GDPR and the EU AI Act for Property Management

GDPR and the EU AI Act for Property Management

Blog

Blog

GDPR and the EU AI Act for Property Management

GDPR and the EU AI Act for Property Management

AI is quickly becoming part of everyday property operations. Your team may already use it to read tenant messages, sort repair requests, chase documents, update records or help residents get faster answers.

That is useful. It also raises a bigger question.

When software starts touching private tenant data and helping operational decisions move forward, you need to know exactly how that data is handled, where it is stored, who can access it and when a human remains in control.

That is where GDPR for property management and the EU AI Act meet. For large landlords, letting agents and property teams, compliance is no longer just a privacy policy or a procurement checkbox. It is part of how the operating model works.

In this guide, we will go through on what to check before you trust AI with tenant data, automated workflows and resident communication at scale.

What You Need To Know First

GDPR controls how personal data is collected, used, stored, shared and deleted. The EU AI Act adds a second question: how much risk does the AI system create when it helps or influences decisions about people?

For property teams, the safest operating model is simple. Keep the landlord or managing agent in charge of the data, use software that acts only on documented instructions, store tenant data in a known region, and keep a person in control of decisions that affect housing, money, safety or fairness.

That is the shared centre of GDPR for property management and EU AI Act property management governance. Routine work can be automated. Material decisions need human oversight and a clear audit trail.

This article is context for vendor due diligence and internal planning, not legal advice. Your legal, security and data protection teams should confirm how the rules apply to your portfolio.


Data a Property Team Holds and What GDPR Requires

Property operations depend on accurate tenant and resident information. Names, contact details, tenancy records, payment status, maintenance history and messages all help teams run homes properly, respond faster and keep the record up to date.

GDPR for property management is about making sure that information is used with the right controls in place.

The risk is not that software helps the team handle routine work. The risk is doing that work without clear rules around what data is used, why it is used, where it is processed, who can access it and when a person needs to step in.

A strong setup starts with documented instructions. The landlord or operator stays in control of the data. The software acts only on the work it has been authorised to do, using the information needed for that specific workflow.

That is the standard property teams should expect from any property management compliance software. It should support lawful use, clear purpose, data minimisation, retention rules, role based access and a reliable record of what happened.

For example, a system may use tenancy records to send a renewal reminder, check a maintenance history before triaging a repair, or update a resident record after a document is received. Each action should be tied to a clear purpose and logged back into the system of record.

This is also where data security property management becomes operational rather than theoretical. Good controls mean the right people can see the right information at the right time, while sensitive workflows remain limited, traceable and easy to review.

In a well designed AI workflow, the software does not make material decisions in isolation. It follows documented instructions, works within a known processing region and hands sensitive or uncertain cases back to a human. That keeps GDPR landlord data under control while still letting teams remove repetitive admin from the day.

Who is responsible when software handles tenant data

The landlord, fund, estate agency group or managing agent is usually the controller because it decides why tenant data is processed and how it is used. A software company that handles the data on the operator's instructions is usually the processor.

Under GDPR Article 28, a controller must use processors that provide sufficient guarantees and the processor relationship must be governed by a written contract. In procurement language, that means you need a data processing agreement.

A good data processing agreement should explain what the vendor can do with tenant data, which sub processors are involved, how security works, how data subject rights are supported and what happens when the contract ends.

This is where property management compliance software should make your life easier. The vendor should already have the documents your legal and data teams expect.

Tenant rights must be easy to action

Tenants and applicants have rights over their personal data. The ICO's individual rights guidance covers subject access requests, deletion, correction, restriction, objection and automated decision making.

In practice, a tenant may ask what information you hold about them, ask you to correct a phone number, ask you to delete details after they leave or object to a certain use of their data. Your team needs to find the relevant records, respond properly and write down what was done.

Erasure is not always a simple delete button. Some records may need to be kept for accounting, deposit disputes, legal claims, health and safety evidence or contract records. The right answer is a controlled workflow that deletes what should go, keeps what must stay and records the reason.

