EHQ Brain

GDPR & Compliance

2 min read

GDPR & Compliance

Status: Draft Owner: @bilal @deen Last Updated: 2026-02-15

GDPR Requirements

Personal Data Held

TableFieldsLawful Basis
usersemail, full_name, phoneContract (user signed up)
tenantsname, phone, emailLegitimate interest (landlord’s tenant)
vendorsname, phone, emailContract (vendor relationship)
conversationsmessage content, phoneLegitimate interest + consent
messagescontent, media_urlLegitimate interest + consent

Data Subject Rights

RightImplementationStatus
Right to accessExport tenant data on requestNot implemented
Right to erasureDelete/anonymise tenant dataSoft delete exists, full erasure TBD
Right to rectificationUpdate personal dataVia dashboard
Right to portabilityExport in machine-readable formatNot implemented

Deletion Flow

Contact: gdpr@ehq.tech (not yet set up — see Domain & Email Setup)

Process (to be implemented):

  1. Receive deletion request
  2. Verify identity
  3. Anonymise tenant record (replace PII with [REDACTED])
  4. Retain anonymised conversation data for regulatory compliance
  5. Confirm deletion to requester within 30 days

Data Retention

DataFullSummaryMetadata
Conversations1 year3 years7 years
Audio recordings1 yearN/A7 years
Media attachments1 yearN/A7 years
ChannelMethod
Voice”This call may be recorded…” at start
WhatsAppFirst message includes consent notice
ChatConsent in onboarding / first interaction

UK Housing Regulations

Compliance documents tracked per property:

  • Gas Safety Certificate (annual)
  • EPC (10 years)
  • EICR (5 years)
  • HMO License (5 years)
  • Fire Risk Assessment
  • Legionella Assessment

Envo tracks expiry dates and alerts landlords before documents expire (30-day default).

Security Compliance (Future)

  • SOC2 readiness (Drata/Immuta)
  • OWASP scanning
  • Penetration testing
  • Privacy policy for ehq.tech
  • Terms of service

See also: Security, Data Model

Graph View

Backlinks