Privacy Policy

This Privacy Policy describes how HERBICON (“we”, “us”) processes personal data in connection with Appartio, our building and syndic management platform (the “Service”). It is designed to align with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and related European and Belgian data-protection rules.

This is a first version for internal review. Please have qualified legal counsel verify it before publication. For contractual terms, see our Terms of Service.

Last updated: 30 May 2026

1. Who is responsible (“controller”)?

The controller of your personal data is HERBICON, which determines why and how personal data is processed when you use the Service. You can reach us for privacy questions via the Contact page. If we appoint a data protection officer (DPO), their contact details will be added here.

2. Scope

This Policy applies to visitors to our website, registered users (including syndics, building managers, owners, tenants, and staff), and others whose data we receive while providing the Service. It does not override specific agreements you may have with us (for example, a data processing agreement with a professional client).

3. Categories of personal data we process

Depending on how you use the Service, we may process the following types of personal data (non-exhaustive):

  • Identity and contact data: name, email address, telephone number, postal address;
  • Account and profile data: username, role(s), preferences, organisation and building links;
  • Building and co-ownership context: unit identifiers, ownership or tenancy relationships, and similar information needed to operate the platform for a building;
  • Communication and support: messages, contact form submissions, support tickets, chat content where the Service includes chat;
  • Operational data: meeting information, documents, and workflow data you or your organisation uploads or generates;
  • Financial or accounting-related data where such features are used (e.g. references linked to costs or payments — limited to what is necessary for the Service);
  • Technical and usage data: IP address, device and browser type, log data, approximate location derived from IP, security events, and how you navigate or use the Service;
  • Cookies and similar technologies as described in section 10.

We do not ask you to provide special categories of data (Article 9 GDPR) unless this is strictly necessary and a condition under Article 9(2) GDPR applies; we discourage uploading such data (for example, health information) unless it is required for your legitimate use of the Service.

4. Purposes and legal bases (GDPR Article 6)

We process personal data only where a legal basis applies. Typical purposes and bases include:

  • Performance of a contract (Article 6(1)(b) GDPR): creating and maintaining accounts; providing features you or your organisation subscribe to; communications about the Service.
  • Legitimate interests (Article 6(1)(f) GDPR), balanced against your rights: securing the platform; troubleshooting; improving reliability and usability; analytics in aggregated or pseudonymised form where appropriate; enforcing our Terms of Service; fraud prevention.
  • Consent (Article 6(1)(a) GDPR): where we rely on consent (e.g. certain cookies or marketing emails), you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legal obligation (Article 6(1)(c) GDPR): bookkeeping, tax, or responding to lawful requests from authorities when required.

5. Processing of data on behalf of clients (processor role)

Where a syndic, management company, or other organisation uses the Service to manage buildings and invites owners or tenants, that organisation usually decides why and how the personal data of those individuals is processed. In those situations the organisation is the controller for that processing, and HERBICON acts as a processor, following the organisation's documented instructions under a written agreement meeting Article 28 GDPR. Individuals should refer to that organisation's privacy information for activities under its control. This Policy describes HERBICON's role as provider of the Service and our processing as controller where we determine the purposes ourselves (e.g. billing our customer, platform security, account administration).

6. Recipients and processors

We may share personal data with:

  • Infrastructure providers in the United States: we run the Service on Railway (application hosting) and use DigitalOcean Spaces (object storage for files and media), among other suppliers. Unless the hosting region we have configured for a given service is in the EEA or the UK, your personal data may be processed and stored on servers located in the United States. Additional providers (for example email, analytics, or payments) may also process data in the US or other countries; we bind them contractually where they act as processors;
  • Other service providers that assist us (hosting-related tools, customer support, analytics, payment processing), bound by contracts requiring them to protect personal data and to process it only on our instructions where they act as processors;
  • Professional advisers where necessary (lawyers, auditors);
  • Competent authorities when we are legally required to disclose information.

We do not sell your personal data.

