GDPR & Lead Data

How Sift handles UK GDPR compliance for estate agent lead data — consent, erasure, and data subject rights

Sift is designed for UK estate agents who are subject to UK GDPR (Data Protection Act 2018). This page explains what data Sift holds, how consent works, and how to respond to data subject requests.

Roles Under UK GDPR

| Role | Party | Responsibility |
|---|---|---|
| Data Controller | Your estate agency | Decides why and how personal data is processed; responsible for getting consent from leads |
| Data Processor | Sift | Processes data on behalf of the controller (qualifying leads, storing conversations) |

As the data controller, your agency is responsible for:

  • Having a lawful basis for processing lead enquiries (typically "legitimate interests" for property enquiries, or explicit consent via the Sift widget)
  • Responding to data subject rights requests from leads
  • Maintaining your own privacy policy that covers Sift's involvement

Sift's role is to give you the tools to honour those obligations — not to replace your compliance obligations.

What Data Sift Holds

For each lead that contacts your agency through Sift, the following data is stored:

Lead record:

  • Name (if provided during conversation)
  • Email address (if provided)
  • Phone number (if provided via SMS)
  • Qualification score and status
  • Property preferences (budget, bedrooms, location, type)
  • UK qualification signals (chain status, mortgage status, buyer scheme, stamp duty position)

Conversation data:

  • Full message history (all messages from the lead and Sift's AI responses)
  • Channel (Web Widget, SMS, or Email)
  • Timestamps
  • Consent record (when and how consent was given)

What Sift does NOT hold:

  • Payment details (processed by Stripe, not stored in Sift)
  • Rightmove or Zoopla profile data
  • Property viewing records (unless captured during conversation)

How Consent Works

Web Widget

When a lead opens the web widget for the first time, a consent panel appears before the message input is enabled. The lead must click "Accept & Start Chat" before any personal data is captured. If they decline, no data is recorded.

The consent statement, the timestamp, and the version of the privacy policy shown are all recorded in Sift's database against the conversation.

The consent panel displays your agency's name and links to your privacy policy. You can configure the privacy policy URL in Deploy → Web Widget → Widget Settings.

Email Channel

When a lead emails your Sift inbound address, their act of sending the email constitutes consent to process the enquiry. This mirrors standard practice for property enquiries. Consent is recorded automatically.

SMS Channel

When a lead texts your Sift SMS number, their act of sending the message constitutes consent. Consent is recorded automatically.

Responding to Data Subject Requests

Under UK GDPR, leads have rights over their personal data. Here is how to fulfil each right using Sift.

Right of Access (Article 15 — Subject Access Request)

If a lead asks "what data do you hold about me?", you can export everything Sift holds about them. Lead data export requires a Growth or Scale plan.

  1. Go to Leads in the sidebar. Search by name, email, or phone.
  2. Click the lead's row to open their detail panel on the right.
  3. Click Export Lead Data at the bottom of the panel. This downloads a JSON file containing all stored data: lead record, full conversation history, consent records, and timestamps.

You have 30 days to respond to a SAR from the date of the request.

Right to Erasure (Article 17 — Right to Be Forgotten)

If a lead asks you to delete their data:

  1. Go to Leads in the sidebar and locate the lead.
  2. Click the lead's row to open their detail panel. Click Erase Lead Data at the bottom of the panel.
  3. A confirmation prompt will appear. Type ERASE to confirm. This permanently deletes:

  • The lead record (name, contact info, qualification data)
  • All conversation messages
  • All conversation metadata

The consent record in Sift's audit log is retained without personal identifiers — this preserves the evidence that consent was granted and later withdrawn, as required for regulatory defensibility, without retaining any PII.

Erasure is permanent and cannot be undone. Export the lead data first if you need a record for your own files before deleting.

You have 30 days to complete an erasure request from the date of receipt.

Right to Rectification (Article 16)

If a lead asks you to correct inaccurate data (e.g., a misspelled name):

  1. Open the lead record in the Leads dashboard
  2. Edit the relevant fields directly — name, email, and phone are editable
  3. Save changes

Sift does not store historical versions of the lead record, so corrected data takes effect immediately.

Bulk Deletion

To delete all lead data at once (e.g., when offboarding from Sift):

Go to Settings → Data Management and use the bulk delete options. This covers all leads, conversations, and messages. See Data Management for details.

Consent Audit Trail

Sift maintains a consent event log. Each log entry records:

  • Event type (consent granted or withdrawn)
  • Channel (Web Widget, Email, or SMS)
  • Timestamp
  • Privacy policy version shown at time of consent

This audit trail is available on request for ICO inspections or litigation. Contact support@sift.software to request a consent audit export for your organisation.

The audit trail is retained even after a lead's personal data is erased — the record shows "consent was granted at TIME, erased at TIME" without containing any lead PII.

Data Retention

Sift does not automatically delete lead data after a fixed period. You are responsible for your agency's retention policy.

Recommended practice for UK estate agents:

| Data type | Suggested retention |
|---|---|
| Active leads (enquiring within 24 months) | Retain — you may still transact with these buyers/tenants |
| Cold leads (no activity for 24+ months) | Review and erase unless you have a specific reason to retain |
| Completed transactions | Retain for 6 years (HMRC records, AML obligation) — note: Sift holds conversation data, not completion records |

Use Settings → Data Management → Delete All Leads to bulk-erase old leads, or erase individual leads who have specifically requested it.

Data Processing Agreement

For agencies that require a formal Data Processing Agreement (DPA) under Article 28, email legal@sift.software. A DPA is typically required by:

  • Corporate chains and franchise networks
  • Agencies undergoing external compliance audits
  • Agencies whose own DPO has requested one

Independent agencies operating under their own ICO registration generally do not need a separate DPA with Sift — your standard terms of service incorporate the required processor obligations.

Data Location

All lead data is stored in the UK on Supabase infrastructure (AWS eu-west-2, London). Data does not leave the UK.

ICO Registration

As a data controller, your estate agency must be registered with the Information Commissioner's Office (ICO). Sift does not require you to list Sift explicitly in your ICO registration, but your privacy policy should reference that you use third-party AI tools to process enquiries.

If you are not yet registered with the ICO, register here. Annual registration costs £40–60 for most small agencies.