This is why GDPR landlord data and property management compliance software belong in the same conversation. If the software helps you find, review, action and log a data request, compliance becomes part of normal operations instead of a manual scramble.

How Does the EU AI Act Apply to Property Management?

The EU AI Act applies a risk based framework to AI systems. The European Commission explains that the Act sets four levels of risk: unacceptable, high risk, transparency risk and minimal or no risk.

EU AI Act property management questions should start with the use case, not the label on the software. Is the AI answering a routine question, preparing a draft, routing a repair or influencing a decision that changes someone's access to housing?

Most day to day property workflows are lower risk when they assist staff and keep people in charge. An AI system that answers a resident question, books a viewing, translates a message or summarises a repair history is very different from one that rejects an applicant without human review.

That distinction is the heart of EU AI Act property management planning.


AI use

Practical risk view

What the operator should require

Summarising messages or reports

Usually low risk

Accuracy checks and access controls

Answering common tenant questions

Usually limited or transparency risk

Clear disclosure where appropriate and approved answers

Booking viewings or chasing documents

Usually limited risk

PMS data, templates and an audit trail

Repair triage and contractor routing

Limited risk with safeguards

Urgency rules and human escalation

Recommending an action to a manager

Depends on impact

Review, override and recorded approval

Rejecting a tenancy application automatically

Potentially high risk or legally sensitive

Do not allow sole automation without legal review

This table is not a formal classification. It is a buying lens for what the system does, what data it uses, who can override it and whether a tenant is materially affected.


Human oversight

The safest model is controlled automation. The AI handles routine steps that follow approved rules, and a person handles the decisions that need judgement.

A missing document reminder can run automatically. A complaint involving vulnerability should be escalated. A leaking tap can be triaged with approved questions. A decision to refuse an applicant should stay with a person.

This is why EU AI Act property management is a workflow design issue as much as a legal issue. Your software should show the information used by the AI, pause when a case is unclear and hand the thread to a manager with full context.

Lette is designed around this operating model. It runs routine workflows on top of the PMS and uses human escalation for sensitive or unclear cases, so the team stays in control where judgement matters.

Where Should Tenant Data Be Stored and Who Can Access It?

Data security property management is not only about encryption. It is about where tenant data sits, who can see it, which countries it moves through and what contract covers that movement.

For UK and European portfolios, the cleanest position is to store and process tenant data in the UK or EU where possible. Transfers outside those regions can be lawful, but they add questions that procurement and legal teams must answer.

The ICO's international transfers guidance explains restricted transfers, safeguards such as the UK IDTA and Addendum, and transfer risk assessments.

A vendor saying the data is secure is not enough. A useful answer names the hosting region, the sub processors, the access controls, the transfer mechanism, the retention process and the exit process.


Region matters because tenant data is operationally sensitive

Tenant data is not generic SaaS data. It can describe income, arrears, occupancy, identity, repairs, complaints and sometimes vulnerability. Data security property management should therefore be treated with the same seriousness as financial and operational risk.

If a vendor says data is hosted in Europe, ask which region. If it says Ireland, ask whether it means AWS Europe Ireland. AWS lists eu-west-1 as Europe Ireland in its official region documentation, which gives your team a concrete point to verify.

If a vendor uses an AI model provider, ask whether tenant data is sent to that provider, whether it is retained, whether it is used to train models and whether it leaves the region.

At Lette, we take the data security very seriously. All of our customer data is hosted on AWS servers in Ireland and is not used to train external foundation models. That is the kind of answer a compliance lead should expect from any property management compliance software vendor before a serious rollout.


Access control matters as much as hosting

The right hosting region does not help if too many people can access live tenant records. Data security property management due diligence should cover staff access, support access, sub processors and privileged account logs.

A practical access review should ask who can see live tenant data, whether access is role based, whether support sessions are logged and whether customers are notified when sub processors change.

