Legal

Privacy notice

Last updated · 2026-06-13

Draft pending legal review. This notice is written to reflect how Hublitics actually handles data, but must be reviewed by a qualified UK data-protection adviser — and the bracketed details completed — before it is relied upon. It does not yet constitute final legal advice.

1. Who we are

Hublitics is operated by Hublitics Ltd (“Hublitics”, “we”, “us”), a company registered in England & Wales (company number [company number]), registered office [registered office address]. We are registered with the UK Information Commissioner’s Office (ICO) under number [ICO registration number].

For any privacy question, or to exercise your rights, contact hublitics@outlook.com.

2. Controller or processor — which applies

Hublitics is operations software for UK small businesses. Our role under UK GDPR depends on whose data is in question:

  • We are the data controller for the personal data of the people who hold or use a Hublitics account — workspace owners and the team members they invite (your name, email, authentication data, billing contact). We decide how that account data is used.
  • We are a data processor for the data you enter into your workspace about your own clients, employees and contacts (names, contact details, pay rates, NI numbers, bank details, job and invoice records). You are the controller of that data; we process it only to provide the service to you, on your instructions. Where we act as processor, our Terms of Service (including the data-processing terms) govern that relationship.

The rest of this notice focuses on data for which we are the controller. As a controller of your own customers’ data, you remain responsible for having your own lawful basis and privacy notice for it.

3. What we collect, and why

| Category | Examples | Purpose & basis |
|---|---|---|
| Account identity | Name, email address | Create and secure your account · perform our contract with you |
| Authentication | Google account identifier (OAuth) or magic-link token; session cookie | Sign you in securely · our legitimate interest in account security |
| Workspace content | Everything you enter: clients, employees, jobs, timesheets, expenses, quotes, invoices, payments | Provide the service · (we act as processor — see §2) |
| Billing | Plan tier, subscription status, Stripe customer reference (we never store full card numbers) | Take payment for paid plans · perform our contract |
| Support | Messages you send us and our replies | Answer your questions · our legitimate interest in supporting customers |
| Technical logs | IP address, browser/user-agent, request paths, error diagnostics | Keep the service secure and working · our legitimate interest in security & reliability |

4. Lawful bases

We rely on the following UK GDPR Article 6 bases:

  • Contract — to provide the account and service you sign up for.
  • Legitimate interests — to secure accounts, prevent abuse, monitor errors, and support customers (balanced against your rights).
  • Legal obligation — to keep records we are required by law to keep (e.g. tax/accounting records).

Special-category data is not something we ask for. If you choose to store sensitive personal data about your own staff (e.g. in a notes field), you do so as controller and are responsible for the appropriate lawful basis.

5. Sub-processors

We use a small number of carefully chosen service providers to run Hublitics. Each is bound by a data-processing agreement and processes data only on our instructions:

| Provider | Purpose | Region |
|---|---|---|
| Vercel Inc. | Application hosting & content delivery | EU (London, lhr1) edge region |
| Supabase | Managed PostgreSQL database (your workspace data) | EU |
| Resend | Transactional & support email delivery | EU / US |
| Stripe Payments UK, Ltd. | Subscription billing & card processing | UK / EU / US |
| Sentry (Functional Software, Inc.) | Error monitoring & diagnostics | EU / US |
| Cloudflare, Inc. | File/attachment storage (when enabled) & DNS | EU / global |
| Companies House (GOV.UK) | Optional company-number lookup during onboarding | UK |

Where a provider processes data outside the UK/EEA, that transfer is covered by UK International Data Transfer Agreement / Standard Contractual Clauses or an adequacy decision. We will give notice of material changes to this list.

6. How long we keep it

  • Account and workspace data: for as long as your account is active.
  • After you close your account: deleted or anonymised within 90 days, except where we must retain records to meet a legal obligation.
  • Backups: rolling encrypted backups retained for 30 days, then overwritten.
  • Technical logs: typically retained for up to 90 days.

7. How we protect it

  • Encryption in transit (TLS) and at rest.
  • Especially sensitive fields you store about employees — National Insurance numbers and bank details — are encrypted at the application layer with a separate key.
  • Passwords, where used, are stored only as salted bcrypt hashes; we prefer Google sign-in and one-time magic links.
  • Strict per-workspace data isolation, a full audit log of changes, and a content-security policy and standard security headers on every response.

8. Your rights

Under UK GDPR you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected, or incomplete data completed;
  • have your data erased (“right to be forgotten”), where applicable;
  • restrict or object to certain processing;
  • data portability — you can export your workspace data as CSV at any time from within the app;
  • withdraw consent where we relied on it.

To exercise any of these, email hublitics@outlook.com. We respond within one month. If you are unhappy with how we handle your data you can complain to the ICO at ico.org.uk, though we’d appreciate the chance to put things right first.

If your request concerns data held in a Hublitics customer’s workspace (where we are processor), we will refer you to that business as the controller, or act on their instruction.

9. Cookies

Hublitics uses only the cookies it needs to function — no third-party advertising or cross-site tracking:

  • hublitics_session — HTTP-only authentication session.
  • hublitics_theme — remembers your light/dark preference.
  • Short-lived cookies during sign-in and CSV import to carry one-time state.

10. Changes to this notice

We may update this notice as the service evolves. Material changes will be notified in the app or by email. The “last updated” date above always reflects the current version.
