Privacy Notice
This policy was last reviewed in June 2026 and will be reviewed at least annually.
If we make changes that affect how we use your data in a material way, we will let you know – either by email (where we have your address and a basis to contact you) or by updating this page.
1. Who we are
The Hill Group is owned by Hill Holdings Limited (Company No. 04202304).The companies within the Hill Group that may process your personal data include Hill Group Limited, Hill Residential Limited, and Hill Partnership Limited, as well as any joint venture company in which a Hill Group company is a partner where that company processes data on Hill's behalf.
For the purposes of UK data protection law, Hill Group acts as a data controller in respect of the personal data we collect and use. This means we are responsible for deciding how and why your data is used.
Your data protection contact:
You’re always in control of your data and we want you to feel confident about how we use your information. It’s important to you, so it’s important to us.
If you have any questions about this policy, exercise your rights, or request a copy the Legitimate Interests Assessment for any processing activity, just drop us a line – we’re happy to help.
- Email: [email protected]
- Post: Hill Data Protection Compliance, The Power House, Gunpowder Mill, Powdermill Lane, Waltham Abbey, Essex, EN9 1BN.
We aim to respond to all data protection queries within one working day and all formal rights requests within one calendar month.
We take your privacy seriously and always aim to get it right. We'd always encourage you to come to us first so we have the chance to put things right, but if you feel we've fallen short, you have the right to complain to the Information Commissioner's Office (ICO) — the independent body that regulates how personal data is used in the UK. You can reach them at www.ico.org.uk.
2. What personal data we collect
2.1 Data you give us directly
When you enquire about a Hill development, register your interest, visit a sales office, attend a viewing, book an appointment, or reserve or purchase a property, you may provide:
- Your name and contact details — email address, phone number, and postal address
- Your nationality and country of birth
- Your property preferences — location, property type, number of bedrooms, budget, and timeline
- Your buying situation — first-time buyer, have a property to sell, already sold, or buying for investment
- Your interest in buying schemes
- Details of your current property, if you are exploring Part Exchange
- Financial information relevant to progressing a purchase — mortgage details, solicitor information, and completion funds
- Identification documents such as a passport or driving licence, as required for legal completion
- Any other information you choose to share in your enquiry or during the sales process
2.2 Data we receive from third parties
We may also receive your personal data from:
- Property search portals including Rightmove, Zoopla, and OnTheMarket. When you submit an enquiry through one of these platforms, the portal passes your contact details to us. We use this data only to respond to your specific enquiry — we will ask for your direct consent before contacting you about other developments.
- Shared ownership and affordable housing portals including Share to Buy and Homes for Londoners. We apply additional care to data received from these platforms.
- Referrals from existing customers or contacts. We will tell you at the earliest opportunity that your data has been shared with us in this way.
- Publicly available sources such as professional networking sites, where relevant to a business relationship.
2.3 Data we collect automatically
We use cookies and similar tracking technologies on our website. Essential cookies are set automatically as they are necessary for the site to function. Non-essential cookies — including analytics and advertising cookies — are only set after you have given your consent through our cookie consent banner. You can accept all non-essential cookies, reject all non-essential cookies, or manage your preferences by category using the cookie settings control available at the bottom of every page. You can change your preferences at any time. We do not rely on continued use of our website or browser settings as a basis for setting non-essential cookies. See Section 10 for full details.
3. How and why we use your personal information
We must have a legal reason — called a lawful basis — before we can use your personal data. We rely on four of the six lawful bases set out in UK data protection law, and we apply each one to specific types of processing.
3.1 Legitimate interests
We rely on legitimate interests when we have a genuine business reason to use your data that is proportionate to any impact on your privacy, and where you would reasonably expect us to use it in this way. The Data (Use and Access) Act 2025 confirms that direct marketing is a statutory example of a legitimate interest. We conduct a Legitimate Interests Assessment (LIA) for each activity relying on this basis and always give you a simple way to tell us to stop.
We have assessed that keeping prospective buyers informed about developments relevant to their expressed interest is a legitimate business interest. We consider this processing necessary because it enables us to match buyers with suitable properties efficiently. We have balanced this against individuals' rights and concluded that, because communications are limited to similar developments and individuals can opt out at any time, our interests do not override theirs. We do not rely on legitimate interests where we believe those interests would be overridden by an individual's right to privacy.
