Rubberdesk Privacy & Cookie Policy

Last updated: 24 February 2026

This Privacy Policy explains how Rubberdesk collects, uses, stores and discloses personal information in connection with the Site and our marketplace services.

1. Scope

This policy applies to your use of the Site and services provided through it. Rubberdesk operates internationally and this policy is intended to apply worldwide, subject to local legal requirements.

The Site includes rubberdesk.com, rubberdesk.co.uk, rubberdesk.ie and rubberdesk.com.au (including any subdomains/portals), and any associated mobile applications and APIs.

2. Controllers and contact details

The controller of your personal data depends on the location of the relevant Space (and related services):

For Spaces located in Australia (and services related to those Spaces), the controller is:

Cadigal Rubberdesk Pty Ltd (trading as Rubberdesk Australia)
ABN: 12 636 544 459
Address: Level 24, 9 Castlereagh Street, Sydney, NSW 2000, Australia
Email: [email protected]

For all other Spaces (and all other Site usage), the controller is:

Rubberdesk UK Ltd (company number 12434978)
Registered address: 10 Bloomsbury Way, London, WC1A 2SL, United Kingdom
Email: [email protected]

The domain or subdomain used to access the Site does not change which controller applies; Space location does.

3. Laws we comply with

We aim to comply with privacy and marketing laws that apply to our services in the countries where we operate or target users. In particular:

For processing under Rubberdesk UK Ltd, we comply with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR) to the extent applicable. Where the EU/EEA GDPR applies (for example, if we target individuals in the EU/EEA), we will also comply with GDPR requirements to the extent they apply.
For processing under Cadigal Rubberdesk Pty Ltd, we comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) to the extent applicable.
For users located in California, we comply with the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “CCPA/CPRA”) to the extent applicable. See Section 11B for California-specific rights.
For users located in Canada, we comply with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and applicable provincial privacy legislation (including Quebec’s Act respecting the protection of personal information in the private sector (“Law 25”)) to the extent applicable. See Section 11C for Canada-specific rights.
If other laws apply to our processing in a particular location, we will comply to the extent those laws apply to our activities in that location.

4. Personal information we collect

We may collect personal information including: - contact details (name, business email, phone number) - business information (company name, role) - enquiry details and preferences (location, size, dates, budget) - communications with Rubberdesk and Operators - information provided by Operators (e.g., tour outcomes, pricing updates, transaction status) - CRM identifiers and interaction history (where relevant) - usage and device information (IP address, browser/device type, pages viewed) - cookies and similar tracking identifiers (see Cookies section)

5. How we collect personal information

We collect information: - when you submit an enquiry or otherwise provide information to us - from Operators when they provide updates about enquiries or transactions - automatically when you use the Site (cookies, logs) - from third parties you authorise or that provide services to us (e.g., analytics)

6. How we use personal information

We use personal information to: - operate the marketplace and facilitate enquiries and introductions - respond to enquiries and provide support - improve the Site and services, including analytics and product development - prevent fraud, protect security, and enforce our terms - comply with legal obligations and resolve disputes - send direct marketing to business users where permitted (you can opt out at any time)

UK / Rubberdesk UK Ltd: Where UK GDPR applies, we process personal data on the following legal bases: (a) contract (to take steps at your request and facilitate enquiries/intros); (b) legitimate interests (operating and improving the marketplace, preventing fraud, securing the Site, and business communications), balanced against your rights; (c) legal obligation (compliance and record-keeping); and (d) consent (where required, including certain cookies/marketing).

Australia / Cadigal Rubberdesk Pty Ltd: Where the Privacy Act applies, we collect and use personal information for the purposes described in this policy (primarily to operate the marketplace and facilitate enquiries and introductions), and we will not use it for a secondary purpose unless an exception applies or you consent.

Direct marketing

We may send marketing communications to business users where permitted by law and consistent with our legitimate interests. You can opt out at any time using the unsubscribe link in emails or by contacting us at [email protected]. We do not send marketing where consent is required unless we have that consent.

We share personal information with relevant Operators so they can respond to your enquiry, provide availability/pricing, arrange tours and negotiate a Space Agreement, including sharing your name, business contact details and enquiry requirements.

We may share personal information with: - relevant Operators (to respond to your enquiry and negotiate a Space Agreement) - service providers (hosting, email, analytics, CRM) who process data on our instructions (where applicable) and are required to protect personal information - professional advisers (lawyers, accountants) and regulators where required - purchasers or successors to our business (subject to appropriate safeguards)

8. International transfers

Your information may be processed in countries other than where you are located (including where our service providers operate). Where UK GDPR applies and personal data is transferred outside the UK, we implement appropriate safeguards such as UK adequacy regulations and/or the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses, as applicable. Where the Australian Privacy Act applies, we take reasonable steps to ensure overseas recipients handle personal information in accordance with the Australian Privacy Principles.

