Cookies, data protection, GDPR and all that other jive...

At Citu, we're committed to maintaining the trust and confidence of our visitors to our website, and residents living in a Citu Place. We're not in the business of selling, renting or trading people’s personal information to other companies and businesses for marketing purposes. That’s not what we’re about, we’re about tackling climate change so all the information we collect is for that purpose, regardless of what stage of the Citu Journey you’re at. 

We also use your data to complete the purchase of your Citu Home, but for us, that still falls under tackling climate change because choosing to live in a Citu Place means exactly that.

We’ve pulled together this privacy policy containing lots of detailed information on when and why we collect your personal information, how we use it, the limited conditions under which we may disclose it to others and how we keep it secure.

We hope you enjoy reading this as much as we enjoyed writing it.

Let’s start at the beginning…

You could be a customer, resident, supplier, visitor to the website, a reader of our blog or someone who is wanting to work with us to tackle climate change. 

Whoever you may be, we want you to know that we take your data seriously, so you can take it easy when it comes to any interaction you have with Citu.

If you’re like us, you’ve probably been asked to read around 50 of these by now.  So, we’re going to keep ours as short as possible. 

So, from the top, let’s do website and cookies.

Our website and cookies

We use cookies when you visit our website. If you can remember, it was the pop-up box that appeared on the website the first time you visited. That was our consent information box and it told you how we use your data and provided a link through to this page for more information.

What’s a cookie?

Cookies are small text files that can be used by websites to make a user’s experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site.

For all other types of cookies, we need your permission.

What are the types of cookies we use on the Citu website?

Well, we keep it simple:

  • We don’t use cookies that store personal details.
  • We don’t use cookies for marketing purposes.
  • We don’t use cookies to personalise your experience on
  • our website.
  • This site uses cookies to track the number of website visitors and usage.

We’re not selling pillows, or socks. We’re selling homes that help you to reduce your carbon footprint. We’re guessing that if you’re looking for a home, then it’s safe to say you’ll know what you want as soon as you find it.

So, we’ve made the decision to not follow you around online with annoying ads that ruin your viewing pleasure on other sites. We hate it, especially the extra loading times for web pages or the videos that automatically play with sound.  Why the hell would we inflict that pain on you?

Plus, tracking the number of visitors to the website keep the Citu Marketing Team in a job. If not for the environment, then do it for Rob Allen who looks after the website and My Citu Account.

And, it would be amazing to be able to turn around and say that more people are interested in climate change than what the Kardashians are up to in the UK. Tracking the number of visitors to our website will help us to do that 

If you’re a Customer or Resident

All the information you need to how we handle and use your data can be found in our nifty little Data Privacy Policy guide.

You can download it here.

It’s worth a read because you’ll find out how your data helps to tackle climate change, even if all you’ve done is visited our website.

If you are a customer who is using the government's Help To Buy scheme, we will exchange relevant information with the relevant Help to Buy agent. You can reaed the data protection and privacy policy of the Help To Buy agent we use by clicking here


It can happen, so we want to make it easy for you to contact us about the bad experience you’ve had in dealing with Citu.

All you need to do is email with your troubles and a member of the Citu Support Team will respond within 5 workings and then can we go from there. 

Hopefully we’ll resolve it all straight away, but if we can’t and it’s going to take time we’ll keep you updated of how we’re getting on in reaching a resolution.

If you’re already living in a Citu Place, then please refer to the contact details provided in Actuate, the smart home app that controls your Home.

Data request or change of information

It’s really simple to request the information we hold on you or to make a change if something changes in your circumstances.

Just email and give us 30 days to collate all the information into a format that you can understand and send through to yourself.

It’s that simple.


We love that you want to help us to tackle climate change.

When you apply for a role at Citu, we always ask for a CV and covering letter.  The personal information on your CV helps us to contact you, but if you didn’t know that already we’d be questioning your suitability for the role.  Or any role at Citu for that matter.

We’ll also use your employment history to help us determine if you’re right for the role.  Sometimes someone may go rogue and use it to stalk you on LinkedIn, we can’t 100% say that won't happen, but if it helps you to get the job...

If you’ve applied for a role and are successful, then your personal details and CV are stored on a secure internal drive that only HR related staff can access.  If you’re not successful, we'll keep your CV for 6 months in case a role pops up that we think you'd be perfect for.

As part of the recruitment process, we also ask you to do a Talent Dynamics profile after you’ve been successful at stage one of the process.  It helps us to better understand what kind of things keep you in flow.  It’s all about performance, you can find out more on their website and read their data privacy policy statement here

If you don’t want us to hold your CV for that 6-month time-period, then all you need to do is contact us at

All straight forward stuff, but what you might now know is that we use a third-party recruitment company called Breathing Space to help us with all things HR related – you can get in touch with them to find out about how they use your data here. 

That’s all great, but is the data secure?

We hear you, so we brought in an external company who specialise in IT.  It’s their job to make sure everything is locked down tight at Citu.

We’ve saved this part to the end because it’s about to get technical, but if you want to know how we secure your data then it’s all here for.


Inbound and Outbound network traffic is protected by way of a Cyberoam CR15 UTM Firewall with VPN support. This device restricts traffic by way of firewall rules with all unrequested ingress traffic being blocked as default. Egress traffic is allowed with certain restrictions based on the type of application.  Periodic firmware updates are done as and when these become available from the manufacturer.

Office Server Access – Internally
Access to the server from inside the office is protected by way of server login credentials, users needing a login name and complex password in order to authenticate against the server to access the data stored therein. Each user is given specific access rights based on the groups they belong to, each group being restrictive in allowing access to only certain server folders.

All users are restricted to standard user accounts removing the ability to elevate to Admin level when accessing both their local machine and the server, without administrator involvement.

Administrative access to the server is restricted to server administrators and admin logins are protected by two factor authentication where possible.

Office Server Access – Externally
Access to the server from outside of the office is blocked by the firewall and is therefore NOT possible without users first connecting to the VPN running on the Cyberoam Firewall. This is done by way of an SSL secured portal which gives tunnel access to the server but no other internal network devices. Once connected users still need to authenticate onto the server as if they are inside the office.

Users are setup with email, server access, telephone line and VPN access (where required) upon joining the company by way of a new user setup process. Access to external email systems (Office 365) is configured for two factor authentication (2FA) via a user’s smartphone.

Lastpass password manager is recommended for users to generate and store complex passwords for use when accessing any third party systems. Leaving users have their access removed from these systems at the point of termination of their employment via contact with our managed support provider, 3TL, upon completion of a termination request.

Internal/Wifi Network
The internal network is protected by way of physical security. Physical entry to the office must be obtained in order to connect to the physical network. The Wi-Fi network is protected by the way of a WPA2 complex security key which is changed periodically. A separate Guest WIFI network is also configured with access restrictions to only allow internet connectivity – this is used by visiting users.

Want to know more?

We’re happy to talk to you about it all, even though it bores us to death.  But, we know it’s important because we would hate it if any organisation misused our personal data without our knowledge.

Email us at with any questions you may have on how we capture, store and use data.