Legal
Privacy Policy
Oruma Spec Limited
Company Number 17076427
Church House, Walkhampton, Yelverton, PL20 6JY, United Kingdom
Version 1.0 · Effective 29 June 2026
This policy explains how Oruma Spec Limited (“we”, “us”, or “our”) collects, uses and protects your personal data when you use OrumaSpec.
1. Introduction
1.1 Important information and who we are
Welcome to Oruma Spec Limited's Privacy and Data Protection Policy (“Privacy Policy”).
At Oruma Spec Limited we are committed to protecting and respecting your privacy and Personal Data in compliance with the United Kingdom General Data Protection Regulation (“GDPR”), the Data Protection Act 2018 and all other mandatory laws and regulations of the United Kingdom.
This Privacy Policy explains how we collect, process and keep your data safe. It describes your privacy rights, how the law protects you, and the obligations of our employees and staff when processing data.
The individuals from whom we may gather and use data include:
- Customers and prospective customers (including individuals at architecture practices who enquire about, register for or use our service); and
- Any other people that the organisation has a relationship with or may need to contact.
This Privacy Policy applies to all our employees and staff members and all Personal Data processed at any time by us.
1.2 Your Data Controller
Oruma Spec Limited is your Data Controller and is responsible for your Personal Data. We are not obliged by the GDPR to appoint a data protection officer and have not voluntarily appointed one at this time.
Enquiries about your data should be sent by email to support@orumaspec.com or by post to Church House, Walkhampton, Yelverton, PL20 6JY, United Kingdom.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
1.3 Processing data on behalf of a Controller
In discharging our responsibilities as a Data Controller we have employees who deal with your data on our behalf (known as “Processors”). The Data Controller and our Processors are responsible for ensuring that:
- All processing of Personal Data is governed by one of the legal bases laid out in the GDPR (see section 2.2);
- Processors authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Appropriate technical and organisational measures are implemented to ensure a level of security appropriate to the risk;
- Prior authorisation of the Controller is obtained before engaging another Processor;
- The Controller is assisted in responding to requests for exercising data subject rights;
- Information necessary to demonstrate GDPR compliance is made available to the Controller and audits are permitted;
- A record of processing activities carried out on behalf of a Controller is maintained;
- The supervisory authority is cooperated with on request;
- Persons with access to Personal Data process it only on instructions from the Controller; and
- The Controller is notified without undue delay after becoming aware of a Personal Data Breach.
2. Legal basis for data collection
2.1 Types of data
“Personal Data” means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of Personal Data about you. Not all of the following will necessarily be collected from you, but this is the full scope of data we may collect and when we collect it:
- Identity & Account Data: your name, job title, the name of the architecture practice you work for, and the username and password associated with your account (if you register).
- Contact Data: your name, email address, postal address and telephone number.
- Usage & Technical Data: how you access and use our website and platform, including IP address, browser type, device information, login data and features used.
- Content Data: specifications, documents and other content you create, upload or store using the platform (if you use the service).
- Marketing & Communications Data: your preferences in receiving marketing from us.
- Payment & Transaction Data: billing details and payment records. Card and bank details are processed by Stripe; we do not store your full card or bank details (if you subscribe to a paid plan).
- Support & Correspondence Data: records of your communications with us.
Where data is described as collected when you register, use the service or subscribe, we only collect it if you choose to do so. You can browse our website without providing most of this data.
We do not collect Special Categories of Personal Data (such as health, ethnicity, or religious beliefs) or information about criminal convictions and offences.
2.2 Legal basis for collecting data
Under the GDPR, the main legal bases we rely on are:
- Consent: for example when you opt in to marketing communications.
- Contractual Obligations: information required to provide the service you have signed up for.
- Legal Compliance: where we are required by law to collect or retain certain data.
- Legitimate Interest: where processing is reasonably expected as part of running our business and does not materially affect your rights.
3. How we use your personal data
3.1 Our data uses
We will only use your Personal Data when the law allows us to.
Set out below is a table containing the different types of Personal Data we collect and the lawful basis for processing that data. Please refer to section 2.2 for more information on the lawful basis listed in the table below.
Examples provided in the table below are indicative in nature and the purposes for which we use your data may be broader than described, but we will never process your data without a legal basis for doing so and it is for a related purpose. For further enquiries please contact us.
| Activity | Type of data | Lawful basis | Purpose |
|---|---|---|---|
| When you visit our website | Usage & Technical Data | Legitimate Interest | To operate and secure our website, understand how it is used and improve it |
| When you make an enquiry or contact us | Contact Data; Support & Correspondence Data | Legitimate Interest | To respond to your enquiry and provide the information or support you request |
| When you join our waitlist | Contact Data (name and email address) | Consent | To register your interest, keep you updated about our launch and send you the communications you have asked for |
| When you opt in to marketing communications | Marketing and Communications Data | Consent | We need to process this data so that we know who and where to send marketing information |
| When an architecture practice creates an account (only if you sign up) | Identity & Account Data; Contact Data | Contractual Obligations | To create, administer and secure your account and to provide the service to you |
| When you use the platform, e.g. writing specifications (only if you sign up) | Usage & Technical Data; Content Data | Contractual Obligations; Legitimate Interest | To deliver the service, store your work, provide support and improve the product |
| When you subscribe to a paid plan (only if you sign up) | Payment & Transaction Data (via Stripe) | Contractual Obligations; Legal Compliance | To take payment for your subscription and to keep accounting and tax records as required by law |
Activities marked “only if you sign up” apply only where an architecture practice registers for an account or subscribes to a paid plan. If you only browse our website or contact us with an enquiry, we will not collect account, platform-usage or payment data from you.
