Annington commits to protecting any personal information we obtain about you, whether you are renting or buying a property or if you are working with us.

This Privacy Policy sets out how and why we obtain, use, and protect your personal information if you interact with us in one of these roles.

In the event you work with us in another way, for instance take part in a charitable event or apply for a job at Annington, there may be a separate Privacy Policy which describes how we use that data.

This privacy notice explains how and why Annington Limited (“we, us, our”), part of the Annington Group of companies (each such company and all such companies together referred to as “Annington”), uses personal data collected through the website (the “Website”), about individual visitors to and users of the Website (“you, your”).

You should read this notice, so that you know what we are doing with your personal data.

This notice explains how we use your personal data when you visit or use our Website. Depending on your relationship with us, or Annington more widely, we or Annington may use your personal data for other purposes and one or more other Annington privacy notices may then also apply to such specific uses of your personal data.

Please also read any such other privacy notices from us or Annington.

Add-On Privacy Policies

For specific details information explaining how and why Annington Management Limited (also referred to as “Annington”, “we”, “our” and “us”) uses personal data about different type of stakeholders, please refer to the add-on privacy notices below.

Annington’s data protection responsibilities

Personal data” is any information that relates to an identifiable natural person. Your name, address and contact details can be examples of your personal data, if they identify you. We use the term “Sensitive data” to mean ‘special categories of personal data’ (such as personal data revealing details of health, race, or union membership) and/or personal data which amounts to ‘criminal offence/records’ data (such as criminal allegations, charges or outcomes) both terms as being defined in data protection law.

The term “process” means any activity relating to personal data, including, by way of example, its collection, storage, use, transmission and deletion.

We are a "controller" of your personal data. This means that we make decisions about how and why we process your personal data in relation to the operation of our Website and, because of this, we are responsible for making sure it is used in accordance with data protection laws.

What types of personal data do we collect through our Website and where do we get it from?

We collect and process different types of personal data about you when you visit our Website, or where you otherwise communicate or engage with us. 

It is your responsibility to make sure the personal data you provide to us is complete and accurate and you must help us to keep it accurate and up to date. If you have a current or ongoing relationship with us and any of the personal information you have given to us changes, such as your contact details, please inform us without delay by contacting

The table below sets out the different types of personal information that we collect when you visit or use our Website. The details will be collected directly from you but sometimes through the device you use to access our Website and/or your browser (such as the details of your device, its IP address and screen size) and where explained in our cookies policy below (subject, where relevant, to your prior consent), from cookies deposited on your device when you visit our Website.

Occasionally, we will use your personal data when it has been provided by a person on your behalf when using our Website, such as your spouse, partner, a relative, or your other representative e.g. your agent, solicitor or other professional adviser (your “Representative”).

Website collection of types of personal data

  • IP address, other online identifiers and details about your browser and device  (“Communication Data”)
  • User names, passwords and other log-in information (as applicable)
  • Subject to our cookies policy and, where relevant, your consent to cookies, details of your online browsing activities on our Website, such as the pages or areas of our Website that you visit
  • Your account settings including any default preferences and any preferences we have observed.
  • Any Sensitive Information you or your Representative chooses to share with us.


What do we do with your personal data collected through the Website and why?

We process your personal data for particular purposes in connection with your use of our Website and, dependent on such use and your relationship with us, to deal with your enquiry or your communication or other engagement with us, and the management and administration of our business.

We are required by law to always have a “lawful basis” (i.e. a permitted reason or justification) for processing your personal data. The table below sets out the purposes for which we process your personal data and the relevant lawful basis on which we rely for that processing.

Please note that where we have indicated below that our processing of your personal data is either:

necessary for us to comply with a legal obligation; or

necessary for us to take steps, at your request, to potentially enter into a contract with you, or to perform it,

and you choose not to provide the relevant personal data to us, we may not be able to enter into or continue our contract or engagement with you.



