Privacy Policy

This privacy policy explains how we handle personal information at YardBooked.

YardBooked is a trading name of Obsynia Ltd, a company incorporated in England and Wales (Companies House number [INSERT]). Our registered office is at 7 Franklin Place, East Kilbride, Glasgow G75 8LT, United Kingdom. We are registered with the UK Information Commissioner's Office under registration number [INSERT, or state: Registration in progress with the UK Information Commissioner's Office].

In this policy, "we", "us", and "our" refer to Obsynia Ltd trading as YardBooked. "You" refers to any individual whose personal information we handle, whether you are a builder customer, a prospective builder customer, a homeowner whose enquiry is being processed through our service, or a visitor to yardbooked.com.

For all privacy enquiries, contact us at hello@yardbooked.com or by post at the registered office address above.

This policy applies to the personal information we handle in four situations.

It applies when you visit yardbooked.com or interact with any of our digital properties. It applies when you contact us, book a discovery call, sign up for our service, or correspond with us in any way. It applies when you are a homeowner whose details are processed through the YardBooked system on behalf of a builder customer of ours. It applies when you engage with our marketing on third-party platforms including Meta, Google, and email.

This policy applies to personal information regardless of where you live. We have specific obligations to UK residents under UK data protection law and to Australian residents under the Australian Privacy Act. These are addressed separately later in this policy.

We act in two different legal roles depending on whose data is being handled. This matters because it determines who is legally responsible and who you should contact about your rights.

4.1 When we are the data controller

We are the data controller when we decide how and why personal information is processed. We are the controller in these circumstances.

When you visit yardbooked.com. When you book a discovery call with us. When you become or apply to become a builder customer. When you communicate with us by email, phone, or messaging platform. When you engage with our marketing.

If you are a builder customer or a prospective builder customer, this entire policy applies to you and we are responsible for your personal information.

4.2 When we are a data processor

We are a data processor when we handle personal information on behalf of one of our builder customers. This is the case when our system handles homeowner enquiries on behalf of a builder.

In this scenario, the builder is the data controller. The builder decides what personal information is collected, what it is used for, how long it is kept, and who it is shared with. We act on the builder's documented instructions under a written data processing agreement.

If you are a homeowner whose details have been handled through the YardBooked system, the builder you contacted is the data controller of your information. You should direct requests about access, correction, deletion, or other rights to that builder in the first instance. We will support the builder in responding to your request. If you cannot identify which builder holds your information, contact us at hello@yardbooked.com and we will help you locate the correct controller.

We collect different categories of personal information depending on who you are.

5.1 From builder customers and prospective builder customers

We collect the following categories of information about builder businesses and the individuals who operate them.

5.2 From homeowners (handled on behalf of builder customers)

When you make an enquiry to one of our builder customers, the YardBooked system processes the following information on the builder's behalf.

Your name, phone number, email address, and suburb. The details of your project enquiry, including the project type, your approximate budget range, your approximate timeline, your site type, your council approval status, and your property type. The full audio recording of any conversation you have with our AI agent and the text transcript of that conversation. Any SMS and email correspondence between you and the system. The details of any survey appointment you book into the builder's calendar.

We collect personal information in three ways.

We process personal information for the following purposes.

• To deliver the YardBooked service to our builder customers. This includes operating the AI voice agent that handles homeowner enquiries, qualifying those enquiries against the builder's criteria, booking surveys into the builder's calendar, sending reminders to homeowners, and reporting results to the builder.
• To administer our contractual relationship with builder customers. This includes invoicing, processing payments, providing support, communicating about service changes, and enforcing our terms.
• To market YardBooked to prospective builder customers. This includes running advertising campaigns, sending marketing emails where we have the right to do so, measuring marketing performance, and following up on enquiries.
• To improve and secure the service. This includes monitoring system performance, investigating technical problems, protecting against fraud and abuse, training internal staff, and reviewing the quality of conversations handled by the AI agent.
• To comply with legal obligations. This includes keeping accounting records, responding to lawful requests from regulators and courts, and meeting our reporting obligations under UK and Australian law.

