Privacy Notice
Last updated: May 2026 · Applies to: app.datumbase.tech
1. Who we are (the data controller)
Datumbase is operated by Datumbase Ltd(company number 17189698), a company registered in England and Wales. When this notice refers to “we”, “us”, or “Datumbase”, it means Datumbase Ltd acting as data controller for the Datumbase platform.
Contact: hello@datumbase.tech
We are not currently required to register with the Information Commissioner’s Office (ICO) but we comply fully with UK GDPR obligations. If you have a complaint about how we handle your data you may contact the ICO at ico.org.uk.
2. What personal data we collect and why
| Category | Data collected | Legal basis | Purpose |
|---|---|---|---|
| Account data | Email address, full name (optional) | Contract performance (Art. 6(1)(b)) | Creating and managing your account; sending sign-in links |
| Usage data | Pages visited, actions performed, timestamps | Legitimate interests (Art. 6(1)(f)) | Keeping the service running, debugging, improving features |
| Site & project data | Construction site names, addresses, CDM document content, duty holder details you enter | Contract performance (Art. 6(1)(b)) | Delivering the CDM compliance management service you subscribed to |
| Uploaded documents | PDF files, drawings, and images you upload | Contract performance (Art. 6(1)(b)) | Storing and displaying your compliance documents and drawings |
| Communications | Email address (for notification emails) | Legitimate interests (Art. 6(1)(f)) | Notifying team members of document status changes |
| Support data | Content of support tickets you submit | Legitimate interests (Art. 6(1)(f)) | Diagnosing and resolving technical issues |
| AI extraction (optional) | Content of documents you submit for AI field extraction | Contract performance (Art. 6(1)(b)) | Extracting structured data from uploaded documents to pre-fill forms. Documents are sent to Anthropic's API for processing — Anthropic does not retain document content beyond the API request. |
We do not collect special category data (health, race, religion, etc.) as part of normal platform use. If you enter such data in CDM documents (e.g., health conditions in H&S plans) that data is stored solely to fulfil the service.
3. Sub-processors (third parties we share data with)
We use the following sub-processors to deliver the service. Each is contractually bound to handle data securely and in accordance with UK GDPR.
| Sub-processor | Role | Data transferred | Location | Certification |
|---|---|---|---|---|
| Vercel Inc. | Application hosting & CDN | All application traffic; no persistent storage | USA (global edge) / EU edge nodes available | SOC 2 Type II |
| Supabase Inc. | Database, file storage & authentication | All user and platform data | eu-west-2 (London) | SOC 2 Type II |
| Resend Inc. | Transactional email delivery | Email address, notification content | USA | SOC 2 Type II |
| PostHog Inc. | Product analytics (optional — consent required) | Page views, feature usage (anonymised). Only collected after cookie consent. | EU (eu-central-1, Frankfurt) | SOC 2 Type II |
| Upstash Inc. | Rate limiting (server-side) | Hashed IP address (temporary, for abuse prevention only) | EU (Frankfurt) | SOC 2 Type II |
| Cloudflare Inc. | Bot protection (Turnstile) | Browser challenge token (no personal data stored) | Global edge network | SOC 2 Type II, ISO 27001 |
| Sentry (Functional Software Inc.) | Error monitoring | Error stack traces, browser metadata (no personal data by default) | EU (Frankfurt) | SOC 2 Type II |
| Anthropic PBC | AI document extraction (optional feature) | Document content during API call only — not retained | USA | Enterprise DPA available |
We do not sell your data to third parties or use it for advertising.
4. How long we keep your data
We retain your account and project data for as long as your organisation has an active account with Datumbase. If you close your account or request deletion, we will delete your personal data within 30 days, except where we are legally required to retain records for longer (for example, for accounting or regulatory purposes).
Uploaded files in Supabase Storage are deleted when you remove them from the platform or when your account is closed. Anonymised usage logs may be retained for up to 12 months for service improvement purposes.
5. How we protect your data
We implement appropriate technical and organisational measures including:
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256 via Supabase)
- Passwordless authentication — no passwords are stored
- Role-based access control limiting what each user can see and do
- Time-limited signed URLs for document access (no permanent public links)
- Infrastructure hosted on SOC 2 Type II certified providers
- UK data residency for the primary database (Supabase eu-west-2)
A full security posture summary is available on request for enterprise customers undergoing due diligence.
6. Your rights
Under UK GDPR you have the right to:
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Ask us to correct inaccurate or incomplete data |
| Erasure | Request deletion of your personal data ("right to be forgotten") |
| Portability | Receive your data in a structured, machine-readable format |
| Restriction | Ask us to limit processing of your data in certain circumstances |
| Objection | Object to processing based on legitimate interests |
| Withdraw consent | Where processing is based on consent, withdraw it at any time without affecting prior processing |
To exercise any of these rights, email hello@datumbase.tech. We will respond within 30 days. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive.
8. Changes to this notice
We may update this Privacy Notice from time to time. When we make material changes we will notify account holders by email and update the “Last updated” date at the top of this page. Continued use of the service after notification constitutes acceptance of the updated notice.
Datumbase is operated by Datumbase Ltd (17189698), England & Wales. Contact: hello@datumbase.tech