This is the privacy notice for Retrace Software Limited (referred to hereafter as Retrace, Our or We). This privacy notice sets out the basis on which any personal data We collect from data subjects (as defined below) or which data subjects provide to us, directly or indirectly, will be processed by the Retrace. Please read the following carefully to understand our views and practices regarding personal data and how We treat it.

Retrace Software Limited is a company registered in England and Wales under company number 11002419. Our registered office is at Sg House, 6 St. Cross Road, Winchester, Hampshire, England, SO23 9HX.

For the purpose of the General Data Protection Regulation 2016/679 and the Data Protection Act 2018 (save where otherwise identified) and with respect to the companies identified above, the data controller is Retrace Software Limited, which is registered at the Information Commissioner’s Office under ICO registration number ZA304636.

Retrace Software Limited can be contacted at the registered office address or


In this statement We have used certain terms which are set out in the General Data Protection Regulation 2016/679 (GDPR or the Regulation):

personal data means: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

controller means: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

processor means: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

processing means: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


Retrace develops and invests in software. Our products and services include:

Retrace: we design and deploy data rooms for the benefit of the property market. These facilitate ease of access to commercial information, including sales memoranda, dynamic charts, videos and images. Our services allow our clients to track new users and activity; it also allows clients and users to ensure that all information is up to date.


Depending on the nature of the interaction, We act as a processor in that We are acting upon instructions from our clients when We provide our services to them. When We control the purposes and means of the processing of personal data, such as processing our employee’s personal data, We are a controller, as defined under the Regulation.


We collect personal data for a number of purposes in order to transact our business. This includes the collection of personal data that identifies data subjects when they sign up to our services or our mailing list, or communicate with Retrace. If a data subject shares any access requirements or other special requirements with us We will note this in the relevant record within our information management system. We keep a record of the emails We send and We may track whether the data subject has received them, so We can make sure We are sending the most relevant information. When We collect personal data We store it under a strict safeguarding and confidentiality regime.

In general, we collect and process personal data which relates to the services we offer. We only process personal data to the extent that this is necessary for the provision of our services. We do not process personal data which is not required by Retrace, and any additional processing of personal data is incidental only. We delete personal data once it is no longer needed.


General: Retrace only processes personal data to provide data subjects with information or services that they have requested, to meet contractual requirements and comply with administrative duties, sectoral regulations and the general law. Personal data collected this way will only be used to provide data subjects with information that they would reasonably expect or have agreed to. When We run activities in partnership with other organisations We will only share personal data with them if (where this is a requirement under the Regulation) a data subject has given us consent to do so; or in accordance with the Regulation. We do not share or sell personal data with other organisations to use for their own purposes without data subjects’ consent. As set out below, We may pass personal data to third-party service providers contracted to us. In these circumstances, the third party will be obliged to keep personal data secure, and to use them only to fulfil their contractual obligations to Retrace. When they no longer need personal data to fulfil this service, they will dispose of the details in line with our data retention policy, the Regulation and our contract with them.

Employees: Retrace employees provide Retrace with their personal data though email, digital or paper-exchange, for the employee and Retrace to undertake a normal employer-employee relationship. Personal data collected might include a name, mobile number, email address, home address, photo, post code and notes about their role and skills. We collect sensitive personal data with respect to health, as necessary and in a proportionate manner. Personal data of Retrace employees is controlled by Retrace and is processed within third party platforms used to help us provide standard employment requirements such as payment of the employee through a third-party payroll business; or dissemination of payment data to HMRC, as is required by law. All Retrace employee data is used in accordance with the Regulation to ensure that the relationship between the employee and Retrace is undertaken in a manner that is consistent with the legal expectations of the parties in addition to third parties (such as HMRC, as referred to above). Retrace employee personal data is stored within Retrace for the duration of the employee’s contract with Retrace.


We may share information with third parties so that they can assist us in providing our services. Such third parties could include:

  • Clients, suppliers, consultants and sub-contractors for the performance of any contract We enter into with them (for example, so that our platform can work effectively, We may engage with contractors to carry out part of our services.)
  • Analytics and search engine providers that assist us in the improvement and optimisation of our site.

