Privacy Policy

Last updated April 2026

1. Who we are

Overcharged.uk is a service charge audit service for UK leaseholders and residents' management companies. We help leaseholders identify unjustified or inflated service charges and support them in challenging those charges.

Our ICO registration number is [x]

If you have questions about this, or anything else, you can contact us at Projects@overcharged.uk

2. What this policy covers

This policy explains what personal data we collect, why we collect it, how we use it, how long we keep it, and what your rights are. It applies to all personal data we process in connection with your use of overcharged.uk and our audit services.

We are committed to handling your personal data responsibly and in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We may amend this Privacy Policy from time to time. Please just visit this page if you want to stay up to date, as we will post any changes here.

3. What data we collect

Information you give us directly

When you use our website, submit an enquiry, or commission an audit, we may collect:

  • Your name and contact details, including email address and phone number

  • The address of the property you are enquiring about

  • Information about your lease, including lease length and type of tenure

  • Your annual service charge amount and details of your managing agent or freeholder

  • Documents you upload, including service charge statements, leases, correspondence with managing agents or freeholders, and any other supporting materials

  • Details of any existing disputes or formal proceedings you are involved in

  • Your responses to questions in our enquiry form

Information we collect automatically

When you visit our website, we may collect:

  • Your IP address

  • Browser type and version

  • Pages visited and time spent on each page

  • Referring website

  • Device type and operating system

This information is collected via cookies and analytics tools. Please see our Cookie Policy for more information.

Information from third parties

We do not purchase or obtain personal data from third-party data brokers. If you are referred to us by a solicitor, residents' association or other professional, we may receive your name and contact details from them.

4. Why we collect your data and our legal basis for doing so

We collect and use your personal data for the following purposes:

To provide our audit service

When you commission an audit, we need to process your personal data and the documents you provide in order to carry out the service. Our legal basis is the performance of a contract with you, or steps taken at your request prior to entering into a contract.

To communicate with you

We use your contact details to respond to enquiries, send you your audit report, and follow up on your case. Our legal basis is the performance of a contract and, where relevant, our legitimate interests in running our business effectively.

To improve our service

We analyse anonymised and aggregated data about service charges across the buildings we review. This helps us with benchmarking and improves the accuracy of our assessments. No individual is identifiable in this analysis. Our legal basis is our legitimate interests.

To comply with legal obligations

We may be required to retain certain records for legal, regulatory or tax purposes. Our legal basis is compliance with a legal obligation.

To send you relevant information

If you opt in, we may send you updates about leasehold rights, changes in legislation, and our services. Our legal basis is your consent. You can withdraw consent at any time.

5. Special category data

Some of the information you share with us (e.g. housing disputes, or personal circumstances that led you to seek an audit) may constitute sensitive personal data under UK GDPR. We handle such information with the highest level of care and use it only where strictly necessary to provide our service. We do not share it with third parties except as described in section 6 below.

6. Who we share your data with

We do not sell your personal data. We do not share it with third parties for their own marketing purposes.

We may share your data with the following categories of third parties where necessary:

  • Service providers who help us operate our business, including our website hosting provider, form and file storage platform and email delivery service. These providers act as data processors on our behalf and are contractually required to handle your data securely and only as instructed.

  • Professional advisers such as solicitors or surveyors, where you have asked us to refer your case or where we need professional input to complete your audit. We will always discuss this with you first.

  • Regulatory or legal authorities where we are required by law to disclose information, for example in response to a court order or regulatory investigation.

We do not transfer your personal data outside the United Kingdom or European Economic Area unless appropriate safeguards are in place.

7. How long we keep your data

We retain your personal data for as long as necessary to provide our service and fulfil the purposes set out in this policy, and for a reasonable period afterwards in case of queries, disputes or follow-up work.

In practice this means:

  • Enquiry data where no audit was commissioned: deleted after 12 months

  • Audit files and reports: retained for 6 years from the date of the audit, in line with standard limitation periods for contractual claims

  • Financial transaction records: retained for 7 years in line with HMRC requirements

  • Marketing consent records: retained until you withdraw consent, plus 12 months

We review our retention practices regularly and delete data that is no longer needed.

8. How we keep your data secure

We take the security of your personal data seriously. The measures we have in place include:

  • Encrypted file storage for all documents you upload

  • Secure, access-controlled systems for audit files and reports

  • Employee confidentiality obligations

  • Regular review of our security practices

No method of transmission or storage is completely secure. If you have concerns about how to share sensitive documents with us, please contact us and we will advise on the most secure method.

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the Information Commissioner's Office as required by law.

9. Your rights

Under UK GDPR you have the following rights in relation to your personal data:

  • Right of access: you can request a copy of the personal data we hold about you.

  • Right to rectification: you can ask us to correct inaccurate or incomplete data.

  • Right to erasure: you can ask us to delete your data in certain circumstances, for example where it is no longer necessary for the purpose it was collected.

  • Right to restrict processing: you can ask us to limit how we use your data in certain circumstances.

  • Right to data portability: you can ask us to provide your data in a structured, machine-readable format so you can transfer it to another service.

  • Right to object: you can object to our processing of your data where we rely on legitimate interests as our legal basis.

  • Right to withdraw consent: where we rely on your consent to process data, you can withdraw that consent at any time. This does not affect the lawfulness of processing carried out before withdrawal.

  • Rights relating to automated decision-making: we do not make solely automated decisions that have a legal or similarly significant effect on you.

To exercise any of these rights, please contact us at projects@overcharged.uk. We will respond within one calendar month, but we will need to verify your identity before processing your request.

10. Complaints

If you are unhappy with how we have handled your personal data, please contact us in the first instance and we will do our best to resolve your concern.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection regulator: 

  • Phone: 0303 123 1113

  • Email: casework@ico.org.uk

  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

11. Cookies

Our website uses cookies to help it function and to understand how it is used. A full list of the cookies we use and the purposes they serve is set out in our Cookie Policy. You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the website.

12. Contact us

If you have any questions about this policy, your personal data, or if you would like to exercise any of your rights under data protection law, please contact us at Projects@overcharged.uk