This is where property management compliance software should prove maturity with a sub processor list, security policy, incident process, DPA and exit process.

Where GDPR and the EU AI Act Meet

GDPR and the EU AI Act meet around automated decisions, human oversight and evidence.

GDPR Article 22 gives people rights around decisions based solely on automated processing when those decisions produce legal or similarly significant effects. The EU AI Act adds a risk based governance model that expects transparency, oversight, logging and stronger controls for higher risk systems.

For property teams, the practical rule is clear. Do not let AI make serious housing decisions alone. Do not let AI act from unclear or stale data. Do not lose the trail between the resident message, the system action and the human decision.

A good test is whether the action affects someone's home, money, safety, legal position or fair treatment. If it does, it should have human review and a record that can be checked later.


The audit trail is the connective tissue

The audit trail turns compliance from a claim into proof. It should show what the resident asked, what data the software used, what action was taken, who approved it, when it happened and where the result was written back.

For example, a resident reports damp in a bedroom. The system asks triage questions, requests a photograph, checks the property record, flags the issue as potentially urgent and routes it to the right team.

If a manager reviews the case, the handover should be visible. If a contractor is dispatched, the record should show the dispatch and the follow up.

That is what strong property management compliance software should do. It should create evidence while the work happens, not ask the team to rebuild the story from inboxes during an audit.


How To Check If Your Property Management Software Is Compliant

The quickest way to evaluate a vendor is to ask plain questions and expect specific answers. If the answers are vague, the risk usually becomes yours later.


Question to ask

Why it matters

Where is tenant data stored and processed

Confirms the data residency claim

Are you a controller or processor

Clarifies GDPR accountability

Can you provide a data processing agreement

Shows Article 28 readiness

Which sub processors touch tenant data

Reveals the full processing chain

Can tenant data be used to train AI models

Protects portfolio and resident information

How do you handle subject access and erasure requests

Tests whether rights are operational

When does a human step in

Tests EU AI Act property management governance

Do you keep time stamped logs of actions and access

Creates audit evidence

What happens to data when we leave

Prevents orphaned tenant records

A good vendor will answer these without defensiveness. A better vendor will provide the evidence: security documentation, a DPA, sub processor information, region details, data retention rules and a clear human escalation model.

This is the difference between buying a clever tool and buying property management compliance software that your legal, IT and operations teams can trust.

How Compliance Becomes Routine at Portfolio Scale

Compliance becomes difficult when it depends on memory. A manager remembers to log a call. A finance lead remembers to save the notice. A support agent remembers to update the PMS. That may work for one building, but it breaks across thousands of homes.

At portfolio scale, the goal is to make the compliant path the default path. The system should use approved templates, pull live PMS data, record messages, log approvals, restrict access and escalate cases that need judgement.

This is where data security property management and operations meet. Better records reduce audit stress. Better access controls reduce exposure. Better escalation reduces the chance that AI oversteps.

The commercial benefit is also real. When compliance evidence is created during the workflow, your team spends less time searching inboxes and more time managing residents, assets and exceptions.

Lette connects resident operations, maintenance and reporting so audit trails and operational data can feed into property management reporting. That makes compliance easier to review because the record is not separate from the work.

What Operators Get Wrong About AI and Tenant Data

The first mistake is treating GDPR as a one time project. GDPR for property management changes every time you add a new channel, vendor, automation workflow or dataset. A privacy notice written years ago does not prove that today's AI workflow is safe.

The second mistake is trusting a popular tool without checking where data goes. If tenant messages, arrears details or repair photos are pasted into a general AI tool, the team may have created a data risk without meaning to.

The third mistake is confusing hosting with access. A vendor can host in Europe and still expose tenant data through broad staff access, unmanaged support workflows or unclear sub processors.

The fourth mistake is ignoring the EU AI Act because the system does not make final decisions today. EU AI Act property management governance is easier to build before automation expands. Waiting until the software influences applicant screening, arrears action or complaint handling makes the review harder.

