UK GDPR & Email Compliance in NurtureHub
UK GDPR & Email Compliance in NurtureHub
Version: 1.0.21
NurtureHub v1.0.21 introduces a full suite of compliance features required by UK GDPR and the Privacy and Electronic Communications Regulations (PECR). This post explains what has changed, what it means for your agency, and how each feature works.
Why This Matters
Property agencies handle significant volumes of personal data — applicants, landlords, vendors, tenants. UK GDPR and PECR set legally enforceable obligations around how that data is processed, stored, and used for marketing. Non-compliance carries substantial ICO fines and reputational risk. NurtureHub now handles the technical requirements so your agency can market with confidence.
What's New
1. One-Click Unsubscribe in Every Email
Every email sent by NurtureHub now contains a one-click unsubscribe link. This satisfies the PECR requirement that recipients can opt out of electronic marketing at any time without friction.
- When a contact clicks unsubscribe, they are immediately added to the suppression list.
- Suppressed contacts will never receive a NurtureHub email again, regardless of which nurture sequence they are enrolled in.
- No manual action is required from the agent.
2. Consent Tracking
NurtureHub now records when and how consent was obtained for each contact:
- Consent entries are timestamped and include the consent method (e.g. web form, verbal, imported).
- The full consent history for a contact is visible in their contact detail view.
- Consent records are included in DSAR exports (see below).
This supports your ability to demonstrate a lawful basis for processing under UK GDPR Article 6.
3. ICO-Compliant Privacy Notice Links in Email Footers
All outbound email footers now include a link to your agency's privacy notice, in line with ICO guidance on transparency. You can configure your privacy notice URL in your agency settings.
4. Data Subject Access Request (DSAR) Export
Under UK GDPR Article 15, individuals have the right to request a copy of all personal data you hold about them. NurtureHub now provides a dedicated DSAR export endpoint:
- Returns all personal data held for the specified contact.
- Includes: contact details, consent history, email engagement records (opens, clicks, unsubscribes), nurture sequence membership, and audit log entries.
- Output is structured JSON, suitable for presenting to the data subject or retaining as a compliance record.
See the API Reference — Compliance Endpoints for request/response details.
5. Right to Erasure (Right to Be Forgotten)
Under UK GDPR Article 17, individuals can request that their personal data be erased. NurtureHub's erasure endpoint:
- Anonymises the contact record in place — personal identifiers (name, email, phone) are replaced with anonymised values, preserving referential integrity for reporting.
- Adds the contact to the suppression list so no further emails can be sent to that address.
- The erasure action is written to the audit log with a timestamp.
Note: Anonymisation rather than hard deletion is used to preserve aggregate analytics and audit trail integrity, consistent with ICO guidance on erasure.
6. Automatic Bounce & Complaint Handling
NurtureHub now processes email hard bounces and spam complaints automatically:
- When a hard bounce is received (invalid or non-existent address), the address is added to the suppression list.
- When a spam/abuse complaint is received from a receiving mail provider, the address is suppressed immediately.
- This protects your sender reputation and ensures you are not repeatedly emailing addresses that cannot or do not wish to receive your emails.
The Suppression List
All suppression reasons — unsubscribe, erasure, bounce, and complaint — are stored in a single suppression_list table. Any contact present in this table is excluded from all outbound sends, regardless of their nurture sequence status. The suppression reason and timestamp are recorded for each entry.
Audit Logging
Every compliance action generates an audit log entry, including:
| Action | Logged Details |
|---|---|
| Unsubscribe | Contact ID, timestamp, method (link click) |
| Consent recorded | Contact ID, timestamp, consent method |
| DSAR export | Contact ID, requesting user, timestamp |
| Erasure request | Contact ID, performing user, timestamp |
| Bounce received | Contact ID, bounce type, timestamp |
| Complaint received | Contact ID, complaint source, timestamp |
Audit logs are immutable and available to agency administrators.
Action Required
- Privacy notice URL: Ensure your agency's privacy notice URL is set in Settings → Agency Profile so it appears correctly in email footers.
- Consent records for existing contacts: If you are importing contacts from a CRM, ensure you record the lawful basis and consent method at import time using the consent tracking fields now available.
- DSAR process: Update your internal DSAR handling process to use NurtureHub's export endpoint when a request relates to email marketing data.