Responding to your property enquiry
When you contact us directly or through a portal, we use your details to respond to your specific enquiry. You would reasonably expect this, and we could not reply without it.
Keeping you updated about similar Hill developments by email
Where you have enquired about one of our developments and have not told us otherwise, we may send you email updates about developments that are similar to the one you originally expressed interest in. The five dimensions of similarity are defined as: 1) geographic similarity - the same local authority area or within a reasonable distance of your stated location preference; 2) property type - the same broad property type; 3) bedroom count - within one bedroom of your preference; 4) price bracket - within 20% of the original price point; 5) buying scheme eligibility - offering the same buying scheme where relevant. Every email includes a clear and simple way to stop.
Contacting you by SMS
We will only send you SMS marketing messages where you have specifically consented to receive them by ticking the relevant box at the point of enquiry or registration. Each SMS will contain a clear way to stop future messages. We do not use SMS for any purpose other than that described at the point of consent.
Contacting you by phone about similar developments
We may call you to discuss your property search. The first call in response to a specific enquiry is a service response, not a marketing call.
Sending you information by post
We may send development information, brochures, or marketing materials by post. Every piece of post includes a clear way to opt out. Postal marketing is not governed by the Privacy and Electronic Communications Regulations (PECR).
Retaining records of your enquiry and any transaction
We keep your information for specific periods after your enquiry or purchase to handle follow-up questions, warranty matters, or legal issues. A full retention schedule is set out in Section 8.
Sharing data with our technology and service providers
We use third-party platforms to manage customer records, send emails, screen phone numbers, and analyse website performance. These providers act under our instructions and are bound by data processing agreements. Full details are in Section 6.
What happens if you don't opt in?
If you choose not to receive marketing communications from us, we will only contact you to respond to the specific enquiry you raised. This will not affect the level of service you receive from Hill or your ability to purchase a property.
3.2 Contractual necessity
We rely on contractual necessity when processing is essential to fulfil our obligations under a contract with you, or to take steps at your request before entering into one. This covers:
- Processing your reservation and managing the pre-exchange period
- Sharing your details with solicitors, mortgage providers, warranty providers, and other parties involved in completing your purchase
- Post-completion customer care — snagging, warranty claims, and property-specific matters
- Shared ownership and Help to Buy transactions — processing as required by the scheme and sharing with the relevant housing association or administrator
3.3 Legal obligation
We rely on legal obligation where a law or regulation requires us to process or retain your data. This covers:
- Tax and financial record keeping — HMRC requires retention of financial records for a minimum of six years
- Building safety and warranty records — the Building Safety Act 2022 requires records relating to design, construction, and sale. For properties completed after 28 June 2022, obligations may extend to 30 years.
- Health and safety reporting — RIDDOR and HSE regulations require recording of workplace incidents for up to 40 years where hazardous materials are involved
- Responding to law enforcement and regulatory requests
- Right to work verification for employees and relevant contractors
3.4 A note on automated decision making
We do not make any decisions about you based solely on automated processing that produce legal or similarly significant effects. If this changes, we will update this policy and tell you before it happens.
4. Marketing — what we will and will not do
4.1 Email
We may send you email updates about Hill developments that are similar to those you have enquired about. This is based on our legitimate interest in keeping prospective buyers informed about relevant properties, and is permitted under PECR where you have enquired about a development and have not opted out.
Every marketing email includes a clearly visible unsubscribe link. We will act on unsubscribe requests within five working days. We will not send you emails about developments materially different in location, type, or price to your original interest.
4.2 SMS
We only send marketing texts if you have specifically consented to receive them. We do not use SMS for any purpose beyond what was described at the point of consent. Each SMS includes a way to stop — typically by replying STOP. We never send marketing SMS messages to individuals who have not actively opted in.
4.3 Phone
We may call you to respond to a specific enquiry — this is a service response, not a marketing call. We may also call you for marketing purposes where:
- You have explicitly consented by ticking the relevant box on our form
- You have verbally consented during a previous call, and that consent has been logged in our system with a date and note of what was agreed
- Your number is not registered with the TPS and we have a legitimate interest based on your enquiry
4.4 Post
We may send development information by post on the basis of our legitimate interest in marketing similar properties to individuals who have enquired about our homes. You can opt out of postal marketing at any time by emailing [email protected].
