HUDU Limited

Data Processing Agreement

Version 0.1  |  Applies to all licence types  |  March 2026 

BETA PLATFORM — This Data Processing Agreement applies to HUDU.vu during its Beta testing phase. The Platform is experimental and under active development. Data practices and technical arrangements described here reflect our current Beta operation and may evolve as the Platform develops, with appropriate notice to users. 

Legal Framework — Three Separate Instruments

Your use of the Platform is governed by three separate legal documents, each of which requires independent acceptance: 

  • The End User Licence Agreement ("EULA"), which governs your licence to use the Platform, your permitted and prohibited conduct, usage allowances, payment terms, liability, and intellectual property. 

  • The Privacy Policy ("Privacy Policy"), which explains how HUDU Limited collects, uses, stores, and shares your personal data as data controller in connection with your account and use of the Platform. 

  • This Data Processing Agreement ("DPA"), which governs the processing of personal data relating to third parties that may be contained in documents you upload to the Platform, and under which HUDU Limited acts as data processor on your behalf as data controller. 

Each document must be accepted independently during registration or first login. Acceptance of this DPA does not constitute acceptance of the EULA or the Privacy Policy. Acceptance of any one document does not constitute acceptance of either of the others. All three documents are published in full at www.hudu.vu

In the event of conflict between these documents: this DPA takes precedence on all matters relating to the processing of third-party personal data contained in uploaded documents; the Privacy Policy takes precedence on all matters relating to the processing of your own personal data as a user of the Platform; and the EULA governs on all other matters. 

IMPORTANT: Please read all three documents carefully before using HUDU.vu. By accepting this DPA during registration or first login, you confirm that you have read and understood it independently of the EULA and Privacy Policy. If you do not agree to this DPA, you must not upload any document containing personal data relating to third parties.

IMPORTANT: By uploading any document to the Platform, you confirm that you are the data controller in respect of any personal data it contains, that you have a lawful basis for sharing that personal data with HUDU as processor, and that doing so does not breach any confidentiality obligation or applicable law. If you are not certain of your authority to upload a document, do not upload it. 

1.  Definitions

1.1  "Controller" means the User — the individual or organisation who determines the purposes and means of processing personal data uploaded to or generated on the Platform. 

1.2  "Processor" means HUDU Limited, acting on the Controller's instructions in processing personal data through the Platform. 

1.3  "Personal Data", "Data Subject", "Processing", "Supervisory Authority", and "Special Categories of Personal Data" have the meanings given in the UK GDPR. 

1.4  "Platform Data" means personal data contained in documents uploaded by the User, account and registration data, usage and interaction data, and chat interaction data, as further described in Schedule 1. 

1.5  "Sub-processor" means any third party engaged by HUDU to process Platform Data on HUDU's behalf, as listed in Schedule 2. 

1.6  "Security Incident" means any confirmed or reasonably suspected unauthorised access to, disclosure of, alteration of, or destruction of Platform Data. 

2.  Roles and Responsibilities

2.1  The parties acknowledge that in respect of personal data contained in documents uploaded by the User and processed through the Platform, the User acts as Controller and HUDU acts as Processor. 

2.2  In respect of personal data relating to the User's own account and registration (such as the User's name, email address, and job title), HUDU acts as independent Controller under its Privacy Policy. This DPA does not govern that processing. 

2.3  The Controller is solely responsible for: (a) ensuring it has a lawful basis under UK GDPR Article 6 (and Article 9 where applicable) for sharing personal data with HUDU; (b) ensuring the accuracy, adequacy, and relevance of personal data uploaded; (c) complying with its own obligations as Controller, including provision of appropriate privacy notices to data subjects; and (d) ensuring it does not upload Special Categories of Personal Data (as defined in UK GDPR Article 9) without explicit prior written agreement with HUDU. 

2.4  The Controller warrants that it has full authority to instruct HUDU to process Platform Data in accordance with this DPA, and that such processing does not breach any confidentiality obligation, third-party intellectual property right, or applicable law. 

3.  HUDU's Obligations as Processor

HUDU agrees to: 

3.1  Process Platform Data only on documented instructions from the Controller, which are set out in this DPA, the EULA, and the Privacy Policy. HUDU will inform the Controller if it believes any instruction infringes UK GDPR or other applicable law. 