Lawful basis



Purposes of processing

Your consent

To perform a contract with you

To comply with a legal obligation

For our legitimate interests


Communications with you


Responding to your requests, enquiries and/or customer complaints, including sending you details of properties you have requested




(where mandatory for us to do so by law)



(to respond to you in relation to such matters)









Sending you information (including direct marketing) as set out in the section “How do we communicate with you?”, below



(direct marketing information where we need your consent)


(keeping you updated)



(to keep you updated on transactions, orders and with other helpful updates and direct marketing in other cases)









Website Information


Ensure the proper operation and performance of the Website

(please also see our Cookies Policy)




(to record cookie consent state)


(to ensure the Website functions correctly)


To improve the functionality of the Website






(to keep the Website up to date and improve its functionality for your benefit )


To enable you to create accounts and log-in to them via the Website






(to grant you access to a private log-in where you can securely and easily access information relevant to you)






All categories






Establishing and enforcing our legal rights and obligations and monitoring to identify and record fraudulent activity






(to protect our business, other buyers and the public from fraud and crime – this is also in the public interest and may be needed to deal with legal claims)



Complying with requests, orders and instructions from law enforcement agencies, regulators, any court, parties to proceedings or otherwise deal with obligations required by law or regulators and to ensure good governance and compliance





(where binding)


(where not binding but good governance and in the public interest)



For our general record-keeping and relationship management



(if you contract with us as an individual)



(where you represent your employer or organisation, or a buyer or tenant who contracts with us and we need this to run our business properly)



Managing the proposed sale, restructuring or merging of any or all part(s) of our business, including to respond to queries from the prospective buyer or merging organisation






(to sell any part of our business)


To keep records required by law or to evidence our compliance with laws, including tax laws, consumer protection laws and data protection laws.






✔ (including compliance with related regulatory guidance and best practice)


Resolving any complaints from or disputes with you



(if with you as an individual)



(to try and resolve any complaint or dispute you might raise with us and to deal with legal claims)



We may also convert your personal data into statistical or aggregated form to better protect your privacy, or so that you are not identified or identifiable from it. Anonymised data cannot be linked back to you. We may use it to conduct research and analysis, including to produce statistical research and reports. For example, to help us understand and improve the use of our Website.

X (formerly known as Twitter)

Annington has an X feed (formerly known as Twitter) on its Website, which displays posts by Annington, and posts that Annington has reposted. These posts may contain individuals’ personal data.

If a post on the Website X feed contains your personal data and you are not happy with it appearing on the Website’s X feed, please contact us using the contact details at the end of this privacy notice, and we will remove the retweet (subject to any X limitations that prevent us from doing so).

Sensitive Information collected through the Website

If volunteered by you or your Representative, some of the processing described in the above table will include the processing of Sensitive Information, which we are required to process with more care in order to meet our legal obligations.

We will only process your Sensitive Information for the reasons explained above and either with your explicit consent or for meeting our legal obligations, such as making reasonable adjustments to how we deal with you.

Who do we share your personal data with, and why?

Sometimes we need to disclose your personal data to other people.

From time to time we may ask third parties or other Annington Group companies to carry out certain business functions for us, such as the administration of our Website and IT support. These third parties will process your personal data on our behalf (as our processor). We will disclose your personal data to these parties so that they can perform those functions. Before we disclose your personal data to these third parties, we will seek to ensure that they have appropriate security standards in place to protect your personal data. Examples of these third party service providers include our providers of IT systems software and maintenance, back up, and hosting services.

In certain circumstances, we will also disclose your personal data to third parties who will receive it as controllers of your personal data in their own right (for the purposes set out above), where the relevant disclosure is:

  1. if we buy or sell our business (or part of it) in connection with a share or asset sale, we may disclose or transfer your personal data to the prospective seller or buyer and their advisors; and
  2. if we need to disclose your personal data in order to comply with a legal obligation, to enforce a contract or to protect the rights, property or safety of our employees, customers or others.