4.5 Enquiries received from property portals
When we receive your enquiry from a property portal such as Rightmove, Zoopla, or OnTheMarket, we use your contact details only to respond to that specific enquiry. If we wish to contact you about other Hill developments for marketing purposes, we will ask for your direct consent through a follow-up email at the point of first contact. We will not add portal enquiry data to our general marketing database without first obtaining your direct consent.
4.6 Your point of collection notice - what each form tells you
Every Hill enquiry or booking form includes a short notice explaining the two legal operations taking place simultaneously:
We will use your details to arrange your appointment and — unless you tell us otherwise — to keep you updated about this and similar Hill developments. You can ask us to stop at any time by emailing [email protected]. We hold enquiry data for 18 months. If you tick any of the channel options on the form, that ticking is your consent for that specific channel.
This notice reflects two distinct lawful bases operating simultaneously: legitimate interests for the enquiry response and email soft opt-in; and consent for any SMS or phone channel you actively select. The two are legally separate and the form is designed to make that distinction clear.
5. Your rights
UK data protection law gives you a number of rights in relation to the personal data we hold about you. Here is what each means and how to use it.
| Your right | What it means | How to use it |
|---|---|---|
| Right to be informed | To be told clearly how we use your data. This privacy policy fulfils that obligation. | Read this policy. Email us if anything is unclear. |
| Right of access | To receive a copy of the personal data we hold about you and details of how and why we use it. We will respond within one calendar month. | Email [email protected] with the subject: Subject Access Request |
| Right to rectification | To ask us to correct any inaccurate data or complete any incomplete data. | Email [email protected] |
| Right to erasure | To ask us to delete your data where we no longer have a legitimate reason to hold it. This right is not absolute — we may need to retain some data to comply with legal obligations. | Email [email protected] |
| Right to restrict processing | To ask us to pause how we use your data — for example while you contest its accuracy or while an objection is being considered. | Email [email protected] |
| Right to data portability | To receive your personal data in a structured, machine-readable format where we process it by automated means on the basis of consent or contract. | Email [email protected] |
| Right to object | To object to us processing your data on the basis of legitimate interests. For direct marketing this right is absolute — we will stop immediately and without question. For other processing, we will stop unless we have compelling grounds. | Email [email protected] or use the unsubscribe link in any marketing email |
| Rights around automated decisions | We do not use automated decision-making. If we introduce it, we will update this policy and tell you before it begins. | Not currently applicable |
We will respond to all rights requests within one calendar month. Where a request is complex, we may extend this by a further two months — we will tell you if this is the case and explain why. We will never charge a fee unless a request is manifestly unfounded or excessive.
6. Who we share your data with
We only share your personal data where there is a clear purpose and a legal basis for doing so. We do not sell your data to any third party. We do not share your data with any organisation for their own marketing purposes without your explicit consent.
6.1 Named advertising and digital platforms
Where you have consented to targeted advertising through our cookie banner or contact form, we may upload your encrypted contact details to:
- Meta (Facebook and Instagram) — for targeted advertising and audience matching. Meta acts as an independent data controller. See Meta's privacy policy at facebook.com/privacy/policy.
- Google — for Google Ads targeting and conversion tracking via Google Consent Mode v2. Google acts as an independent data controller. See Google's privacy policy at policies.google.com/privacy.
Any data uploaded is encrypted before transfer. We only upload where you have given consent and do not authorise these platforms to use your data for purposes other than showing you Hill property advertising.
6.2 Names property portals - in bound data sources
We receive enquiry data from these platforms when you submit an enquiry through them:
- Rightmove — rightmove.co.uk/this-site/privacy-policy.html
- Zoopla — zoopla.co.uk/privacy
- OnTheMarket — onthemarket.com/privacy-policy
- Share to Buy and Homes for Londoners — for shared ownership enquiries
We are a separate data controller in respect of enquiry data received from these platforms. As described in Section 4.5, we use this data only to respond to your specific enquiry unless you give us direct consent.
