How SubBundle handles your data.
This notice explains who we are, what personal data we collect from you, why we collect it, who we share it with, how long we keep it, and what rights you have. It is provided under UK GDPR Article 13 (information to be given when personal data are collected from the data subject). Last updated 2026-05-06.
| Item | Detail |
|---|---|
| Data controller | Morgan and Co. Enterprise Limited, a company registered in England & Wales. |
| Trading name | SubBundle (subbundle.org) |
| Director | Cai Morgan |
| Privacy contact | cai@subbundle.org |
| ICO registration | Pending — Tier 1 registration in progress |
| Last updated | 2026-05-06 |
The personal data SubBundle processes.
To produce an HRB Gateway 2 compliance bundle for your job, we process the following categories of personal data:
- Your identity: your name, your firm name, your email address.
- Project particulars: project address, principal contractor name, scheme assessed against (CAS / CHAS / SafeContractor / SMAS / Constructionline).
- Trade scope evidence: drawings, photos, certificates, training records, supplier paperwork, method statements you upload as inputs.
- Personnel data inside RAMS templates: employee names, qualification records, training expiry dates — only as supplied by you for the bundle output.
- Payment data: Stripe processes your card details; we never see or store the card number. We retain the Stripe transaction reference and the amount paid.
- Communications: any email correspondence with cai@subbundle.org.
We do not collect special-category data (health, biometric, etc.) unless you supply it inside RAMS templates, for example where a template records a specific medical accommodation on site. If you do, it is your responsibility to flag it explicitly when you upload it, so that we can apply the additional safeguards that special-category data requires.
Why we are allowed to process it.
Our lawful basis under UK GDPR Article 6(1)(b) is performance of a contract — you have asked us to produce a compliance bundle for your job, and we cannot do that without the data above. Personnel data inside RAMS templates is processed under Article 6(1)(f) legitimate interest, balanced against employee rights via our internal Legitimate Interest Assessment, available on request.
We do not rely on your consent as a lawful basis for marketing, because we do not run marketing communications at Stage 1.
Recipients of your data.
- Stripe Payments Europe Ltd (Ireland): payment processing. See Stripe's privacy policy.
- Supabase Inc. (data residency: EU-West): order database. Customer name, email, project metadata and intake data are stored here. See Supabase's privacy policy.
- Sendinblue SAS (Brevo) (France): transactional email delivery. Recipient email address and message content pass through Brevo. See Brevo's privacy policy.
- Netlify Inc. (US): website hosting. Standard server logs (IP address, user agent, page views). See Netlify's privacy policy.
We do not sell personal data. We do not share it with marketing partners, data brokers, or analytics platforms beyond what's listed above. Stage 1 has no third-party analytics installed.
Data residency for project content: Supabase EU-West. Project particulars, RAMS, evidence files, and personnel data inside templates do not leave the UK/EU.
How long we keep it.
- Order data, project particulars and intake content: 12 months from delivery, then deleted, unless you request earlier deletion. We deliberately do not retain this longer than necessary: compliance bundles age fast, and stale customer data is a liability, not an asset.
- Audit-trail metadata (delivery records): 7 years, covering the six-year limitation period for contract claims under the Limitation Act 1980 with a margin for claims raised near its end.
- Stripe transaction records: retained by Stripe under their own retention policy (typically 7 years for tax purposes).
- Email correspondence: 3 years from last contact, then deleted.
- Server logs (Netlify): 30 days.
What you can ask us to do.
Under UK GDPR you have the right to:
- Access — request a copy of all personal data we hold about you.
- Rectification — correct any inaccurate data.
- Erasure — request deletion (subject to retention obligations above).
- Restriction — pause processing while a dispute is resolved.
- Portability — receive your data in a machine-readable format.
- Object — challenge processing under Article 6(1)(f) legitimate interest.
- Complaint — lodge a complaint with the UK Information Commissioner's Office at any time. ico.org.uk/make-a-complaint.
Email cai@subbundle.org with your request. We respond within one calendar month, free of charge for the first request.
What we do not do.
This site uses no third-party analytics, no advertising pixels and no behavioural tracking cookies. The only cookies are functional (Stripe checkout session, theme preference). No consent banner is shown because we set no cookies that require consent under PECR. If we add analytics in future, we will publish a cookie banner and update this notice before the change goes live.
How we update it.
Material changes will be announced by email to all customers with active orders at least 14 days before they take effect. The "Last updated" date at the top of this page reflects every revision. Prior versions are available on request.