3.2  Ensure that personnel authorised to process Platform Data are subject to binding obligations of confidentiality. 

3.3  Implement and maintain appropriate technical and organisational security measures in accordance with clause 6 of this DPA. 

3.4  Engage Sub-processors only in accordance with clause 5 of this DPA. 

3.5  Assist the Controller, insofar as reasonably practicable and proportionate to the nature of processing, in responding to Data Subject requests to exercise rights under UK GDPR (access, rectification, erasure, restriction, portability, objection). The Controller remains responsible for responding to such requests within statutory timeframes. 

3.6  Assist the Controller in meeting its obligations under UK GDPR Articles 32 to 36, including in relation to security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation with the Information Commissioner's Office (ICO). 

3.7  On termination or expiry of the User's licence, delete or return Platform Data in accordance with clause 8 of this DPA and clause 6 of the EULA. 

3.8  Make available to the Controller such information as is reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to reasonable audits or inspections, subject to HUDU's confidentiality obligations to other users and third parties. 

4.  Controller's Instructions

4.1  The Controller's instructions to HUDU are set out in this DPA. The primary instruction is: process Platform Data to provide the Platform services under the User's licence, as described in the EULA and Privacy Policy. 

4.2  The Controller may issue further documented instructions by written notice to privacy@hudu.uk. HUDU will comply unless doing so would require processing beyond the scope of this DPA, infringe UK GDPR, or impose disproportionate operational burden, in which case HUDU will notify the Controller before proceeding. 

4.3  HUDU may process Platform Data beyond the Controller's instructions only where required to do so by UK law, in which case HUDU will notify the Controller of that legal requirement before processing, unless the law prohibits such notification. 

5.  Sub-processors

5.1  The Controller grants HUDU general written authorisation to engage Sub-processors to assist in delivering the Platform services. Current Sub-processors are listed in Schedule 2. 

5.2  HUDU will notify the Controller of any intended changes to Sub-processors (additions or replacements) by updating Schedule 2 and publishing the updated list at www.hudu.vu with at least 14 days' notice before the change takes effect. The Controller may object to a new Sub-processor on reasonable data protection grounds by written notice to privacy@hudu.uk within 14 days of notification. If the Controller objects and HUDU cannot accommodate that objection, the Controller may terminate its licence on written notice, and HUDU will refund any prepaid fees for the unused portion of the licence period. 

5.3  HUDU will impose data protection obligations on each Sub-processor equivalent to those in this DPA, by way of a written contract. HUDU remains fully liable to the Controller for the performance of each Sub-processor's obligations. 

5.4  Where a User configures an alternative AI provider for Know How agent use (as described in EULA clause 6.3 and Privacy Policy clause 6.4), that provider is not a Sub-processor of HUDU. The User assumes full responsibility for that choice, including compliance with UK GDPR requirements for any international data transfer involved. 

6.  Security

6.1  HUDU will implement and maintain appropriate technical and organisational measures to protect Platform Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include: 

  • encryption of Platform Data in transit and at rest; 

  • access controls restricting Platform Data to authorised personnel and systems; 

  • secure deletion processes applied on termination and in response to erasure requests; 

  • monitoring and logging of access to Platform Data; and 

  • internal information security policies applicable to personnel who process Platform Data. 

6.2  During the Beta phase, security measures are subject to ongoing development and refinement. HUDU does not warrant that the Platform meets any specific security standard or certification during Beta. HUDU will progress towards recognised security certification as the Platform matures towards general availability. 

6.3  The Controller is responsible for the security of its own systems, devices, and credentials used to access the Platform. 

7.  Personal Data Breaches

7.1  HUDU will notify the Controller without undue delay upon becoming aware of a Security Incident affecting Platform Data. Notification will include, to the extent then known: (a) a description of the nature of the Security Incident; (b) the categories and approximate volume of Platform Data and data subjects affected; (c) the name and contact details of HUDU's data protection contact; (d) the likely consequences of the Security Incident; and (e) measures taken or proposed to address the incident and mitigate its effects. 

7.2  Where full information is not available at the time of initial notification, HUDU will provide information in phases as it becomes available. 

7.3  The Controller is responsible for determining whether the Security Incident constitutes a personal data breach requiring notification to the ICO under UK GDPR Article 33 and/or to affected data subjects under Article 34. HUDU will reasonably assist the Controller in making that assessment. 

