Privacy Notice

Introduction to the UBIQS Privacy Notice

This privacy notice provides you with details of how we collect and process your personal data through your use of our platform at www.ubiqs.co.uk and our property management and document repository services.

By providing us with your data, you warrant to us that you are over 18 years of age and have the legal capacity to use our services.

UBIQS Property Limited is the data controller and we are responsible for your personal data (referred to as ‘we’, ‘us’ or ‘our’ in this privacy notice).

Our Full Details

It is very important that the information we hold about you is accurate and up to date. Please let us know if at any time your personal information changes by emailing us at enquiries@ubiqs.co.uk.

Our Dual Role: Controller and Processor

Important: UBIQS operates in two distinct roles depending on the type of data processing.

When We Are a Data Controller

For your user account data, platform usage, and our business operations, we are the data controller and determine how your data is processed.

When We Are a Data Processor

For documents containing personal data that you upload to our platform (such as tenant information), you remain the data controller and we process this data solely according to your instructions.

What Data We Collect, for What Purpose, and on What Legal Ground

Data We Control (UBIQS as Data Controller)

User Account Data

Includes your name, email address, password (encrypted), company/business name, contact details, and account preferences. We process this data to:

• Provide you with access to our platform services
• Manage your account and billing
• Communicate with you about your account
• Provide customer support

Legal Basis: Performance of contract and legitimate interests (service provision and customer support).

Platform Usage Data

Includes login times, features accessed, document upload statistics (without accessing content), platform navigation, and technical performance data. We process this data to:

• Improve our platform functionality
• Ensure platform security and performance
• Understand user needs and preferences
• Develop new features

Legal Basis: Legitimate interests (platform improvement and security).

Communication Data

Includes any communication you send to us through our contact forms, email, support tickets, feedback, or any other communication channel. We process this data to:

• Respond to your inquiries and provide support
• Keep records of our communications
• Improve our services based on feedback

Legal Basis: Legitimate interests (customer service and business improvement).

Technical Data

Includes IP address, browser type, device information, page visits, referral sources, and basic server-log analytics. We process this data to:

• Ensure platform security and prevent fraud
• Analyse platform usage patterns at the aggregate level
• Optimise user experience and platform performance
• Maintain system functionality and troubleshoot issues

We currently do not use third-party analytics tools (such as Google Analytics). Should we integrate any such tools in future, this Privacy Notice will be updated, and where consent is required, it will be obtained before activation.

Legal Basis: Legitimate interests (security, analytics, and service improvement).

Marketing Data

Includes your preferences for receiving service updates and communications from us. We process this data to:

• Send you relevant updates about our services
• Provide information about new features
• Share industry insights and compliance guidance

Legal Basis: Consent (where required) or legitimate interests (existing customer communications).

Trial and Demonstration Tools

Our website may include demonstration tools to showcase platform functionality. Important: No data submitted through demonstration tools is collected, stored, or processed by UBiQS. These tools operate without data retention for maximum privacy protection.

Data We Process (UBIQS as Data Processor)

Uploaded Documents

Includes any documents you upload containing personal data (address, tenant information, property documents, compliance certificates, receipts). We process this data solely to:

• Provide secure document storage
• Enable document organisation and categorisation
• Facilitate compliance deadline tracking
• Support data export and deletion functions

Legal Basis: Performance of contract — we process this data according to your instructions as the data controller.

OCR processing

Documents you upload are processed by our AI-powered OCR sub-processor (currently OpenAI — see How We Share Your Personal Data and International Transfers below) to extract field values and suggest classifications. OCR can and does make mistakes; the values it extracts are presented to you for verification before you attest to their accuracy. Your attestation is your confirmation that the values are correct (see our Terms and Conditions §6.3 for the full attestation duty). The document content sent for OCR is minimised to what is necessary for extraction; OpenAI's published API terms confirm that API inputs are not used to train models.

Sensitive Data

We do not intentionally collect sensitive personal data (special categories under UK GDPR including race, ethnicity, religious beliefs, health data, etc.). If such data is inadvertently uploaded to our platform, please contact us immediately at enquiries@ubiqs.co.uk for secure removal.

