Legal & Compliance Checklist

Pre-work for Session 6 | Prepared: 2026-02-18


Summary (3 sentences for Danny)

Envo processes tenant personal data (names, phone numbers, addresses, conversation transcripts, voice recordings) through AI systems hosted in the US, which makes us a Data Processor under UK GDPR and triggers a stack of legal obligations before we can take a single pound from a customer. The absolute minimum to launch legally is: ICO registration (GBP 52/year), a UK GDPR-compliant Data Processing Agreement for landlord customers, a privacy policy covering both landlords and tenants, terms of service, and signed DPAs with every sub-processor that touches personal data (Anthropic, OpenAI, Twilio, Supabase). Total estimated cost to get legally launch-ready is realistically GBP 1,500-2,500 if we use templates where possible and a solicitor only for the DPA and T&Cs review (about GBP 5,650 at the top of every quoted range; see Cost Estimate); cutting corners on tenant data compliance is not optional given ICO fines of up to GBP 17.5 million or 4% of global turnover.


Why This Matters

Envo is not a simple SaaS tool. It sits at the intersection of three heavily regulated domains:

  1. Tenant personal data — We collect names, phone numbers, addresses, and full conversation transcripts (including voice recordings) from tenants who never signed up to our platform. They are not our customers — they are our customers’ tenants. This makes us a Data Processor handling data on behalf of landlords (the Data Controllers), and GDPR Article 28 mandates a formal Data Processing Agreement.

  2. AI processing of personal data — We send tenant conversations to Anthropic (US) and OpenAI (US) for LLM processing. This is an international transfer of personal data to a country for which the UK has no general adequacy decision (the UK-US Data Bridge covers only US organisations certified under the Data Privacy Framework). For every transfer not covered by the Data Bridge, the ICO requires a specific transfer mechanism (UK IDTA or UK Addendum to the EU SCCs) and a Transfer Risk Assessment.

  3. UK housing regulations — Awaab’s Law (effective October 2025) imposes fixed timeframes for hazard response in social housing, with extension to the private rented sector planned under the Renters’ Rights Act 2025. If Envo’s AI misclassifies an emergency or drops an issue, the landlord faces regulatory action — and may look to us for liability.

What is at risk:

  • ICO fines up to GBP 17.5 million or 4% of annual global turnover (whichever is higher) for GDPR breaches
  • Tenant compensation claims for data mishandling
  • Landlord claims if our AI causes regulatory non-compliance (missed emergency, lost issue)
  • Inability to sell to any landlord who does their due diligence (no DPA = no deal, especially with larger operators)
  • Personal exposure for directors (e.g. wrongful trading, regulatory failures) that stays uninsured unless the company holds appropriate D&O cover

Documents We Need Before First Customer

Must-Have (Launch Blockers)

| # | Document | What It Is | Who Needs It | Template Available? | Estimated Cost |
|---|---|---|---|---|---|
| 1 | ICO Registration | Legal requirement to register as a data controller/processor with the Information Commissioner’s Office | Envo Energy Ltd | N/A: online form at ico.org.uk | GBP 52/year (Tier 1) |
| 2 | Privacy Policy | Public-facing document explaining what personal data we collect, why, and how we process it. Must cover both landlord customers AND their tenants | Published on ehq.tech, linked from all channels | Yes: ICO template, getterms.io, Termly free generators | GBP 0 (DIY from template) to GBP 500 (solicitor review) |
| 3 | Terms of Service (T&Cs) | Contract between Envo and landlord customers covering service description, liability, payment, SLAs, acceptable use, termination | Every paying customer agrees on signup | Yes: Docue (GBP 35), CompactLaw (GBP 40), SprintLaw templates | GBP 40-100 (template) + GBP 500-1,000 (solicitor review recommended) |
| 4 | Data Processing Agreement (DPA) | GDPR Article 28 mandatory contract between Envo (Processor) and landlord customers (Controllers) defining how we process tenant data | Every landlord customer must sign (or accept online) | Yes: ICO guidance, GDPR.Direct free template, Promise Legal template | GBP 0 (free template) + GBP 500-1,500 (solicitor customisation strongly recommended) |
| 5 | Sub-processor DPAs | Signed DPAs with every third party that processes tenant personal data on our behalf | Envo internal compliance file | Provided by each vendor (see below) | GBP 0 (vendors provide their own) |
| 6 | Cookie Policy | Discloses use of cookies and tracking on ehq.tech and the tenant chat app | Published on ehq.tech | Yes: free generators (CookieScript, Termly) | GBP 0 |
| 7 | Acceptable Use Policy | Rules for how landlords may and may not use Envo (no harassment via AI, no discriminatory screening, etc.) | Part of T&Cs or separate document | Can be integrated into T&Cs | GBP 0 (included in T&Cs) |
| 8 | Data Retention Policy | Internal policy documenting what data we keep, for how long, and deletion procedures | Internal compliance; referenced in Privacy Policy and DPA | Already drafted in GDPR & Compliance doc; needs formalising | GBP 0 (DIY) |

Should-Have (Within 3 Months)

| # | Document | What It Is | Priority | Notes |
|---|---|---|---|---|
| 1 | Information Security Policy | Internal document covering access controls, encryption, incident response, staff training | High | Required for Enterprise sales and any SOC2/Cyber Essentials work. Basis already exists in Security.md; needs formalisation. |
| 2 | Data Breach Response Plan | Documented procedure for detecting, reporting (72-hour ICO notification), and remediating data breaches | High | GDPR Article 33 requires the controller to notify the ICO within 72 hours of becoming aware; as processor we must notify the landlord without undue delay (Article 33(2)), and our DPA commits us to 24 hours. We need a written plan before it happens, not during. |
| 3 | Professional Indemnity Insurance | Covers claims of negligence, errors, or omissions in our professional services | High | Enterprise customers will ask for proof. See Insurance section below. |
| 4 | Cyber Insurance | Covers costs of data breaches, ransomware, business interruption from cyber incidents | High | Increasingly expected by B2B customers. |
| 5 | Transfer Impact Assessments (TIAs) | Documented risk assessments for each international data transfer (Anthropic, OpenAI, Twilio) | High | Required under UK GDPR when relying on the UK IDTA or the UK Addendum to the SCCs. The ICO calls these Transfer Risk Assessments (TRAs) and publishes a TRA tool. |
| 6 | Legitimate Interest Assessments (LIAs) | Documented assessments for processing based on legitimate interest (tenant data, conversation data) | Medium | Required under GDPR Article 6(1)(f). For tenant data the LIA is the landlord’s (the controller’s) to make; we should prepare a model LIA they can adopt, and do our own for the processing where we are controller. ICO provides a template. Free to do ourselves. |
| 7 | DPIA (Data Protection Impact Assessment) | Formal assessment of risks from AI processing of tenant data at scale | Medium | Likely required under GDPR Article 35 because this is systematic processing of personal data using new technologies (AI). Formally the controller carries it out and Article 28(3)(f) obliges us to assist; in practice we should prepare one that landlords can adopt. ICO screening checklist available free. |
| 8 | AI Transparency Statement | Public statement explaining how AI is used in tenant communications, what decisions it makes, and how to challenge them | Medium | Good practice and likely required under forthcoming AI regulation. Builds trust with landlords and tenants. |
| 9 | Sub-processor List | Published list of all third parties processing data on our behalf, with notification mechanism for changes | Medium | GDPR Article 28(2): controllers must be informed of intended sub-processor changes and given the opportunity to object. Publish on ehq.tech. |

Nice-to-Have (6+ Months)

| # | Document | What It Is | When |
|---|---|---|---|
| 1 | Cyber Essentials Certification | UK government-backed security standard | Before targeting local authority or housing association customers |
| 2 | SOC2 Type I Report | Third-party audit of security controls | When targeting Enterprise customers with 200+ units |
| 3 | Modern Slavery Statement | Required for companies with turnover over GBP 36 million | Only if/when we reach that scale |
| 4 | Whistleblowing Policy | Internal reporting mechanism | When we have employees beyond the founding team |
| 5 | Business Continuity Plan | Documented plan for maintaining service during disasters | Before Enterprise SLA commitments |
| 6 | SaaS Escrow Agreement | Source code escrow for Enterprise customers | Only if Enterprise customers contractually require it |

GDPR Compliance

Our Role

Envo is a Data Processor. Landlords are the Data Controllers.

This is the critical distinction:

| | Data Controller (Landlord) | Data Processor (Envo) |
|---|---|---|
| Who decides | Why and how tenant data is processed | Processes data only on the controller’s instructions |
| Responsibility | Overall compliance, lawful basis, responding to tenant rights requests | Processing data securely, assisting the controller, reporting breaches |
| Legal basis | Must establish lawful basis for each processing activity | Does not need its own lawful basis (acts under controller’s instructions) |
| Example | Landlord decides to use Envo for tenant communication | Envo processes tenant messages as instructed by the landlord |

However, Envo is also a Data Controller for:

  • Our own customer data (landlord users: names, emails, payment details)
  • Website visitors and marketing data
  • Our own employee/contractor data

Implication: We need TWO privacy frameworks:

  1. As Processor — DPA with each landlord customer, sub-processor management, processing only on documented instructions
  2. As Controller — Our own privacy policy, lawful basis assessments, direct GDPR obligations for our customer data

What Personal Data We Process

| Data Type | Source | Purpose | Legal Basis (the landlord’s, as controller, for tenant and vendor data) | Retention |
|---|---|---|---|---|
| Tenant name | Landlord imports via CSV or dashboard | Identify tenant, match to conversations | Legitimate interest (landlord’s operational need) | Until tenant leaves property or landlord deletes |
| Tenant phone number (E.164) | Landlord imports; WhatsApp/voice intake | Receive and respond to tenant communications | Legitimate interest + contract performance (the tenancy) | Until tenant leaves property or landlord deletes |
| Tenant email | Landlord imports | Email notifications, chat app OTP login | Legitimate interest + contract performance (the tenancy) | Until tenant leaves property or landlord deletes |
| Conversation transcripts | Generated during WhatsApp, voice, chat interactions | Issue creation, Q&A, audit trail | Legitimate interest; the first-message notice is transparency, not consent | Full text: 1 year. Summaries: 3 years. Metadata: 7 years |
| Voice recordings | VAPI during voice calls | Transcription, issue creation, dispute resolution | Consent (“This call may be recorded…”) | 1 year, then deleted |
| Media attachments (photos, videos) | Tenant uploads via WhatsApp/chat | Issue documentation, evidence | Legitimate interest | 1 year |
| Property addresses | Landlord imports | Match tenants to properties, compliance tracking | Contract performance (landlord’s subscription) | Duration of subscription + 30 days |
| Landlord user data (name, email, phone) | User registration | Account management, authentication, billing | Contract performance | Duration of subscription + statutory retention |
| Vendor data (name, email, phone) | Landlord imports | Job assignment, notifications | Legitimate interest (landlord’s operational need) | Until landlord deletes or subscription ends |
| Compliance documents (Gas Safety, EPC, etc.) | Landlord uploads | Expiry tracking, regulatory compliance | Legitimate interest | Duration of subscription |
| AI-generated issue summaries | LLM processing of conversations | Structured issue creation | Legitimate interest | Linked to issue lifecycle |
| Document embeddings (vectors) | Generated from uploaded property documents | RAG pipeline: semantic search for tenant Q&A | Legitimate interest | Until source document deleted |

Two cautions on the Legal Basis column. “Contract performance” (Article 6(1)(b)) only works for a contract with the data subject, so for tenant data it means the tenancy agreement, never our subscription with the landlord. And a lawful basis should not be stacked with consent as a fallback: if consent is the basis, the tenant can withdraw it and processing must stop; if legitimate interest is the basis, the first-contact message is a transparency notice and should be worded as one. Embeddings and summaries derived from personal data are still personal data and inherit the same erasure obligations as their source.

Data Processing Agreement (DPA)

Our DPA with landlord customers must contain the following (GDPR Article 28 mandatory clauses):

| Clause | Description | Notes |
|---|---|---|
| Subject matter and duration | What processing we do, for how long | “Processing tenant personal data for AI-powered communication and issue management for the duration of the subscription” |
| Nature and purpose | Specific processing activities | Receiving, storing, AI-analysing, and responding to tenant communications; creating and managing maintenance issues |
| Types of personal data | Categories listed above | Tenant names, phones, emails, conversation content, media, voice recordings |
| Categories of data subjects | Who the data is about | Tenants, vendors |
| Controller’s instructions | We only process on documented instructions | Standard clause; must include provision for additional instructions |
| Confidentiality | Staff with access to data are bound by confidentiality | All team members must sign confidentiality agreements |
| Security measures | Technical and organisational measures | Reference our Security doc: RLS, encryption, audit logging, access controls |
| Sub-processor management | Rules for engaging sub-processors | General written authorisation with notification of changes; list of current sub-processors; sub-processor DPAs in place. Article 28(4) requires the same obligations to flow down to each sub-processor, so check that each vendor DPA’s breach-notification window and deletion commitments let us meet what we promise landlords here |
| Assistance with data subject rights | How we help landlords respond to tenant GDPR requests | Provide data export, deletion capabilities within SLA |
| Breach notification | Notify controller without undue delay | Commit to notifying within 24 hours of becoming aware (gives landlord time for 72-hour ICO deadline) |
| Data return/deletion on termination | What happens when the landlord leaves | Export all data in machine-readable format; delete within 30 days of termination; provide deletion certificate |
| Audit rights | Controller’s right to audit our processing | Allow reasonable audit with advance notice; consider providing SOC2 or Cyber Essentials as alternative |
| International transfers | Disclosure of transfers outside UK | List all sub-processors in non-adequate countries; document transfer mechanisms (IDTA/SCCs) |

Recommendation: Use the free DPA template from GDPR.Direct or ICO guidance as a starting point, but pay a solicitor GBP 500—1,500 to customise it for our specific AI processing, international transfers, and BYOAK scenarios. The DPA is the single most important legal document for our business — it is what stands between us and GDPR liability.

International Data Transfers

We send tenant personal data to US-based sub-processors. The UK has no general adequacy decision for the US: the UK-US Data Bridge (the UK Extension to the EU-US Data Privacy Framework) covers only US organisations that are DPF-certified and have opted into the UK Extension, so it has to be checked vendor by vendor against the DPF list at dataprivacyframework.gov. Every transfer not covered by the Data Bridge requires a lawful transfer mechanism (UK IDTA, or the UK Addendum to the EU SCCs) plus a Transfer Risk Assessment.

| Provider | Data Sent | Where Processed | Transfer Mechanism | Their DPA Status | Risk Level |
|---|---|---|---|---|---|
| Anthropic (Claude API) | Conversation text containing tenant names, phone numbers, issue descriptions | US | Anthropic’s DPA includes EU SCCs (Module 2 controller-to-processor and Module 3 processor-to-processor; Module 3 is the one that applies to us as a processor) + UK Addendum. API data retained 7 days only, not used for training. | DPA auto-accepted with Commercial Terms. Includes UK GDPR provisions. | Medium: data is transient (7-day retention), but tenant PII is sent for processing |
| OpenAI (Embeddings + fallback generation) | Conversation text, document chunks for embedding | US | OpenAI DPA includes EU SCCs + UK Addendum. API data not used for training on paid plans. | DPA available at openai.com/policies/data-processing-addendum. Must accept explicitly. | Medium: embeddings contain document content; fallback generation sees conversation text |
| Twilio (WhatsApp + SMS) | Tenant phone numbers, message content, media | US (with global infrastructure) | Twilio DPA includes BCRs, EU SCCs, and UK IDTA. | DPA incorporated into Terms of Service automatically. | Medium: Twilio stores message logs; review their retention policies |
| VAPI / Retell (Voice AI) | Voice recordings, transcriptions, tenant phone numbers | US | Need to verify: check their DPA and transfer mechanisms | GAP: must verify DPA status before launch of voice channel | High: voice recordings are sensitive; need explicit consent and verified transfer mechanism |
| Supabase (Database + Auth) | All data (full database) | Supabase Cloud; check region (EU hosting available) | If EU-hosted: no restricted transfer for the data at rest (UK to EEA is covered by the UK’s adequacy regulations), though remote support access from outside the UK/EEA is itself a transfer and must be covered by their DPA. If US-hosted: need Supabase DPA with SCCs/IDTA. | Supabase provides a DPA. Must verify hosting region. | Low if EU-hosted. High if US-hosted. Strongly recommend EU region. |
| SendGrid (Email) | Tenant and landlord email addresses, notification content | US (Twilio subsidiary) | Covered by Twilio DPA | Covered under Twilio’s DPA | Low: limited PII (email addresses and notification text) |
| Vercel (Hosting) | Dashboard traffic, IP addresses | Global CDN, processing in configured region | Verify Vercel DPA and hosting region | Vercel provides a DPA | Low: application hosting, limited PII in transit |

Required actions:

  1. Sign/accept DPAs with all sub-processors — Verify each is in place and covers UK GDPR
  2. Complete Transfer Impact Assessments (TIAs) for each US transfer — ICO provides a template
  3. Ensure Supabase is on an EU region — This is the single biggest risk-reduction step: transfers from the UK to the EEA are covered by the UK’s adequacy regulations, so an EU-hosted primary database avoids the most complex transfer issues. It does not remove the LLM and telephony transfers, which still need their own mechanisms.
  4. Verify VAPI/Retell DPA and transfer mechanisms before launching the voice channel
  5. Publish a sub-processor list on ehq.tech with a mechanism for landlords to be notified of changes

ICO Registration

Yes, we must register with the ICO. There is no exemption that applies to us.

| Detail | Answer |
|---|---|
| Must we register? | Yes. The data protection fee is payable by controllers, and we are a controller for our own customer, website and staff data regardless of our processor role for tenant data. |
| Cost | GBP 52/year (Tier 1: turnover of GBP 632,000 or less, or no more than 10 staff). GBP 5 discount for Direct Debit = GBP 47/year |
| How to register | Online at ico.org.uk/for-organisations/data-protection-fee/register/ |
| Timeline | Register before processing any personal data. Takes approximately 1-2 working days online. |
| Penalty for not registering | Fixed penalty of up to 150% of the top-tier fee. The GBP 4,350 figure often quoted predates the February 2025 fee increase; with the Tier 3 fee now GBP 3,763 the maximum is about GBP 5,645. |
| When to move to Tier 2 | Tier 1 applies while turnover is GBP 632,000 or less OR staff is 10 or fewer, so we move to Tier 2 (GBP 78/year) only once we exceed both. |

Action: Register immediately. This takes 15 minutes and costs GBP 52.

Data Subject Rights

Tenants have full GDPR rights even though they are not our customers. The landlord (as Controller) is primarily responsible for responding, but we must have the technical capability to assist.

| Right | How We Handle | Automated? | Gap |
|---|---|---|---|
| Right of access (SAR) | Tenant contacts landlord (or us via gdpr@ehq.tech). We export all tenant data from our system. | Not yet: manual DB query required | Need: self-service data export for landlords in dashboard. Target: before first customer or within 3 months. |
| Right to erasure (“right to be forgotten”) | Anonymise tenant record: replace PII with [REDACTED]. Retain anonymised conversation data for regulatory compliance. Confirm within one month. | Soft delete exists. Full anonymisation not implemented. | Need: anonymisation function that scrubs PII from tenants, conversations, messages, and media. Redacting the tenant row alone is not anonymisation: tenants write their own name and number into transcripts, so message bodies and voice transcripts must be scrubbed too, and the result should be treated as pseudonymised until checked. Also delete from sub-processors (request deletion from Anthropic logs, Twilio logs). |
| Right to rectification | Update tenant details via dashboard. | Yes: landlord can edit tenant records | Minor gap: tenant cannot self-serve corrections. Acceptable for launch; landlord mediates. |
| Right to data portability | Export tenant data in machine-readable format (JSON/CSV). | Not implemented. | Need: data export endpoint. Can be manual (CSV from Supabase) at launch, automated later. |
| Right to restrict processing | Flag tenant record to stop AI processing while dispute is resolved. | Not implemented. | Need: “processing restricted” flag on tenant record that pauses AI responses. Medium priority. |
| Right to object | Tenant objects to processing. Landlord assesses and instructs us. | Not implemented. | Handled via landlord. We need a documented process. |
| Right not to be subject to automated decisions (Article 22 / DUAA) | See AI section below. Our AI assists; it does not make binding decisions. Landlord always has final say on issue prioritisation and vendor assignment. | N/A: human in the loop | Document clearly that AI recommendations are advisory, not determinative. |
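The erasure row above describes an anonymisation function that does not exist yet. What follows is an added example of that function, written for this review and not Envo’s code: an in-memory stand-in for the tenants, messages and media tables (constructed sample data), a scrub that redacts the structured PII fields and then runs the tenant’s own identifiers plus generic UK phone and email patterns over their free-text messages and media captions, and a manifest that feeds the deletion confirmation and the sub-processor deletion requests. Table names, field names, the list of sub-processors and the manifest shape are assumptions.

```python
"""Right-to-erasure anonymisation: scrub a tenant's PII from structured fields and free text,
and return a manifest for the deletion confirmation. Added example, not Envo's code."""
import re
from datetime import datetime, timezone
from typing import Dict, List

REDACTED = "[REDACTED]"
PII_FIELDS = ("name", "phone", "email")
# Generic patterns: tenants write their number in national form ("07700 900123") even
# when the record stores E.164, so matching the stored value alone would miss it.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
UK_PHONE_RE = re.compile(r"(?:\+44\s?|\b0)\d{4}\s?\d{3}\s?\d{3}\b")
SUB_PROCESSORS = ("anthropic", "twilio")   # assumed: the logs the page says must also be deleted


def sample_store() -> Dict:
    """Constructed in-memory stand-in for the tenants/messages/media tables."""
    return {
        "tenants": {"t-1": {"id": "t-1", "name": "Alice Example", "phone": "+447700900123",
                            "email": "alice@example.com", "property_id": "p-1", "deleted_at": None}},
        "messages": [
            {"id": "m-1", "tenant_id": "t-1",
             "text": "Hi, it's Alice Example, call me on 07700 900123, the boiler is leaking"},
            {"id": "m-2", "tenant_id": "t-1", "text": "Thanks Alice, I've logged the boiler leak as issue #42"},
            {"id": "m-3", "tenant_id": "t-2", "text": "Hello from another tenant"},
        ],
        "media": [{"id": "f-1", "tenant_id": "t-1", "path": "uploads/t-1/boiler.jpg", "caption": "Alice's boiler"}],
    }


def pii_patterns(tenant: Dict) -> List[re.Pattern]:
    """Patterns for this tenant's identifiers plus generic phone/email patterns.
    Name tokens are a heuristic (tokens under three letters are skipped); free text can
    still carry indirect identifiers, so treat the output as pseudonymised until reviewed."""
    pats: List[re.Pattern] = []
    name = tenant.get("name") or ""
    if name:
        pats.append(re.compile(r"\b" + re.escape(name) + r"\b", re.I))          # full name first
        pats += [re.compile(r"\b" + re.escape(t) + r"\b", re.I)
                 for t in re.findall(r"[A-Za-z][A-Za-z'-]{2,}", name)]           # then each token
    pats += [EMAIL_RE, UK_PHONE_RE]
    return pats


def scrub_text(text: str, patterns: List[re.Pattern]):
    """Replace every match of every pattern; returns (new_text, substitution_count)."""
    total = 0
    for p in patterns:
        text, n = p.subn(REDACTED, text)
        total += n
    return text, total


def anonymise_tenant(store: Dict, tenant_id: str) -> Dict:
    """Redact the tenant row, scrub their threads and media, and return a manifest
    listing what was touched and what still has to be deleted elsewhere."""
    tenant = store["tenants"].get(tenant_id)
    if tenant is None:
        raise KeyError(f"unknown tenant {tenant_id}")
    patterns = pii_patterns(tenant)          # build before the fields are overwritten
    manifest = {"tenant_id": tenant_id, "fields_redacted": list(PII_FIELDS),
                "messages_scrubbed": 0, "media_scrubbed": 0, "substitutions": 0,
                "storage_objects_to_delete": [], "sub_processor_requests": list(SUB_PROCESSORS)}
    for f in PII_FIELDS:
        tenant[f] = REDACTED
    tenant["anonymised_at"] = datetime.now(timezone.utc).isoformat()
    for msg in store["messages"]:
        if msg["tenant_id"] != tenant_id:
            continue                          # other tenants' threads are untouched
        msg["text"], n = scrub_text(msg["text"], patterns)
        manifest["substitutions"] += n
        manifest["messages_scrubbed"] += 1 if n else 0
    for item in store["media"]:
        if item["tenant_id"] != tenant_id:
            continue
        item["caption"], n = scrub_text(item.get("caption", ""), patterns)
        manifest["substitutions"] += n
        manifest["media_scrubbed"] += 1
        manifest["storage_objects_to_delete"].append(item["path"])   # the object itself lives in storage
        item["path"] = None
    return manifest


if __name__ == "__main__":
    db = sample_store()
    print(anonymise_tenant(db, "t-1"))
    print(db["messages"][0]["text"])
```

The free-text pass is the whole point: the tenant put their own name and number into the transcript, so redacting the tenant row alone leaves the conversation identifiable, and even after the scrub an indirect identifier such as a description of the flat can survive, which is why the manifest reports counts for a human to spot-check before the deletion confirmation goes out. In production the same logic would run inside one database transaction, and the paths in `storage_objects_to_delete` would be handed to the storage API rather than just nulled.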

AI-Specific Considerations

Using LLMs to process tenant conversations raises specific issues that go beyond standard GDPR compliance.

1. Transparency and Consent

Issue: Tenants interact with an AI system. Do they need to know? Do they need to consent?

Our position:

  • Tenants are informed at first contact: “This call may be recorded…” (voice), a notice in the first WhatsApp message, and a notice during chat onboarding
  • That first-contact notice must explicitly state that AI is used to process their communications
  • Under the ICO’s guidance on AI and data protection, transparency is required whatever the lawful basis: even where the landlord relies on legitimate interest rather than consent, tenants must know AI is involved. Treat the message as a notice, not as consent, unless consent really is the lawful basis (in which case the tenant can withdraw it and processing must stop)

Action needed: Review all first-contact messages to ensure they explicitly mention AI processing. Current wording may say “recorded” but not “processed by AI.”

Suggested wording (WhatsApp first message):

“Hi, I’m [Property Name]’s digital assistant, powered by AI. I can help with questions about your property and log maintenance issues 24/7. Your messages are processed using AI technology and stored securely. For more information, visit [privacy policy link]. Reply STOP at any time to opt out.”

2. EU AI Act and UK Position

Current status: The EU AI Act entered into force in August 2024, with most provisions applying from August 2026. The UK has not adopted equivalent legislation and is pursuing a “pro-innovation” approach through sector-specific regulators rather than a standalone AI Act.

Envo’s risk level: Our AI system is not high-risk under the EU AI Act but falls under the Article 50 transparency obligations (AI systems that interact with natural persons must make clear that the person is dealing with an AI). If we ever serve EU customers, we would need to comply with those obligations. In the UK, the ICO’s AI guidance applies.

Action: Ensure AI identifies itself as AI in all tenant interactions. This is already good practice and insulates us against future UK regulation.

3. Accuracy Obligations

Issue: LLMs hallucinate. If our AI gives a tenant incorrect safety information (e.g., “the gas smell is probably nothing”), there is a liability risk.

Our mitigations (already in place):

  • Emergency keyword detection bypasses LLM entirely — hardcoded response with emergency numbers
  • RAG pipeline grounds responses in landlord-uploaded documents
  • Response confidence thresholds and escalation triggers
  • Channel-specific response limits
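The three mitigations above are only as good as their ordering: the emergency bypass has to run before any model call, and the “processing restricted” flag from the Data Subject Rights table has to stop the model call altogether. The following is an added example of one inbound-message gate that enforces that ordering; it is illustrative code written for this review, not Envo’s pipeline. The emergency lexicon, the canned reply wording, the confidence threshold and the per-channel length limits are assumptions (999 and 0800 111 999 are the real UK emergency and gas emergency numbers), and the model call is an injected callable so the stand-in below can be swapped for the real provider client.

```python
"""Inbound tenant-message gate: deterministic emergency bypass, Art. 18 restriction flag,
then an advisory LLM classification. Added example, not Envo's code."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed emergency lexicon. Deterministic and reviewable; never depends on model output.
EMERGENCY_PATTERNS = {
    "gas": re.compile(r"\b(gas leak|smell(?:ing|s)? (?:of )?gas|carbon monoxide)\b", re.I),
    "fire": re.compile(r"\b(fire|smoke|burning smell)\b", re.I),
    "flood": re.compile(r"\b(flood(?:ing|ed)?|burst pipe|water (?:pouring|gushing))\b", re.I),
    "electrical": re.compile(r"\b(sparks?|electric(?:al)? shock|exposed wir(?:e|es|ing))\b", re.I),
}
# Hardcoded replies (illustrative wording; the numbers are the real UK ones).
EMERGENCY_RESPONSE = {
    "gas": ("If you smell gas: do not use switches or flames, open windows, leave the property and "
            "call the National Gas Emergency Service on 0800 111 999. Your landlord has been alerted."),
    "fire": "Leave the property now and call 999. Do not go back inside. Your landlord has been alerted.",
    "flood": ("Turn the water off at the stopcock if it is safe to do so and keep away from electrics. "
              "Your landlord has been alerted."),
    "electrical": ("Do not touch the affected area. Switch the power off at the consumer unit if it is "
                   "safe. Your landlord has been alerted."),
}
ADVISORY_NOTE = " (AI-generated, for information only; your landlord reviews every issue.)"
CHANNEL_LIMITS = {"sms": 320, "whatsapp": 1000, "chat": 2000}   # assumed per-channel reply limits
CONFIDENCE_THRESHOLD = 0.7                                       # assumed escalation threshold


@dataclass
class Tenant:
    id: str
    processing_restricted: bool = False   # Art. 18 flag set by the landlord while a dispute is open


@dataclass
class Decision:
    route: str                              # "emergency" | "restricted" | "llm"
    reply: str
    urgency: Optional[str] = None
    category: Optional[str] = None
    needs_review: bool = False              # landlord must look before anything is actioned
    audit: Dict = field(default_factory=dict)


def detect_emergency(text: str) -> Optional[str]:
    """Deterministic keyword/regex check; returns the matched category or None."""
    for category, pattern in EMERGENCY_PATTERNS.items():
        if pattern.search(text):
            return category
    return None


def fit_channel(reply: str, channel: str) -> str:
    """Apply the channel's reply limit so a long model answer cannot overflow an SMS."""
    limit = CHANNEL_LIMITS.get(channel, 1000)
    return reply if len(reply) <= limit else reply[: limit - 3] + "..."


def handle_inbound(tenant: Tenant, text: str, llm: Callable[[str], Dict],
                   channel: str = "whatsapp") -> Decision:
    # 1. Emergency bypass first: hardcoded reply, the LLM never sees the message, so a
    #    hallucinated "probably nothing" or a mis-ranked urgency is impossible on this path.
    category = detect_emergency(text)
    if category:
        return Decision("emergency", fit_channel(EMERGENCY_RESPONSE[category], channel),
                        urgency="emergency", category=category,
                        audit={"llm_called": False, "matched": category})
    # 2. Restriction flag: no AI processing while the tenant's objection or dispute is open;
    #    acknowledge, keep the raw message, and hand it to the landlord.
    if tenant.processing_restricted:
        ack = "Thanks, your message has been passed to your landlord to deal with directly."
        return Decision("restricted", fit_channel(ack, channel), needs_review=True,
                        audit={"llm_called": False, "reason": "processing_restricted"})
    # 3. Advisory LLM classification: a recommendation for the landlord, never a decision.
    #    Low confidence, or a model that thinks this is an emergency the lexicon missed,
    #    forces human review instead of silently trusting the model.
    result = llm(text)
    needs_review = result["confidence"] < CONFIDENCE_THRESHOLD or result["urgency"] == "emergency"
    return Decision("llm", fit_channel(result["reply"] + ADVISORY_NOTE, channel),
                    urgency=result["urgency"], category=result["category"], needs_review=needs_review,
                    audit={"llm_called": True, "confidence": result["confidence"], "advisory": True})


def stub_llm(text: str) -> Dict:
    """Constructed stand-in for the provider call; returns a fixed classification."""
    return {"category": "plumbing", "urgency": "medium", "confidence": 0.9,
            "reply": "I've logged a plumbing issue for your landlord."}


if __name__ == "__main__":
    tenant = Tenant("t-1")
    for msg in ("I can smell gas in the kitchen", "The kitchen tap is dripping"):
        print(handle_inbound(tenant, msg, stub_llm))
```

One deliberate choice here is that the emergency check runs even for a restricted tenant: the canned reply involves no profiling or model inference, and a restriction flag should not turn a gas leak into an unanswered message. The `audit` dictionary is what the DPIA and the Article 22 analysis need as evidence, since it records for every message whether a model was called and that its output was advisory.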

Gaps:

  • No formal accuracy monitoring or evaluation framework in production yet (planned as E-009)
  • No disclaimer in tenant-facing messages that AI responses are informational, not professional advice
  • Need documented process for when AI gives incorrect information that causes harm

Action: Add a brief disclaimer to AI responses where appropriate, and implement the evaluation framework before scaling beyond pilot customers.

4. Automated Decision-Making (Article 22 / DUAA)

Issue: Does Envo make automated decisions with legal or significant effects on tenants?

Analysis:

  • Issue categorisation (plumbing, electrical, etc.) — automated by AI. Does not have legal effect on tenant.
  • Urgency classification (low, medium, high, emergency) — automated by AI. Could have significant effect if emergency is misclassified as low.
  • Vendor assignment — recommended by AI in Enterprise tier, but landlord makes final decision. Human in the loop.
  • Issue resolution — decided by landlord, not AI.

Our position: Envo’s AI makes recommendations, not decisions. The landlord (a human) is always in the loop for actions that affect the tenant’s housing conditions, so the decisions are not based solely on automated processing and Article 22 should not be engaged.

However, urgency classification is a grey area, and ICO guidance is that token human involvement does not count. If our AI classifies a gas leak as “medium” urgency and the landlord acts on that classification without genuinely reviewing it, there is an argument that the AI made an automated decision with significant effects.

Mitigations:

  • Emergency detection system bypasses normal classification — hardcoded, not AI-dependent
  • Dashboard shows AI confidence scores (planned) so landlords can review
  • All classifications can be overridden by landlord
  • Document in T&Cs that AI classifications are advisory

Post-DUAA: The Data (Use and Access) Act 2025 (Royal Assent June 2025; the ADM provisions commence by regulations, expected early 2026) reworks Article 22 so that the outright restriction on solely automated decisions with legal or similarly significant effects applies only where special category data (health, ethnicity, etc.) is involved. For other personal data such decisions become permitted, but only with safeguards: telling the individual a decision was automated and letting them make representations, obtain human intervention and contest it. This significantly reduces our risk but does not remove the need for the human-in-the-loop and override controls above, which are also what those safeguards require.

5. Training Data Concerns

Issue: Do our sub-processors (Anthropic, OpenAI) use tenant data to train their models?

Current status:

  • Anthropic API: Data is not used for training. Retained for 7 days for safety monitoring, then deleted.
  • OpenAI API: Data from paid API is not used for training (since March 2023 policy update).

Action: Document these commitments in our privacy policy and DPA. Monitor for policy changes from both providers.


Insurance

| Type | What It Covers | Do We Need It? | Estimated Cost (Annual) | Provider Examples |
|---|---|---|---|---|
| Professional Indemnity (PI) | Claims of negligence, errors, omissions, breach of professional duty. E.g., AI gives wrong advice causing property damage. | Yes: strongly recommended before first customer. Enterprise customers will require proof of PI. | GBP 300-1,500/year for GBP 1M cover (startup with low turnover). Rises with revenue. | Hiscox, PolicyBee, Simply Business, Get Indemnity |
| Cyber Insurance | Data breach costs (forensics, notification, legal fees), ransomware, business interruption from cyber attack. Check the wording on regulatory fines: UK policies typically cover them only “where insurable by law”, and whether ICO fines are insurable is unsettled, so do not assume a fine is covered. | Yes: strongly recommended. We store tenant PII and process it via multiple third parties. A breach could be catastrophic. | GBP 130-500/year for basic cover. | Superscript, Hiscox, CyberCover.uk |
| Public Liability | Third-party injury or property damage claims. Less relevant for pure SaaS. | Low priority. Only needed if we visit customer premises for onboarding. | GBP 50-150/year | Simply Business, Hiscox |
| Directors & Officers (D&O) | Personal liability of directors for company decisions (e.g., regulatory failures, wrongful trading). | Consider within 6 months. Becomes important as we take on commercial risk. | GBP 300-800/year | PolicyBee, Hiscox |
| Employers’ Liability | Required by law if we have employees (not required for directors-only). | Not yet: required when we hire our first employee. Legal requirement: GBP 5M minimum cover. | GBP 50-150/year | Any UK business insurer (required by law) |

Recommendation: Get PI + Cyber insurance before first paying customer. Budget GBP 500—1,500/year. Get quotes from PolicyBee (SaaS-specific) and Hiscox (startup-friendly).


Terms of Service

Key clauses that must be in our T&Cs:

| Clause | Why | Standard or Custom |
|---|---|---|
| Service description | Defines exactly what Envo provides (and does not provide). Prevents scope creep and manages expectations. | Standard: use clear language describing AI-powered tenant communication, issue management, compliance tracking |
| AI disclaimer | Clarifies that AI recommendations are advisory, not professional advice. Envo is not a property management company, surveyor, or legal adviser. A disclaimer limits our contractual liability to the landlord; it does not touch tenants’ statutory rights and it must pass the UCTA 1977 reasonableness test. | Custom: critical clause. Must disclaim liability for AI-generated urgency classifications and tenant responses. |
| Licence and access | Grant of non-exclusive licence to use the SaaS platform. | Standard SaaS clause |
| Data processing | Reference to DPA; confirm GDPR roles; link to privacy policy | Standard but must reference our specific DPA |
| Acceptable use | Prohibit use for harassment, discrimination, illegal purposes. Landlord must not instruct AI to discriminate against tenants. | Standard with property-specific additions |
| Payment terms | Subscription fees, billing cycle, payment methods, late payment, price changes | Standard SaaS clause. 30-day notice for price increases. |
| SLA and uptime | 99.5% uptime target (not guarantee) for Professional. No SLA for Starter. 99.9% for Enterprise. | Standard: make these targets, not contractual guarantees, at launch |
| Liability cap | Cap our total liability at 12 months’ fees paid (standard SaaS). Exclude liability for indirect, consequential, or special damages. Align the cap with our PI cover limit so that an in-cap claim is insured. | Standard but needs solicitor review. Property damage from AI error could exceed 12 months’ fees. |
| Exclusions from liability cap | Death or personal injury caused by negligence, and fraud, cannot be excluded or capped (UCTA 1977). Data protection breaches, GDPR violations and wilful misconduct are normally carved out of the general cap or given a separate higher cap by negotiation; larger customers will push for this, and whatever we agree must stay within what our insurance covers. | Custom: solicitor must draft. |
| Indemnification | Landlord indemnifies Envo for claims arising from landlord’s breach of data protection law, tenant misuse, or unlawful instructions. | Standard with property-specific additions |
| BYOAK responsibilities | When customers bring their own API keys, they are responsible for their own provider relationships, costs, and data processing through those providers. In that arrangement the model provider is the landlord’s own processor rather than our sub-processor, so the DPA’s sub-processor list, transfer section and breach-notification duties must say which arrangement applies to each customer. | Custom: unique to our model. Must clearly delineate responsibility. |
| Intellectual property | Envo owns the platform and its IP (code, prompts, pipelines, any models or fine-tunes we build); third-party model providers keep theirs. Customer owns their data. No rights to AI-generated outputs beyond the service. | Standard |
| Termination and data return | Either party can terminate with 30 days’ notice. On termination: data exported within 30 days, deleted within 60 days. The DPA table above says deletion within 30 days; the two documents must state the same period. | Standard with GDPR-mandated data handling |
| Force majeure | Exclude liability for events beyond control (including third-party API outages: Anthropic, Twilio, etc.) | Standard |
| Governing law and jurisdiction | English law, English courts | Standard for UK SaaS |
| Consumer Rights Act compliance | If any customers are individuals (sole traders who are consumers), CRA 2015 applies. Digital content must be of satisfactory quality, fit for purpose, and as described. Cannot exclude CRA rights. | Custom: solicitor should advise on whether our B2B customers might qualify as consumers under CRA 2015. |
| Changes to terms | Right to update T&Cs with 30 days’ notice. Material changes require explicit acceptance. | Standard |
| Third-party rights | No third-party rights under the Contracts (Rights of Third Parties) Act 1999, so tenants cannot enforce the landlord’s T&Cs against us. This does not affect tenants’ statutory claims: a data subject can claim compensation directly from a processor under UK GDPR Article 82 where we breach processor obligations. | Standard exclusion clause |
| Anti-bribery and modern slavery | Standard compliance statements | Standard |

Privacy Policy

We need one privacy policy published on ehq.tech that covers two audiences:

For Landlord Customers (Data Controller Relationship)

Must include:

  • Identity and contact details of Envo Energy Ltd (data controller for customer data)
  • Data Protection Officer contact (or nominated contact — gdpr@ehq.tech)
  • What personal data we collect (name, email, phone, payment details)
  • Lawful basis (contract performance)
  • How we use data (account management, billing, support, product improvement)
  • Who we share data with (payment processor, support tools, analytics)
  • Retention periods
  • Rights (access, rectification, erasure, portability, objection, complaint to ICO)
  • Cookie usage
  • International transfers (if any)

For Tenants (Data Processor Transparency)

Even though the landlord is the controller, we should provide transparency to tenants:

  • Explain that their landlord uses Envo to manage communications
  • What data we process on the landlord’s behalf
  • That AI is used to process their communications
  • How to exercise their rights (contact their landlord first; contact gdpr@ehq.tech if landlord is unresponsive)
  • Retention periods
  • That voice calls are recorded (if voice channel is used)
  • Link to opt-out mechanism

Template Approach

Recommendation: Use a free template generator (getterms.io, Termly, or the ICO’s own template) as a starting point. Customise for our specific AI processing and dual-audience structure. Budget GBP 0—500 (free if DIY, GBP 500 if we want a solicitor to review).


Company Structure

| Item | Current Status | Required? | Action | Cost |
|---|---|---|---|---|
| Ltd Company Registration | Need to verify: is Envo Energy Ltd registered at Companies House? | Yes: must trade as a registered company | Verify registration or register via Companies House (online, usually same day) | GBP 50 (online incorporation fee since May 2024) or GBP 0 if already registered |
| VAT Registration | Likely not required yet (threshold: GBP 90,000 taxable turnover in any rolling 12 months) | Not until turnover approaches GBP 90,000. A cut to GBP 60,000-70,000 from April 2026 has been floated; confirm the current threshold on gov.uk before relying on either figure. | Monitor turnover. Register when approaching threshold. | GBP 0 (free to register via HMRC) |
| Business Bank Account | Need to verify | Yes: keep business finances separate from personal | Open a business account if not already done | GBP 0 (many free options: Starling, Tide, Monzo Business) |
| Registered Office Address | Needs to be on all official documents, T&Cs, privacy policy | Yes | Use registered office address on all legal documents | GBP 0 if using home address; GBP 50-200/year for virtual office |
| Data Protection Officer (DPO) | Not required unless our core activities involve large-scale, regular and systematic monitoring of individuals or large-scale special category data (Article 37); company size is not the test | Unlikely to be required at launch; revisit as tenant volumes grow | Designate a data protection contact (Bilal or Deen) without the formal DPO title. Review when scaling. | GBP 0 |
| Stripe Account (Billing) | Required for subscription billing | Yes: before first paying customer | Set up Stripe, configure subscription billing | GBP 0 to set up (transaction fees apply: 1.5% + 20p per UK card) |
| Domain and Email | ehq.tech registered but email not configured (noted in GDPR doc) | Yes: need gdpr@ehq.tech, support@ehq.tech, legal@ehq.tech | Configure email on the ehq.tech domain, with SPF, DKIM and DMARC records so tenant and landlord notifications cannot be trivially spoofed | GBP 0-50/year (Google Workspace or similar) |

Cost Estimate

Total estimated cost to get legally compliant for launch:

Item | Cost (Low End) | Cost (High End) | DIY or Lawyer?
ICO Registration | GBP 52/year | GBP 52/year | DIY (online form)
Privacy Policy | GBP 0 | GBP 500 | DIY from template; solicitor review optional
Terms of Service (template + review) | GBP 40 | GBP 1,500 | Template + solicitor review recommended
Data Processing Agreement (template + customisation) | GBP 0 | GBP 1,500 | Free template + solicitor customisation strongly recommended
Cookie Policy | GBP 0 | GBP 0 | DIY (free generator)
Sub-processor DPA verification | GBP 0 | GBP 0 | DIY (vendors provide their own)
Professional Indemnity Insurance | GBP 300/year | GBP 1,500/year | Broker or online quote
Cyber Insurance | GBP 130/year | GBP 500/year | Broker or online quote
Data Breach Response Plan | GBP 0 | GBP 0 | DIY (templates available)
Information Security Policy | GBP 0 | GBP 0 | DIY (already partially documented)
Transfer Impact Assessments | GBP 0 | GBP 0 | DIY (ICO template)
Legitimate Interest Assessments | GBP 0 | GBP 0 | DIY (ICO template)
DPIA | GBP 0 | GBP 0 | DIY (ICO screening checklist)
Company registration (if needed) | GBP 0 | GBP 12 | DIY
Domain email setup | GBP 0 | GBP 50/year | DIY
TOTAL (Year 1) | GBP 522 | GBP 4,114 |

Realistic budget: GBP 1,500—2,500 — This assumes DIY on everything we can (privacy policy, cookie policy, internal policies, ICO registration, TIAs, LIAs, DPIA) and solicitor time only for T&Cs review and DPA customisation, plus basic PI and cyber insurance.

Where NOT to cut costs:

  1. DPA customisation — This is the document that defines our GDPR liability. A generic template may not cover AI processing, international transfers via LLM APIs, or BYOAK scenarios. GBP 500—1,500 on a solicitor here is money well spent.
  2. T&Cs review — The AI disclaimer and liability cap clauses need professional drafting. A mis-drafted liability clause could expose us to unlimited claims.
  3. Insurance — GBP 500—1,000/year for PI + cyber is cheap protection against potentially company-ending claims.

Action Plan

Prioritised steps to get legally ready:

# | Step | Owner | Timeline | Cost | Blocker?
1 | Register with ICO | @bilal @deen | This week | GBP 52 | Yes — legally required before processing personal data
2 | Set up gdpr@ehq.tech email | @bilal @deen | This week | GBP 0—50 | Yes — needed for privacy policy and DPA
3 | Verify company registration (Companies House) | Danny | This week | GBP 0—12 | Yes — needed for all legal documents
4 | Draft Privacy Policy | @bilal @deen | Week 1 | GBP 0 | Yes — must be published before first customer
5 | Draft Terms of Service | @bilal @deen (draft) + Solicitor (review) | Weeks 1—2 | GBP 500—1,500 | Yes — must be in place before first customer
6 | Draft and customise DPA | @bilal @deen (draft) + Solicitor (customise) | Weeks 1—3 | GBP 500—1,500 | Yes — must be signed by every customer
7 | Verify and sign all sub-processor DPAs | @bilal @deen | Weeks 1—2 | GBP 0 | Yes — must be in place before processing tenant data
8 | Confirm Supabase hosting region (EU) | Bilal/Deen | This week | GBP 0 | Yes — determines international transfer obligations
9 | Draft Cookie Policy | @bilal @deen | Week 1 | GBP 0 | Yes — required if ehq.tech uses cookies
10 | Update consent messages (all channels) to mention AI | Bilal/Deen | Week 2 | GBP 0 | Yes — transparency obligation
11 | Get PI + Cyber Insurance quotes | Danny | Weeks 1—2 | GBP 500—1,500/year | Not a hard blocker but strongly recommended before first customer
12 | Write Data Breach Response Plan | @bilal @deen | Weeks 2—3 | GBP 0 | Not a blocker but needed before any real data
13 | Complete Transfer Impact Assessments | @bilal @deen | Weeks 2—4 | GBP 0 | Should-have within first month
14 | Complete Legitimate Interest Assessments | @bilal @deen | Weeks 2—4 | GBP 0 | Should-have within first month
15 | Complete DPIA for AI processing | @bilal @deen | Weeks 3—4 | GBP 0 | Should-have within first month
16 | Publish sub-processor list on ehq.tech | @bilal @deen | Week 3 | GBP 0 | Should-have
17 | Implement data export for tenants (SAR support) | Deen | Month 2—3 | GBP 0 (engineering time) | Should-have within 3 months
18 | Implement full anonymisation/erasure function | Deen | Month 2—3 | GBP 0 (engineering time) | Should-have within 3 months
19 | Draft Information Security Policy | @bilal @deen | Month 2 | GBP 0 | Should-have
20 | Get Cyber Essentials certification | Bilal/Deen | Month 4—6 | GBP 300—500 | Nice-to-have (becomes must-have for housing association customers)

Open Questions for Session

  1. Is Envo Energy Ltd registered at Companies House? If not, we need to register before any commercial activity. Danny — can you confirm?

  2. Who is our solicitor? We need one for T&Cs and DPA review. Do we have a relationship with a tech/SaaS solicitor? If not, options include SprintLaw (fixed-fee, startup-friendly, from GBP 500), Rocket Lawyer (subscription model), or a local firm. Danny — any connections?

  3. Supabase hosting region — are we on EU or US? This is the single biggest variable in our international transfer obligations. Bilal/Deen to confirm.

  4. VAPI/Retell DPA status — do they have a GDPR-compliant DPA with UK IDTA? Voice is the highest-risk channel (recordings of tenant conversations). We must verify this before launching voice.

  5. Do we need separate T&Cs for Enterprise/white-label customers? The BYOAK model and white-label arrangement likely need custom terms beyond the standard T&Cs. Or do we handle this with an Enterprise addendum?

  6. Insurance budget — what can we afford? PI + Cyber insurance at GBP 500—1,500/year is the recommendation. Is this in budget?

  7. Liability cap — what number are we comfortable with? Standard SaaS is 12 months’ fees. But if our AI misclassifies a gas leak as “low urgency” and a tenant is harmed, 12 months’ fees (GBP 600 for a 10-unit Starter customer) is meaningless. Do we need higher caps? Do we need specific exclusions? This is a solicitor question.

  8. Consent model for tenants — opt-in or notice-only? Currently, we plan to notify tenants that AI is used (legitimate interest basis). Should we require explicit opt-in consent instead? Opt-in is safer but creates friction (tenants who do not reply “yes” cannot use the system). Danny — what do landlords expect here?

  9. Who handles GDPR requests operationally? If a tenant emails gdpr@ehq.tech requesting data access or deletion, who responds? This needs to be assigned before launch.

  10. Awaab’s Law and the Renters’ Rights Act — should we build compliance tracking features? Awaab’s Law timeframes (24-hour emergency response, 7-day investigation for hazards) are now law for social housing and coming to the private rented sector. If Envo tracks these timeframes and alerts landlords, it is a powerful selling point. But it also increases our exposure if the tracking fails. Danny — is this a feature landlords are asking about?

  11. Renters’ Rights Act database — will landlords need to register properties on the new national database? Phase 3 of the Act (late 2026) introduces a national landlord database. Should Envo integrate with this? Too early to build but worth noting.

  12. Do we need E&O (Errors and Omissions) insurance on top of PI? PI and E&O overlap significantly. A solicitor or insurance broker can advise on whether our PI policy adequately covers AI-related errors.


Prepared for Session 6: Legal & Compliance. This checklist is research-based guidance, not legal advice. Key documents (T&Cs, DPA) should be reviewed by a qualified solicitor before use with customers.