7.4  Notification by HUDU under this clause does not constitute an acknowledgement of fault or liability. 

8.  Retention and Deletion

8.1  HUDU will retain Platform Data for the periods specified in the Privacy Policy (v0.2, clause 8.3) and the EULA (clause 6.5). In summary: 

  • Document embeddings: deleted within 30 days of written request (extendable to 90 days for technically complex erasure, with notice to the Controller within 30 days). Separately, embeddings will be deleted within 100 days of 3 consecutive months of account inactivity. 

  • Account data: retained for the licence duration plus a reasonable period required by law (typically up to 6 years under the Limitation Act 1980). 

  • Interaction and usage data: up to 24 months from collection. 

  • Project data: for the Project Licence duration and a reasonable period thereafter. 

8.2  On termination or expiry of a licence, HUDU will delete the Controller's Platform Data in accordance with the timelines above, unless retention is required by applicable law. 

8.3  HUDU does not store copies of original uploaded documents beyond what is technically required for processing. Original documents are not retained as source files on HUDU's systems once processing is complete. 

8.4  The Controller may request deletion of embeddings at any time by contacting privacy@hudu.uk. 

9.  International Data Transfers

9.1  HUDU aims to process Platform Data within the UK, EU, or EEA. Where processing occurs in a country outside the UK that does not benefit from an adequacy decision, HUDU will ensure that appropriate transfer safeguards are in place in accordance with UK GDPR Chapter V, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses. 

9.2  During the Beta phase, specific infrastructure arrangements may evolve. HUDU will maintain and publish an up-to-date list of Sub-processors and their data locations at www.hudu.vu

9.3  Where the Controller configures a user-selected AI provider under EULA clause 6.3, any international transfer of Platform Data to that provider is the Controller's sole responsibility. HUDU does not act as Processor in respect of data transmitted to a user-configured provider. 

10.  Prohibition on Special Category Data

10.1  The Platform is designed for the review of construction and engineering documentation. It is not designed or intended for the systematic processing of Special Categories of Personal Data as defined in UK GDPR Article 9 (including health data, biometric data, trade union membership, criminal records, and related categories). 

10.2  The Controller must not upload documents whose primary content constitutes Special Category Data without prior written agreement with HUDU. Written agreement must be obtained from privacy@hudu.uk before any such upload. 

10.3  Construction and engineering documents may incidentally contain references to individuals (such as accident reports referencing health data, or personnel records). The Controller is responsible for assessing whether any such content constitutes Special Category Data and for obtaining the appropriate lawful basis under UK GDPR Article 9 before uploading. 

10.4  HUDU accepts no liability for any consequence arising from the Controller's upload of Special Category Data in breach of this clause. 

11.  AI Processing — Specific Commitments

11.1  HUDU will not use Platform Data (including uploaded documents or derived embeddings) to train any AI or machine learning model, whether operated by HUDU or any third-party provider. 

11.2  HUDU will not share Platform Data with any AI provider for training, fine-tuning, or model development purposes. 

11.3  HUDU does not transmit full copies of original uploaded documents to any external AI provider. Only relevant text fragments are transmitted for the purpose of AI analysis, as described in the EULA clause 6 and Privacy Policy clause 2.3. 

11.4  HUDU may review chat interaction data internally to improve its own AI agents and prompt frameworks, on the basis of its legitimate interests as described in the Privacy Policy clause 5.1. The Controller (and individual users) may object to this processing at any time by contacting privacy@hudu.uk. 

12.  Data Subject Rights

12.1  Where HUDU receives a request directly from a data subject exercising rights under UK GDPR (such as a right of access, erasure, or restriction), HUDU will, without undue delay, notify the Controller and provide such assistance as is reasonably practicable. 

12.2  The Controller remains solely responsible for responding to data subject requests within UK GDPR timeframes. HUDU's role is to assist, not to respond on the Controller's behalf. 

12.3  Where a data subject's request relates to personal data for which HUDU acts as independent Controller (such as account data), HUDU will handle that request directly under its Privacy Policy. 

13.  Audit Rights

13.1  The Controller may request information from HUDU to verify compliance with this DPA. Requests should be submitted to privacy@hudu.uk with reasonable advance notice. 