How We Share Your Personal Data

We may share your personal data with the following parties:

Sub-processors

• Supabase — Cloud database, file storage, and authentication services. User data resides in AWS eu-west-2 (London) for UK/European user data residency.
• Vercel — Application hosting and edge delivery, with EU deployment regions.
• OpenAI — AI-powered document text extraction (OCR). US-based — see International Transfers below for safeguards.
• Payment processors (when we implement paid services — PCI DSS compliant providers)
• Customer support tools — to provide technical assistance and user support

Professional advisers

• Lawyers, accountants, and auditors (under confidentiality agreements)
• Cyber security consultants for platform security assessments

Legal requirements

• ICO or other regulatory bodies when legally required
• Law enforcement agencies when legally obligated
• Courts when subject to legal proceedings

Business transfers

• In the event of a merger, acquisition, or business sale (with appropriate safeguards)

We require all third parties to respect the security of your personal data and treat it in accordance with the law. We only allow sub-processors to handle your data for specified purposes and according to our instructions.

International Transfers

Data Storage.Primary data processing — including database storage, file storage, authentication, and application hosting — is conducted within the European Economic Area (EEA). User data resides in Supabase's AWS eu-west-2 (London) region; application hosting via Vercel uses EU deployment regions.

Transfers Outside EEA. International transfers outside the UK/EEA occur only for document text extraction (OCR), which is processed by OpenAI in the United States. These transfers are made under the UK Extension to the EU-US Data Privacy Framework where applicable, or under Standard Contractual Clauses (SCCs)approved by the UK ICO. We send only the document content necessary for OCR extraction. OpenAI's published API terms confirm that API inputs are not used to train models, and inputs are retained only as required for abuse monitoring before deletion.

Any future change of sub-processor that introduces new international transfers will trigger our change-management notice process (see our Terms and Conditions §5.3).

Data Security

We implement comprehensive security measures to protect your personal data:

Technical Measures

• Encryption of data at rest using AES-256 standard
• Encryption in transit using TLS 1.3
• Multi-factor authentication for platform access
• Regular security scanning and vulnerability assessments
• Secure backup systems with tested recovery procedures
• Access logging and real-time monitoring

Organisational Measures

• Staff security training and background checks
• Segregation of duties and least privilege access
• Regular security audits and penetration testing
• Incident response procedures and breach notification protocols
• Business continuity and disaster recovery plans

We allow access to your personal data only to employees and sub-processors who have a legitimate business need and are bound by confidentiality obligations.

Data Retention

We retain your personal data only for as long as necessary to fulfil our stated purposes or as required by law:

• User Account Data: Duration of account plus 7 years (for business records and potential legal claims)
• Platform Usage Analytics: 2 years from collection
• Communication Records: 3 years from last communication
• Support Tickets: 3 years from closure
• Uploaded Documents: Held according to your retention settings and instructions as data controller. See our Terms and Conditions §7.5 for the document-deletion cascade rules (hard delete only; downstream-only cascade for coupled compliance chains). System maximums: tax-related documents 7 years; other property documents according to your specified retention periods.
• System backups: 30 days after primary deletion, retained only in encrypted form for disaster-recovery purposes.

Legal Compliance:Some data may be retained longer where required by law (for example, UBiQS's own accounting records under the Companies Act 2006 and VAT Act 1994 — see our Terms and Conditions §13.3(e) for the limited carve-out).

Data Export and Sharing

CSV Export Functionality

• Users can export their data in machine-readable format
• Exports include only data the user has legitimate access to
• Exported data may contain personal information of tenants or other parties
• Users remain responsible for data protection when sharing exports
• Export logs maintained for audit purposes

Third-Party Professional Sharing

• Users may share exported data with their chosen professional advisers (accountants, legal advisers, consultants)
• Users must ensure third parties have appropriate data protection measures
• Sharing occurs outside the UBiQS platform and is the user's responsibility
• Users should obtain appropriate consent for sharing personal data with third parties

Automated Decision Making

We do not engage in automated decision-making or profiling that significantly affects your legal rights. Our compliance deadline calculations are tools to assist your decision-making, not automated decisions about you.

Managing Your Data Preferences

Account Settings

If you have an account with us, you can manage basic preferences by logging into your account, where you can:

• Update your communication preferences
• Control marketing email subscriptions
• Update your contact information
• Manage your account details

For other data management requests, please contact us at enquiries@ubiqs.co.uk using the procedures outlined in the Data Breach and Urgent Requests section below.

Cookie Usage

Our website currently uses only essential cookies required for platform functionality and security:

• Authentication session cookies (Supabase) — required to keep you signed in and to maintain your session securely.
• Anti-fraud cookies (e.g. CSRF tokens) — protect against cross-site request forgery during sign-in and form submissions.