We have set out below a list of the categories of recipients with whom we are likely to share your personal data:

  1. IT support, Website and data hosting providers and administrators;
  2. your Representative, or (if you are a Representative) the individual(s) you represent;
  3. consultants and professional advisors including legal advisors, auditors and accountants;
  4. courts, court-appointed persons/entities, receivers and liquidators;
  5. business partners and joint ventures;
  6. insurers; and/or
  7. governmental departments, statutory and regulatory bodies including (in the UK) the Information Commissioner’s Office, the police and Her Majesty’s Revenue and Customs.

Where in the world is your personal data transferred to?

Annington is UK based and the majority of our processing of your personal data takes place within the UK. However, some of our service providers (please see above) may have processing operations in other jurisdictions and in those cases your personal data can be transferred to recipients outside the UK.

Although data protection laws in some jurisdictions may not provide the same level of protection for your personal data as is provided under the laws in the United Kingdom, we will only transfer your personal data abroad as permitted by law. This includes allowing transfers:

  1. to a country which is recognised as already ensuring an adequate level of protection applies to personal data;
  2. where appropriate safeguards are put in place with the recipient to protect your personal data, such by use of the official approved standard contractual clauses used for this purpose (called the International Data Transfer Agreement, or the UK Addendum) - please contact if you wish to obtain a copy of these;
  3. where the transfer is necessary for a permitted reason specified in data protection law; or
  4. where you consent to the transfer.

How do we keep your personal data secure?

We will adopt security measures to provide appropriate protection for your personal data from unlawful or unauthorised processing and accidental loss, destruction or damage.

How long do we keep your personal data for?

We will only retain your personal data for a limited period of time and for no longer than is necessary for the purposes for which we are processing it.

Your personal data may be retained following completion of such processing where permitted by law, including:

  1. to comply with any applicable laws or regulations;
  2. to deal with any legal or other type of dispute; and
  3. where we are asked by you or a regulatory authority to keep your personal data for a valid reason.

How do we communicate with you

We may use your personal data in order to contact you in relation to your interactions with us, services, promotions and/or offers which may be of interest.

In each case, such communications will be based on our legitimate interest and you will have the right to opt-out of receiving marketing communications from us at any time.

To the extent that we send any other direct marketing to you (on a business to consumer basis), we will ensure that we have a lawful basis and provide you with the opportunity to opt-out of receiving such communications where we rely on legitimate interest, or (where necessary) obtain your explicit consent.


Please see our separate Cookies Policy.

What are your rights in relation to your personal data and how can you exercise them?

Where our processing of your personal data is based on your consent (please see above), you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal data for that purpose, unless there is another lawful basis we are relying on – in which case, we will let you know.

Where our processing of your personal data is based on the legitimate interests (please see above), you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim.

Where we are processing your personal data for direct marketing purposes, you have the right to object to that processing. This will not affect our need to keep in touch with you for non-marketing reasons, such as when we are dealing with a request by you or query from you.

You have the right (subject to applicable laws and certain limitations) to:

  1. access your personal data and to be provided with certain information in relation to it, such as the purpose for which it is processed, the persons to whom it is disclosed and the period for which it will be stored;
  2. require us to correct any inaccuracies in your personal data without undue delay;
  3. require us to erase your personal data;
  4. require us to restrict processing of your personal data;
  5. receive the personal data which you have provided to us, in a machine readable format, where we are processing it on the basis of your consent or because it is necessary for your contract with us (please see the tables above) and where the processing is automated; and
  6. object to a decision that we make which is based solely on automated processing of your personal data (however, we do not currently conduct any such decision making).

You also have the right to lodge a complaint with the Information Commissioner’s Office, the UK’s data protection regulator. More information can be found on the Information Commissioner’s Office website at

Updates to this notice

We may update this notice from time to time to reflect changes to the type of personal data that we process and/or the purposes for which and/or the way in which it is processed. We encourage you to check this notice on a regular basis.

Where can you find out more?

If you want more information about any of the subjects covered in this privacy notice or if you would like to discuss any issues or concerns with us, you can contact us at Hays Lane House, 1 Hays Lane, London, SE1 2HB or via

12 July 2024