13.2  HUDU will respond to reasonable information requests within 30 days. Where an on-site audit is requested, HUDU may require the Controller to meet reasonable costs and to give at least 30 days' notice. HUDU may decline to provide information that would reveal confidential information about other users or third parties, or that would compromise HUDU's own security. 

13.3  The Controller agrees to exercise audit rights in a manner that does not disproportionately disrupt HUDU's operations or those of other users. 

14.  Term and Termination

14.1  This DPA applies for the duration of the Controller's licence (including any trial period) and terminates automatically on permanent deletion of Platform Data in accordance with clause 8. 

14.2  Termination of the EULA for any reason automatically terminates this DPA, subject to any survival provisions. Clauses 7 (breach notification), 8 (retention and deletion), 10 (special category data prohibition), and 11 (AI commitments) survive termination. 

15.  Liability

15.1  Each party's liability under this DPA is subject to the limitations set out in the EULA clause 9, save that nothing in this DPA or the EULA limits either party's liability under Article 82 UK GDPR or for any other liability that cannot be excluded or limited by applicable law. 

15.2  The Controller indemnifies HUDU against any claims, fines, costs, or losses incurred by HUDU arising from the Controller's breach of this DPA, including (without limitation) the upload of personal data without lawful basis, the upload of Special Category Data in breach of clause 10, or any failure to comply with the Controller's own obligations under UK GDPR. 

16.  Governing Law

16.1  This DPA is governed by the laws of England and Wales. Any disputes are subject to the exclusive jurisdiction of the courts of England and Wales, subject to the dispute resolution process set out in the EULA clause 13. 

17.  Contact and Notices

17.1  All data protection enquiries, objections, and requests under this DPA should be directed to: 

Email

privacy@hudu.uk 

Website

www.hudu.vu 

Post

HUDU Limited, Parkhill Studio, Walton Road, Wetherby, LS22 5DZ 

Schedule 1 — Processing Particulars 

The following particulars are provided in accordance with Article 28(3) UK GDPR. 

Processing Detail

Particulars

Subject matter

AI-assisted document analysis, embeddings generation, OCR, insight provision, Know How processing, and related platform operations as described in the EULA and Privacy Policy. 

Duration

For the duration of the User's licence (including any trial period) plus any retention period specified in the Privacy Policy or required by law. 

Nature of processing

Collection, storage, structuring, analysis, retrieval, transmission to AI sub-processors, and deletion of personal data contained in uploaded documents and user interactions. 

Purpose of processing

To provide the HUDU.vu platform services under the User's licence, including document review, AI-generated insights, Know How processing, and collaboration features. 

Types of personal data

Names, contact details, job titles, and professional information of individuals referenced in uploaded documents; account and registration data; usage and interaction data; content of chat interactions; project participation data. Special category data must not be uploaded (see clause 5). 

Categories of data subjects

Users; members of the User's organisation; third parties referenced in uploaded documents (such as project team members, client contacts, subcontractor personnel, and other individuals named in construction and engineering documentation). 

Schedule 2 — Approved Sub-processors 

The following Sub-processors are approved as at the effective date of this DPA. HUDU will notify the Controller of any changes in accordance with clause 5.2. The current list is always available at www.hudu.vu

Sub-processor

Data Location

Processing Activity

Mistral AI (default AI provider)

EU / EEA 

AI model inference for Know How responses and AI-assisted analysis. Data transmitted as text fragments only; no full documents transmitted. 

Cloud infrastructure provider(s)

UK / EU / EEA (target) 

Platform hosting, data storage, and compute infrastructure. Operated under appropriate DPAs. 

Payment processor

Subject to processor's own policy 

Payment card processing for licence fees and top-ups. HUDU does not store full card details. 

OCR / document processing services

UK / EU / EEA (target) 

Optical character recognition and document conversion services where applicable. 

Beta notice: During the Beta phase, infrastructure and AI provider arrangements may evolve as the Platform develops. HUDU will update this Schedule and provide notice as required by clause 5.2 when any change is made. 

Schedule 3 — User Acknowledgement 

The following acknowledgement is presented to each User on first login or registration and must be accepted before the Platform can be accessed. Acceptance is logged by HUDU with a timestamp and the User's email address. 

