Privacy Policy

Your Building (the business centre that gave you access) is the data controllerfor your personal data — they decide what data is collected and what it's used for. ECET is the data processor— we run the software on your Building's behalf under a written contract that meets UK GDPR Art 28 requirements.

Your Building's name, registered address, and Data Protection Officer (where appointed) are visible inside the app at Profile → Help & support. Direct privacy questions to them first.

Account data— your name, email address, password (stored as a salted hash), role, and the company inside the Building you're associated with.

Booking data— every boardroom booking you make or that's made for you, with start time, end time, room, who created it, any notes, and cancellation reason if applicable.

Access events — every tap-in / tap-out at the building, with timestamp, method (NFC, QR, kiosk), and the credential used.

Usage telemetry— basic error logs and request traces to keep the platform running. We don't attach a marketing profile to your account; we don't use third-party analytics that profile individuals.

Cookies — only essential session cookies (kept until you sign out or 1 hour of inactivity, whichever is sooner). No tracking or advertising cookies.

• Contract (UK GDPR Art 6(1)(b)) — bookings, access, and account administration are needed to provide the service you signed up for.
• Legitimate interests(Art 6(1)(f)) — fraud prevention (tap-in spoofing), audit logging, security incident response, and platform monitoring. We balance these against your rights — see "Your rights" below.
• Legal obligation (Art 6(1)(c)) — tax record-keeping (typically 7 years), compliance with valid law-enforcement requests.
• Consent (Art 6(1)(a)) — only for things that genuinely require it (e.g. push notifications). You can withdraw any consent any time inside the app.

Your Building's staff — Subscribers, Building Managers, Owners, and Company Managers see the data their role allows. The role-permission table is documented and audited.

Sub-processors we rely on to run the platform:

• Supabase Inc. (database hosting, EU-West region) — UK GDPR Art 28-compliant DPA in place.
• Vercel Inc. (web hosting) — same.
• Resend / Postmark (transactional email) — only processes name + email for booking confirmations.

We don't sell your data. We don't share it with marketing networks. We don't use your data to train AI models.

Our primary database lives in the EU (Ireland). Some sub-processors may store backups or process data in the US under the EU-US Data Privacy Framework or Standard Contractual Clauses + Transfer Risk Assessments. Documentation is available on request.

• Active account data: while you have an account.
• Bookings + access logs: 7 years from the event (UK accounting record minimum).
• Audit log (security events): 7 years (compliance / dispute resolution).
• Closed-account data: anonymised within 30 days of account closure unless retention is required by the categories above.

• Access — get a copy of the personal data we hold about you (Art 15). The app provides a one-click data export at Profile → Privacy & data.
• Rectification — fix wrong details directly in the app or by contacting your Building (Art 16).
• Erasure— "right to be forgotten" (Art 17). Contact your Building. We'll erase data we're not legally required to retain.
• Portability — get your data in a machine-readable format (Art 20). Same one-click export.
• Restriction / objection — pause or object to processing (Art 18, 21).
• Withdraw consent — for anything based on consent (e.g. push notifications). One tap in the app.
• Complain to the ICO— if you're unhappy with how we've handled your data, you can lodge a complaint with the UK Information Commissioner's Office at ico.org.uk/make-a-complaint.

We use industry-standard practices: TLS 1.3 in transit, AES-256 at rest, row-level access control on every database query (so a Member can never read another company's data, even if a developer wrote a query that tried to). Passwords are hashed with bcrypt; we never see them in plain text. Access to production systems is multi-factor and audited.

If we change this policy in a way that materially affects how your data is used, we'll surface a re-consent prompt the next time you sign in. The current version of this document is shown at the top.

ECET data-protection email: privacy@ecetagency.co.uk. For your Building's privacy contact, see Profile → Help & support in the app.