9. Data retention

We retain personal information for as long as necessary for the purposes described in this policy, including to manage enquiries, comply with legal obligations, and resolve disputes, and then securely delete or de-identify it. We typically retain enquiry and transaction records for up to 7 years to support audit, dispute resolution, fraud prevention and legal compliance, unless a longer period is required or a shorter period is appropriate.

10. Security

We take reasonable technical and organisational measures to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure.

10A. Data breach notification

We maintain procedures to detect, assess and respond to personal data breaches. In the event of a personal data breach that meets the applicable notification threshold, we will notify the relevant supervisory authority and affected individuals in accordance with applicable law, including: - the UK GDPR requirement to notify the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of a qualifying breach; - the Australian Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988 (Cth)) requirement to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of eligible data breaches likely to result in serious harm; and - any other applicable data breach notification obligations in jurisdictions where we operate.

11. Your rights and choices

Depending on the Controller and applicable law, you may have rights to access, correct, delete, restrict or object to processing, and to withdraw consent where we rely on consent. You can contact us at [email protected]. We will acknowledge your request promptly and respond within the timeframes required by applicable law, including: - UK GDPR: within one calendar month of receipt (extendable by a further two months for complex requests, with notice); - CCPA/CPRA: within 45 calendar days of receipt (extendable by a further 45 days with notice); and - Australian Privacy Act: within 30 calendar days of receipt.

UK/EU (where applicable): You may also have rights to data portability and to lodge a complaint with a supervisory authority.

Australia: You may request access and correction under the Australian Privacy Principles.

11A. Complaints

If you have a complaint about how we handle personal information, contact us at [email protected] and we will respond within a reasonable time. UK: You may also lodge a complaint with the UK Information Commissioner’s Office (ICO). Australia: You may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

11B. California residents — CCPA/CPRA rights

If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA):

(a) Right to know. You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collecting or selling it, and the categories of third parties with whom we share it.

(b) Right to delete. You have the right to request that we delete personal information we have collected from you, subject to certain exceptions permitted by law.

(c) Right to correct. You have the right to request that we correct inaccurate personal information we maintain about you.

(d) Right to opt-out of sale/sharing. You have the right to opt out of the “sale” or “sharing” of your personal information (as those terms are defined under the CCPA/CPRA). Rubberdesk does not sell personal information in the traditional sense. To the extent that any disclosure of personal information to third parties (such as analytics providers) constitutes a “sale” or “sharing” under the CCPA/CPRA, you may opt out by contacting us at [email protected].

(e) Right to limit use of sensitive personal information. You have the right to limit the use and disclosure of sensitive personal information to purposes permitted by the CCPA/CPRA. Rubberdesk does not collect or use sensitive personal information beyond what is necessary to provide the services described in this policy.

(f) Right to non-discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights, including by denying you services, charging different prices, or providing a different level of service.

To exercise any of these rights, contact us at [email protected]. We will verify your identity before processing your request and will respond within the timeframes required by law.

11C. Canadian residents — PIPEDA and provincial privacy rights

If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation (including Quebec’s Law 25), including:

(a) Consent. We collect, use and disclose your personal information with your knowledge and consent, except where permitted or required by law. You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice, by contacting us at [email protected]. Withdrawal of consent may affect our ability to provide certain services to you.

(b) Access. You have the right to request access to the personal information we hold about you, subject to limited exceptions under PIPEDA.

(c) Correction. You have the right to challenge the accuracy and completeness of your personal information held by us and request correction.

(d) Complaints. If you have a concern about our handling of your personal information, you may contact us at [email protected]. If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada or, where applicable, the relevant provincial privacy commissioner (including the Commission d’accès à l’information du Québec for Quebec residents).

12. Cookies

We use cookies and similar technologies for: (a) Strictly necessary cookies (to operate the Site and security); (b) Functional cookies (preferences); (c) Analytics cookies (understanding usage and improving performance); and (d) Marketing cookies (where used, to measure campaigns and deliver relevant ads).

Where required by law, we will ask for your consent before placing non-essential cookies and you may withdraw or change your preferences at any time using the cookie settings tool on the Site (where available) or your browser settings. Third-party providers (such as analytics and advertising partners) may set cookies or use similar technologies when you use the Site. Consent requirements for cookies vary by location; we will seek consent where required and honour applicable opt-out mechanisms.

13. Children

Our services are intended for business users and not directed to children. We do not knowingly collect personal information from children.

14. Changes to this policy

We may update this policy from time to time by publishing an updated version on the Site. The “Last updated” date indicates the effective date.

15. Contact

For privacy questions or requests, email [email protected].