Please note: We will disclose personal data to third parties:

  • If Retrace (as a whole) or substantially all of its assets are acquired by a third party, in which case personal data held about data subjects will be one of the transferred assets.
  • If Retrace is under a duty to disclose or share personal data to comply with any legal obligation, or in order to enforce or apply terms and other agreements (but subject, always, the Regulation); or to protect the rights, property, or safety of Retrace, our clients, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.


We only process personal information where We have a lawful basis for doing so. These are:


Where We process personal data as a result of data subject consent, We ensure that consent is freely given, specific and informed, and established by a clear affirmative act. Where a data subject wishes to withdraw consent, We have set out below how this may be done.

Contract Performance

Where We enter into a contract with third parties, processing of personal data may, as a matter of course, be necessary to execute such contract or take pre-contract preparation steps.

Legal Obligations

Where We have legal obligations, processing of personal data may be required by law. This may include contact with our regulators or public institutions.

Legitimate Interest

Where We process personal data as it is necessary for the purpose of our legitimate interests, We do so on the basis of a balanced evaluation of our interests and those of relevant data subjects. We may therefore contact data subjects about things which We feel are of interest or which, based on what We know about data subjects. This will from time to time include marketing and raising awareness, but at any stage data subjects can tell us that they do not want to receive such information and We will stop contact.


Consent should be as easy to withdraw as it is to give; and data subjects may ask, at any time, that We do not process their personal data. A data subject may contact us to withdraw consent using the contact details at the end of this privacy statement. Equally, where We process personal data based on our legitimate interest, a data subject has a right to request that We stop processing personal data for our legitimate interests.


We take appropriate physical, electronic and managerial measures to ensure that We keep information secure, accurate and up to date, and that We only keep it as long as is reasonable and necessary. Any external providers We use to process personal data (for instance the operators of our contact management system) must meet our security policies and comply with all relevant legislation about how they store and process personal data. We may also receive information about data subjects from third parties.


At a data subject’s request, We will confirm the information We hold and how it is processed. A data subject can request the following information:

  • Identity and the contact details of the person or organisation that has determined how and why to process personal data.
  • The purpose of the processing as Well as the legal basis for processing.
  • If the processing is based on the legitimate interests, information about those interests.
  • The categories of personal data collected, stored and processed.
  • Recipient(s) or categories of recipients that the personal data is/will be disclosed to.
  • If We intend to transfer the personal data to a third country or international organisation, information about how We ensure this is done securely.
  • How long the personal data will be stored.
  • Details of rights to correct, erase, restrict or object to such processing.
  • Information about the right to withdraw consent at any time.
  • The source of personal data if it wasn’t collected directly from the data subject.
  • Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as Well as the significance and expected consequences of such processing.

What forms of ID will I need to provide in order to access this?

We accept the following forms of ID when information with respect to personal data is requested: passport, driving licence, birth certificate, utility bill from the previous 3 months.


Where We process sensitive personal data in acting as a processor, We do so on the basis that the controller has established a lawful exception to the prohibition on processing sensitive personal data under Article 9 of the Regulation; and where We are processing the sensitive personal data of employees, we do so pursuant to its employment relationship with its personnel and so uses the exception set out in paragraph 2(b) of Article 9 of GDPR.


Storing: We use cloud providers to store our personal data. Personal data may be transferred to and stored at a destination outside of the European Economic Area (EEA).

Processing: We may use third parties to help us deliver our services and they may be based outside the EEA. Where data is transferred outside the EEA, We adhere to compliance mechanisms that are identified by the European Commission, for example, the use of EU model contract clauses or conformity to US Privacy Shield.

Where We are the processor: in general, personal data is stored in the locations required by our clients. Periodically, our clients may agree specific terms as to where customer data, venue employee data and head office employee data is stored by us. At all times, We act in accordance with the Regulation.


We have a data retention policy which sets out how long it will store personal data, which is consistent with Article 5 of the Regulation. Retrace only keeps personal data for as long as is necessary. For example, Retrace is required to retain certain information in accordance with the general law, where information needed for income tax and audit purposes. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices. Personal data may be held in addition to these periods depending on Retrace’s business needs, which are balanced against the requirements of GDPR and the rights of the individual.