6.3 All other third party sharing by category
| Category | Purpose | Relationship | Basis |
|---|---|---|---|
| CRM and marketing platform | Storing and managing contacts and sending marketing communications | Processor | Legitimate interests |
| Email delivery provider | Delivering marketing and service emails on our behalf | Processor | Legitimate interests |
| NHBC and warranty providers | Registering your property warranty at completion | Controller | Contractual necessity |
| Solicitors and conveyancers | Progressing your property purchase | Controller | Contractual necessity |
| Mortgage brokers and financial advisors | Where you have been referred or have asked us to share details | Controller | Consent / Contract |
| Housing associations and scheme administrators | For shared ownership and Help to Buy purchases | Controller | Contractual necessity |
| IT hosting and infrastructure providers | Storing and processing data on our systems | Processor | Legitimate interests |
| Analytics platform (Google Analytics) | Understanding how visitors use our website — only where cookie consent is given | Processor/Controller | Consent |
| Market research providers | Gathering customer satisfaction and market insight data | Processor | Legitimate interests |
| HMRC, HSE, local authorities, building control | Statutory and regulatory compliance | Controller | Legal obligation |
| Solicitors instructed in legal disputes | Defending or pursuing legal claims | Controller | LI / Legal obligation |
| Police and law enforcement | Responding to lawful requests | Controller | Legal obligation |
7. International data transfers
We aim to process and store your personal data within the UK. Where suppliers store or process data outside the UK, we ensure appropriate safeguards are in place before any transfer.
Where we transfer personal data outside the UK, we ensure that appropriate safeguards are in place. This may include relying on UK adequacy regulations, or using UK approved contractual protections such as the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. Further information about relevant safeguards is available on request.
8. How long we keep your information
We keep your personal data only for as long as necessary for the purpose for which it was collected, or as required by law. At the end of each retention period, data is securely deleted or anonymised. Where we delete a marketing contact, we retain their email address or phone number on a suppression list to ensure they are not accidentally re-added from a future enquiry.
| Data category | Retention period | Reason |
|---|---|---|
| Prospect and enquiry data — no purchase | 18 months from last engagement | Active property search cycle; legitimate interests weakens with time |
| Prospect data — marketing consent given | 24 months from last active engagement | Consent currency; re-engagement email sent at 18-month mark |
| Marketing consent records | Duration of consent + 6 years after marketing ends | Evidence of lawful basis for complaint or ICO investigation |
| Reservations that did not proceed | 6 years from withdrawal | Limitation Act 1980 — contract claim period |
| Completed purchases — buyers | 15 years from legal completion* | NHBC warranty; latent defect claims; Building Safety Act 2022 |
| Post-completion customer care records | 6 years from resolution of last issue | Warranty and contract claim period |
| Health and safety records | 40 years from incident or record creation | Industrial disease claims; RIDDOR; HSE requirements |
| Employee and contractor records | 6 years from end of employment or contract | Employment and tax law; tribunal claim periods |
| Job applicant data — unsuccessful | 6 months from end of recruitment | Employment tribunal claim period |
| TPS and MPS screening records | 2 years from screening date | ICO enforcement timeline; evidence of lawful calling |
| Call recordings | 12 months; 6 years where material to a dispute | Quality and training; contract and legal claim evidence |
| CCTV footage | 30 days unless preserved as evidence | ICO CCTV code of practice |
| Website analytics data | 26 months (aggregated); 13 months (user-level) | Year-on-year comparison; privacy-proportionate user tracking |
| Supplier and contractor records | 6 years from end of contract | Contract dispute limitation period |
9. How we manage your consent
Where we process your personal data on the basis of consent, we keep a record of: when consent was given; the exact wording shown to you at the time; the specific channel or channels you consented to; the development or purpose for which consent was given; and the date and method of any subsequent withdrawal.
We review consent records periodically. For marketing contacts who have not engaged with any communication for 18 months, we send a re-engagement email to confirm they would still like to hear from us. If we do not receive a response, we suppress the contact from further marketing.
To update your preferences or withdraw consent at any time:
- Use the unsubscribe link in any marketing email
- Reply STOP to any SMS message
- Email [email protected]
- Write to us at the address in Section 1
If you withdraw consent, we will act on your withdrawal within five working days.
10. Cookies
Cookies are small files placed on your device when you visit a website. We use cookies to make our website work, to understand how visitors use it, and — where you have given your consent — to show you relevant advertising on other platforms.