The fifth mistake is buying property management compliance software on feature lists alone. The real value is whether the software can prove where data sits, who can see it, how decisions are controlled and how evidence is logged.

Common Questions People Ask


Where is tenant data actually kept?

Tenant data should be kept in a named hosting region, not hidden behind a vague promise of secure cloud storage. For UK and European portfolios, ask whether data is stored in the UK or EU, which provider hosts it, and which region is used.


Does tenant data stay inside Europe?

It should stay inside Europe or the UK where possible. If tenant data moves outside those regions, the vendor should explain the transfer mechanism, such as Standard Contractual Clauses, the UK IDTA or another appropriate safeguard. This is a core data security property management question, not a technical detail.


Does the software follow GDPR?

A vendor should be able to explain whether it acts as a processor, provide a data processing agreement, support individual rights, document retention and protect tenant data with appropriate technical and organisational measures. GDPR for property management is only credible when the vendor can prove these points in writing.


Does the software follow the EU AI Act?

No vendor should give a lazy yes without explaining how the system is used. EU AI Act property management compliance depends on the use case, risk level, transparency, human oversight and auditability. The safest model keeps routine automation in software and leaves material decisions to people.


Is tenant data used to train the AI?

You should require a written answer that tenant, portfolio and financial data is not used to train shared or external models unless you have explicitly agreed to that use. This is one of the most important GDPR landlord data questions because model training can change the risk profile completely.


How is a request to delete someone's details handled?

A deletion request should be verified, assessed against retention obligations, actioned where appropriate and logged. Some records may need to remain under lawful retention because of accounting, contract, safety or dispute requirements. Good property management compliance software should show what was deleted, what was retained and why.


What happens to our information if we stop using the software?

The data processing agreement should say whether data is returned, deleted or retained for a limited legal period after the contract ends. The landlord or managing agent should retain control of the data. A vendor should never leave tenant records sitting in an unused platform without a clear exit process.


What To Do Next

The right next step is not to ask whether a vendor is secure and accept a yes. Ask your legal, security and operations teams to review how the software handles tenant data, where the data lives, when a human stays in control and what evidence is created as work happens.

If you are reviewing AI for a UK, Irish or European portfolio, use the checklist in this guide as the starting point. Then ask the vendor to walk through one real workflow from tenant message to system action, human escalation and audit trail.

If you want to see how Lette keeps AI on top of your existing systems while preserving human oversight, you can book a walkthrough and bring your legal or safety team into the review.

AI is quickly becoming part of everyday property operations. Your team may already use it to read tenant messages, sort repair requests, chase documents, update records or help residents get faster answers.

That is useful. It also raises a bigger question.

When software starts touching private tenant data and helping operational decisions move forward, you need to know exactly how that data is handled, where it is stored, who can access it and when a human remains in control.

That is where GDPR for property management and the EU AI Act meet. For large landlords, letting agents and property teams, compliance is no longer just a privacy policy or a procurement checkbox. It is part of how the operating model works.

In this guide, we will go through on what to check before you trust AI with tenant data, automated workflows and resident communication at scale.

What You Need To Know First

GDPR controls how personal data is collected, used, stored, shared and deleted. The EU AI Act adds a second question: how much risk does the AI system create when it helps or influences decisions about people?

For property teams, the safest operating model is simple. Keep the landlord or managing agent in charge of the data, use software that acts only on documented instructions, store tenant data in a known region, and keep a person in control of decisions that affect housing, money, safety or fairness.

That is the shared centre of GDPR for property management and EU AI Act property management governance. Routine work can be automated. Material decisions need human oversight and a clear audit trail.

This article is context for vendor due diligence and internal planning, not legal advice. Your legal, security and data protection teams should confirm how the rules apply to your portfolio.


Data a Property Team Holds and What GDPR Requires

Property operations depend on accurate tenant and resident information. Names, contact details, tenancy records, payment status, maintenance history and messages all help teams run homes properly, respond faster and keep the record up to date.

