Privacy policy

This policy is effective from 12th May 2026 and explains how COHO handles your personal data. It’s written to be clear and simple so you know exactly what we do and why.

By using the COHO website, app, or services, you agree to this policy.

If you have any questions about this policy, just email us at support@coho.life.

Our role under data protection law

COHO acts as a data controller for the personal information we collect directly from you. For example, when you create an account, use the platform, contact our support team, or browse our website. We decide how and why that data is used, and we explain it throughout this policy.

If you’re a tenant or other individual whose information has been added to COHO by a property manager, then COHO is not the controller of that data. In that case, we act only as a data processor, storing and handling the data on behalf of the person or organisation who entered it. They are the data controller and they decide what information to collect, how it’s used, and how long it’s kept. If you have questions about that data or want to exercise your rights, you should contact the property manager directly.

If you’re a property manager or agent, you become a data controller for any personal information you enter into COHO about other people, such as tenants, landlords, guarantors, or members of your team. We process that data only on your instructions, and only so you can use the COHO platform. You’re responsible for making sure you have a lawful basis to collect and use that data.

We explain more about our responsibilities as a data processor in our terms and conditions.

What we collect

We collect personal information in a few different ways.

When you create an account, we collect details like your name, email address, and password. When you use COHO, we store information about your organisation, the properties, tenants, and teams you manage, along with logs of your activity.

If you contact us for help or support, we’ll keep copies of your messages and correspondence.

We also collect some technical details automatically, such as your IP address, browser type, and which pages you visit. This helps us keep the service running smoothly.

Why we collect it

We only collect and use your data when we have a valid reason.

Most of the time, this is because it’s needed to provide the service you signed up for. That includes letting you log in, helping you manage your properties, sending invoices, or responding to support requests.

We also use data to improve COHO, fix bugs, and make sure the platform runs securely. In some cases, we may need to process your data to meet our legal obligations for example, for tax or fraud prevention.

FastTrack

If you use our FastTrack service, you may give us files or access to another property management system so we can import data into COHO. During this process our authorised staff or contracted support team may temporarily download and handle that data.

Files may be stored briefly in a secure cloud workspace (for example, a COHO-managed Google Drive folder) to enable transfer. Data may be temporarily transferred outside the UK/EU (to India), but we ensure safeguards are in place to keep it protected under UK GDPR. All data stored in this way is deleted once the FastTrack process is complete, and we only use this data to complete your onboarding into COHO.

Our India-based onboarding consultants are on our sub-processor list and work under an executed UK International Data Transfer Agreement.

Who sees your data

We never sell your data, and we keep it confidential.

Sub-processors. We use trusted service providers, known as sub-processors, to help us deliver the COHO service. These include cloud hosting, email, customer support, engineering tooling, and analytics providers. Some of our support teams are based outside the UK/EEA (in India), supporting both FastTrack onboarding and first-line customer support. All sub-processors are required to meet our privacy and security standards. Our current sub-processor list includes each sub-processor’s purpose, location, and transfer mechanism.

Independent third-party recipients. When you use certain features, your information may also be shared with third parties who act as independent controllers in their own right and not as our sub-processors. The contractual relationship in each case is between the property manager and the third party directly:

  • Advanced Rent and Canopy for tenant referencing, when a property manager initiates a referencing request.
  • Salt Edge for open banking (Account Information Services), where a tenant connects their bank account to share affordability data.
  • GoCardless for Direct Debit collection, where a property manager has set up their own GoCardless account through COHO.

Each of these third parties handles your data under its own privacy policy.

Support and regulators. If you contact us for help, our support staff (including support partners outside the UK/EEA, under safeguards described in “International transfers” below) may have access to respond. We may also share information with regulators or law enforcement where required by law.

Other COHO users. If you choose to share data through COHO (for example, with property team members or tenants), that data is visible to them as well.

Everyone we work with is bound by appropriate confidentiality obligations.

Cookies and analytics

We use cookies and similar technologies to help the site run, to understand how it’s being used, and to deliver some embedded features.

  • Strictly necessary — for the site and app to work (e.g. logging you in, remembering your session).
  • Analytics — Google Analytics 4, loaded via Google Tag Manager, to understand general site usage and trends. We don’t use this to identify individuals.
  • Maps — Google Maps, when we display map content.

We don’t use advertising cookies and we don’t share cookie data with advertisers. You can manage or block cookies in your browser settings if you prefer. Google is a US-based provider — see International transfers below for the safeguard we rely on.

Session replay

When you’re using the COHO app, we may record portions of your session (page interactions, navigation, and errors). This helps us reproduce and fix bugs. We don’t share these recordings with anyone outside COHO. Text inputs, email addresses, and form values are masked by default; only specific non-sensitive fields are recorded as text. Access to recordings is limited to authorised staff with multi-factor authentication.

Your rights

You have full control over your personal data.

You can ask us for a copy of what we hold, request corrections if something’s wrong, or ask us to delete your data entirely. You also have the right to object to certain uses, or to withdraw consent if you previously gave it. If you want to exercise any of these rights, just email us at support@coho.life and we’ll help.

How we keep data safe

We take data protection seriously. We store your data securely and use safeguards to prevent misuse or unauthorised access. Our approach to security is summarised in our security summary.

Where we use external tools or cloud services, we make sure they meet our security and privacy standards. We are registered with the Information Commissioner’s Office (ICO) under registration number ZA749111.

International transfers

Some of our support team and service providers are based outside the UK and EEA, including in India and the US. Whenever your data is transferred internationally, we make sure it has the same level of protection as under UK law, using a legally recognised safeguard:

  • India: our India-based contractors work under an executed UK International Data Transfer Agreement (IDTA), supported by a Transfer Risk Assessment that we review at least annually.
  • United States: depending on the sub-processor, transfers are made under the UK Extension to the EU-US Data Privacy Framework (where the sub-processor is an active certified participant), the sub-processor’s Binding Corporate Rules, or the EU Standard Contractual Clauses with the UK Addendum.
  • Elsewhere: where data is processed outside the UK by a sub-processor in a country covered by UK adequacy regulations (for example, the EEA), no additional safeguard is required.

The current transfer mechanism for each sub-processor is published on our sub-processor list.

How long we keep it

We keep your data only as long as necessary, usually while your account is active and for a short period afterwards (for things like tax and legal compliance). We’ll delete or anonymise it when it’s no longer needed.

Changes to this policy

We may update these terms from time to time. The effective date at the top shows when they were last changed. Please check this page periodically as we don’t notify you of changes. By continuing to use COHO after we’ve made changes, you’re accepting the updated version.