Privacy Policy
What personal data we collect across our sites and products, why, on what lawful basis, and your rights.
Version 1.0 · effective 18 July 2026
01Who we are
Obedience ("we", "us") builds AI software for quantity surveying. This policy covers our websites (obedience.global, obedience.cloud) and our products, including QuantifyQS (quantify.obedience.global).
We are the data controller for the personal data described in this policy, except where we process customer project data inside QuantifyQS on a customer's instructions, where we act as a processor under our Data Processing Agreement.
Contact for anything in this policy: hello@obedience.global.
02The data we collect, and why
We collect only what each purpose needs:
| Data | Purpose | Lawful basis |
|---|---|---|
| Access-request details (name, work email, practice, role, message) | Responding to your request and onboarding your practice | Legitimate interests (B2B contact you initiated) |
| Account data (name, email, organisation, role) in QuantifyQS | Providing and securing the service | Contract |
| Project and commercial data you put into QuantifyQS | Delivering the product features you use | Contract (as processor, on your instructions) |
| Usage and device data in the product (consent-gated analytics) | Understanding what works and fixing what does not | Consent |
| Security logs (IP address, authentication events) | Protecting accounts and preventing abuse | Legitimate interests (security) |
| Billing details (handled by Stripe) | Payments, tax and accounting | Contract and legal obligation |
03Where your data lives
Customer project data is stored in the United Kingdom (London). Some supporting services process data in the EEA or the United States under UK-approved safeguards (the UK Extension to the EU-US Data Privacy Framework, or the UK Addendum to Standard Contractual Clauses). The full picture, service by service, is in our Subprocessor List.
04AI processing
AI features are powered by Anthropic and OpenAI under their commercial API terms, which do not permit training on our customers' data. AI outputs in our products are drafts: they show their source and require human review and sign-off. Details are in our Responsible AI Statement.
05How long we keep data
We keep personal data only as long as the purpose requires, then delete it. The specific periods and the reasoning behind them are published in our Data Retention Schedule. Account data is deleted within 30 days of contract end, subject to legal holds.
06Your rights
Under UK GDPR you can ask us to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete data ("right to erasure")
- Restrict or object to processing
- Port your data to another provider
- Withdraw consent at any time, where consent is the basis
07Complaints
You have a statutory right to complain to us directly, and we will acknowledge within 30 days: see Data Rights & Complaints for the route. You can also complain to the Information Commissioner's Office (ico.org.uk) at any time.
08Changes to this policy
We version every policy. Material changes are listed in the policy header and announced to account holders by email before they take effect.