Data Protection & Privacy Statement
UK GDPR & EU GDPR Compliant
Effective Date: 30 June 2026 | Version 1.1
1. About This Statement
This Data Protection & Privacy Statement explains how VUCITY LIMITED ("we", "us", "our") collects, uses, stores, and protects personal data in connection with the VU.CITY platform (the "Platform"). It applies to all business customers ("Customers") and the individual end users who access the Platform on their behalf.
We are committed to full compliance with the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) (Regulation 2016/679), as applicable to our operations and Customer base in the United Kingdom and European Union.
Regulatory Note: This statement reflects updated ICO guidance issued under the Data Protection and Digital Information framework, the Data (Use and Access) Act 2025 (DUAA), the European Data Protection Board (EDPB) Guidelines on legitimate interest (finalised 2024/2025), and EU Data Act obligations where applicable to our platform services.
2. Who We Are - Data Controller Details
For the purposes of applicable data protection legislation, VUCITY LIMITED acts as:
- Data Controller for personal data we collect and process relating to our Customers’ account holders, billing contacts, and platform administrators.
- Data Processor for personal data uploaded to the Platform by Customers as part of their use of our visualisation, query and analysis services. In this capacity, we process such data solely on the Customer’s documented instructions as outlined in our Data Processing Agreement (DPA).
Our registered details are:
- Company Name: VUCITY LIMITED
- Registered Address: 86-90 Paul Street, London, England, EC2A 4NE
- ICO Registration No.: C1879711
3. Personal Data We Collect and Process
3.1 Account and Contact Data (Controller capacity)
When a business Customer contracts with us and creates an account, we collect and process the following personal data relating to their nominated contacts and administrators:
- Full name and job title of account holders and administrators
- Business email address and contact telephone number
- Billing and invoicing contact details
- IP addresses and device information for security and access logging
3.2 Financial and Billing Data (Controller capacity)
To process subscription payments, we collect billing information including payment card details and transaction records. Payment card data is processed exclusively by our payment processor Stripe and is not stored on our own systems. We retain invoicing records and transaction histories for statutory accounting purposes.
3.3 Usage and Behavioural Analytics (Controller capacity)
We collect data about how our users interact with the Platform, including feature usage, session duration, error logs, and navigation patterns. This data is used to improve platform performance and user experience. Where analytics tools process data that may be linked to an individual, this is governed by our sub-processor agreements.
3.4 Customer-Uploaded Data (Processor capacity)
Customers may upload datasets and proprietary data to the Platform for the purpose of data visualisation, query and analysis. Where such data contains personal data, we act solely as a Data Processor on the Customer’s instructions. Customers are responsible for ensuring they have a lawful basis for any personal data they upload, and for providing appropriate notices to their own data subjects. We do not access, analyse, or use Customer-uploaded data for any purpose other than delivering the contracted service.
Important: If you upload personal data to the Platform as part of your visualisation, query or analysis workflows, you remain the Data Controller for that data. Your use of our Platform should be governed by our Data Processing Agreement (DPA).
4. Legal Basis for Processing
We rely on the following lawful bases under UK GDPR Article 6 and EU GDPR Article 6:
| Legal Basis | Processing Activity | Details |
|---|---|---|
| Contractual Necessity (Art. 6(1)(b)) | Account management, service delivery, billing | Processing is necessary to perform our contract with Customer organisations and their administrators. |
| Legitimate Interests (Art. 6(1)(f)) | Platform security, fraud prevention, usage analytics, cold market-outreach | We have a legitimate interest in keeping our platform secure, improving and marketing our services. A Legitimate Interests Assessment (LIA) is maintained and available on request. |
| Legal Obligation (Art. 6(1)(c)) | Financial records retention, regulatory compliance, incident reporting | We are required to retain certain records under UK company and tax law. |
| Consent (Art. 6(1)(a)) | Marketing communications, optional cookies | Where we send marketing emails, product updates or deploy optional cookies we obtain freely given, specific, informed, and unambiguous consent. Consent may be withdrawn at any time by contacting us or using the unsubscribe link in any marketing communications. |
2025 Update - Legitimate Interests: Following EDPB Guidelines 1/2024 on Legitimate Interests (adopted February 2025), we maintain a documented LIA for all processing activities relying on Art. 6(1)(f). Data subjects retain the right to object to such processing at any time.
5. Sub-Processors and Third-Party Data Sharing
We engage the following sub-processors who may access or process personal data in the course of delivering our services. All sub-processors are bound by data processing agreements meeting the requirements of UK GDPR Article 28 and EU GDPR Article 28, and are required to implement appropriate technical and organisational security measures.
| Sub-Processor | Purpose | Entity Location | Data Hosting | Transfer Safeguard |
|---|---|---|---|---|
| Okta | Authentication | US | UK/EEA | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |
| Twilio | SMS confirmation | US | UK/EEA/US | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |
| Amazon Web Services EMEA SARL | Platform hosting, infrastructure, data storage, logs and monitoring | EEA | UK/EEA | UK Adequacy Decision |
| Anthropic | To provide Anthropic’s artificial intelligence services via our platform on request | US | UK/EEA/US | Standard Contractual Clauses + UK Addendum |
| ClickHouse | Data storage, logs and monitoring; LLM debug and analysis (Langfuse) | US | UK/EEA | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |
| PostHog | Platform usage analytics and performance monitoring | US | UK/EEA | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |
| Stripe | Payment processing and billing | US | UK/EEA/US | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |
| Productboard | Product management platform used to collect customer feedback, prioritise features, and manage roadmaps | US | UK/EEA/US | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |
| HubSpot | Customer relationship management (CRM); support communications | US | UK/EEA | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |
| Mailgun | Marketing and product update emails | US | UK/EEA | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |
| LinkedIn Sales Navigator | Sales intelligence and engagement platform | US | UK/EEA/US | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |
| Google Workspace | Identity management, email, calendar, document storage and collaboration | US | UK/EEA/US | EU-US Data Privacy Framework + UK Extension, Standard Contractual Clauses + UK Addendum |
We do not sell personal data to third parties. We do not share personal data with any party other than our sub-processors listed above, unless required to do so by law or regulatory authority.