HUDU.vu — Platform Access Agreements

Step 1 of 3 — End User Licence Agreement

Please read the End User Licence Agreement (EULA v0.2) published at www.hudu.vu before proceeding. By clicking "I Accept the EULA" below, I confirm that: 

  1. I have read and understood the HUDU End User Licence Agreement (EULA v0.2) in full. 

  1. I agree to be bound by its terms, including the permitted and prohibited use provisions, usage allowances, payment terms, and limitation of liability. 

  1. I am at least 18 years of age, I am acting in a professional or business capacity and not as a consumer, and where I am accepting on behalf of an organisation I have authority to bind that organisation to the EULA. 

  1. I understand that the EULA is one of three separate legal documents governing my use of the Platform, and that accepting it does not constitute acceptance of the Privacy Policy or the Data Processing Agreement. 

[ I Accept the EULA ] [ I Do Not Accept — Exit ] 

Acceptance of the EULA is required to proceed. Your acceptance will be recorded with a timestamp, your email address, and the document version accepted.

Step 2 of 3 — Privacy Policy

Please read the Privacy Policy (v0.2) published at www.hudu.vu before proceeding. By clicking "I Accept the Privacy Policy" below, I confirm that: 

  1. I have read and understood the HUDU Privacy Policy (v0.2) in full. 

  1. I understand how HUDU Limited collects, uses, stores, and shares my personal data as data controller in connection with my account and use of the Platform. 

  1. I understand my rights under UK GDPR and the Data Protection Act 2018 as described in the Privacy Policy, including my right to object to certain processing and my right to contact privacy@hudu.uk at any time. 

  1. I understand that the Privacy Policy is one of three separate legal documents governing my use of the Platform, and that accepting it does not constitute acceptance of the EULA or the Data Processing Agreement. 

[ I Accept the Privacy Policy ] [ I Do Not Accept — Exit ] 

Acceptance of the Privacy Policy is required to proceed. Your acceptance will be recorded with a timestamp, your email address, and the document version accepted.

Step 3 of 3 — Data Processing Agreement

Please read the Data Processing Agreement (DPA v0.1) published at www.hudu.vu  before proceeding. By clicking "I Accept the DPA" below, I confirm that: 

  1. I have read and understood the HUDU Data Processing Agreement (DPA v0.1) in full. 

  1. I understand that where I upload documents containing personal data relating to third parties, I act as data controller and HUDU Limited acts as data processor in respect of that personal data, on the terms set out in the DPA. 

  1. I have, or will have at the point of upload, a lawful basis under UK GDPR (or applicable data protection law) to share any third-party personal data with HUDU as a third-party AI-powered processor. 

  1. I will not upload Special Categories of Personal Data (as defined in UK GDPR Article 9) without prior written agreement from HUDU at privacy@hudu.uk

  1. Where I am accepting this agreement on behalf of an organisation, I have authority to bind that organisation to the DPA. 

  1. I understand that uploading documents I do not have authority to share is a breach of the EULA and may constitute a breach of UK GDPR for which I and my organisation bear sole responsibility. 

  1. I understand that the DPA is one of three separate legal documents governing my use of the Platform, and that accepting it does not constitute acceptance of the EULA or the Privacy Policy. 

[ I Accept the DPA ] [ I Do Not Accept — Exit ] 

Acceptance of the DPA is required to proceed. Your acceptance will be recorded with a timestamp, your email address, and the document version accepted.

All three acceptances are required before you may access the HUDU.vu platform. Each acceptance is recorded independently. If you do not accept all three documents, you will not be granted access. Accepted documents and version numbers are available to review at any time at www.hudu.vu.

HUDU will log the following data at the point of acceptance: User email address, timestamp of acceptance (UTC), IP address, document version accepted (DPA v1.0, EULA v0.2, Privacy Policy v0.2), and platform version. This log constitutes the record of consent and contractual acceptance for audit purposes.

Executed on behalf of HUDU Limited 

Signed: 

Name: Matt Douglas 

Title: Director, HUDU Limited 

Date: March 2026 

Company No: 15583356 

Registered in England and Wales 

Parkhill Studio, Walton Road 

Wetherby, LS22 5DZ 

privacy@hudu.uk 

This agreement is executed by digital acceptance (Schedule 3) or by signature above for organisational users requiring a countersigned copy. Both forms of execution are equally binding.