Legal
How we collect, use, and protect the data you trust us with.
Last updated: 17 May 2026
This Privacy Policy explains how H1 Global Ltd ("H1G", "we", "us", "our") collects, uses, shares and protects personal data when you visit our websites, sign up for or use the Habita platform (the "Service"), or otherwise interact with us. Habita is owned and operated by H1 Global Ltd. This policy applies to every visitor, applicant, customer, end-user, advertiser and service provider who engages with Habita.
Where Habita is offered to you by a management company, housing association, building owner or similar organisation (your "Organisation"), that Organisation is the controller of the personal data it submits and instructs us to process about its residents, employees and contractors. H1G acts as the processor for that data on the Organisation's behalf. For data we collect directly from you (e.g. when you sign up, fill in our forms, or browse our public site) H1G is the controller.
Habita is a trading product of H1 Global Ltd. If you have any question about this policy, or wish to exercise the rights described below, please contact us using the details above.
This policy applies to personal data we process when you:
It does not cover third-party websites or services we link to. Those have their own policies; please review them.
Under the UK GDPR and EU GDPR we may only process your personal data when at least one legal basis applies. The table below sets out the main purposes for which we process data and the legal basis we rely on for each.
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Provide and maintain the Service to you and your Organisation | Identity, contact, account, content, usage | Contract; legitimate interests |
| Process payments, subscriptions and invoicing | Billing, payment-token, transaction | Contract; legal obligation (tax/accounting) |
| Send transactional communications (ticket updates, invoices, sign-in links, security alerts) | Identity, contact, account | Contract; legitimate interests |
| Provide AI-assisted features (translation, drafting, ticket triage, meeting summaries) | Content, language, role | Contract; legitimate interests |
| Detect, prevent and investigate fraud, abuse, spam and security incidents | Identity, device, usage, location (IP) | Legitimate interests; legal obligation |
| Improve the Service through aggregated, pseudonymised analytics | Usage, device | Legitimate interests |
| Marketing emails and product news to prospects and existing customers | Identity, contact, preferences | Consent (prospects); legitimate interests / soft opt-in (existing customers) |
| Comply with applicable laws and respond to lawful requests from authorities | Any relevant category | Legal obligation |
| Establish, exercise or defend legal claims | Any relevant category | Legitimate interests |
Where we rely on legitimate interests, we have carried out a balancing test and are satisfied that our interests are not overridden by your rights. You can ask us for a copy of the balancing assessment at [email protected].
We share personal data only when necessary and only with:
We do not sell your personal data. We do not use your content to train public AI models.
We engage trusted sub-processors to operate the Service. Each is bound by a written data processing agreement consistent with Article 28 of the UK GDPR and EU GDPR. The table below describes the categories of sub-processor we use and the regions in which they process personal data.
| Category of sub-processor | Purpose | Region of processing |
|---|---|---|
| Cloud hosting and CDN provider | Application servers, DNS, content delivery and DDoS protection | UK / EU / global edge |
| Managed database, authentication and file storage | User accounts, application data and uploaded files | EU (Ireland) |
| Payment processor | Subscriptions, invoicing and card processing | EU / US (SCCs in place) |
| Transactional email and messaging gateways | Service emails, marketing emails, WhatsApp and SMS | EU / US (SCCs in place) |
| AI / large-language-model provider | Translation, drafting, summarisation and triage | EU / US (SCCs in place; zero data retention configuration) |
| Ephemeral cache provider | Rate-limit and webhook idempotency | EU (Ireland) |
| Bot and abuse protection provider | Spam and abuse prevention on public forms | EU / US |
| Error monitoring provider | Crash reports and exception tracking | EU |
| Product analytics provider | Pseudonymised usage measurement | EU |
The current named list of sub-processors is available on request from [email protected]. We will give reasonable advance notice to Organisation customers of any change. To object to a new sub-processor, contact us within 30 days of the notice and we will work with you to find a reasonable alternative or, failing that, allow you to terminate the affected services.
Some of our sub-processors are located outside the UK or European Economic Area, principally in the United States. Where we transfer personal data outside these regions, we rely on one or more of:
You can request a copy of our transfer safeguards by emailing [email protected].
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, including for the purposes of satisfying any legal, accounting or reporting requirements.
| Category | Retention period |
|---|---|
| Active account & profile data | Duration of your account, plus up to 90 days after closure for backups |
| Content created in the Service (tickets, posts, documents) | Controlled by your Organisation; deleted on Organisation request or account closure |
| Billing records, invoices, tax records | 7 years from the end of the relevant accounting period (UK statutory) |
| Security and abuse logs | Up to 24 months |
| Marketing preferences and unsubscribe records | Indefinitely, to honour your choices |
| Anonymised analytics | Indefinitely |
| Customer support correspondence | Up to 3 years from last contact |
| Cookies | Per the lifetime stated in section 12 |
We implement appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. These include:
Despite our efforts, no method of transmission or storage is 100% secure. If you believe your account has been compromised, contact [email protected] immediately.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, and will notify you without undue delay where the law requires.
Subject to applicable law, you have the following rights with respect to your personal data. We will respond to requests within one calendar month, extendable by a further two months for complex requests.
To exercise any of these rights, email [email protected] from the address associated with your account. We may ask for additional information to verify your identity before acting on a request. Where the requested data was provided to us by an Organisation, we may need to direct your request to that Organisation.
We send marketing emails only where the law allows: with your consent, or to existing customers about similar products and services on a soft opt-in basis. Every marketing email contains an unsubscribe link. You can also email [email protected] to opt out at any time. Transactional messages (security alerts, billing notices, ticket updates) are not marketing and will continue while your account is active.
We use the following categories of cookies and similar technologies:
| Category | Purpose | Lifetime |
|---|---|---|
| Strictly necessary | Sign-in session, CSRF protection, load balancing, security | Session to 30 days |
| Functional | Remember language and accessibility preferences | Up to 12 months |
| Analytics | Aggregated usage measurement (pseudonymised) | Up to 13 months |
| Security & fraud | reCAPTCHA, bot detection | Up to 6 months |
Strictly necessary cookies do not require consent. For analytics cookies we ask for your consent on your first visit and you can change your preferences at any time via your browser settings or our cookie banner. Blocking strictly necessary cookies may prevent parts of the Service from working.
Habita uses AI to translate posts and tickets between languages, draft suggested replies, triage incoming tickets, and summarise meeting minutes. These features are designed to assist a human, not to replace one. We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing.
Content sent to our AI provider for processing is transmitted under contractual terms that prohibit training the provider's public models on your data. Where available, we use zero-data-retention configurations so that prompts and responses are not retained by the provider beyond the time needed to return a response.
The Service is intended for use by adults. We do not knowingly collect personal data from anyone under 16. If you become aware that a child has provided us with personal data without parental consent, please contact [email protected] so we can delete it.
Our public site and the Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before providing them with personal data.
We may update this Privacy Policy from time to time. When we make material changes we will notify you, for example by email or by a prominent notice in the Service, before the change takes effect. The "Last updated" date at the top tells you when this version was published. Previous versions are available on request.
If you have any question, request or complaint regarding this Privacy Policy or our processing of your personal data, please contact:
Our Data Protection Officer is here to help.