3.2 Marketing and content updates
You will receive marketing and new content communications from us if you have created an account and chosen to opt into receiving those communications. From time to time we may make suggestions about goods or services that may be of interest to you.
3.3 Change of purpose
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your Personal Data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.
Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
5. Your rights and how you are protected
5.1 Your legal rights
Under certain circumstances, you have the following rights in relation to your personal data:
- Right to be informed — about our purposes, retention and sharing (as set out in this policy).
- Right of access — to receive a copy of the personal data we hold about you (see section 5.4).
- Right to rectification — to request correction of inaccurate or incomplete data.
- Right to erasure — to ask us to delete personal data in certain circumstances.
- Right to object — including to direct marketing or processing based on legitimate interests.
- Right to restrict processing — in certain circumstances, such as while accuracy is verified.
- Right to data portability — to receive your data in a structured, machine-readable format where applicable.
To make a request under any of these rights, contact us at support@orumaspec.com.
5.2 How we protect your data
Personal Data is accessible only to a limited number of employees with special access rights who are bound by confidentiality obligations. When we use subcontractors to store your data, we do not relinquish control of your Personal Data or expose it to security risks that would not have arisen had the data remained in our possession.
No transmission of data over the internet is guaranteed to be completely secure. While we strive to protect your Personal Data, we cannot ensure or warrant the security of any Personal Data you transmit to us. Any such transmission is at your own risk.
5.3 Opting out of marketing
You can ask us to stop sending you marketing messages at any time by using the unsubscribe link at the bottom of each marketing email. Where you opt out, we will continue to retain other Personal Data from interactions not related to marketing preferences.
5.4 Requesting your data
You will not have to pay a fee to access your Personal Data. We may refuse clearly unfounded requests. We may need to verify your identity before responding, which helps ensure Personal Data is not disclosed to the wrong person.
6. Your data and third parties
6.1 Sharing your data
We may share Personal Data with interested parties in connection with a change of control, acquisition, or licensing of our technology. If Oruma Spec Limited is sold or makes a transfer, your Personal Data may be transferred as part of that transaction, subject to the acquiring entity's privacy policy.
We may also share Personal Data where required for legal reasons or to enforce our terms or this Privacy Policy.
6.2 Our sub-processors
We use trusted third-party service providers (“sub-processors”) who process Personal Data on our behalf. We only share the Personal Data necessary for them to perform their services, and we require each of them to provide appropriate safeguards for your data and to process it only on our instructions.
| Sub-processor | Purpose | Location of processing |
|---|---|---|
| Stripe | Payment processing and Direct Debit collection | USA / EU |
| Vercel | Hosting of our website and application front end | USA |
| Render | Hosting of our application back end and database | USA / EU |
| Resend | Sending transactional and marketing emails | USA |
| Attio | Customer relationship management, including managing waitlist sign-ups and enquiries | EU / USA |
This list may change as our service develops. Where Personal Data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place (see section 8).
7. How long we retain your data
We retain Personal Data only for as long as reasonably necessary to fulfil the purposes for which it was collected. We may retain data for longer if there is a complaint or we reasonably believe there is a prospect of litigation in respect of our relationship with you.
8. International transfer of data
Your information may be stored and processed in the United Kingdom or in other countries where Oruma Spec Limited or our service providers have facilities, including the sub-processors listed in section 6.2. By using OrumaSpec, you consent to the transfer of information, including Personal Data, outside the United Kingdom where appropriate safeguards are in place.
9. Changes to this policy
We keep this Privacy Policy under review and will place any updates on this page. This version is 1.0, effective 29 June 2026.
By using OrumaSpec, you consent to the collection and use of data as set out in this Privacy Policy. Continued use after changes constitutes acceptance of the updated policy.
10. Interpretation
All uses of “including” mean “including but not limited to”. Email addresses in this policy may be used only for the stated purpose. Unless required by law, we reserve the right not to respond to unrelated correspondence sent to those addresses.
Our staff are not authorised to contract on behalf of Oruma Spec Limited, waive rights or make representations. If anything in an email contradicts this policy, our terms or an official website announcement, the written policy or terms take precedence — except for genuine correspondence from our legal department.
Questions about this policy? Email support@orumaspec.com · Back to home
