Privacy Policy

Last updated: 15 April 2026  ·  CUE SPACES LTD  ·  privacy@thecuespaces.com

1. Who Is the Data Controller

CUE SPACES LTD is the data controller for personal data collected through the CueSpaces platform at thecuespaces.com. We are incorporated in Nigeria.

For privacy-related enquiries: privacy@thecuespaces.com

2. Scope & Applicable Law

This policy applies to all personal data collected through the Platform, including data submitted by field agents via web forms and WhatsApp intake channels.

CueSpaces is incorporated in Nigeria and operates under Nigerian data protection law, including the Nigeria Data Protection Act 2023 (NDPA). We also adhere to internationally recognised privacy principles to serve users in the UK, EU, and other jurisdictions.

If you are located in the United Kingdom or European Union, you may have additional rights under the UK GDPR / EU GDPR. We honour those rights regardless of where your data is processed.

3. What Data We Collect

3.1 Account & Identity Data

• Name, email address, and password (hashed) collected on registration
• Organisation name and role (if provided)
• Profile information you choose to add

3.2 Project & Site Data

• Project descriptions, locations, types, and parameters you create
• Site submissions provided by you or your field agents (address, coordinates, photos, descriptions)
• Scorecard configurations and evaluation results
• AI-generated reports and scoring outputs

3.3 Payment Data

Payment transactions are handled by our Merchant of Record. We receive from them: your subscription status, plan type, billing period, and a secure customer identifier. We do not receive or store card numbers, CVVs, or bank details.

3.4 Usage & Technical Data

• IP address and approximate geolocation (country/city level)
• Browser type, operating system, device type
• Pages visited, features used, and timestamps
• Error logs and crash reports

3.5 Agent-Submitted Data (WhatsApp / Web Intake)

When field agents submit sites via the WhatsApp bot or web intake form, we collect the site information they provide (location, coordinates, photos, notes). Agents may provide their name or phone number. You, as the account holder, are responsible for ensuring agents are informed of this policy before submission.

3.6 Communications Data

• Emails you send us (including support requests)
• Content of any feedback or survey responses

4. How We Use Your Data

• Providing the Platform: Operating your account, managing subscriptions, delivering evaluations and reports, sending intake data to the appropriate project.
• AI Processing: Sending site descriptions and project parameters to third-party AI APIs to generate scorecards and reports. See Section 7 for details.
• Payment & Billing: Verifying subscription status via our payment partner, managing usage quotas, and infrastructure billing.
• Communications: Sending transactional emails (report delivery, receipts, account alerts). We will ask your permission before sending marketing communications.
• Platform Improvement: Analysing aggregated, anonymised usage data to improve features, fix bugs, and enhance the AI model.
• Legal Compliance: Retaining records as required by law, responding to lawful requests from authorities.
• Security: Detecting and preventing fraud, abuse, and unauthorised access.

5. Legal Basis for Processing

Under the NDPA and, where applicable, the UK GDPR / EU GDPR, we process your personal data on the following lawful bases:

• Contract: Processing necessary to perform our agreement with you (account management, delivering evaluations, subscription management).
• Legitimate Interests: Platform security, fraud prevention, product improvement through anonymised analytics, and communicating about service changes.
• Legal Obligation: Retaining records required by applicable law or responding to lawful requests.
• Consent: Marketing communications and non-essential cookies (where we rely on your consent, you may withdraw it at any time).

6. Who We Share Data With

We do not sell or rent your personal data to third parties. We share data only in the following circumstances:

• Third-party processors who help us operate the Platform (listed in Section 7) — subject to data processing agreements.
• Your team members — if you add sub-accounts to your organisation, those team members can see the projects and evaluations you share with them.
• Legal requirements — where required to comply with law, regulation, court order, or to protect the rights and safety of CueSpaces, users, or the public.
• Business transfers — in the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before any such transfer.

7. Third-Party Processors

We use the following subprocessors. We have data processing agreements (or equivalent) in place with each:

We configure AI API providers (Anthropic and Google) to use enterprise API settings that, to the best of our knowledge, prevent your data from being used to train their models. You should review each provider's enterprise privacy terms if this is critical for your use case.

8. International Data Transfers

CueSpaces is incorporated in Nigeria and uses infrastructure and processors located in the USA, UK, EU, and globally (see Section 7). By using the Platform, you acknowledge that your data may be transferred to and processed in countries outside your home jurisdiction.

Where we transfer personal data from the UK or EU to third countries, we rely on appropriate transfer mechanisms — including the EU Standard Contractual Clauses (SCCs) and UK International Data Transfer Agreements (IDTAs) where applicable.

9. Data Retention

• Account data: Retained while your account is active, plus up to 12 months after account closure, then deleted or anonymised.
• Project and site data: Retained for the duration of your subscription plus 6 months, unless you request earlier deletion.
• Payment records: Retained for 7 years as required by applicable accounting and tax laws.
• Usage logs: Retained for up to 90 days for security and debugging purposes.
• Anonymised analytics: May be retained indefinitely as they do not contain personal data.

You may request early deletion of your account data at any time (subject to any legal retention obligations).

10. Cookies & Tracking

We use a minimal set of cookies and similar technologies:

• Essential cookies: Session authentication tokens required for the Platform to function. These cannot be opted out of while using the Platform.
• Analytics cookies: We may use privacy-respecting analytics to understand aggregate usage. These can be refused without impacting Platform functionality.
• Third-party cookies: Our payment partner may set cookies during the checkout process for fraud prevention and session management. These are governed by their own privacy policy.

We do not use advertising or cross-site tracking cookies. We will ask for your consent before placing any non-essential cookies.

11. Your Data Rights

Depending on your location and applicable law, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal retention obligations.
• Restriction: Request that we limit processing of your data in certain circumstances.
• Portability: Request a machine-readable copy of data you have provided to us.
• Objection: Object to processing based on legitimate interests, including direct marketing at any time.
• Withdraw Consent: Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@thecuespaces.com. We will respond within 30 days. We may need to verify your identity before acting on your request.

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority (in Nigeria: the Nigeria Data Protection Commission; in the UK: the ICO; in the EU: your relevant national supervisory authority).

12. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption of data at rest and in transit (TLS 1.2+)
• Database-level row security on all information tables
• Access controls limiting employee access to personal data on a need-to-know basis
• Secure, hashed password storage (never stored in plain text)
• Regular security reviews

No transmission over the internet is 100% secure. If you believe your account has been compromised, contact us immediately at security@thecuespaces.com.

13. Children

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or a prominent notice on the Platform at least 14 days before the changes take effect. The effective date at the top of this page indicates when this version was last revised.

15. Contact Us

For privacy-related questions, data subject requests, or DPA enquiries: