
GDPR Compliance

Last updated: 26 April 2026 — Draft pending solicitor review

GDPR compliance is foundational to how we build and operate the Rubo platform — not an afterthought. Rubo Ltd, a company registered in England and Wales, serves users in the United Kingdom and is committed to meeting the obligations of the UK GDPR and the EU GDPR (where applicable to UK-established services dealing with EU residents). This page summarises our approach to data protection and your rights as a data subject.

1. Our Roles Under GDPR

Data Controller: Rubo Ltd is the data controller for personal data you provide when creating an account, contacting us, or using our marketing site.

Data Processor: When brokers upload client data or process client communications through the Rubo platform, Rubo acts as a data processor on behalf of the broker (the data controller). We process that data only on the broker's documented instructions and for the purpose of providing the Service.

A Data Processing Agreement (DPA) is available to all Business and Enterprise customers and governs our processing activities as a data processor.

2. Data Residency

All primary data storage is in the EU (Frankfurt, Germany) region via Supabase. No personal data is stored outside the EU as part of primary storage.

Where sub-processors based outside the EU process personal data (e.g. for AI inference), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, and ensure appropriate supplementary safeguards are in place.

3. Sub-processors

We use the following sub-processors to deliver the Service:

Provider | Location | Purpose
Supabase Inc. | EU (Frankfurt, Germany) | Database, authentication, and file storage
Anthropic, PBC | United States (SCCs in place) | AI model inference for draft generation
Stripe Inc. | United States (SCCs in place) | Payment processing
Meta Platforms | United States (SCCs in place) | WhatsApp Business API for message delivery
Vercel Inc. | EU region configured | Web application hosting

4. Security Measures

Technical and organisational measures include:

  • TLS 1.2+ encryption for all data in transit.
  • AES-256 encryption for data at rest.
  • Row-level security (RLS) policies in our database layer.
  • Multi-factor authentication enforced for all Rubo staff.
  • Role-based access control with least-privilege principles.
  • Regular penetration testing and security audits.
  • Automated vulnerability scanning in our CI/CD pipeline.
  • Incident response and data breach notification procedures.

5. Your Rights

As a data subject, you have the following rights under the GDPR:

  • Access (Art. 15): Request a copy of all personal data we hold about you.
  • Rectification (Art. 16): Ask us to correct inaccurate or incomplete data.
  • Erasure (Art. 17): Request deletion of your personal data where no legal obligation to retain it exists.
  • Restriction (Art. 18): Ask us to limit how we use your data in specific circumstances.
  • Portability (Art. 20): Receive your data in a structured, machine-readable format to transfer elsewhere.
  • Objection (Art. 21): Object to processing based on our legitimate interests.

To exercise any of these rights, email privacy@askrubo.ai. We will respond within 30 calendar days.

6. Data Breach Notification

In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR. We will notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

7. Data Protection Officer

Rubo has appointed a Data Protection Officer (DPO) to oversee our GDPR compliance programme.

Data Protection Officer
Rubo Ltd
Registered in England and Wales (registration number pending — see /privacy for the latest entity details)
Email: dpo@askrubo.ai

8. Supervisory Authority

You have the right to lodge a complaint with your local supervisory authority:

  • UK users: Information Commissioner's Office (ICO) — ico.org.uk