Privacy Notice — Obvis customers
Purpose of this notice
This notice explains how Obvis Limited collects, holds, and uses personal data about individuals in the context of its software products and professional services — including software sales, licences, technical support, and training. It applies to you if you are:
- an employee, contractor, or representative of an organisation that purchases or uses Archie-M or reveal4d software;
- a named contact for purchasing, invoicing, licence registration, or renewals;
- an IT contact or system administrator at a customer organisation responsible for deploying, managing, or administering Archie-M or reveal4d on behalf of your organisation;
- someone who has contacted Obvis for technical support or raised a bug report or feature request;
- someone who has registered for, attended, or been invoiced for an Obvis training course, CPD event, or structured course;
- someone whose contact details were exchanged at a conference, exhibition, or CPD event for follow-up; or
- someone who has received direct email from Obvis about training courses or software updates on the basis of a prior support or sales relationship.
This notice does not cover website visitors or mailing list subscribers — those are covered by our separate website privacy notice.
Obvis Limited — Customer Privacy Notice
Who we are
We are Obvis Limited, a company registered in England and Wales under company number 03944400, with our registered address at Melrose House, Pynes Hill, Rydon Lane, Exeter, EX2 5AZ.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Obvis Limited is the data controller for the personal data described in this notice.
Any questions about this notice or our data practices should be directed to: privacy@obvis.com.
What personal data we collect and how
Contact and organisational details
When you or your organisation engages with us — whether by email, telephone, web enquiry, conference, or other means — we may collect your name, job title, organisation name and address, email address, and telephone number. These contact records are held in Airtable (our customer relationship and sales database).
Licence and account records
When a licence for Archie-M or reveal4d is purchased, we record details of the licence holder organisation and named contacts. This may include contact name, email address, and licence entitlement details.
Support correspondence
When you contact us for technical support — by email, via our HelpScout support desk, or by telephone — we collect the content of your communications, your name and contact details, and a record of the support case, including any bug reports, diagnostic information, or feature requests you provide.
Training records
When you register for an Obvis training course or CPD event, we collect your name, email address, and organisational details. If your employer pays for the course, we may also hold invoicing details. We retain a record of training attendance and, where applicable, completion.
Conference and event contacts
Where we meet you at a conference, exhibition, or CPD event and you provide your contact details for follow-up, we record those details (typically name, organisation, email address, and the context in which we met).
Invoice and financial records
Where Obvis issues an invoice to your organisation, we hold records of the transaction, including contact details for the relevant individual at your organisation for invoicing purposes.
Why we collect it and our legal basis
| Purpose | Lawful basis |
|---|---|
| Deliver software licences, manage entitlements, process licence renewals | Contract (or steps taken at the request of the individual prior to entering a contract) |
| Provide technical support in response to enquiries | Contract |
| Retain support history to deliver consistent and effective support | Legitimate interest |
| Maintain a record of past contacts and interactions with customers and users | Legitimate interest — effective customer relationship management, enabling us to provide continuity of service and relevant follow-up |
| Register for and deliver training courses | Contract |
| Issue and retain invoices and financial records | Legal obligation (Companies Act / HMRC record-keeping requirements) |
| Send direct emails about upcoming Archie-M or reveal4d training courses to individuals with whom we have an existing support or sales relationship | Legitimate interest / PECR soft opt-in (see note below) |
| Follow up with conference or event contacts about products or services relevant to their interests | Legitimate interest |
PECR soft opt-in — training notifications by email
Training course announcements are sent directly from the Obvis sales email address based on a manual review of prior support or sales contact history. PECR Regulation 22 applies to direct marketing by electronic mail regardless of whether bulk mailing software is used.
We rely on the PECR soft opt-in exception (Regulation 22(3)), which applies where:
- Your contact details were obtained in the course of a sale or negotiations for a sale of a product or service;
- The marketing relates to similar products or services — training for Archie-M or reveal4d to someone who has used or enquired about those products qualifies; and
- You were given a clear opportunity to opt out at the time of collection and in each subsequent message.
For direct one-to-one emails, a reply asking to stop receiving such communications is sufficient as an opt-out. We will honour all opt-out requests promptly and record them to ensure you are not contacted again.
Note: The Archie-M mailing list is entirely separate from this direct email process and is not used for training notifications.
Sharing your data with third parties
Bill Harvey Associates Ltd.
Obvis Ltd. works closely with Bill Harvey Associates Ltd. (https://www.billharveyassociates.com). Bill Harvey Associates Ltd. acts as a data processor for Obvis Ltd., providing software development, infrastructure management, and support services, and therefore processes personal data on our behalf. This relationship is governed by a written data processing agreement in accordance with Article 28 of the UK GDPR.
Third party processors
We use third party services to support our operations, including for support ticket management, licence management, and financial record-keeping. In UK GDPR terms, these are data processors acting on our behalf, governed by written data processing agreements.
Law enforcement and legal obligations
We may disclose your data where we are legally required to do so, or to prevent or detect fraud or crime.
Transfers of personal data outside the UK
Some of our third party processors are located outside the UK. Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place under UK GDPR:
- EEA and adequacy-covered countries: no additional safeguards required.
- USA and other third countries: we rely on appropriate UK transfer mechanisms, including the UK International Data Transfer Agreement (IDTA), the UK Addendum to EU Standard Contractual Clauses, or (for legacy contracts entered before September 2022) the EU Standard Contractual Clauses as continued in UK law under transitional provisions.
The following processors involve transfers outside the UK:
| Processor | Location | Transfer basis |
|---|---|---|
| Concept Software, Inc. (dba SoftwareKey.com) | USA | 2010 EU SCCs Module 2 (controller–processor) — valid under ICO transitional provisions; TRA completed April 2026 |
| HelpScout (Help Scout Inc.) | USA | EU SCCs Module 2 + UK International Data Transfer Addendum (Annex C of HelpScout DPA v1.5, Oct 2022 — auto-incorporated into ToS, no execution required) |
| Xero Limited (Obvis account) | EU (primary for UK customers) | UK Addendum to EU SCCs Module 2 (auto-incorporated into ToS, effective 14 Apr 2025) |
| Airtable, Inc. | USA | UK SCCs (IDTA/UK Addendum) via Airtable online DPA form (DPA v2025-12-05, signed 2026-04-22; BHAL signatory, processing Obvis data under it) |
| Stripe Payments Europe, Limited / Stripe, LLC | USA | UK Extension to EU-U.S. DPF (Stripe, LLC; HR + Non-HR Data; verified 28 Apr 2026); UK IDTA fallback (DTA s.5); DPA counterparty: SPEL (DPA v18 Nov 2025, auto-incorporated) |
| Process Street, Inc. | USA | UK Extension to EU-U.S. DPF (Non-HR Data; verified 2026-04-28). Operative mechanism for Archie-M order data (customer names, emails, PO details). |
| Celonis SE (Make.com) | EU (EEA-hosted) | No transfer — EU zone; UK → EEA is adequate. |
How long we keep your data
- Invoice and financial records: at least six years after the end of the relevant financial year, as required by HMRC. Invoice records in our accounting system form part of our accounting archive and cannot be individually deleted — they are retained for the life of our accounting system account. Where invoices are addressed to an organisation rather than an individual, we will minimise the personal data held in contact records where possible.
- Archie-M licence records and associated support correspondence: retained for 20 years from the date of the last structural assessment in which the licensed software version was used. Archie-M is used for the structural assessment of masonry bridges and similar infrastructure. The 20-year period reflects the longest applicable UK limitation period for negligence claims (the long negative prescription under the Prescription and Limitation (Scotland) Act 1973, applicable to Scottish customers including public authorities), and covers our professional indemnity obligations. Licence records and related support correspondence form part of our PI defence record and cannot be separated from the technical record. The right to erasure under Article 17(3)(b) UK GDPR does not apply to this category because retention is necessary for the establishment, exercise, or defence of legal claims. Note: this period may be extended if required by our professional indemnity insurer.
- Customer contact records (Airtable — sales and contact database): approximately seven years from the date of last contact (2557 days — covers six years from the end of our 31 March financial year in the worst case). We do not apply a shorter period for contacts where no transaction arose; the volume is low and the operational overhead of differential retention is disproportionate.
-
reveal4d and general support correspondence (HelpScout — Archie Sales and Reveal 4D Support inboxes): approximately seven years from the date of your last reply to us (2557 days, applied automatically via HelpScout). This covers six years from the end of our financial year in the worst case. We do not apply a shorter period for contacts where no transaction arose.
-
Training and event records: six years from the date of the event, covering HMRC invoice retention requirements and the contract limitation period.
- Conference and event contacts where no subsequent transaction arises: two years from the event date.
Your rights
Under UK GDPR you have rights in relation to your personal data, including the right to:
- access a copy of the personal data we hold about you;
- rectify inaccurate personal data;
- erase your personal data in certain circumstances;
- restrict processing of your personal data in certain circumstances;
- object to processing based on legitimate interest;
- data portability in certain circumstances; and
- complain to the Information Commissioner's Office (ico.org.uk) if you believe we are not handling your personal data in accordance with the law.
To exercise any of these rights, or for any other enquiry about our data practices, please contact us at privacy@obvis.com or write to Obvis Limited, Melrose House, Pynes Hill, Rydon Lane, Exeter, EX2 5AZ. We will respond within one calendar month.
Changes to this notice
We may update this notice from time to time. When we do, we will update the date below and, where the changes are material, notify affected individuals directly.
This notice was last updated on 2026-04-30.
This version published: 2026-04-30 (source commit 7361e474526b71c589c978c652bc29d90db6bf30)