BlocBack to Bloc

Legal

GDPR and Data Protection

Effective date: 12 May 2026Company: Percy Real Estate Ltd (trading as Bloc)Regulation: UK GDPR / DPA 2018

Bloc is committed to processing personal data lawfully, fairly, and transparently. This notice explains your rights under the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, and how we fulfil our obligations as a data controller and, where applicable, a data processor.

1. Overview

Percy Real Estate Ltd (trading as “Bloc”), Company Number 15525233, registered at 25 Cabot Square, Canary Wharf, London E14 4QZ, is the data controller for personal data collected directly from visitors to this website and from individuals who register for the Platform.

Where Bloc processes personal data on behalf of estate agency customers using the Platform, we act as a data processor and those customers are the data controllers. This dual role is explained in Section 11.

This notice should be read alongside our Privacy Policy (which covers broader privacy practices).

2. Data Controller Details

Percy Real Estate Ltd (trading as Bloc)

Company Number: 15525233

Registered address: 25 Cabot Square, Canary Wharf, London E14 4QZ

Data Protection contact: [email protected]

Registered with the ICO: Yes

We are registered with the Information Commissioner's Office (ICO) as a data controller as required by the Data Protection Act 2018. Our ICO registration can be verified at ico.org.uk/about-the-ico/what-we-do/register-of-fee-payers/.

3. What Personal Data We Collect

Website Visitors

  • Device and browser information (anonymised) collected via analytics tools.
  • IP address (anonymised or truncated before storage).
  • Pages visited, time on page, and referral source.
  • Contact details submitted via enquiry forms (name, email, company, message).

Platform Users (Account Holders)

  • Name and email address provided at registration.
  • Password (stored as an irreversible hash; we cannot read your password).
  • Job title and company name.
  • Profile photo, if voluntarily uploaded.
  • Activity logs: login times, features used, and actions taken within your Workspace.
  • Communications with our support team.
  • Billing name and address (payment card details are held by our payment processor, not by us).

CRM Data (Processed on Behalf of Customers)

Estate agency customers upload and manage personal data relating to their own clients, including vendors, buyers, landlords, tenants, and applicants. This data is described in the customer's own privacy notices. Bloc processes this data as a data processor under the customer's instructions (see Section 11).

4. Lawful Bases for Processing

We rely on the following lawful bases under Article 6 of the UK GDPR:

Contract (Article 6(1)(b))

Processing necessary to register your account, provide the Platform, process your Subscription, and deliver customer support.

Legitimate Interests (Article 6(1)(f))

Maintaining platform security, preventing fraud, improving the Platform using anonymised analytics, and contacting existing customers about related products or updates. We have conducted a legitimate interests assessment (LIA) for each of these purposes.

Legal Obligation (Article 6(1)(c))

Retaining financial records for HMRC compliance, responding to court orders, and complying with AML obligations.

Consent (Article 6(1)(a))

Sending marketing emails to prospective customers; setting non-essential cookies. You may withdraw consent at any time.

Where we process special category data (Article 9), such as health information relevant to a tenancy, we rely on explicit consent or another condition under Article 9(2) as appropriate.

5. How We Use Your Data

  • To create and manage your Bloc account and Workspace.
  • To provide, operate, maintain, and improve the Platform.
  • To process your Subscription payments and send billing records.
  • To send service notifications, security alerts, and essential product updates.
  • To provide customer support and respond to enquiries.
  • To measure and analyse platform usage using anonymised analytics (PostHog).
  • To send marketing communications to you where you have opted in or where we have a legitimate interest as an existing customer. You may opt out at any time.
  • To comply with our legal and regulatory obligations.
  • To prevent fraud, abuse, and security threats.
  • To enforce our Terms of Service.

We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.

6. Sharing and Processors

We share personal data only with trusted sub-processors that are necessary to operate the Platform, and only to the extent required for those purposes. All sub-processors are bound by data processing agreements. Our current sub-processors are:

ProcessorPurposeLocation / Transfer Mechanism
Vercel / AWS / HetznerCloud hosting and infrastructureEEA / UK / US (Standard Contractual Clauses)
PostHogProduct analytics (anonymised)EEA
Resend / SendGridTransactional email deliveryUS (Standard Contractual Clauses)
StripePayment processingEEA / US (Standard Contractual Clauses)
Meta (WhatsApp Business API)WhatsApp messaging integrationUS (Standard Contractual Clauses)
OpenAI / AnthropicAI feature processing (no training on customer data)US (Standard Contractual Clauses)

We may also disclose personal data to: (a) law enforcement or government authorities where required by law; (b) our professional advisers (lawyers, accountants, auditors) under confidentiality obligations; (c) a successor entity in the event of a merger, acquisition, or sale of assets, in which case we will notify you in advance.

7. International Transfers

Some of our sub-processors are based outside the UK. Where we transfer personal data to countries that do not benefit from a UK adequacy decision, we rely on one or more of the following safeguards:

  • UK International Data Transfer Agreements (IDTAs) or addenda to the EU Standard Contractual Clauses (SCCs) approved for UK use.
  • The UK adequacy decision for EEA transfers.
  • The UK-US Data Bridge where applicable.

