Privacy Policy

1. Who We Are

Commercial Property Advisors Ltd ("CPA", "we", "us") is a business rates advisory firm registered in England and Wales. We provide business rates assessment, appeal, and relief services to commercial property occupiers and owners across the UK.

2. Personal Data We Collect

2.1 Data you provide to us

When you enquire about or engage our services, we collect:

  • Names and job titles of directors, company officers, and authorised representatives.

  • Business contact details: postal address, email address, telephone numbers.

  • Company registration details and VAT number where relevant.

  • Correspondence you send us by email, post, or telephone.

2.2 Data Collected as Part of Service Delivery

To provide business rates advice in line with the current and historical rating lists, we process the following:

  • Rateable values of commercial properties (from the Valuation Office Agency rating lists)

  • Property addresses, descriptions, and floor areas

  • Rental information and lease details where needed to support an appeal

  • Turnover and financial indicators where relevant to the rating valuation

  • Business rates bills and correspondence from local billing authorities

  • Credit score indicators where obtained from publicly available sources for service-related purposes

2.3 Data Collected Automatically

When you visit our website, we automatically collect technical data including your IP address, browser type, operating system, and pages visited. This is processed for website security and analytics purposes under our legitimate interest. Please see our Cookie Policy for full details.

3. How We Use Your Data and the Legal Basis

UK GDPR requires us to have a lawful basis for every processing activity. The table below sets this out:

4. Use of Artificial Intelligence

We use AI tools to assist in the analysis of commercial property data and to generate progress reports for clients. This section explains how and why, in line with our obligations under UK GDPR and the EU AI Act.

4.1 AI Tools We Use

  • OpenAI API — used via Make.com for analysis of commercial property data and drafting of client progress reports

  • Google Gemini API — used via Make.com for analysis of commercial property data

4.2 What We Do and Do Not Do with AI

  • We use AI to analyse commercial property data (rateable values, comparable evidence, rating list information) — not to make decisions about individuals.

  • We send AI-assisted progress reports to clients summarising the status of their case.

  • We do not use AI to make automated decisions that produce legal or significant effects on individuals.

  • We do not train any AI model on client data.

  • We do not allow OpenAI or Google to use our data to train their models — our API usage is governed by data processing agreements that prohibit this.

4.3 How We Protect Your Data When Using AI

  • All AI processing is orchestrated through Make.com, which provides us with control over data flows, audit logging, and the ability to apply human review before outputs are used

  • A human at CPA reviews all AI-generated reports before they are sent to clients

  • Where data is transmitted to AI providers, it is encrypted in transit

  • We minimise the personal data included in AI prompts — property and commercial data rather than personal identifiers wherever possible

  • Data transfers to OpenAI (US) and Google (US/EU) are covered by standard contractual clauses (SCCs) and UK adequacy mechanisms

4.4 Your Rights Regarding AI Processing

Because our AI tools are used for property analysis rather than profiling individuals, automated decision-making rights under UK GDPR Article 22 do not typically apply. However, if you have any concerns about how AI has been used in relation to your case, please contact us using the details in Section 1. You are also entitled to request human review of any report we have sent you.

5. Who We Share Your Data With

We do not sell your personal data. We may share data in the following circumstances:

  • Service providers and subcontractors: Including Make.com (automation platform), OpenAI (AI API), Google (Gemini AI API), cloud storage providers, and any specialist rating surveyors engaged on your case — all under data processing agreements

  • Valuation Office Agency and local billing authorities: Where required to progress a business rates appeal or relief application

  • Legal and regulatory authorities: Where required by law or court order

  • Professional advisors: Solicitors, accountants, and auditors under duties of confidentiality

All third parties are required to process your data in accordance with UK GDPR and are contractually bound to do so.

6. International Transfers

Some of our third-party service providers are based or process data outside the UK, including the United States. Where this occurs, we ensure an equivalent level of protection is in place through:

  • UK International Data Transfer Agreements (IDTAs) or UK addenda to EU Standard Contractual Clauses

  • Reliance on adequacy decisions where applicable

  • Technical safeguards including encryption

Specifically, data processed via the OpenAI API and Google Gemini API may be transferred to servers in the United States. These transfers are governed by appropriate contractual safeguards.

7. How Long We Keep Your Data

Our standard retention period for client data is 6 years, aligned with the rating list period. This reflects the statutory timeframe within which business rates appeals and legal disputes may arise.

After expiry of the retention period, data is securely deleted or anonymised. Data relating to dissolved companies is reviewed and deleted quarterly.

Different categories of data may be held for shorter periods — see the table in Section 3.

8. Your Rights

Under UK GDPR, you have the following rights. To exercise any of them, contact Ben Sayer at ben@commercialpropertyadvisors.co.uk.

  • Right to be informed — you are reading this notice

  • Right of access — you may request a copy of the personal data we hold about you

  • Right to rectification — you may ask us to correct inaccurate or incomplete data

  • Right to erasure — you may ask us to delete your data where there is no lawful reason to retain it

  • Right to restrict processing — you may ask us to pause processing in certain circumstances

  • Right to data portability — you may request your data in a structured, commonly used format

  • Right to object — you may object to processing based on legitimate interests or for direct marketing

  • Rights related to automated decision-making — you may request human review of any automated output

We will respond to all rights requests within one month of receipt. This may be extended by a further two months where the request is complex or numerous.

If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO): www.ico.org.uk | 0303 123 1113.

9. Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Two-step verification for access to systems containing personal data

  • Encrypted cloud storage

  • Encryption of data in transit, including when transmitted to AI providers

  • Antivirus and malware protection

  • Access controls limiting data access to personnel who require it

  • Regular staff training on data protection

10. Cookies

We use cookies on our website. Please refer to our separate Cookie Policy for full details of the cookies we use and how to manage them.

11. Changes to This Notice

We may update this Privacy Notice from time to time. The effective date at the top of this document will be updated accordingly. We encourage you to review this notice periodically. Where changes are material, we will notify clients directly.

12. Contact Us

For any questions about this notice or to exercise your rights: