Legal

Privacy

Cuan is built EU-first and GDPR-aligned. This summary explains, in plain terms, how personal data flows through the platform.

Last updated June 2026

Who is the controller?

For the owner, resident, director and contractor data inside a workspace, the managing agency (or the OMC) is the data controller. Cuan acts as the data processor on the agency's instructions, under a Data Processing Agreement signed at onboarding. See our DPA summary.

Where data is hosted

All hosting and subprocessors are EU-based — including our database, email and AI providers. Personal data is not transferred outside the EEA in normal operation.

Sensitive data

Arrears information and any “vulnerable” flags are treated as elevated-sensitivity data, with stricter access controls and full audit logging. Directors see arrears in aggregate by default — never neighbour-by-neighbour — unless a board explicitly configures otherwise for legal action.

Your rights

Access, rectification and portability — structured export is available at any time.
Erasure — honoured except where financial records must be retained under Irish statutory obligations, with the legal basis documented.
Objection and restriction, in line with GDPR.

Audit trail

Every write action is recorded in an immutable audit log (actor, action, object, before and after, IP, timestamp) retained for at least seven years. Cuan support access is visibly bannered and logged.

For more on our technical and organisational measures, see the Security & GDPR page.

This page is a plain-language summary published during Cuan's founding build. The definitive agreement is the signed contract and Data Processing Agreement provided during onboarding. Questions? Email hello@cuan.ie.