GDPR for property management is about making sure that information is used with the right controls in place.

The risk is not that software helps the team handle routine work. The risk is doing that work without clear rules around what data is used, why it is used, where it is processed, who can access it and when a person needs to step in.

A strong setup starts with documented instructions. The landlord or operator stays in control of the data. The software acts only on the work it has been authorised to do, using the information needed for that specific workflow.

That is the standard property teams should expect from any property management compliance software. It should support lawful use, clear purpose, data minimisation, retention rules, role based access and a reliable record of what happened.

For example, a system may use tenancy records to send a renewal reminder, check a maintenance history before triaging a repair, or update a resident record after a document is received. Each action should be tied to a clear purpose and logged back into the system of record.

This is also where data security property management becomes operational rather than theoretical. Good controls mean the right people can see the right information at the right time, while sensitive workflows remain limited, traceable and easy to review.

In a well designed AI workflow, the software does not make material decisions in isolation. It follows documented instructions, works within a known processing region and hands sensitive or uncertain cases back to a human. That keeps GDPR landlord data under control while still letting teams remove repetitive admin from the day.

Who is responsible when software handles tenant data

The landlord, fund, estate agency group or managing agent is usually the controller because it decides why tenant data is processed and how it is used. A software company that handles the data on the operator's instructions is usually the processor.

Under GDPR Article 28, a controller must use processors that provide sufficient guarantees and the processor relationship must be governed by a written contract. In procurement language, that means you need a data processing agreement.

A good data processing agreement should explain what the vendor can do with tenant data, which sub processors are involved, how security works, how data subject rights are supported and what happens when the contract ends.

This is where property management compliance software should make your life easier. The vendor should already have the documents your legal and data teams expect.

Tenant rights must be easy to action

Tenants and applicants have rights over their personal data. The ICO's individual rights guidance covers subject access requests, deletion, correction, restriction, objection and automated decision making.

In practice, a tenant may ask what information you hold about them, ask you to correct a phone number, ask you to delete details after they leave or object to a certain use of their data. Your team needs to find the relevant records, respond properly and write down what was done.

Erasure is not always a simple delete button. Some records may need to be kept for accounting, deposit disputes, legal claims, health and safety evidence or contract records. The right answer is a controlled workflow that deletes what should go, keeps what must stay and records the reason.

This is why GDPR landlord data and property management compliance software belong in the same conversation. If the software helps you find, review, action and log a data request, compliance becomes part of normal operations instead of a manual scramble.

How Does the EU AI Act Apply to Property Management?

The EU AI Act applies a risk based framework to AI systems. The European Commission explains that the Act sets four levels of risk: unacceptable, high risk, transparency risk and minimal or no risk.

EU AI Act property management questions should start with the use case, not the label on the software. Is the AI answering a routine question, preparing a draft, routing a repair or influencing a decision that changes someone's access to housing?

Most day to day property workflows are lower risk when they assist staff and keep people in charge. An AI system that answers a resident question, books a viewing, translates a message or summarises a repair history is very different from one that rejects an applicant without human review.

That distinction is the heart of EU AI Act property management planning.


AI use

Practical risk view

What the operator should require

Summarising messages or reports

Usually low risk

Accuracy checks and access controls

Answering common tenant questions

Usually limited or transparency risk

Clear disclosure where appropriate and approved answers

Booking viewings or chasing documents

Usually limited risk

PMS data, templates and an audit trail

Repair triage and contractor routing

Limited risk with safeguards

Urgency rules and human escalation

Recommending an action to a manager

Depends on impact

Review, override and recorded approval

Rejecting a tenancy application automatically

Potentially high risk or legally sensitive

Do not allow sole automation without legal review

This table is not a formal classification. It is a buying lens for what the system does, what data it uses, who can override it and whether a tenant is materially affected.


