Legal

Privacy Policy

ArchAdemia for Studios · Last updated: February 2026

This Privacy Policy explains how ArchAdemia Ltd (“we”, “us”, “our”) collects, uses, discloses, and safeguards your personal data when you access or use ArchAdemia for Studios (the “Service”). This policy applies to all users of the Service, including practice administrators, team members, and any individuals whose data is processed through the Service.

This policy is intended for UK/EU users; if you are in another jurisdiction, additional rights may apply.

1. Data Controller

ArchAdemia Ltd, company no. 13602105, registered address Independence House, 6 Tapton Way, Liverpool, Merseyside, United Kingdom, L13 1DA, is the data controller for the purposes of the UK GDPR / UK Data Protection Act 2018 and applicable EU data protection laws.

2. What Information We Collect

2.1 Account and Registration Data

Name, email address, username, password, billing information, country of residence, payment method details (but not full card numbers), practice/company name, company registration number (if provided), and role within the practice.

2.2 Subscription and Entitlement Data

Subscription status (e.g., trial, annual), seat count, renewal dates, cancellation status, feature entitlements, AI Credit balances and usage history, and pricing tier.

2.3 Practice and Team Data

Team member names, email addresses, roles, permissions, time tracking entries, assigned courses, training progress, and CPD records. For practice administrators: staff capacity, utilisation data, and onboarding checklists.

2.4 Project Data

Project names, descriptions, RIBA stage information, milestone dates, fee structures, consultant details, client names and contact details (as entered by you), project progress data, and any documents or notes you upload.

2.5 Financial Data

This is a critical section given the nature of the Service.

a) Data you enter manually: Invoice details, fee proposals, project budgets, expense records, and cash flow forecasts that you create within the platform.

b) Data retrieved via Open Banking (TrueLayer): If you choose to connect your bank account, we retrieve the following data via TrueLayer (our authorised Open Banking provider, regulated by the FCA):

Bank account names, types, and identifiers
Account balances (current and available)
Transaction history (dates, amounts, descriptions, merchant names)
Account holder identity information

This data is retrieved only with your explicit consent, obtained through the Open Banking authorisation flow where you authenticate directly with your bank. You can disconnect your bank at any time.

c) Data retrieved via accounting software (Xero / QuickBooks): If you choose to connect your Xero or QuickBooks account, we retrieve:

Invoice data (numbers, amounts, dates, payment status)
Client/contact names and details
Expense and bill records
Payment records

This data is retrieved only with your explicit consent via the relevant provider's OAuth authorisation flow. You can disconnect at any time.

d) Derived financial data: We calculate and store derived financial metrics including: monthly burn rate, runway estimates, cash flow forecasts, overdue invoice summaries, and business health scores. These are generated from the data sources above.

2.6 Usage Data

Date/time of access, login history, feature usage, IP address, device information, browser and network data.

2.7 User Content

Any content you post via the Drawing Board (projects, comments, messages), documents you upload, and notes you create.

2.8 AI Tool Interaction Data (Including CORB)

Data related to your use of CORB or other AI tools: inputs you provide, outputs generated, usage metrics, and AI Credit consumption. Your AI prompts may include text you type, questions you ask, and any context you choose to provide.

2.9 Communications Data

Correspondence with us (via email, in-app messages), support requests.

2.10 Marketing and Preferences

Your communication preferences, marketing consent, newsletter subscription.

2.11 Cookies and Similar Technologies

We use cookies and tracking technologies to analyse usage, personalise your experience and for analytics. See our Cookie Policy for details.

3. Purposes and Legal Bases for Processing

We process your personal and business data for the following purposes:

Purpose	Legal Basis
Register and administer your account and practice	Performance of contract
Provide the Service (projects, finance tools, training, AI tools, Drawing Board)	Performance of contract
Retrieve and process bank data via Open Banking (TrueLayer)	Consent (you explicitly authorise each bank connection)
Retrieve and process accounting data via Xero/QuickBooks	Consent (you explicitly authorise each connection)
Calculate financial metrics (runway, burn rate, business health)	Performance of contract / Legitimate interest
Generate financial alerts and notifications	Performance of contract
Process billing, payments and subscriptions	Performance of contract
Administer free trials, renewals, and entitlements	Performance of contract
Provide team management, time tracking, and capacity planning	Performance of contract
Track training progress and CPD hours for your team	Performance of contract
Monitor, analyse and improve the Service	Legitimate interest
Send service-related notices, updates and administrative messages	Performance of contract / Legitimate interest
Send marketing communications (where consented)	Consent
Personalise your experience and recommend content	Legitimate interest
Detect and prevent fraud, unauthorised access or misuse	Legitimate interest
Enable user-to-user interactions on the Drawing Board	Legitimate interest
Process your interactions with CORB and other AI tools	Performance of contract / Legitimate interest

4. Financial Data — Additional Safeguards

Given the sensitivity of financial data, we apply the following additional safeguards:

4.1 Open Banking (TrueLayer)

TrueLayer is authorised and regulated by the Financial Conduct Authority (FCA) as an Account Information Service Provider (AISP).
We never see or store your bank login credentials. Authentication happens directly between you and your bank via TrueLayer's secure interface.
We access your bank data in read-only mode. We cannot move money, make payments, or alter your bank account in any way.
Access tokens are encrypted at rest and never exposed to the browser or frontend.
You can revoke access at any time from within the Service or directly via your bank.

4.2 Accounting Software (Xero / QuickBooks)

We access your accounting data in read-only mode via the provider's official API.
Authentication uses OAuth 2.0 — we never see or store your Xero or QuickBooks login credentials.
Access tokens are encrypted at rest.
You can disconnect at any time from within the Service, or by revoking access in your Xero/QuickBooks settings.

