Legitimate Interests Assessment
The balancing test under UK GDPR Article 6(1)(f) for the deadline-reminder digest and regulatory-update alerts we send to paid Core subscribers. Recorded per ICO guidance and part of our Article 30 processing record.
Legitimate Interests Assessment (LIA) — service-notification emails to Core subscribers
Last updated: 23 April 2026.
This page is the formal record of our balancing test under UK GDPR Article 6(1)(f) for the two classes of service-notification email we send to paid Core subscribers: the deadline-reminder digest and the regulatory-update alert. It mirrors the three-part LIA structure that the Information Commissioner's Office (ICO) recommends ("Purpose test", "Necessity test", "Balancing test"). It forms part of our documented processing record under UK GDPR Article 30.
1. Purpose test — why are we processing?
RentersActReady is a compliance product. The core proposition paid Core subscribers accept at checkout is: "we track the Renters' Rights Act 2025 statutory position for your portfolio and tell you when you need to act". Two classes of service-notification email deliver that proposition:
- Deadline-reminder digest. A weekly summary of the specific compliance deadlines the subscriber has recorded against their portfolio (gas cert renewals, EICR expiry, Section 21 windows, rent-review anniversaries, etc.) plus any system-derived deadlines the rule engine generated from their readiness assessment.
- Regulatory-update alerts. A notification sent when a new commencement order or secondary statutory instrument publishes that materially changes the regulations the product's rule engine covers (e.g. PRS Database commencement, Ombudsman scheme designation, Written Statement contents regulations).
The purpose is narrow, specific, and directly necessary to the paid service the subscriber has contracted for. It is not a general-purpose newsletter, cross-sell, or market-research list.
2. Necessity test — is processing necessary?
- Is this the least-intrusive way to achieve the purpose? Yes. The alternative is requiring every Core subscriber to poll legislation.gov.uk and GOV.UK manually for statutory-instrument publications — which is exactly the work the product is paid to automate. An in-product notification surface alone would not reach subscribers who aren't actively logged in when the SI publishes, which is the critical window.
- Is there a narrower scope that achieves the purpose? The recipient query is already narrowed on three axes: `subscription_tier = 'core'` (paid subscribers only; Free-tier users never receive these broadcasts), `email_opt_out = false` (respects the recipient's standing preference), and `subscription_status not in ('cancelled','pending_deletion')` (cancelled and pending-deletion users never receive the broadcast). See the `.from('profiles').select(...)` filter chain in `src/app/api/admin/regulatory-update/route.ts` (function-level citation; line numbers deliberately omitted to avoid refactor-rot).
- Is it proportionate? The email volume is strictly event-driven: a weekly deadline digest of at most ~1 email/week, and one regulatory-update alert per SI publication (target cadence: 6–10 per year, per the GOV.UK RRA implementation roadmap).
3. Balancing test — does the subscriber's interest override ours?
We weigh our legitimate interest in delivering the paid compliance service against the subscriber's reasonable expectations and privacy rights.
Factors in favour of processing:
- The subscriber has paid for this product on the express basis that it tracks regulations for them. Receiving the notification IS the service.
- The recipient is not a member of the public — they are an active paid Core subscriber whose current relationship with us makes the notification expected and contextual (ICO Direct Marketing Code paragraph 40 treats "service messages about changes to a product the recipient has paid for" as outside direct marketing).
- The content is narrowly scoped: a change in the regulation + source URL + relevant action. No cross-promotion, no feature-upsell, no unrelated product content.
- Opt-out is one click (RFC 8058) with no authentication friction; the unsubscribe link on every email sets `email_opt_out = true` immediately.
Factors in favour of the data subject's rights:
- The subscriber did not tick an opt-in checkbox at signup (Condition (a) of our D-2 decision in `artifacts/reviews/implementation_plan_2026-04-23.md`). Reliance on 6(1)(f) instead of consent means the onus is on us to document and defend the balancing test.
- Email is a channel that can be intrusive if sent at the wrong frequency or scope.
- A reasonable subscriber might prefer in-product notifications only.
Mitigations we apply:
- Strict recipient filter (Core-only, `email_opt_out = false`, cancelled/pending-deletion excluded), enforced in code, not in documentation.
- One-click opt-out on every email, with a server-side confirmation page and immediate effect on future fan-outs (the contract test at `src/lib/unsubscribe-contract.test.ts` verifies the route signature and PECR copy; the no-longer-existent `src/app/api/unsubscribe/route.test.ts` path was corrected 2026-04-24 per Round 7 R7-08-05).
- Per-recipient idempotency: the same regulatory-update slug cannot be delivered to the same mailbox within a 30-day window (`audit_logs.action = 'email.regulatory_update_sent'` pre-check).
- Classified as `service_transactional` in the audit log so downstream processing (support, compliance audits) can differentiate it from true direct marketing.
- No cross-promotion, feature-upsell, or unrelated-product content in the email body.
- Full list of sub-processors and transfer mechanisms maintained at `/legal/subprocessors`.
Outcome. Our legitimate interest in delivering the paid compliance service is not overridden by the data subject's interests, rights, or freedoms, because (a) the processing is strictly necessary to the contracted service, (b) the subscriber has a reasonable expectation of receiving regulation-tracking notifications after paying for a regulation-tracking product, (c) opt-out is frictionless, and (d) the scope of processing is narrowly limited to factual regulatory information.
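The recipient filter from the necessity test (section 2) and the 30-day per-recipient idempotency check from the mitigations list (section 3) are the two code-enforced controls this assessment relies on. The following is an added illustration of both, written for this page and not taken from the RentersActReady code base: a pure function over in-memory rows, so it runs offline without Supabase. The column names (`subscription_tier`, `subscription_status`, `email_opt_out`, `audit_logs.action`) follow the text above; the row shapes, the `recipient_email`/`slug`/`created_at` audit columns, the function names and the sample data are assumptions constructed for the example. It also dedupes by normalised mailbox, which the page does not describe.

```typescript
// Added example (not the project's code). Eligibility + 30-day idempotency
// for a regulatory-update fan-out, as described in the LIA. Column names for
// profiles and audit_logs.action follow the page; everything else is assumed.

type SubscriptionStatus = "active" | "past_due" | "cancelled" | "pending_deletion";

interface Profile {
  id: string;
  email: string;
  subscription_tier: "free" | "core";
  subscription_status: SubscriptionStatus;
  email_opt_out: boolean;
}

interface AuditLog {
  action: string;
  recipient_email: string; // assumed column
  slug: string;            // assumed column: the regulatory-update slug
  created_at: string;      // assumed column: ISO 8601 timestamp
}

const SENT_ACTION = "email.regulatory_update_sent";
const IDEMPOTENCY_WINDOW_MS = 30 * 24 * 60 * 60 * 1000;
const EXCLUDED_STATUSES: ReadonlySet<SubscriptionStatus> = new Set([
  "cancelled",
  "pending_deletion",
]);

/** The three-axis recipient filter from the necessity test. */
function isEligible(p: Profile): boolean {
  return (
    p.subscription_tier === "core" &&
    p.email_opt_out === false &&
    !EXCLUDED_STATUSES.has(p.subscription_status)
  );
}

/** True when `slug` already went to `email` within the 30-day window. */
function alreadySent(logs: AuditLog[], email: string, slug: string, now: Date): boolean {
  const cutoff = now.getTime() - IDEMPOTENCY_WINDOW_MS;
  return logs.some(
    (l) =>
      l.action === SENT_ACTION &&
      l.slug === slug &&
      l.recipient_email.trim().toLowerCase() === email &&
      Date.parse(l.created_at) >= cutoff,
  );
}

/** Returns the normalised mailboxes that should receive this slug now. */
function selectRecipients(profiles: Profile[], logs: AuditLog[], slug: string, now: Date): string[] {
  const seen = new Set<string>();
  const out: string[] = [];
  for (const p of profiles) {
    if (!isEligible(p)) continue;
    const addr = p.email.trim().toLowerCase();
    if (seen.has(addr)) continue;             // two profiles, one mailbox: one email
    if (alreadySent(logs, addr, slug, now)) continue;
    seen.add(addr);
    out.push(addr);
  }
  return out;
}

// Constructed sample data: one row per edge case the filter must handle.
const SAMPLE_NOW = new Date("2026-04-23T09:00:00Z");
const SAMPLE_SLUG = "prs-database-commencement";
const SAMPLE_PROFILES: Profile[] = [
  { id: "a", email: "a@example.com", subscription_tier: "core", subscription_status: "active", email_opt_out: false },
  { id: "b", email: "b@example.com", subscription_tier: "free", subscription_status: "active", email_opt_out: false },
  { id: "c", email: "c@example.com", subscription_tier: "core", subscription_status: "active", email_opt_out: true },
  { id: "d", email: "d@example.com", subscription_tier: "core", subscription_status: "cancelled", email_opt_out: false },
  { id: "e", email: "e@example.com", subscription_tier: "core", subscription_status: "pending_deletion", email_opt_out: false },
  { id: "f", email: "f@example.com", subscription_tier: "core", subscription_status: "active", email_opt_out: false },
  { id: "g", email: "g@example.com", subscription_tier: "core", subscription_status: "active", email_opt_out: false },
  { id: "h", email: "A@Example.com ", subscription_tier: "core", subscription_status: "past_due", email_opt_out: false },
];
const SAMPLE_LOGS: AuditLog[] = [
  // f got this slug 10 days ago: inside the window, suppressed.
  { action: SENT_ACTION, recipient_email: "f@example.com", slug: SAMPLE_SLUG, created_at: "2026-04-13T08:00:00Z" },
  // g got it 34 days ago: outside the window, eligible again.
  { action: SENT_ACTION, recipient_email: "g@example.com", slug: SAMPLE_SLUG, created_at: "2026-03-20T08:00:00Z" },
  // a got a different slug yesterday: does not block this one.
  { action: SENT_ACTION, recipient_email: "a@example.com", slug: "ombudsman-designation", created_at: "2026-04-22T08:00:00Z" },
];

// Stand-alone run: a and g are the only recipients.
console.log(selectRecipients(SAMPLE_PROFILES, SAMPLE_LOGS, SAMPLE_SLUG, SAMPLE_NOW));
```

In production the eligibility predicate belongs in the database query (as the page's `.from('profiles')` filter chain does) so that a bug in application code cannot widen the recipient set; the in-memory version here exists so the rules can be read and unit-tested in one place.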
4. Record of assessment
| Field | Value |
|---|---|
| Controller | Crocker Digital Ltd (Company No. 17008789) |
| Processing activity | Service-notification emails to Core subscribers (deadline digest + regulatory alerts) |
| Lawful basis | UK GDPR Article 6(1)(f) — legitimate interests |
| Date of first assessment | 2026-04-23 |
| Review cadence | On each rule-engine version bump, or at minimum annually |
| Last reviewed | 2026-04-23 |
| Document owner | Privacy lead (privacy@rentersactready.co.uk) |
5. Right to object
Under UK GDPR Article 21(1) you have the right to object to processing based on legitimate interests. You can exercise that right at any time by:
- Clicking the unsubscribe link on any service-notification email we have sent you;
- Using the RFC-8058 one-click unsubscribe that supporting email clients surface in their own UI;
- Toggling the "email" preference at `/dashboard/settings/profile`;
- Emailing privacy@rentersactready.co.uk.
We will stop sending the affected class of email without delay and will retain only what is necessary for audit (an `email.unsubscribe` entry in the append-only audit log).
Crocker Digital Ltd, Company No. 17008789. ICO registration ZC128626. Contact: privacy@rentersactready.co.uk.