Privacy Policy

Last updated: March 2026

1. Introduction

This Privacy Policy explains how Cubo ("we", "us", "our") collects, uses, and protects your personal data when you use the Cubo mobile app (iOS and Android) and our website at mycubo.co.uk.

Cubo is the data controller for your account data under the UK General Data Protection Regulation (UK GDPR). For any privacy-related queries, contact us at privacy@mycubo.co.uk.

2. What Data We Collect

Account Data

  • Email address, password (hashed)
  • Business name, contact name
  • Business address, phone number
  • Trade type, UK region
  • VAT registration number (if applicable)
  • Company logo (if uploaded)
  • Bank account details for displaying on invoices (account name, sort code, account number)

Client Data

Data you enter about your customers, including client name, email, phone number, and address. You (the builder) are the data controller for your client data; Cubo acts as the data processor.

Quote & Invoice Data

  • Voice recordings of job descriptions (temporarily processed, not permanently stored after transcription)
  • Transcription text
  • Quote details: line items, prices, sections, totals
  • Invoice details: amounts, payment status, dates
  • Payment records: amount paid, payment method, date

Usage Data

  • App usage analytics (screens viewed, features used)
  • Device type, operating system
  • IP address (for rate limiting and security)
  • Crash reports

3. How We Use Data

  • Voice recordings: Sent to Deepgram for speech-to-text transcription. Recordings are processed in real time and are NOT permanently stored on our servers.
  • Transcription text: Sent to Anthropic (Claude AI) for AI-powered quote generation. Transcripts are used to generate itemised quotes with pricing.
  • Quote & invoice data: Stored in Supabase (hosted on AWS in the EU region) for you to access from the app.
  • Business details: Displayed on generated quotes and invoices sent to your clients.
  • Bank details: Displayed on invoices and hosted invoice pages so your clients can make payment. We do NOT process card payments directly.
  • Analytics: Used to improve the app and understand feature usage. No personal data is sold to third parties.

4. Third-Party Services

Service | Purpose | Data Shared
--- | --- | ---
Supabase | Database, authentication, file storage | All account and business data
Anthropic (Claude AI) | AI quote generation | Transcription text, job details
Deepgram | Voice transcription | Voice audio recordings
Expo / EAS | App distribution and updates | Device info, crash reports
Vercel Analytics | Website analytics and performance monitoring | Page views, web vitals, anonymised visitor data

None of these services use Cubo user data to train AI models. Anthropic's API usage policy states that API inputs are not used for model training.

5. Data Retention

  • Account data: Retained while the account is active. Deleted within 30 days of account deletion request.
  • Voice recordings: Processed in real time and not permanently stored. Deepgram processes and discards audio after transcription. Recordings are deleted from the device immediately after transcription completes.
  • Quotes and invoices: Retained while the account is active. Builders may need these for tax records (HMRC requires 6 years).
  • Payment records: Retained for 6 years for tax compliance (HMRC requirement).
  • Usage analytics: Anonymised after 24 months.

6. Your Rights Under GDPR

UK users have the right to:

  • Access — Request a copy of all personal data we hold
  • Rectification — Correct inaccurate data
  • Erasure — Request deletion of data (subject to legal retention requirements)
  • Portability — Receive data in a machine-readable format
  • Restriction — Restrict processing of data
  • Objection — Object to processing based on legitimate interests
  • Withdraw consent — Where processing is based on consent

To exercise these rights, email privacy@mycubo.co.uk. We will respond within 30 days.

You may also lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7. Security

  • All data transmitted over HTTPS/TLS
  • Passwords hashed using bcrypt (via Supabase Auth)
  • Row Level Security (RLS) enforced on all database tables
  • API keys stored in environment variables, never in client code
  • Regular security audits

8. Children

Cubo is not intended for users under 18. We do not knowingly collect data from children.

9. Changes to This Policy

We may update this policy. Material changes will be notified via email or in-app notification. Continued use after changes constitutes acceptance.

10. Contact

For privacy questions: privacy@mycubo.co.uk