Human oversight

The safest model is controlled automation. The AI handles routine steps that follow approved rules, and a person handles the decisions that need judgement.

A missing document reminder can run automatically. A complaint involving vulnerability should be escalated. A leaking tap can be triaged with approved questions. A decision to refuse an applicant should stay with a person.

This is why EU AI Act property management is a workflow design issue as much as a legal issue. Your software should show the information used by the AI, pause when a case is unclear and hand the thread to a manager with full context.

Lette is designed around this operating model. It runs routine workflows on top of the PMS and uses human escalation for sensitive or unclear cases, so the team stays in control where judgement matters.

Where Should Tenant Data Be Stored and Who Can Access It?

Data security property management is not only about encryption. It is about where tenant data sits, who can see it, which countries it moves through and what contract covers that movement.

For UK and European portfolios, the cleanest position is to store and process tenant data in the UK or EU where possible. Transfers outside those regions can be lawful, but they add questions that procurement and legal teams must answer.

The ICO's international transfers guidance explains restricted transfers, safeguards such as the UK IDTA and Addendum, and transfer risk assessments.

A vendor saying the data is secure is not enough. A useful answer names the hosting region, the sub processors, the access controls, the transfer mechanism, the retention process and the exit process.


Region matters because tenant data is operationally sensitive

Tenant data is not generic SaaS data. It can describe income, arrears, occupancy, identity, repairs, complaints and sometimes vulnerability. Data security property management should therefore be treated with the same seriousness as financial and operational risk.

If a vendor says data is hosted in Europe, ask which region. If it says Ireland, ask whether it means AWS Europe Ireland. AWS lists eu-west-1 as Europe Ireland in its official region documentation, which gives your team a concrete point to verify.

If a vendor uses an AI model provider, ask whether tenant data is sent to that provider, whether it is retained, whether it is used to train models and whether it leaves the region.

At Lette, we take the data security very seriously. All of our customer data is hosted on AWS servers in Ireland and is not used to train external foundation models. That is the kind of answer a compliance lead should expect from any property management compliance software vendor before a serious rollout.


Access control matters as much as hosting

The right hosting region does not help if too many people can access live tenant records. Data security property management due diligence should cover staff access, support access, sub processors and privileged account logs.

A practical access review should ask who can see live tenant data, whether access is role based, whether support sessions are logged and whether customers are notified when sub processors change.

This is where property management compliance software should prove maturity with a sub processor list, security policy, incident process, DPA and exit process.

Where GDPR and the EU AI Act Meet

GDPR and the EU AI Act meet around automated decisions, human oversight and evidence.

GDPR Article 22 gives people rights around decisions based solely on automated processing when those decisions produce legal or similarly significant effects. The EU AI Act adds a risk based governance model that expects transparency, oversight, logging and stronger controls for higher risk systems.

For property teams, the practical rule is clear. Do not let AI make serious housing decisions alone. Do not let AI act from unclear or stale data. Do not lose the trail between the resident message, the system action and the human decision.

A good test is whether the action affects someone's home, money, safety, legal position or fair treatment. If it does, it should have human review and a record that can be checked later.


The audit trail is the connective tissue

The audit trail turns compliance from a claim into proof. It should show what the resident asked, what data the software used, what action was taken, who approved it, when it happened and where the result was written back.

For example, a resident reports damp in a bedroom. The system asks triage questions, requests a photograph, checks the property record, flags the issue as potentially urgent and routes it to the right team.

If a manager reviews the case, the handover should be visible. If a contractor is dispatched, the record should show the dispatch and the follow up.

That is what strong property management compliance software should do. It should create evidence while the work happens, not ask the team to rebuild the story from inboxes during an audit.


How To Check If Your Property Management Software Is Compliant

The quickest way to evaluate a vendor is to ask plain questions and expect specific answers. If the answers are vague, the risk usually becomes yours later.