10.1 Cookie categories
| Category | Purpose | Consent needed? | Examples |
|---|---|---|---|
| Strictly necessary | Essential for the website to function. Cannot be switched off. | No | Session cookies |
| Analytics and performance | Understanding how visitors use our site so we can improve it. | Yes | Google Analytics |
| Marketing and advertising | Enabling targeted advertising on third-party platforms including Meta and Google. | Yes | Meta Pixel, Google Ads |
| Functionality | Remembering preferences such as language settings or previously viewed developments. | Yes | Preference cookies |
10.2 How we obtain cookie consent
When you first visit our website, a cookie banner gives you the option to accept all cookies, reject all non-essential cookies, or manage your preferences by category. We do not place any non-essential cookies on your device before you have made a choice.
You can change your cookie preferences at any time by clicking the Cookie settings link in the footer of any page on our website. Your changed preferences take effect immediately for new cookies. Non-essential cookies already placed will be deleted when you reduce your preferences.
Note on analytics cookies: The Data (Use and Access) Act 2025 may create a limited exemption for analytics cookies used purely for statistical purposes. We are monitoring ICO guidance on this provision. Until the ICO confirms the scope of any exemption, we continue to request consent for all analytics cookies.
10.3 YouTube and embedded video
Some development pages include videos hosted on YouTube. We load these using the youtube-nocookie.com domain, which means YouTube does not set advertising cookies until you actively choose to play the video. A short notice will appear before the video loads confirming that YouTube may set cookies if you proceed.
You can read the YouTube privacy policy here for more information on their use of cookies.
10.4 Managing cookies through your browser
Most browsers allow you to view, manage, and delete cookies through their settings. Browser controls are available as an additional tool but they do not replace our cookie consent mechanism and we do not rely on them as the basis for our cookie compliance.
To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit: www.allaboutcookies.org.
11. CCTV
We operate CCTV cameras at our sales offices, show homes, and construction sites for health and safety, crime prevention, and the protection of our employees and visitors. Footage is not continuously monitored but may be reviewed following an incident, complaint, or security concern, and may be shared with police or other authorities where required.
Footage not required for a specific purpose is deleted automatically after 30 days. Where footage is relevant to an ongoing matter, it is preserved for the duration of that matter plus the relevant limitation period. CCTV signage is displayed at all locations where cameras operate.
12. Call recording
We record inbound and outbound calls for quality monitoring, training, and evidential purposes. An automated message at the start of each call informs you of recording. If you prefer not to be recorded, please tell our team member at the start of the call.
Call recordings are held for 12 months as standard. Where a recording documents a specific commitment, consent, or matter relevant to a transaction or legal claim, it is retained alongside the relevant record for up to six years. Access is restricted to authorised members of our customer care, compliance, and legal teams.
13. Children
Our products and services are directed at adults. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected data about a child, please contact [email protected] and we will delete it promptly.
14. Security
We have put in place appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include:
- Encryption of data in transit and at rest
- Access controls limiting who within Hill can access personal data, based on role and need
- Regular security assessments and staff training
- Data processing agreements with all suppliers who handle personal data on our behalf
- An incident response procedure to identify, contain, and report data breaches promptly
If we become aware of a breach likely to risk your rights and freedoms, we will notify the ICO within 72 hours and — where required — notify you directly without undue delay.
15. Changes to this policy
We review this policy at least once a year. Where we make changes that affect how we use your data in a way you would not reasonably expect, we will tell you before the change takes effect — by email where we have your address and a basis to contact you, or by a prominent notice on our website.
Minor changes — such as rewording for clarity or updating supplier names — will be made without specific notification, but the review date will always be updated. The version history at the top of this policy confirms which version is current.
16. Complaints and concerns
We want to get things right. If you feel we have not handled your personal data the way you would expect, please come to us first — we will take your concern seriously and respond within one calendar month.
- Email: [email protected]
- Post: Data Protection Compliance, The Power House, Gunpowder Mill, Powdermill Lane, Waltham Abbey, Essex, EN9 1BN
We will acknowledge your complaint within five working days and provide a full response within one calendar month. If your complaint is complex, we may extend this by a further two months — we will tell you and explain why.
If you are not satisfied with our response, you have the right to contact the Information Commissioner's Office:website: ico.org.uk
