
Data Protection & Privacy Statement

UK GDPR & EU GDPR Compliant

Effective Date: 30 June 2026 | Version 1.1


 

1. About This Statement

This Data Protection & Privacy Statement explains how VUCITY LIMITED ("we", "us", "our") collects, uses, stores, and protects personal data in connection with the VU.CITY platform (the "Platform"). It applies to all business customers ("Customers") and the individual end users who access the Platform on their behalf.

We are committed to full compliance with the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) (Regulation 2016/679), as applicable to our operations and Customer base in the United Kingdom and European Union.

 

Regulatory Note: This statement reflects updated ICO guidance issued under the Data Protection and Digital Information framework, the Data (Use and Access) Act 2025 (DUAA), the European Data Protection Board (EDPB) Guidelines on legitimate interest (finalised 2024/2025), and EU Data Act obligations where applicable to our platform services.

 

2. Who We Are - Data Controller Details

For the purposes of applicable data protection legislation, VUCITY LIMITED acts as:

  • Data Controller for personal data we collect and process relating to our Customers’ account holders, billing contacts, and platform administrators.
  • Data Processor for personal data uploaded to the Platform by Customers as part of their use of our visualisation, query and analysis services. In this capacity, we process such data solely on the Customer’s documented instructions as outlined in our Data Processing Agreement (DPA).

 

Our registered details are:

  • Company Name: VUCITY LIMITED
  • Registered Address: 86-90 Paul Street, London, England, EC2A 4NE
  • ICO Registration No.: C1879711

 

3. Personal Data We Collect and Process

3.1 Account and Contact Data (Controller capacity)

When a business Customer contracts with us and creates an account, we collect and process the following personal data relating to their nominated contacts and administrators:

  • Full name and job title of account holders and administrators
  • Business email address and contact telephone number
  • Billing and invoicing contact details
  • IP addresses and device information for security and access logging

 

3.2 Financial and Billing Data (Controller capacity)

To process subscription payments, we collect billing information including payment card details and transaction records. Payment card data is processed exclusively by our payment processor Stripe and is not stored on our own systems. We retain invoicing records and transaction histories for statutory accounting purposes.

 

3.3 Usage and Behavioural Analytics (Controller capacity)

We collect data about how our users interact with the Platform, including feature usage, session duration, error logs, and navigation patterns. This data is used to improve platform performance and user experience. Where analytics tools process data that may be linked to an individual, this is governed by our sub-processor agreements.

 

3.4 Customer-Uploaded Data (Processor capacity)

Customers may upload datasets and proprietary data to the Platform for the purpose of data visualisation, query and analysis. Where such data contains personal data, we act solely as a Data Processor on the Customer’s instructions. Customers are responsible for ensuring they have a lawful basis for any personal data they upload, and for providing appropriate notices to their own data subjects. We do not access, analyse, or use Customer-uploaded data for any purpose other than delivering the contracted service.

 

Important: If you upload personal data to the Platform as part of your visualisation, query or analysis workflows, you remain the Data Controller for that data. Your use of our Platform should be governed by our Data Processing Agreement (DPA).

 

4. Legal Basis for Processing

We rely on the following lawful bases under UK GDPR Article 6 and EU GDPR Article 6:

| Legal Basis | Processing Activity | Details |
|---|---|---|
| Contractual Necessity (Art. 6(1)(b)) | Account management, service delivery, billing | Processing is necessary to perform our contract with Customer organisations and their administrators. |
| Legitimate Interests (Art. 6(1)(f)) | Platform security, fraud prevention, usage analytics, cold market-outreach | We have a legitimate interest in keeping our platform secure, improving and marketing our services. A Legitimate Interests Assessment (LIA) is maintained and available on request. |
| Legal Obligation (Art. 6(1)(c)) | Financial records retention, regulatory compliance, incident reporting | We are required to retain certain records under UK company and tax law. |
| Consent (Art. 6(1)(a)) | Marketing communications, optional cookies | Where we send marketing emails, product updates or deploy optional cookies we obtain freely given, specific, informed, and unambiguous consent. Consent may be withdrawn at any time by contacting us or using the unsubscribe link in any marketing communications. |

 

2025 Update - Legitimate Interests: Following EDPB Guidelines 1/2024 on Legitimate Interests (adopted February 2025), we maintain a documented LIA for all processing activities relying on Art. 6(1)(f). Data subjects retain the right to object to such processing at any time.

 

5. Sub-Processors and Third-Party Data Sharing

We engage the following sub-processors who may access or process personal data in the course of delivering our services. All sub-processors are bound by data processing agreements meeting the requirements of UK GDPR Article 28 and EU GDPR Article 28, and are required to implement appropriate technical and organisational security measures.

 

| Sub-Processor | Purpose | Entity Location | Data Hosting | Transfer Safeguard |
|---|---|---|---|---|
| Okta | Authentication | US | UK/EEA | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |
| Twilio | SMS confirmation | US | UK/EEA/US | EU-US Data Privacy Framework + UK Extension, SCCs + UK Addendum |
| Amazon Web Services EMEA SARL | Platform hosting, infrastructure, data storage, logs and monitoring. | EEA | UK/EEA | UK Adequacy Decision |
| Anthropic | To provide Anthropic’s artificial intelligence services via our platform on request. | US | UK/EEA/US | Standard Contractual Clauses + UK Addendum |
| Clickhouse | Data storage, logs and monitoring. LLM debug and analysis (Langfuse) | US | UK/EEA | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |
| Posthog | Platform usage analytics and performance monitoring | US | UK/EEA | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |
| Stripe | Payment processing and billing | US | UK/EEA/US | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |
| Productboard | Product management platform used to collect customer feedback, prioritise features, and manage roadmaps | US | UK/EEA/US | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |
| HubSpot | Customer relationship management (CRM); support communications | US | UK/EEA | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |
| Mailgun | Marketing and product update emails | US | UK/EEA | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |
| LinkedIn Sales Navigator | Sales intelligence and engagement platform | US | UK/EEA/US | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |
| Google Workspace | Identity management, email, calendar, document storage and collaboration | US | UK/EEA/US | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |

 

We do not sell personal data to third parties. We do not share personal data with any party other than our sub-processors listed above, unless required to do so by law or regulatory authority.

