Privacy Policy


Mainstay Group Limited, along with its subsidiaries, is committed to the protection of its customers' data. This policy explains what information we collect, how we collect, hold and process it, and for what purposes.

Please ensure that you read this document carefully as by. If you have any queries please contact us at


What is a Data Subject?

The Data Subject is a living individual to whom personal data relates. For the purposes of this Privacy Notice the Data Subject is any customer of Mainstay Group.

What is Personal Data?

As described by Article 4 in the GDPR Definitions ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What is a Data Controller?

A Data Controller means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller may be designated by those laws.

What is a Data Protection Officer?

A data protection officer (DPO) is required by the General Data Protection Regulation (GDPR) if a company has more than 250 employees. Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.

ICO (Information Commissioner's Office)

Mainstay has been registered with the ICO since 2001. We have a lot of experience in dealing with personal data and keeping it safe. We know what to do if there is a breach of data or if a request for data comes in. Our Registration Numbers are below:

Mainstay Group Limited, Registration Number Z5319196
Mainstay Residential Limited, Registration Number Z5338802
Mainstay Facilities Management Limited, Registration Number Z4854434
Mainstay Commercial Limited, Registration Number ZA126794

All registrations are automatically renewed annually.

Data Protection Complaints

If you would like to raise a complaint regarding the way we have handled your data, or you have a concern, please raise this with our DPO by: -

Data Protection Officer
Mainstay Group
Whittington Hall
Whittington Road

Email: -

If we are unable to come back to you with a satisfactory response you can raise your concerns with the ICO. This can be done by: -

Email: -

Phone: - 0303 123 1113

Information Commissioner's Office
Wycliffe House
Water Lane

Data Controller/Data Processor

Due to the wide variety of customers and clients we serve, in some instances we are the Data Controller and in others we are the Data Processor. Please see the definitions at the top of this Notice, which are in accordance with the GDPR.

Who does this policy apply to?

This policy applies to our customers and clients (including but not limited to Leaseholders, Tenants and Residents).

What do we collect and how do we use it?

Please see Data Map at the bottom of this document.

Sharing information
• We may give out your personal data if required to do so for a police investigation or court order.
• We may give your personal data to a 3rd party as part of a sale of the business and assets to the 3rd party. However, steps will be taken to ensure that your privacy rights continue to be protected and the data is used in accordance with our Privacy Notice.
• In an emergency, we may be required to give your contact details out to a contractor to contact you. However, we will always try and contact you beforehand.
• As part of our process for collecting site funds, where there has been no contact made by you to advise why there has been no payment or to set up a payment plan, we may pass your details on to a Debt Collecting Agency. We would like to assure you that the agency we use has undergone checks to ensure they are GDPR compliant and will not share your details further.
• When required to do so we enlist the expertise of external solicitors for legal advice. Your data may be passed on to them to give them a better understanding of certain legal situations.
• There may be instances where we share data with the Freeholder, RMC and directors of a site. We will query the use of the data to ensure the reason is a ‘legitimate interest’ before giving this to them and ensure they have adequate protection in place to store your data.
• If we lose management of a site we will give all information we hold to the new management agents to ensure they can properly manage the site from the moment they take control. This is part of the guidelines of ARMA, of which we are a member.

Other than the points listed above, we will not disclose your personal information without your permission. We do not sell your information to third parties and your personal data is treated with the utmost care.

How do we protect your data?

• Every member of staff is trained in how to handle your Personal Data according to their Job Role.
• Your data is only accessible by the teams involved in the management and service provision for your site/s.
• Your data is housed in a secure data centre, patrolled by security guards when the office is unmanned, monitored by CCTV cameras behind a card entry door only accessible by the IT Department and Security Guards of Mainstay.
• Mainstay operates 2 firewalls which are regularly updated with the latest patches to ensure the latest threats are protected against.
• All PCs and Servers are updated with the latest operating system updates available to ensure the Operating Systems are as protected as they can be.
• USB/Optic drives are locked down to ensure no head office staff can take data offsite.
• Internet access is restricted to block file sharing sites and malicious software.
• Laptops, PCs and Servers are fully encrypted.
• Remote workers use a Citrix environment to ensure data is kept in one location.
• The latest cloud-enforced Antivirus and Endpoint security is rolled out across the fleet of PCs and Servers.
• All mobile devices are password protected and capable of being remotely wiped.
• All Servers are backed up regularly into an external Data Centre which (in the event of a disaster) can be up and running in 4 hours to continue core services.

Changing your details

• You can view your personal details by logging into the Mainstay Portal and clicking on 'My Details'. The website is located here: -
• You can change your preferred method of communication on the same page. Please note that we must send you site correspondence by either email or by post. This is a legal requirement.
• There is a field which allows us to send site updates via SMS to your mobile; this is an optional service. Where we believe you would greatly benefit from receiving information quickly we may contact you via this method. This communication will only be in emergency situations.
• You can also change your personal details by sending an email to Please ensure that you include your Tenant Reference number which can be found on any previous correspondence from us or your address that you are contacting us about.

Subject Access Request (SAR)

If you would like to request the data that we hold on you, please email with a subject of 'Subject Access Request'.
Please include specifics of what data you’d like to receive.

The maximum time we will take on your request is 1 month from receiving the request unless we give a specific reason why it cannot be completed in this time.

If the request is manifestly unfounded, excessive or repetitive then there will be a fee. The fee will be quoted after an initial look at the request has taken place. Once accepted and we have received payment then we will action the request.

How information will be provided to you
We will ask how you would like the information to be provided whether that be electronically or in printed hard copy.

Large requests
Where the SAR request relates to data held over a large timeframe we may ask you to be more specific to assist us in searching for the information you are after. You may be asked to be more specific on the timeframe or come up with keywords to enable a more effective search.

Data Controller/Processor
Where we are the Data Controller we will process your request.
Where we are the Data Processor we will communicate with the Data Controller as they may wish to take ownership of the request.

Data Map

• What Personal Data we might hold on you.
• The legal reason for processing this data.
• How we collect the data.
• How long we will keep the data for.

We hope that you find this Privacy Notice useful and believe it to be an honest and transparent view of what information we hold on you and how we use it. We welcome any feedback; please direct this to the DPO using the contact details listed in this document.