Where We are the controller

We will retain personal data for as long as necessary. As described above, in some cases, We will have a legal or statutory obligation to retain information for a set period, such as the limitation period.

Where We are the processor

Personal data is stored as instructed by the controller in accordance with their approach to retention of personal data provided that this is within GDPR.


In order to provide our services to our clients and their customers, Retrace defines the different categories of personal data and works with carefully selected third parties. Some of our selected third parties are required to process personal data on our behalf, in compliance with our role as both a controller and processor.


We have implemented security measures that are designed to help protect the personal data We collect or receive in connection with our services, from unauthorised access or disclosure. For example, We use encryption techniques to ensure the security of data; We also use password protection. However, no transmission or storage of data can be guaranteed to be completely secure and We cannot ensure or warrant the security of any information which We collect and store.


We strive to provide data subjects with choices regarding certain personal data uses, particularly around marketing and advertising. We have established the following personal data control mechanisms:

Promotional offers from Retrace: We may use activity disclosed to us to form a view on what we think a data subject may want or need, or what may be of interest. This is how We decide which products, services and offers may be relevant for the data subject, who will receive marketing communications from Us if you have requested information from us or purchased goods or services from Us and in each case, you have not opted out of receiving that marketing.

Third-party marketing: We will get your express opt-in consent before we share your personal data with any company outside of estate create for marketing purposes.

Opting out: You can ask Us or third parties to stop sending You marketing messages at any time by contacting estate create on at any time.


Where there is a requirement to contact data subjects or the supervisory authority in the event of an unauthorized breach or disclosure of personal data, We will get in touch with the supervisory authority (which in Retrace’s case is the Information Commissioner on the United Kingdom) and with affected data subjects – in each case, in the event of the unauthorized disclosure of personal data which results in a risk (or high risk) to the rights and freedoms of data subjects.


Our website may contain links to other websites of interest. However, once these links to leave our site have been used, We do not have any control over that other Website. Therefore, We cannot be responsible for the protection and privacy of any personal data which is provided whilst visiting such sites and such sites are not governed by this privacy statement. Our recommendation is to exercise caution and look at the privacy statement applicable to the website in question.


We use cookies to distinguish data subjects from other users of our Website. This helps us to provide a good experience when browsing our website and allows us to improve our site. By continuing to browse the site, the viewer are agreeing to our use of cookies. A cookie is a small file of letters and numbers that We store on a browser or the hard drive of a computer. Cookies contain information that is transferred to the computer’s hard drive. We use the following cookies:

Strictly necessary cookies

These are cookies that are required for the operation of our website. They include, for example, cookies that enable users to log into secure areas of our website.

Analytical/performance cookies

They allow us to recognize and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily

Functionality cookies

These are used to recognize data subjects when they return to our website. This enables us to personalise content, greet returners by name and remember preferences (for example, choice of language or region).

Targeting cookies

These cookies record visits to our website, the pages visited and the links followed. We will use this information to make our Website more relevant.


How do I block first party cookies?

It is possible to block first party cookies by activating the setting on a browser that allows you to refuse the setting of all or some cookies. If you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.


We may use Google Analytics cookies to track anonymous usage statistics but We do not collect any personal information that can be used to identify data subjects. This data helps us analyze Web page usage and improve our Website to tailor it to our audience needs.

Google Analytics stores information about what pages you visit, how long you are on the site, how you got there and what you clicked on.

These are cookies served by a third-party service provider and are usually used to identify a computer when it visits another Website, for example, when a data subject logs in to a social media site to share an article.

How do I block third party cookies?

Third party cookies may be blocked by activating the settings on your browser that allows you to refuse the setting of all or some cookies. However, if browser settings are used to block all cookies (including essential cookies) data subjects may not be able to access all or parts of our site.


For more information on cookies, go to


Data subjects have a right to complain about the way We process personal data and can register their concern by contacting the Information Commissioner and following the instructions set out at


Retrace Software Limited
Address:Sg House
6 St. Cross Road
England, SO23 9HX
FAO Data Protection Owner