4.3 Data Matching

We may automatically match bank transactions to invoices from your accounting software to provide payment tracking and project updates. This matching is performed algorithmically on our servers. You can review and correct any matches.

4.4 Data Retention for Financial Data

Bank balances and transactions are retained for as long as your bank connection is active, plus 12 months after disconnection (for historical reporting).
Invoice data is retained for as long as your accounting software connection is active, plus 12 months after disconnection.
Derived financial metrics (snapshots, runway calculations) are retained for the lifetime of your account.
Upon account closure, all financial data is deleted within 90 days, except where retention is required by law (e.g., tax/accounting records).

5. AI Tools (CORB) — Third-Party Processing

5.1 How CORB Works

When you use CORB, your inputs are processed to generate outputs. In the Studios context, CORB may have access to your practice data (projects, financials, team) to provide contextual answers. CORB is designed to answer architecture-related and practice management questions.

5.2 Third-Party Processor (Anthropic)

CORB is powered via an API integration with Anthropic. Your AI input text and resulting output text may be processed by Anthropic for the purpose of providing the AI response.

Anthropic states that, by default, it does not use inputs or outputs from its commercial API products to train its models, unless you explicitly choose to allow it.

5.3 Retention (Anthropic)

Anthropic states that for API users it automatically deletes inputs and outputs within 30 days, except in limited circumstances (e.g., if needed to enforce usage policy, or required by law).

5.4 Important User Guidance

Please do not submit to CORB:

Confidential client information (unless you have lawful basis and permission)
Personal data about third parties without lawful basis
Special category data unless strictly necessary and lawful
Bank account numbers, sort codes, or financial credentials

6. Disclosure and Sharing of Personal Data

We may disclose your personal data to:

Service providers and subcontractors — payment processors (Stripe), hosting providers (Vercel, Supabase), Open Banking provider (TrueLayer), analytics providers — only as necessary and under contractual protections
Accounting software providers — Xero and/or Intuit (QuickBooks) — only the authentication tokens necessary to retrieve your data on your behalf
Other users — via the Drawing Board, in relation to content you have chosen to share
Team members within your practice — practice administrators can view team-level data as configured by your practice's permissions
Legal or regulatory authorities — where required by law or to protect our rights
Third parties — in connection with a business restructuring, sale or merger, subject to appropriate safeguards
In anonymised or aggregated form — which cannot reasonably identify you or your practice

We do not sell your personal data to third parties for their own marketing purposes.

7. Data Processing — Practice Administrators and Team Members

7.1 Practice Administrators

If you are the administrator of a practice account, you act as a data controller for your team members' data within the Service. You are responsible for ensuring you have a lawful basis to provide your team members' data to us (typically employment contract or legitimate interest).

7.2 Team Members

If you are a team member added to a practice account, your practice administrator can view your usage data, time tracking, training progress, and other work-related data within the Service. This is standard for employer-provided workplace tools.

8. International Data Transfers

For EU/EEA residents, ArchAdemia complies with the UK GDPR and, where applicable, the EU GDPR. We maintain appropriate safeguards for international data transfers (Standard Contractual Clauses or equivalent).

Our primary data processors are based in:

United Kingdom (ArchAdemia)
United States (Supabase, Vercel, Anthropic, Stripe, Intuit/QuickBooks)
New Zealand (Xero)

Appropriate transfer mechanisms are in place for each.

9. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes described in this Policy (including the period your account is active) and to comply with legal obligations. Specific retention periods:

Account data: Duration of account plus 12 months
Financial data: See Section 4.4 above
Training/CPD records: Duration of account plus 6 years (to support professional compliance)
AI interaction data: 90 days
Usage/analytics data: 24 months (anonymised thereafter)

When your account is closed, we will delete or anonymise your personal data in accordance with these retention periods.

10. Security

We implement appropriate technical and organisational measures to protect your personal and financial data, including:

Encryption of financial tokens and sensitive data at rest (AES-256)
All data transmitted over HTTPS/TLS
Row-level security on all database tables (users can only access their own data)
Regular security reviews and updates
Access controls and authentication for all API integrations

However, no system is entirely secure, and we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials and for managing team access within your practice.

11. Cookies and Tracking Technologies

We use cookies and similar technologies. You may disable certain cookies through your browser settings, but this may affect your experience of the Service. For further information, see our Cookie Policy.

12. Your Rights

If you are a UK/EU resident, you have the following rights under data protection law:

Right of access to your personal data
Right to rectification of inaccurate data
Right to erasure (“right to be forgotten”) in certain circumstances
Right to restrict or object to processing
Right to data portability
Right to withdraw consent — including consent for Open Banking and accounting software connections — at any time
Right to lodge a complaint with the UK Information Commissioner's Office (ICO) or relevant supervisory authority

To exercise any of these rights, contact us at the details below.

13. Children

The Service is designed for use by architectural professionals and practices. Users must be at least 18 years of age. We do not knowingly collect data from persons under 18.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you by posting the updated policy on the Service and indicating the date of revision. Material changes (particularly relating to financial data processing) will be notified via email. Your continued use of the Service after changes constitutes acceptance of the revised policy.

15. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact:

Data Protection Officer

ArchAdemia Ltd
Email: hello@archademia.com

Independence House
6 Tapton Way
Liverpool, Merseyside
United Kingdom, L13 1DA

Corb

Your specialist architectural assistant

Hi! I'm Corb — here to help with your architectural projects and platform questions. What can I assist you with?