Under UK GDPR Article 6, we identify a lawful basis for each processing activity. Our bases are as follows.

8.1 Contract performance

We rely on contract performance to process personal information that is necessary to provide the YardBooked service to a builder customer who has signed an agreement with us. This includes account administration, service delivery, payment processing, and support.

8.2 Legitimate interests

We rely on legitimate interests to process personal information for the following purposes. Marketing to prospective builder customers in a business-to-business context. Measuring the effectiveness of our marketing. Preventing fraud and abuse. Securing our systems and data. Improving the service. Communicating with you about your enquiry before a contract is signed.

For each legitimate interest, we have completed a balancing assessment to confirm that our interests do not override the rights and freedoms of the individuals whose data we process. You can request a summary of any balancing assessment by writing to hello@yardbooked.com.

8.3 Consent

We rely on consent for the following processing activities. Non-essential cookies and similar tracking technologies. Marketing emails to individuals in jurisdictions where opt-in consent is required by law. The recording of discovery calls. The use of voice data and call recordings for AI model training and quality assurance.

Where we rely on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

8.4 Legal obligation

We rely on legal obligation to process personal information where the law requires it. This includes tax record-keeping under HM Revenue & Customs requirements, anti-money laundering checks where applicable, and responses to lawful requests from regulators or courts.

8.5 Homeowner data processed for builder customers

Where we process homeowner data on behalf of a builder customer, we do so under written instructions from the builder. The builder is the controller and is responsible for establishing the lawful basis for processing under UK GDPR Article 6 and the equivalent requirements under the Australian Privacy Act. Our processing agreement with each builder requires the builder to confirm a valid lawful basis for the data they collect through our system.

The YardBooked service uses artificial intelligence to handle homeowner enquiries on behalf of our builder customers. You should know how this works and what your rights are.

9.1 What the AI does

When a homeowner contacts a builder customer using our system, an AI voice agent answers the call, has a conversation with the homeowner, asks qualifying questions about the project, and either books a survey appointment into the builder's calendar or notifies the builder that the enquiry did not meet the builder's stated qualification criteria.

The AI agent uses the builder's qualification criteria, which the builder configures during onboarding. Criteria typically include project type, project budget, timeline, location, and council approval status.

9.2 What it does not do

The AI agent does not make decisions that produce legal effects or other similarly significant effects within the meaning of UK GDPR Article 22. The AI agent does not decide whether to enter a contract with the homeowner. The AI agent does not assess creditworthiness. The AI agent does not make any binding commitment on behalf of the builder.

The AI agent's role is to gather information and book appointments. The builder retains full control over whether to proceed with any enquiry and over the ultimate decision to take on any project.

9.3 Your rights

If you are a homeowner whose enquiry has been handled by the AI agent and you believe the outcome was wrong, you have the right to request human review by contacting the relevant builder directly. The builder is the controller of your information and the decision-maker about your enquiry. We will support the builder in providing human review where requested.

You can also request information about the criteria the builder used to qualify enquiries. We will share this with you on request, subject to the builder's confidentiality interests in their commercial criteria.

Calls handled by the AI agent are recorded. This section explains why, how we comply with Australian law, and what your rights are.

10.1 Why we record

We record calls for the following purposes. Quality assurance and training of the AI agent. Compliance with the builder customer's record-keeping obligations. Dispute resolution if a homeowner or builder questions what was said. Improvement of the service.

10.2 Disclosure

At the start of every call, the AI agent discloses that the call may be recorded. We do not begin recording before disclosure is given.

10.3 Compliance with Australian state law

Australia regulates the recording of conversations at state level. The relevant statutes are the Surveillance Devices Act 2007 (New South Wales), the Surveillance Devices Act 1999 (Victoria), the Invasion of Privacy Act 1971 (Queensland), the Surveillance Devices Act 1998 (Western Australia), the Listening and Surveillance Devices Act 1972 (South Australia), and the Listening Devices Act 1991 (Tasmania).

