Privacy Policy

Last updated: 26 November 2025

Who we are

  • oBubble LTD (company no. 16838569) ("oBubble", "we", "us", "our") provides a tool to organise and understand your insurance information.
  • We are the data controller for the personal data we collect about you.
  • Contact: privacy@obubble.co.uk
  • Registered in the UK.
  • oBubble is registered with the UK Information Commissioner's Office (ICO) under registration number 12262847.

What we collect

We process your personal data only when we have a lawful basis to do so under the UK GDPR:

Purpose | Lawful basis
Transmit insurance documents (which may include personal data) to third-party AI processors for extraction and summarisation | Contract (necessary to perform the service you request)
Provide the service (create your account, store and secure your insurance information, and send essential service messages) | Contract
Decode and summarise your policy (analyse uploaded documents to generate summaries, renewal reminders, and coverage checks) | Contract
Improve and protect oBubble (debugging, security, analytics with privacy safeguards) | Legitimate Interests
Send optional marketing or product updates (only if you opt in) | Consent
Meet legal or regulatory requirements (record-keeping, lawful disclosures) | Legal Obligation
Improve our AI's ability to read insurance documents and generate aggregated insights (using irreversibly anonymised and aggregated data only) | Legitimate Interests (for improving and developing our services)

When you upload insurance documents, we securely transmit them to trusted third-party AI processors (currently OpenAI LLC) solely to extract and summarise policy details on your behalf.

You can opt out of marketing emails at any time through your account settings or by contacting privacy@obubble.co.uk.

Why we use your data (lawful bases)

  • Provide the service (create/secure your account, store your insurance info, send essential service emails): Contract.
  • Improve and protect oBubble (debugging, security, analytics with privacy safeguards): Legitimate Interests.
  • Marketing emails (only if you opt in): Consent (you can withdraw anytime).
  • Legal compliance (record-keeping, responding to lawful requests): Legal Obligation.

Children

oBubble is for users 16+. Please don't use the service if you're under 16.

AI & Automated Processing

We use machine-learning models (currently operated by OpenAI LLC in the United States) to help identify, extract and summarise information from your insurance documents.

  • These models process the full document, including personal identifiers, because that's required to understand your coverage correctly.
  • Processing is performed under a Data Processing Agreement incorporating the EU Standard Contractual Clauses and UK Addendum.
  • OpenAI does not use any data sent through our API to train its models.
  • Only anonymised or aggregated data is later used to improve oBubble's own AI systems.
  • AI is not used to make automated decisions about you that have legal or significant effects.

Improving our AI and services

  • We may use fully anonymised and aggregated data derived from user documents to enhance our models' ability to read and summarise insurance policies.
  • This process involves removing all personal identifiers so the data can no longer identify you or any individual.
  • We may also share aggregated, non-personal insights (for example, trends in policy coverage or structure) with trusted partners to improve market understanding and customer experience.
  • These insights never include personal or identifiable information.

Sharing & processors

  • We use carefully selected service providers ("processors") who help us deliver and improve oBubble. Each operates under GDPR-compliant Data Processing Agreements and only accesses the data needed for their task.
  • We may also share aggregated, anonymised insights with trusted partners. These insights do not contain personal data and cannot be used to identify you.

Our key processors currently include:

  • Vercel – hosting and edge delivery
  • Google Firebase (Google Cloud Platform) – application hosting, authentication, and encrypted data storage. Data is hosted in the UK/EU region (London or equivalent). Where transfers outside the UK or EEA occur, they are protected by the EU Standard Contractual Clauses, UK Addendum, and Google's certification under the EU–US Data Privacy Framework.
  • Resend – email delivery and notifications
  • OpenAI, L.L.C. – provides our AI decoding engine that extracts and summarises policy information. For this purpose, oBubble transmits uploaded documents (which may include personal data) to OpenAI via its API. OpenAI acts as our processor under a Data Processing Agreement incorporating the EU Standard Contractual Clauses and UK Addendum, and is certified under the EU-US Data Privacy Framework. OpenAI does not use this data to train its models and deletes it after short-term processing (typically ≤ 30 days).
  • We do not sell, rent, or trade personal data.
  • If we transfer data outside the UK, we use appropriate safeguards (such as the UK IDTA or EU SCCs with UK Addendum) to protect your information.

Derived and anonymised data

  • In addition to the processors above, oBubble may create and retain anonymised or aggregated datasets derived from user documents. These datasets no longer contain personal information and are stored securely in our EU environment for the purpose of improving our AI models and generating statistical insights. No third party can re-identify individuals from this information.

Retention

We keep your data only as long as needed for the purposes described above:

  • Account and insurance data: kept while your account is active and deleted upon account deletion or within 30 days of a verified request (unless law requires longer).
  • Uploaded documents: stored securely for the duration of your active policy and up to 12 months thereafter (or longer if the policy itself runs longer, such as life insurance). You can delete your documents or account at any time.
  • Logs: typically retained 30–90 days for security.
  • Support threads: up to 24 months.
  • Backups: encrypted and roll off on scheduled cycles.
  • Anonymised datasets: may be retained indefinitely, but these contain no personal data and cannot be linked back to you.

Your choices

You control how your data is used:

  • You can opt out of marketing communications at any time.
  • You can request deletion or export of your documents, account data, or all records via privacy@obubble.co.uk.
  • We do not require consent for anonymised or aggregated data processing, as it cannot identify you.

Your rights (UK GDPR)

You have the right to:

  • Access your data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict or object to certain processing
  • Port your data to another provider
  • Withdraw consent where used

To exercise these rights, email privacy@obubble.co.uk.

You may also complain to the Information Commissioner's Office (ICO) at ico.org.uk.

Security

We apply security by design and default, including:

  • Encryption in transit and at rest (where supported)
  • Role-based access control and least privilege
  • Environment-scoped secrets
  • Audit logging and anomaly detection
  • Regular backup and restore testing

Cookies & similar tech

  • See our Cookies Policy for full details.
  • We use essential cookies for core functionality and non-essential cookies (e.g., analytics) only with your consent.

Data Protection Impact Assessment (DPIA)

  • Because users may store sensitive insurance information, we maintain a DPIA and a Record of Processing Activities (ROPA). These documents describe how we manage privacy risks, security controls, and lawful bases for processing.

Changes

  • If we make material changes to this Privacy Policy, we'll notify you in-app or by email and update the "Last updated" date.

Contact: privacy@obubble.co.uk