 

We conduct and maintain Transfer Risk Assessments (TRAs) for each Restricted Transfer, in accordance with ICO guidance and EDPB Recommendations 01/2020, copies of which are available on request.

 

6. International Data Transfers

We will not transfer Customer Data outside the EEA without ensuring that at least one of the following safeguards is in place:

  • Standard Contractual Clauses (SCCs) - UK Addendum to the EU SCC, incorporated into our sub-processor agreements.
  • UK International Data Transfer Agreements (IDTAs) - as approved by the ICO for UK personal data transfers.

 

The EU-US Data Privacy Framework remains operative as of 2026. Where Sub-Processors are DPF-certified, this may supplement (but does not replace) contractual safeguards. The Provider monitors adequacy decisions and DPF certification status and will notify the Controller of any material change affecting transfer safeguards.

 

7. Data Retention

We retain personal data only for as long as necessary for the purposes described in this statement, or as required by applicable law.

 

| Data Category | Indicative Retention Period | Basis |
|---|---|---|
| Account data | 24 months from contract termination | Contractual, legitimate interests |
| Billing and financial records | 7 years post transaction | Legal obligation (UK Companies Act / HMRC) |
| Usage analytics data | 24 months (rolling) | Legitimate interests |
| Security and access logs | 24 months (rolling) | Legitimate interests, legal obligation |
| Customer-uploaded data | 24 months from contract termination | Contractual (per DPA) |
| Correspondence and support records | 24 months post resolution | Legitimate interests, legal claims |
| Cold market-outreach | 24 months post engagement | Legitimate interests |

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised in accordance with our data destruction procedures.


8. Rights of Data Subjects

Where we act as Data Controller, individuals whose personal data we process have the following rights under UK GDPR and EU GDPR. Requests should be directed to our DPO at the contact details in Section 10.

| Right | How It Applies |
|---|---|
| Right of Access (Art. 15) | You may request confirmation of whether we process your personal data and obtain a copy. We will respond within one calendar month. |
| Right to Rectification (Art. 16) | You may request correction of inaccurate or incomplete personal data we hold about you. |
| Right to Erasure (Art. 17) | You may request deletion of your personal data where there is no compelling legal basis for continued processing. |
| Right to Restriction (Art. 18) | You may request that we restrict processing of your data in certain circumstances, such as where accuracy is contested. |
| Right to Data Portability (Art. 20) | Where processing is based on contract or consent and carried out by automated means, you may request your data in a structured, machine-readable format. |
| Right to Object (Art. 21) | You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds. |
| Rights related to automated decisions (Art. 22) | We do not carry out solely automated decision-making that produces legal or similarly significant effects on individuals. |

Where we act as Data Processor (in relation to Customer-uploaded data), rights requests from end-users should be directed to the relevant Customer organisation as Data Controller. We will assist Customers in responding to such requests as required under our DPA.

 

2025 Update - Response Timelines: The ICO and EDPB have both emphasised enforcement of the one-month response deadline for data subject requests, with extensions only in genuinely complex cases.

 

9. Security Measures

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration, in accordance with UK GDPR Article 32 and EU GDPR Article 32. Our security measures include, but are not limited to:

  • Encryption of personal data at rest and in transit (TLS 1.2+ / AES-256)
  • Pseudonymisation of Customer Data where technically feasible and appropriate
  • Role-based access controls and least-privilege principles
  • Multi-factor authentication (MFA) for all administrative access
  • Regular penetration testing and vulnerability assessments
  • Ongoing confidentiality, integrity, availability, and resilience of processing systems
  • Incident response and breach notification procedures (72-hour reporting to the ICO / relevant supervisory authority where required)
  • Employee data protection training and confidentiality obligations
  • Annual review of sub-processor security compliance

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware, and affected individuals without undue delay where the risk is high, in accordance with Articles 33–34 of the UK/EU GDPR.

 

10. Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and ensuring compliance with applicable data protection legislation. The DPO is the first point of contact for all data protection queries, subject access requests, and complaints.

 

Contact our DPO:

  • Name: Martin Denham
  • Email: trust@vu.city
  • Postal: 86-90 Paul Street, London, England, EC2A 4NE

 

11. Right to Lodge a Complaint

If you have concerns about how we handle your personal data and are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:

 

  • UK data subjects: Information Commissioner’s Office (ICO)
  • EU data subjects: Your national data protection authority

We would welcome the opportunity to address your concerns before you approach a supervisory authority, and encourage you to contact our DPO in the first instance.

 

12. Changes to This Statement

We will review and update this Data Protection and Privacy Statement periodically, and in response to changes in applicable law, regulatory guidance, or our processing activities. Where changes are material, we will notify Customers via email or in-platform notification with at least 30 days’ advance notice.

 