Question to ask

Why it matters

Where is tenant data stored and processed

Confirms the data residency claim

Are you a controller or processor

Clarifies GDPR accountability

Can you provide a data processing agreement

Shows Article 28 readiness

Which sub processors touch tenant data

Reveals the full processing chain

Can tenant data be used to train AI models

Protects portfolio and resident information

How do you handle subject access and erasure requests

Tests whether rights are operational

When does a human step in

Tests EU AI Act property management governance

Do you keep time stamped logs of actions and access

Creates audit evidence

What happens to data when we leave

Prevents orphaned tenant records

A good vendor will answer these without defensiveness. A better vendor will provide the evidence: security documentation, a DPA, sub processor information, region details, data retention rules and a clear human escalation model.

This is the difference between buying a clever tool and buying property management compliance software that your legal, IT and operations teams can trust.

How Compliance Becomes Routine at Portfolio Scale

Compliance becomes difficult when it depends on memory. A manager remembers to log a call. A finance lead remembers to save the notice. A support agent remembers to update the PMS. That may work for one building, but it breaks across thousands of homes.

At portfolio scale, the goal is to make the compliant path the default path. The system should use approved templates, pull live PMS data, record messages, log approvals, restrict access and escalate cases that need judgement.

This is where data security property management and operations meet. Better records reduce audit stress. Better access controls reduce exposure. Better escalation reduces the chance that AI oversteps.

The commercial benefit is also real. When compliance evidence is created during the workflow, your team spends less time searching inboxes and more time managing residents, assets and exceptions.

Lette connects resident operations, maintenance and reporting so audit trails and operational data can feed into property management reporting. That makes compliance easier to review because the record is not separate from the work.

What Operators Get Wrong About AI and Tenant Data

The first mistake is treating GDPR as a one time project. GDPR for property management changes every time you add a new channel, vendor, automation workflow or dataset. A privacy notice written years ago does not prove that today's AI workflow is safe.

The second mistake is trusting a popular tool without checking where data goes. If tenant messages, arrears details or repair photos are pasted into a general AI tool, the team may have created a data risk without meaning to.

The third mistake is confusing hosting with access. A vendor can host in Europe and still expose tenant data through broad staff access, unmanaged support workflows or unclear sub processors.

The fourth mistake is ignoring the EU AI Act because the system does not make final decisions today. EU AI Act property management governance is easier to build before automation expands. Waiting until the software influences applicant screening, arrears action or complaint handling makes the review harder.

The fifth mistake is buying property management compliance software on feature lists alone. The real value is whether the software can prove where data sits, who can see it, how decisions are controlled and how evidence is logged.

Common Questions People Ask


Where is tenant data actually kept?

Tenant data should be kept in a named hosting region, not hidden behind a vague promise of secure cloud storage. For UK and European portfolios, ask whether data is stored in the UK or EU, which provider hosts it, and which region is used.


Does tenant data stay inside Europe?

It should stay inside Europe or the UK where possible. If tenant data moves outside those regions, the vendor should explain the transfer mechanism, such as Standard Contractual Clauses, the UK IDTA or another appropriate safeguard. This is a core data security property management question, not a technical detail.


Does the software follow GDPR?

A vendor should be able to explain whether it acts as a processor, provide a data processing agreement, support individual rights, document retention and protect tenant data with appropriate technical and organisational measures. GDPR for property management is only credible when the vendor can prove these points in writing.


Does the software follow the EU AI Act?

No vendor should give a lazy yes without explaining how the system is used. EU AI Act property management compliance depends on the use case, risk level, transparency, human oversight and auditability. The safest model keeps routine automation in software and leaves material decisions to people.


Is tenant data used to train the AI?

You should require a written answer that tenant, portfolio and financial data is not used to train shared or external models unless you have explicitly agreed to that use. This is one of the most important GDPR landlord data questions because model training can change the risk profile completely.


How is a request to delete someone's details handled?

A deletion request should be verified, assessed against retention obligations, actioned where appropriate and logged. Some records may need to remain under lawful retention because of accounting, contract, safety or dispute requirements. Good property management compliance software should show what was deleted, what was retained and why.


