DATA PRIVACY POLICY

Last Updated: June 8, 2025

This Privacy Policy describes how Low Carbon Materials Hub Pty Ltd ("we," "us," or "our") collects, uses, stores, and protects information in connection with your use of our SaaS product, Nulla (the "Service").

We are committed to protecting your privacy and handling your data in an open and transparent manner. Please read this Privacy Policy carefully to understand our practices regarding your data and how we will treat it.

1. Introduction and Scope

This Privacy Policy applies to personal data we collect when you use our Service. It is important to distinguish between:

  • Data for which we are the Data Controller: This typically includes information we collect about you as a user of our Service (e.g., account registration details, billing information). We determine the purposes and means of processing this data.
  • Data for which we are the Data Processor: This refers to the Material Takeoff Quantities Documents (e.g., BOQ, BQ, BIM off-take) and any personal data contained within them that you upload to our Service. For this data, you are the Data Controller, and we process it strictly on your behalf to provide the Service. Our obligations as a Data Processor are outlined in our Data Processing Agreement (DPA) with you.

2. Information We Collect (Where We Are the Data Controller)

We collect information to provide and improve our Service. This includes:

2.1. Information You Provide to Us

  • Account Information: When you register for an account, we collect your name, email address, company name and job title.
  • Billing Information: If you subscribe to our paid plans, we collect billing details such as credit card information (processed by a third-party payment processor) and billing address.
  • Communication Data: When you contact us for support, send us emails, or interact with our customer service, we collect the content of your communications.
  • Marketing Preferences: Your preferences for receiving marketing communications from us.

2.2. Information We Collect Automatically

  • Usage Data: Information about how you access and use the Service, such as the features you use, the time and duration of your activities, and error logs.
  • Device and Log Data: Information about the device you use to access the Service, including IP address, browser type, operating system, and unique device identifiers.
  • Cookies and Tracking Technologies: We use cookies and similar tracking technologies to track the activity on our Service and hold certain information. This helps us personalize your experience and analyze Service usage.

3. How We Use Information (Where We Are the Data Controller)

We use the information we collect as a Data Controller for the following purposes:

  • To Provide and Maintain the Service: To operate our Service, manage your account, and provide customer support.
  • To Process Transactions: To process your payments for the Service.
  • To Improve and Personalize the Service: To understand how you use the Service, develop new features, and tailor your experience.
  • To Communicate with You: To send you service-related notifications, updates, security alerts, and marketing communications (where you have consented).
  • For Security and Fraud Prevention: To protect our Service, users, and data from unauthorized access, fraud, and other malicious activity.
  • To Comply with Legal Obligations: To meet our legal and regulatory requirements.

4. Data We Process on Your Behalf (Where We Are the Data Processor)

When you upload Material Takeoff Quantities Documents (e.g., BOQ, BQ, BIM off-take) to our Service, you are providing us with data that may contain business information. For this data:

  • You are the Data Controller: You determine the purposes and means of processing this data.
  • We are the Data Processor: We process this data strictly according to your instructions and solely for the purpose of generating embodied carbon reports for your building project. This includes mapping material quantities to carbon coefficients from generic databases and our EPD database.
  • Our Obligations: Our obligations regarding the processing of this data, including security measures, confidentiality, and sub-processing, are detailed in the Data Processing Agreement (DPA) between us.

We do not use the data you upload for any purpose other than to provide you with the Service, to enhance the Service, and to fulfill our contractual obligations to you. We do not sell or share this data with third parties for their own purposes.

5. Sharing Your Information

We may share the information we collect (where we are the Data Controller) with:

  • Service Providers: Third-party vendors who perform services on our behalf, such as payment processing, cloud hosting, analytics, and customer support. These service providers are contractually obligated to protect your data and use it only for the purposes for which we disclose it to them.
  • Legal Requirements: If required to do so by law or in response to valid requests by public authorities (e.g., a court order or a government agency).
  • Business Transfers: In connection with a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction.
  • With Your Consent: We may share your information with third parties when we have your explicit consent to do so.

For data where we are the Data Processor, we will only share it as per your instructions and as outlined in our DPA.

6. Data Security

We implement a variety of technical and organizational security measures designed to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

  • All data transmissions through the web are encrypted using HTTPS (TLS 1.2). Data at rest is protected by a combination of encryption and strict data retention policies.
  • We follow the SOC 2 Type II requirements for access controls and audit log maintenance, and we are working towards SOC 2 Type II certification, which will then mandate an annual security audit of our platform.
  • We regularly review our security practices to consider appropriate new technology and methods.

7. Data Retention

We retain your personal data (where we are the Data Controller) for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

For data where we are the Data Processor, we retain your data according to the terms of our Data Processing Agreement (DPA) and your instructions.

8. International Data Transfers

Your information, including personal data, may be transferred to, and maintained on, computers located outside of your state, province, country or other governmental jurisdiction, where the data protection laws may differ from those of your jurisdiction.

If you are located outside Australia and choose to provide information to us, please note that we transfer the data, including Personal Data, to Australia and process it there.

We ensure that any international transfers of personal data are conducted in accordance with applicable data protection laws, typically by implementing appropriate safeguards such as Standard Contractual Clauses approved by the European Commission, or other legally recognized mechanisms.

9. Your Data Protection Rights

Depending on your location and applicable data protection laws (e.g., GDPR, CCPA), you may have the following rights regarding the personal data we hold about you (where we are the Data Controller):

  • Right to Access: The right to request copies of your personal data.
  • Right to Rectification: The right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
  • Right to Erasure (Right to be Forgotten): The right to request that we erase your personal data under certain conditions.
  • Right to Restrict Processing: The right to request that we restrict the processing of your personal data under certain conditions.
  • Right to Object to Processing: The right to object to our processing of your personal data under certain conditions.
  • Right to Data Portability: The right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
  • Right to Withdraw Consent: Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time.

To exercise any of these rights, please contact us at nulla@lcmhub.com. We will respond to your request in accordance with applicable data protection laws.

10. Third-Party Services

Our Service may leverage other external services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

However, when selecting the services we use in our platform, we ensure that the services are SOC 2 Type II compliant and adhere to data privacy policies that align with our policy.

11. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top. We encourage you to review this Privacy Policy periodically for any changes.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: