or use of your personal information.
• Statistical information: we may share aggregated, anonymised statistical data that cannot identify any individual.

8. International Transfers of Personal Data

Our primary infrastructure is hosted in AWS’s UK/EU regions. However, some of our sub-processors are based in the United States or other countries outside the UK and European Economic Area (EEA).

Where we transfer personal data outside the UK or EEA, we ensure that appropriate safeguards are in place, including:

• Adequacy decisions: transfers to countries that the UK Secretary of State or European Commission has determined provide an adequate level of data protection.
• Standard Contractual Clauses (SCCs): we enter into the UK International Data Transfer Agreement (IDTA) or EU SCCs (as applicable) with sub-processors located in countries without an adequacy decision.
• Supplementary measures: where required by the transfer risk assessment, we implement additional technical or organisational safeguards (e.g. encryption in transit and at rest, access controls, pseudonymisation).

You may request a copy of the relevant transfer safeguards by contacting us at privacy@resharmonics.com.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The retention periods below apply to data we hold as a controller:

Customer account and contract data

Duration of contract + 6 years

Limitation Act 1980; contractual obligations

Billing and payment records

6 years from transaction date

HMRC requirements; Companies Act 2006

Marketing contact data

Until consent withdrawn or 24 months of inactivity

Consent / legitimate interests

Website analytics and cookie data

Up to 26 months

Analytics retention settings

Support correspondence

Duration of contract + 2 years

Contractual and service improvement purposes

Recruitment candidate data

6 months from decision (unless consent to retain longer)

Legitimate interests; Equality Act 2010

Employee records

Duration of employment + 6 years

Employment law; HMRC; pension obligations

Security and access logs

Minimum 12 months

Information security and legal compliance

Policy documentation

6 years from supersession

Regulatory and audit requirements

Customer data held as processor

Retention of data processed on behalf of our Customers is governed by each Customer’s DPA. Upon termination of a Customer’s subscription, we will provide a data export and securely delete Customer data in accordance with the agreed timeline.

10. Cookies and Tracking Technologies

10.1 What Are Cookies?

Cookies are small text files placed on your device when you visit a website. We use cookies and similar technologies (web beacons, clear GIFs, and local storage) to operate and improve our Website and Subscription Service.

10.2 Types of Cookies We Use

• Strictly necessary cookies: required for the Website and Subscription Service to function (e.g. session management, authentication). These do not require consent.
• Analytics cookies: help us understand how visitors use the Website (e.g. pages visited, session duration). We use these to improve our services.
• Marketing cookies: used to deliver relevant advertisements and measure campaign effectiveness.

10.3 Your Cookie Choices

When you first visit our Website, you will be presented with a cookie consent banner that allows you to accept or reject non-essential cookies. You can change your preferences at any time by clicking the “Cookie Settings” link in the Website footer or by adjusting your browser settings.

Please note that disabling certain cookies may affect the functionality of the Website or Subscription Service.

10.4 Web Beacons

We use web beacons (clear GIFs) in some of our HTML emails to track whether emails have been opened and which links have been clicked. You can opt out of email tracking by unsubscribing from our marketing communications (see Section 12).

10.5 Third-Party Cookies

Our Customers may use third-party cookies or tracking technologies on pages hosted via the Subscription Service. We do not control our Customers’ use of these technologies; they are governed by each Customer’s own privacy and cookie policies.

11. Your Rights Under Data Protection Law

Under the UK GDPR, you have the following rights in relation to your personal data:

• Right of access: you may request a copy of the personal data we hold about you.
• Right to rectification: you may request that we correct inaccurate or incomplete personal data.
• Right to erasure (“right to be forgotten”): you may request that we delete your personal data where there is no compelling reason for its continued processing.
• Right to restriction of processing: you may request that we restrict the processing of your personal data in certain circumstances (e.g. while we verify the accuracy of your data).
• Right to data portability: you may request a copy of your personal data in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller.
• Right to object: you may object to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
• Right to withdraw consent: where we rely on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Rights related to automated decision-making: we do not currently make decisions based solely on automated processing that produce legal effects or similarly significant effects on you. If this changes, we will update this policy.

To exercise any of these rights, please contact us at privacy@resharmonics.com or write to: LMM Consulting Limited t/a Res:Harmonics, 10x by Spacemade, 10 Brindleyplace, Birmingham, B1 2JB. We will respond within one month. In complex cases, we may extend this by up to two further months, and we will inform you if this is necessary.

11.1 Right to Lodge a Complaint

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office

Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
United Kingdom

Website: https://ico.org.uk

Helpline: 0303 123 1113

If you are located in the EEA, you may also lodge a complaint with the supervisory authority in your country of residence.

12. Opting Out and Unsubscribing

12.1 Marketing Communications

You may unsubscribe from our marketing emails at any time by clicking the “unsubscribe” link at the bottom of any marketing email, or by contacting us at privacy@resharmonics.com. Please note that you cannot opt out of transactional emails related to your Subscription Service account (e.g. invoices, security notifications, service changes).

12.2 Our Customers’ Communications

We cannot unsubscribe you from communications sent by our Customers. Please contact the relevant Customer directly or use the unsubscribe mechanism in their emails.

13. Security of Your Personal Data

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it, including:

• Encryption of data at rest and in transit (TLS 1.2 minimum).
• Role-based access controls and the principle of least privilege.
• Multi-factor authentication for access to critical systems.
• Regular vulnerability scanning and penetration testing.
• Endpoint protection (antivirus, full-disk encryption, MDM).
• Employee security awareness training.
• Incident detection, response, and notification procedures.

We are pursuing ISO 27001:2022 certification and maintain a comprehensive Information Security Management System (ISMS). Further details are available upon request.

If you have questions about the security of your personal data, please contact us at privacy@resharmonics.com.

14. Children’s Data

Our Website and Subscription Service are not intended for or directed at children under the age of 13 (or 16 in jurisdictions where a higher age threshold applies). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@resharmonics.com so that we can delete it promptly.

15. Third-Party Websites and Social Media

Our Website may contain links to third-party websites and social media features (e.g. LinkedIn, Facebook, Twitter). We do not control these third-party services and are not responsible for their privacy practices. This Privacy Policy does not apply to those services; please review their respective privacy policies.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email to Subscription Service customers and posted on this page. We recommend reviewing this policy periodically.

This policy is published at: https://www.resharmonics.com/privacy-policy

17. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a concern about how we handle personal data, please contact us:

Email: privacy@resharmonics.com

Post: LMM Consulting Limited t/a Res:Harmonics
10x by Spacemade, 10 Brindleyplace
Birmingham, B1 2JB
United Kingdom

Phone: +44 121 295 1310

‍