Privacy Policy

Effective date: 1 May 2026 · Controller: HubSecure Holding LLC, Wyoming, USA · Contact: [email protected]

Who we are
What data we collect
Legal basis for processing
How we use your data
Data storage and international transfers
Sub-processors and third parties
Data retention
Your rights
Cookies
Children
Changes to this policy
Contact and complaints

1. Who We Are

HubSecure Holding LLC ("HubSecure", "we", "us", "our") is a limited liability company incorporated in the State of Wyoming, USA (Entity Filing ID: 2024-001468048). We operate the HubSecure platform at hubsecure.ai — a compliance and business management platform for regulated businesses.

For the purposes of GDPR:

We are the data controller for personal data collected through our website, marketing activities, and customer account management.
We are the data processor for personal data our customers store and process through the platform (governed by our Data Processing Agreement).

2. What Data We Collect

2.1 Website visitors

Contact and enquiry data: Name, email address, company name, job title, and message content when you submit a demo request, contact form, or sign up for communications.
Usage data: Pages visited, time on page, referral source, browser type, and device type, collected via privacy-respecting analytics.
Cookie data: As described in our Cookie Policy.

2.2 Platform customers (registered accounts)

Account data: Name, work email address, company name, billing address, and payment method (handled by our payment processor; we do not store card details).
Platform usage data: Feature usage, login history, API calls, and audit logs generated during use of the Services.
Support and communication data: Messages and attachments exchanged with our support team.
Customer Data: Personal data belonging to your clients, employees, or contacts that you input into or generate through the platform. This data is processed under the terms of our DPA, not this Privacy Policy.

2.3 Data we do not collect

We do not collect special category data (health, racial/ethnic origin, political opinions, religious beliefs, biometric data) about our customers or website visitors. We do not use your data for advertising profiling or share it with advertising networks.

3. Legal Basis for Processing

Under GDPR, we process personal data on the following legal bases:

Contract performance (Art. 6(1)(b)): Processing necessary to provide the Services, manage your account, send invoices, and provide support.
Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, product improvement, and sending service-related communications to existing customers. We have conducted Legitimate Interests Assessments (LIAs) for these activities, available on request.
Legal obligation (Art. 6(1)(c)): Compliance with applicable law, including responding to lawful government requests and maintaining required financial records.
Consent (Art. 6(1)(a)): Marketing emails and optional analytics cookies. Consent can be withdrawn at any time without affecting lawfulness of prior processing.

4. How We Use Your Data

Providing, operating, and improving the Services
Creating and managing your account
Processing payments and sending invoices
Providing customer support and responding to enquiries
Sending service notifications, security alerts, and platform updates
Sending marketing communications about our services (with consent or under legitimate interests for existing customers)
Detecting and preventing fraud, abuse, and security incidents
Analysing usage to improve platform functionality
Complying with legal obligations

We do not sell personal data to third parties. We do not use personal data for automated individual decision-making that produces legal or similarly significant effects.

5. Data Storage and International Transfers

Infrastructure: HubSecure currently hosts its platform infrastructure in Singapore (Equinix SG3 data centre). We plan to add EU infrastructure (Frankfurt, Germany) by Q3 2026. We will communicate this migration to customers in advance.

Company location: HubSecure Holding LLC is incorporated and headquartered in the United States (Wyoming).

International transfer mechanism for EU/EEA data subjects: Because we are a US company and currently process data in Singapore, transfers of personal data from the EU/EEA to HubSecure are governed by EU Standard Contractual Clauses (SCCs) under European Commission Implementing Decision 2021/914 (Module 2: Controller to Processor). Our DPA incorporates these SCCs and is available for signature.

Transfer Impact Assessment: We have assessed the data protection framework in Singapore. Singapore's Personal Data Protection Act (PDPA) and its absence from intelligence-sharing alliances (e.g. Five Eyes) means the risks to EU data subjects are lower than for US-hosted alternatives. Our full TIA summary is available to customers on request.

