Terrain Systems Ltd ("Terrain", "we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, share and protect personal data when you use our products, including the Terrain Apps bespoke internal software and the Terrain CAFM facility management service (together, the "Services"), and when you visit this website. It is written for compliance with the UK GDPR and the Data Protection Act 2018.
1. Who we are
Terrain Systems Ltd is a company registered in England & Wales (company number 17234123). If you have any questions about this policy or how we handle your personal data, contact us at terraincafm@gmail.com.
2. Our role: controller and processor
Our data protection role depends on how you interact with us.
- When we deliver the Services to a business customer (for example a facilities management or consulting firm), that customer decides what audit, building and personnel data is entered into the platform. In that relationship the customer is the data controller and we act as a data processor, processing personal data on the customer's documented instructions under a Data Processing Agreement. If you are an end user of a customer's deployment (for example a member of staff, a reviewer, or a building contact), please refer first to that organisation's privacy notice; they are the controller of your data.
- When you visit this website, contact us, or we administer our own business (billing, support, marketing, recruitment), we are the data controller.
3. Personal data we collect
3.1 Data within the Services (we act as processor)
Each deployment of Terrain Apps, and the Terrain CAFM service, may process the following on behalf of our customers:
- Account and identity data: name, email address, job role, organisation, and authentication identifiers.
- Audit and operational content: audit reports, observations, comments, building and asset records, and any personal data the customer chooses to include.
- Photographs: images captured during site inspections, which may incidentally contain individuals.
- Digital signatures: signatures applied to finalise reports.
- Usage and audit-trail data: records of actions taken in the platform for compliance and accountability.
We do not control what personal data customers choose to upload. Customers are responsible for ensuring they have a lawful basis for the data they process through the Services.
3.2 Data we collect as controller
- Account administrators and billing contacts: name, business email, phone number, company details and billing information.
- Website visitors: IP address, browser and device information, and pages visited (see Cookies below).
- Enquiries and support: any information you provide when you contact us.
- Marketing contacts: name and business email where you have opted in or where we have a legitimate interest.
We do not seek to collect special category data (such as health, ethnicity or biometric data) as part of our own controller activities. Customers should avoid placing special category data into the Services unless they have established an appropriate lawful basis and informed us in writing.
4. How we use personal data and our lawful bases
As processor (within the Services). We process personal data only to provide the Services to our customers, in accordance with their instructions and the Data Processing Agreement, for example to host, store, display, transmit and generate reports from the data they enter. The lawful basis is determined by our customer as controller.
As controller, we rely on the following lawful bases under Article 6 of the UK GDPR:
- Providing, maintaining and securing the Services, and account administration, billing and support: performance of a contract.
- Keeping records and meeting legal and accounting obligations: legal obligation.
- Improving and securing our products, preventing fraud and abuse, and sending service and security notifications: legitimate interests.
- Responding to enquiries: legitimate interests.
- Marketing to business contacts: consent or legitimate interests.
Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights. You can object at any time (see Your rights).
5. Sub-processors and third-party services
We use the following service providers to operate the Services. They process personal data on our behalf, or on our customer's behalf where we act as processor, under contractual data protection terms. Where a provider is outside the UK, transfers are protected by appropriate safeguards (see International transfers).
- Clerk, Inc.: user authentication and identity management (United States).
- Cloudflare, Inc.: file and image storage, website and application hosting, and network/CDN services (United States and global edge network).
- Neon, Inc.: managed PostgreSQL database hosting (United States / EU).
- Fly.io, Inc.: application and real-time service hosting (United States / EU).
- Functional Software, Inc. (Sentry): application error and performance monitoring (United States).
- Better Stack (BetterStack s.r.o.): uptime and availability monitoring (EU).
- Doppler, Inc.: secrets and configuration management; does not process customer audit content (United States).
We maintain an up-to-date list of sub-processors and give advance notice to controller-customers of any intended changes, in accordance with the applicable Data Processing Agreement. Each Terrain Apps customer is deployed against their own isolated database, authentication application and storage; customer data is not pooled across deployments.
6. International transfers
Some sub-processors are located outside the United Kingdom. Where personal data is transferred outside the UK, we ensure an appropriate safeguard is in place, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, or a transfer to a country covered by UK adequacy regulations. You can request more information about the safeguards we use by contacting us.
7. How long we keep data
- Service data (as processor): retained for the duration of the customer's contract and deleted or returned in accordance with the Data Processing Agreement after it ends, subject to any legal retention requirement.
- Account, billing and contractual records (as controller): retained for the duration of the relationship and for up to 6 years afterward to meet legal and accounting obligations.
- Website and analytics data: retained no longer than necessary for the purpose collected.
- Marketing contacts: retained until you unsubscribe or object.
8. How we protect data
We apply technical and organisational measures appropriate to the risk, including encryption in transit (TLS); private file storage served only via short-lived, time-limited signed links; encrypted, centrally managed secrets; a managed identity provider with role-based access control and multi-factor authentication; tenant isolation; audit logging; and continuous monitoring. See our Security page for detail. No method of transmission or storage is completely secure, but we work to protect your data and maintain these safeguards on an ongoing basis.
9. Personal data breaches
If a personal data breach occurs that is likely to result in a risk to individuals, we will notify the relevant controller and/or the Information Commissioner's Office (ICO) without undue delay and, where required, within 72 hours of becoming aware, in line with the UK GDPR. Where we act as processor, we will notify the affected customer-controller without undue delay so they can meet their own obligations.
10. Your rights
Under UK data protection law you have the right to be informed; to access your data; to request rectification or erasure; to restrict or object to processing; to data portability; to withdraw consent at any time where processing is based on consent; and to object to direct marketing at any time.
If you are an end user of a customer's deployment, please direct your request to that organisation (the controller); we will assist them in responding. For data where we are the controller, contact us at terraincafm@gmail.com and we will respond within one month. You also have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk, though we would welcome the chance to address your concerns first.
11. Cookies and analytics
This website and the Services use cookies and similar technologies that are strictly necessary to operate, for example to keep you signed in securely. We do not use advertising or cross-site tracking cookies. Where we use any non-essential analytics or marketing cookies, we will request your consent through a cookie banner. You can manage cookies through your browser settings, but blocking strictly necessary cookies will prevent you from signing in to the Services. See our Cookie Policy for full detail.
12. Children
The Services are intended for use by businesses and their staff. They are not directed at children, and we do not knowingly collect personal data from anyone under 16.
13. Changes to this policy
We may update this policy from time to time. We will post the updated version here with a new "Last updated" date, and where changes are material we will provide reasonable notice to affected customers.
14. Contact
Questions about your data or this policy? Email terraincafm@gmail.com.