We conduct and maintain Transfer Risk Assessments (TRAs) for each Restricted Transfer, in accordance with ICO guidance and EDPB Recommendations 01/2020, copies of which are available on request.
6. International Data Transfers
We will not transfer Customer Data outside the EEA without ensuring that at least one of the following safeguards is in place:
- Standard Contractual Clauses (SCCs) - the UK Addendum to the EU SCCs, incorporated into our sub-processor agreements.
- UK International Data Transfer Agreements (IDTAs) - as approved by the ICO for UK personal data transfers.
The EU-US Data Privacy Framework remains operative as of 2026. Where sub-processors are DPF-certified, this may supplement (but does not replace) contractual safeguards. We monitor adequacy decisions and DPF certification status and will notify Customers of any material change affecting transfer safeguards.
7. Data Retention
We retain personal data only for as long as necessary for the purposes described in this statement, or as required by applicable law.
| Data Category | Indicative Retention Period | Basis |
|---|---|---|
| Account data | 24 months from contract termination | Contractual, legitimate interests |
| Billing and financial records | 7 years post transaction | Legal obligation (UK Companies Act / HMRC) |
| Usage analytics data | 24 months (rolling) | Legitimate interests |
| Security and access logs | 24 months (rolling) | Legitimate interests, legal obligation |
| Customer-uploaded data | 24 months from contract termination | Contractual (per DPA) |
| Correspondence and support records | 24 months post resolution | Legitimate interests, legal claims |
| Cold market-outreach | 24 months post engagement | Legitimate interests |
Upon expiry of the applicable retention period, personal data is securely deleted or anonymised in accordance with our data destruction procedures.
8. Rights of Data Subjects
Where we act as Data Controller, individuals whose personal data we process have the following rights under UK GDPR and EU GDPR. Requests should be directed to our DPO at the contact details in Section 10.
| Right | How It Applies |
|---|---|
| Right of Access (Art. 15) | You may request confirmation of whether we process your personal data and obtain a copy. We will respond within one calendar month. |
| Right to Rectification (Art. 16) | You may request correction of inaccurate or incomplete personal data we hold about you. |
| Right to Erasure (Art. 17) | You may request deletion of your personal data where there is no compelling legal basis for continued processing. |
| Right to Restriction (Art. 18) | You may request that we restrict processing of your data in certain circumstances, such as where accuracy is contested. |
| Right to Data Portability (Art. 20) | Where processing is based on contract or consent and carried out by automated means, you may request your data in a structured, machine-readable format. |
| Right to Object (Art. 21) | You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds. |
| Rights related to automated decisions (Art. 22) | We do not carry out solely automated decision-making that produces legal or similarly significant effects on individuals. |
Where we act as Data Processor (in relation to Customer-uploaded data), rights requests from end-users should be directed to the relevant Customer organisation as Data Controller. We will assist Customers in responding to such requests as required under our DPA.
2025 Update - Response Timelines: The ICO and EDPB have both emphasised enforcement of the one-month response deadline for data subject requests, with extensions only in genuinely complex cases.
9. Security Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration, in accordance with UK GDPR Article 32 and EU GDPR Article 32. Our security measures include, but are not limited to:
- Encryption of personal data at rest and in transit (TLS 1.2+ / AES-256)
- Pseudonymisation of Customer Data where technically feasible and appropriate
- Role-based access controls and least-privilege principles
- Multi-factor authentication (MFA) for all administrative access
- Regular penetration testing and vulnerability assessments
- Ongoing confidentiality, integrity, availability, and resilience of processing systems
- Incident response and breach notification procedures (72-hour reporting to the ICO / relevant supervisory authority where required)
- Employee data protection training and confidentiality obligations
- Annual review of sub-processor security compliance
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware, and affected individuals without undue delay where the risk is high, in accordance with Articles 33–34 of the UK/EU GDPR.
10. Data Protection Officer
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and ensuring compliance with applicable data protection legislation. The DPO is the first point of contact for all data protection queries, subject access requests, and complaints.
Contact our DPO:
- Name: Martin Denham
- Email: trust@vu.city
- Postal: 86-90 Paul Street, London, England, EC2A 4NE
11. Right to Lodge a Complaint
If you have concerns about how we handle your personal data and are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:
- UK data subjects: Information Commissioner’s Office (ICO)
- EU data subjects: Your national data protection authority
We would welcome the opportunity to address your concerns before you approach a supervisory authority, and encourage you to contact our DPO in the first instance.
12. Changes to This Statement
We will review and update this Data Protection and Privacy Statement periodically, and in response to changes in applicable law, regulatory guidance, or our processing activities. Where changes are material, we will notify Customers via email or in-platform notification with at least 30 days’ advance notice.