You may request a copy of the relevant transfer mechanism by contacting [email protected].

8. Retention Periods

Data CategoryRetention PeriodBasis
Account and profile dataDuration of account + 12 monthsContract / legal obligation
Billing records and invoices7 yearsLegal obligation (HMRC)
Support communications3 years from last contactLegitimate interests
Platform activity logs12 months rollingSecurity / legitimate interests
Analytics data (anonymised)26 monthsLegitimate interests
Marketing consent recordsUntil consent withdrawn + 3 yearsLegal obligation
CRM Data (customer data)30 days post-termination then deletedContract (DPA)

After the applicable retention period, personal data is securely deleted or anonymised. Where anonymisation is not possible (e.g. backup tapes), data is isolated and not accessed until it is overwritten or destroyed.

9. Your Rights

Under the UK GDPR you have the following rights. We will respond to valid requests within one calendar month (extendable by a further two months for complex requests, with notice):

Right of Access (Article 15)

You may request a copy of the personal data we hold about you, together with information about how and why we process it.

Right to Rectification (Article 16)

You may ask us to correct inaccurate personal data or complete incomplete data we hold about you.

Right to Erasure (Article 17)

You may ask us to delete your personal data where it is no longer necessary for the purpose it was collected, you withdraw consent, or processing is unlawful. This right is not absolute and does not apply where we have a legal obligation to retain data.

Right to Restriction (Article 18)

You may ask us to suspend processing of your data (for example, while you contest its accuracy) without requiring us to delete it.

Right to Data Portability (Article 20)

Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, machine-readable format.

Right to Object (Article 21)

You may object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or where processing is for the establishment, exercise, or defence of legal claims.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing (including AI-generated matching) that produces a legal or similarly significant effect. We do not make final decisions about individuals by fully automated means.

Right to Withdraw Consent

Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

10. Exercising Your Rights

To exercise any of your rights, contact us at [email protected] with the subject line “Data Subject Request”. Please include:

  • Your full name and the email address associated with your Bloc account.
  • A clear description of the right you wish to exercise and the data concerned.
  • Any information that will help us locate your data quickly.

We will acknowledge your request within 72 hours and respond fully within one calendar month. We may ask you to verify your identity before processing the request. We will not charge a fee unless a request is manifestly unfounded or excessive, in which case we will notify you before charging.

If your request relates to data processed by Bloc on behalf of an estate agency customer (e.g. your personal details in their CRM), you should contact that agency directly. We will forward requests to the relevant customer where we are able to identify them.

11. Bloc as Data Processor (Business Customers)

When estate agency customers use the Platform to manage their own client data (vendors, buyers, landlords, tenants, applicants), Bloc acts as a data processor and the customer is the data controller.

Data Processing Agreement

A Data Processing Agreement (DPA) is available to all business customers and forms part of the contract between Bloc and those customers. The DPA sets out:

  • The subject matter, duration, nature, and purpose of processing.
  • The type of personal data processed and categories of data subjects.
  • Our obligations as processor, including confidentiality, security, sub-processor notification, and data subject rights assistance.
  • Return and deletion of data on termination.
  • Our sub-processor list and change notification process.

Customers may request a copy of the DPA or sign the DPA by contacting [email protected].

Customer Responsibilities

Business customers are responsible for ensuring they have a lawful basis for every use of personal data within their Workspace, maintaining an appropriate privacy notice for their own clients, and responding to data subject rights requests in respect of their CRM Data. Bloc will provide reasonable assistance to customers in meeting these obligations.

Security Measures

We implement appropriate technical and organisational measures (TOMs) to protect personal data processed on behalf of customers, including: encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, multi-factor authentication, regular penetration testing, and audit logging.

12. Children's Data

The Platform is not directed at, and should not be used to process data of, individuals under the age of 18 except to the minimum extent necessary for a lawful property transaction (for example, where a tenant is a minor co-signatory with parental consent). Bloc does not knowingly collect personal data from children under 13 for any purpose.

If you believe we hold personal data of a child without appropriate authorisation, please contact us immediately at [email protected].

13. Changes to This Notice

We may update this notice at any time to reflect changes in our practices or applicable law. We will notify you of material changes by email or in-app notification at least 14 days before they take effect. The current version is always available at bloc.matchouse.com/gdpr.

We recommend you review this notice periodically. Continued use of the Platform after any changes take effect constitutes acceptance of the updated notice.

14. Contact and Complaints

For any data protection query, subject access request, or concern, please contact:

Bloc Data Protection Team

Email: [email protected]

Percy Real Estate Ltd (trading as Bloc)

25 Cabot Square, Canary Wharf, London E14 4QZ

Complaints to the ICO

If you are not satisfied with our response to a data protection concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

Information Commissioner's Office

Website: ico.org.uk

Telephone: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We encourage you to contact us first so that we can resolve your concern directly, but you are always entitled to approach the ICO at any stage.

Privacy PolicyTerms of ServiceService Level Agreement

This notice was drafted in accordance with UK GDPR, the Data Protection Act 2018, and applicable ICO guidance.

This notice is governed by the laws of England and Wales.

Percy Real Estate Ltd — Registered in England and Wales. Company Number: 15525233.