7. Transfers outside the European Economic Area (EEA)

The United States is outside the EEA. Transfers of personal data to the US therefore require appropriate safeguards under Chapter V GDPR, unless one of the narrow derogations in Article 49 GDPR applies. In practice we rely on one or more of the following, depending on the provider and the nature of the transfer:

  • the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2 controller-to-processor and/or Module 3 processor-to-processor) with our processors, together with a transfer impact assessment and, where that assessment calls for them, supplementary measures; and/or
  • the EU–U.S. Data Privacy Framework (and, where relevant, the UK extension to the Framework), when the US recipient is certified and the transfer can be based on that framework under applicable EU or UK guidance;
  • other mechanisms recognised under GDPR from time to time.

US law may allow public authorities to request access to data held by companies subject to US jurisdiction; our agreements and, where applicable, the Framework or SCCs impose obligations on importers, but we cannot exclude statutory access requests in the destination country. You may contact us to request further information about the safeguards we apply.

8. Retention

We keep personal data only as long as necessary for the purposes above, including legal, tax, or accounting requirements and dispute resolution. Criteria include the duration of your contract, statutory retention periods, and whether data can be aggregated or anonymised instead. When data is no longer needed, we delete or anonymise it in line with internal policies.

9. Security

We implement appropriate technical and organisational measures (Article 32 GDPR) having regard to the state of the art, implementation cost, and risk—such as access controls, encryption where appropriate, backups, and staff training. No method of transmission or storage is completely secure; please use strong passwords and protect your credentials.

10. Cookies and similar technologies

We use cookies and similar technologies that are strictly necessary for the functioning of the Service (for example, to keep you signed in). The ePrivacy rules exempt such cookies from consent, and any associated processing of personal data rests on legitimate interest or the performance of a contract. Where required, we use cookies for non-essential purposes (such as analytics or marketing) only after you have given consent, in line with the ePrivacy rules and the national legislation implementing the EU Privacy and Electronic Communications Directive (2002/58/EC), as updated by subsequent EU law. You can control cookies through your browser settings; blocking some cookies may affect functionality. If we use optional tracking tools, a detailed cookie list will be provided in a separate cookie notice.

11. Automated decision-making

We do not use automated decision-making, including profiling, which produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR, unless we inform you otherwise and provide a suitable legal basis and safeguards.

12. Your rights under the GDPR

Subject to conditions and exceptions in the GDPR, you have the following rights regarding your personal data:

  • Access (Article 15): obtain confirmation as to whether we process your data and receive a copy;
  • Rectification (Article 16): correct inaccurate data;
  • Erasure (“right to be forgotten”) (Article 17): in specific circumstances;
  • Restriction of processing (Article 18): in specific circumstances;
  • Data portability (Article 20): where processing is based on consent or contract and is carried out by automated means;
  • Object (Article 21): to processing based on legitimate interests or for direct marketing;
  • Withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of processing before withdrawal;
  • Lodge a complaint with a supervisory authority (Article 77).

To exercise your rights, contact us via the Contact page. We may need to verify your identity before acting on a request. We respond without undue delay and at the latest within one month of receipt; under Article 12(3) GDPR this period may be extended by two further months where necessary, in which case we will tell you why. In Belgium, the supervisory authority is the Gegevensbeschermingsautoriteit / Autorité de protection des données (www.gegevensbeschermingsautoriteit.be). If you live or work in another EEA country, you may contact your local authority instead.

13. Children

The Service is not directed at children below the age at which they can validly consent to information society services under national law. Article 8 GDPR sets this age at 16 unless a Member State lowers it to between 13 and 15; Belgium has set it at 13. We do not knowingly collect personal data from children without the consent or authorisation of the holder of parental responsibility; if you believe we have, please contact us.

14. Changes to this Policy

We may update this Policy to reflect legal requirements or changes to the Service. We will post the revised version and update the “Last updated” date. Where changes are material and require further transparency under Articles 13–14 GDPR, we will provide additional information or notices as appropriate.

15. Contact

For any questions about this Privacy Policy or our processing of personal data, please use the Contact page.