We do not currently use non-essential cookies (such as analytics or marketing cookies). Should we add any in future, we will update this Privacy Notice and present a cookie consent banner before any non-essential cookies are set. Essential cookies cannot be disabled as they are required for site functionality.

Your Rights Under UK GDPR

You have the following rights regarding your personal data:

• Right to Access — Request copies of your personal data
• Right to Rectification — Request correction of inaccurate personal data
• Right to Erasure— Request deletion of your personal data. UBiQS operates a hard-delete model for account erasure, preceded by a downloadable archive (“zip-and-ship”) so you retain a copy of everything we hold on your behalf. We acknowledge erasure requests within 5 business days and complete the process within 30 days, in accordance with UK GDPR Article 12. See our Terms and Conditions §13.3 for the full procedure.
• Right to Restrict Processing — Request temporary suspension of processing
• Right to Data Portability — Receive your data in machine-readable format
• Right to Object — Object to processing based on legitimate interests
• Right to Withdraw Consent — Where processing is based on consent
• Right to Complain — Lodge complaints with the ICO (see Complaints below)

Exercising Your Rights

Making Data Requests. To make a request, please contact us at enquiries@ubiqs.co.uk with:

• Your full name and account email address
• Specific details of your request (access, correction, deletion, etc.)
• Proof of identity (for security purposes)
• Preferred format for data delivery (where applicable)

We will acknowledge receipt within 5 business days and respond to your request within one month in accordance with UK GDPR Article 12 requirements, though complex requests may take longer with appropriate notification. For erasure requests specifically, see the procedure in our Terms and Conditions §13.3 (including the pre-erasure zip-and-ship offer).

Self-Service Options. Many data management tasks can be completed directly through your account: update personal information in account settings, manage communication preferences, and view your platform activity history.

You will not be charged for exercising your rights unless requests are clearly unfounded, repetitive, or excessive.

Marketing Communications

Existing Customers. We may send service updates, feature announcements, and relevant industry information based on our legitimate interests in keeping customers informed.

Marketing Consent. For promotional marketing, we will obtain your explicit consent and provide easy opt-out mechanisms.

Opt-out. You can opt out of marketing communications at any time by:

• Using unsubscribe links in emails
• Emailing enquiries@ubiqs.co.uk
• Adjusting preferences in your account dashboard

Changes to This Privacy Notice

We may update this privacy notice periodically to reflect changes in our practices or legal requirements. We will notify you of significant changes by:

• Email notification to registered users
• Prominent notice on our platform
• Updated “Last Updated” date at the top of this page

Continued use of our services after notification constitutes acceptance of the updated privacy notice.

Contact Us

Data Breach and Urgent Requests

For suspected data breaches, urgent data protection matters, or formal data subject requests:

Email: enquiries@ubiqs.co.uk

Required Subject Line: Your email subject line must contain one of the following keywords:

• “URGENT” — for time-sensitive data protection matters requiring immediate attention
• “BREACH” — for suspected or actual data breaches affecting personal data
• “DATA REQUEST” — for formal data subject access requests under GDPR Article 15

Response Commitments:

• BREACHmatters: We will acknowledge receipt within 3 working days and begin immediate investigation to meet GDPR's 72-hour ICO reporting requirement where applicable
• URGENT matters: We will respond within 3 working days during business hours (Monday–Friday, 9 AM–5 PM GMT)
• DATA REQUEST: We will acknowledge receipt within 3 working days and provide a full response within 30 days as required by GDPR
• All other data protection inquiries: We will respond within 3 working days

What to Include in Your Email:

• Clear description of the issue or request
• Your contact details for follow-up
• For breach reports: approximate time, scope, and nature of the suspected breach
• For data requests: specific information you're seeking and verification of your identity

Emergency Contact: For genuine data protection emergencies outside business hours, mark your email subject as “URGENT BREACH” and we will monitor for these on a priority basis.

Note: Emails without the required subject line keywords may experience delayed processing. This system ensures urgent matters receive immediate priority attention while maintaining efficient handling of all data protection communications.

Complaints

If you have concerns about our handling of your personal data, please contact us first at enquiries@ubiqs.co.uk.

If you remain unsatisfied, you have the right to complain to the Information Commissioner's Office (ICO):