US jurisdiction note: As a US company, HubSecure is potentially subject to US law including the CLOUD Act. However, our Singapore infrastructure means data is not physically located in the US. We will notify affected customers of any government data request to the extent legally permitted, and will challenge requests we believe are unlawful.

6. Sub-processors and Third Parties

We engage the following categories of sub-processors to deliver the Services:

Cloud infrastructure: Data centre colocation provider (Singapore)
AI model providers: Frontier AI models used to power AI Operator and AI features (US-based providers). AI processing of Customer Data uses minimum necessary data and is covered by our DPA sub-processor provisions.
Payment processing: Stripe, Inc. (handles payment card data under its own PCI-DSS compliance)
Email delivery: Transactional email provider for service notifications
Analytics: Privacy-first analytics tool (no cross-site tracking)

A current sub-processor list with names, locations, and purposes is maintained on our Security page. We provide 30 days' advance notice of new sub-processors through our customer notification channels.

7. Data Retention

Account data: Retained for the duration of your subscription plus 3 years, or as required by applicable law.
Billing records: 7 years from the invoice date (legal obligation).
Marketing data: Until you withdraw consent or object, after which deleted within 30 days.
Customer Data (platform): Retained for the duration of your subscription plus 30 days post-termination (to enable export), then deleted. Longer retention available on request for compliance purposes.
Support communications: 3 years from the date of the communication.
Security logs: 12 months.

Lead attribution and signup metadata

When you submit a signup, demo, contact or partner form, HubSecure stores the information you provide together with structured interest metadata such as signup type, industry, module, use case, comparison target, source page and campaign parameters.

For security, attribution and follow-up relevance, we may also store submission time, IP address, hashed IP, country if provided by Cloudflare, user agent, browser/device classification, referrer, landing page and Cloudflare request identifiers. We avoid precise geolocation unless already provided by infrastructure and needed for operations.

Access to this data is restricted to authorised administrators. Admin list, view, export, update and delete actions are logged. Raw IP data should be retained only for a limited operational period, while hashed IP may be retained longer for deduplication and abuse prevention.

8. Your Rights

If you are in the EU/EEA or UK, you have the following rights under GDPR (and UK GDPR):

Access (Art. 15)

Request a copy of personal data we hold about you.

Rectification (Art. 16)

Request correction of inaccurate or incomplete data.

Erasure (Art. 17)

Request deletion of your data where no legitimate basis exists for continued processing.

Restriction (Art. 18)

Request that we limit processing of your data in certain circumstances.

Portability (Art. 20)

Receive your data in a structured, machine-readable format.

Object (Art. 21)

Object to processing based on legitimate interests, including for direct marketing.

To exercise any of these rights, email [email protected] with "Privacy Rights Request" in the subject line. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice). We may need to verify your identity before processing the request.

If you are not satisfied with our response, you have the right to lodge a complaint with your national supervisory authority (e.g. the ICO in the UK, or the relevant DPA in your EU member state).

9. Cookies

We use essential cookies for platform functionality and, with your consent, optional analytics cookies. See our Cookie Policy for full details and preference management options.

10. Children

Our Services are directed at businesses and professionals. We do not knowingly collect personal data from individuals under the age of 16. If you believe we have collected data from a child under 16, contact us at [email protected] and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, legal obligations, or infrastructure. We will post the updated policy here with a revised effective date. For material changes, we will notify registered customers by email at least 30 days before the change takes effect.

12. Contact and Complaints

General privacy queries: [email protected]

Data breach reports: [email protected]

Postal address: HubSecure Holding LLC, 30 N Gould St Ste 5991, Sheridan, WY 82801, USA

EU/EEA data subjects may also contact our EU-based point of contact at [email protected]. We are in the process of appointing an EU representative under GDPR Article 27 and will update this section when confirmed.

Contents