What happens to our information if we stop using the software?

The data processing agreement should say whether data is returned, deleted or retained for a limited legal period after the contract ends. The landlord or managing agent should retain control of the data. A vendor should never leave tenant records sitting in an unused platform without a clear exit process.


What To Do Next

The right next step is not to ask whether a vendor is secure and accept a yes. Ask your legal, security and operations teams to review how the software handles tenant data, where the data lives, when a human stays in control and what evidence is created as work happens.

If you are reviewing AI for a UK, Irish or European portfolio, use the checklist in this guide as the starting point. Then ask the vendor to walk through one real workflow from tenant message to system action, human escalation and audit trail.

If you want to see how Lette keeps AI on top of your existing systems while preserving human oversight, you can book a walkthrough and bring your legal or safety team into the review.

See Lette In Action

See Lette In Action

Modern apartment buildings with lush green park and walking paths under a blue sky.

Ready to simplify your property operations?

See how Lette helps leasing and residential teams automate daily work, respond faster, and scale with confidence.

The image shows a dashboard interface for a real estate management application, featuring a to-do list with various property-related tasks marked as "Awaiting counter signature" or "Ready for review," alongside an amendment section displaying current signatures for a specific studio apartment.

AI-powered platform for leasing, residential operations, maintenance, and insights built to simplify property management at scale.

167-169 Great Portland Street 5th Floor London W1W 5PF

33 Fitzwilliam Place, Dublin 2 Carroll Estates Mews DUBLIN 2 D02 A5WO IRELAND

info@lette.ai

© 2026 Lette AI. All rights reserved.

Modern apartment buildings with lush green park and walking paths under a blue sky.

Ready to simplify your property operations?

See how Lette helps leasing and residential teams automate daily work, respond faster, and scale with confidence.

The image shows a dashboard interface for a real estate management application, featuring a to-do list with various property-related tasks marked as "Awaiting counter signature" or "Ready for review," alongside an amendment section displaying current signatures for a specific studio apartment.

AI-powered platform for leasing, residential operations, maintenance, and insights built to simplify property management at scale.

167-169 Great Portland Street 5th Floor London W1W 5PF

33 Fitzwilliam Place, Dublin 2 Carroll Estates Mews DUBLIN 2 D02 A5WO IRELAND

info@lette.ai

© 2026 Lette AI. All rights reserved.

Modern apartment buildings with lush green park and walking paths under a blue sky.

Ready to simplify your property operations?

See how Lette helps leasing and residential teams automate daily work, respond faster, and scale with confidence.

The image shows a dashboard interface for a real estate management application, featuring a to-do list with various property-related tasks marked as "Awaiting counter signature" or "Ready for review," alongside an amendment section displaying current signatures for a specific studio apartment.

AI-powered platform for leasing, residential operations, maintenance, and insights built to simplify property management at scale.

167-169 Great Portland Street 5th Floor London W1W 5PF

33 Fitzwilliam Place, Dublin 2 Carroll Estates Mews DUBLIN 2 D02 A5WO IRELAND

info@lette.ai

© 2026 Lette AI. All rights reserved.

Modern apartment buildings with lush green park and walking paths under a blue sky.

Ready to simplify your property operations?

See how Lette helps leasing and residential teams automate daily work, respond faster, and scale with confidence.

The image shows a dashboard interface for a real estate management application, featuring a to-do list with various property-related tasks marked as "Awaiting counter signature" or "Ready for review," alongside an amendment section displaying current signatures for a specific studio apartment.

AI-powered platform for leasing, residential operations, maintenance, and insights built to simplify property management at scale.

167-169 Great Portland Street 5th Floor London W1W 5PF

33 Fitzwilliam Place, Dublin 2 Carroll Estates Mews DUBLIN 2 D02 A5WO IRELAND

info@lette.ai

© 2026 Lette AI. All rights reserved.