In each Australian state, our recording practice complies with applicable law because we are a party to the conversation (the AI agent acts on behalf of the builder customer, who is a party) and because disclosure of recording is given at the start of the call. Continuation of the call after disclosure constitutes consent to recording in those states where consent is required.

10.4 Retention

Call recordings are retained for 24 months from the date of the call, after which they are deleted from our active systems. Backup copies are deleted on the rolling 35-day backup cycle.

10.5 Your rights

If you are a homeowner and want to access, correct, or delete a recording of a call you participated in, contact the relevant builder customer in the first instance. They are the controller. If you cannot identify the builder, contact us at hello@yardbooked.com and we will help.

We share personal information with the categories of third party listed below. We do not sell personal information to anyone.

11.1 Sub-processors

We use the following categories of sub-processor to operate the YardBooked service.

• An AI voice conversation and call-handling infrastructure provider, located in the United States.
• A customer relationship management and automation platform, located in the United States.
• Advertising platforms, located in the United States.
• Email and SMS delivery providers, located in the United States and Australia.
• Cloud hosting and content delivery network providers, located in the United Kingdom and the United States.
• A payment processor, located in Ireland and the United States.
• An analytics provider, located in the United States.
• Calendar booking infrastructure, located in the United States.
• Communications and messaging platforms, located in the United States.

Each sub-processor is bound by a written agreement that imposes data protection obligations equivalent to those under UK GDPR Article 28. Sub-processors process personal information only on our documented instructions and only for the purposes set out in our agreement with them.

A current list of named sub-processors is available on written request to hello@yardbooked.com.

11.2 Professional advisers

We share personal information with our professional advisers including lawyers, accountants, and auditors where necessary for legal advice, accounting, or audit work. These advisers are bound by professional confidentiality obligations.

11.3 Regulators and law enforcement

We disclose personal information to regulators, courts, and law enforcement where required by law. We will assess the legality of any request before complying and will challenge requests that are unlawful or disproportionate.

11.4 Business transfers

If we are involved in a merger, acquisition, restructuring, or sale of assets, personal information may be transferred to a successor entity. We will notify affected individuals if such a transfer takes place and the successor entity will be required to honour this policy.

11.5 Our builder customers

Where we are processing homeowner data on behalf of a builder customer, the data is accessible to that builder in their dashboard. This is the core function of the service. Builders are bound by a data processing agreement that requires them to handle homeowner data in compliance with applicable law.

The YardBooked service involves transferring personal information across borders. We make these transfers using recognised legal safeguards.

12.1 Where data is transferred

Personal information we hold is transferred to and processed in the following jurisdictions. The United Kingdom (Obsynia Ltd's home jurisdiction). The Republic of Indonesia (operational location). Australia (where our builder customers and homeowner end-users are based, and where some sub-processors operate). The United States (where many of our technology sub-processors are based).

12.2 Transfer mechanisms

For transfers from the United Kingdom to the United States, we rely on the UK Extension to the EU-US Data Privacy Framework where the recipient is certified under that framework, and otherwise on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (the UK Addendum).

For transfers from the United Kingdom to Indonesia, we rely on the UK International Data Transfer Agreement (the IDTA) or the UK Addendum, supplemented by additional contractual and technical safeguards including written processor agreements imposing UK GDPR Article 28 equivalent obligations.

For transfers from the United Kingdom to Australia, we rely on the UK International Data Transfer Agreement or the UK Addendum. Australia is not currently the subject of a UK adequacy decision for general transfers.

12.3 Your right to ask

You can request a copy of the safeguards we apply to any specific international transfer by writing to hello@yardbooked.com.

This section explains the cookies and tracking technologies we use on yardbooked.com.

13.1 Categories

We use three categories of cookie and tracking technology.

13.2 Server-side tracking

In addition to browser cookies, we use server-side tracking and conversion APIs to share marketing performance data with advertising platforms. Where this involves personal information about UK or EEA visitors, we only send data after you have consented through our cookie banner.

13.3 Cookie banner and consent

UK and EEA visitors see a cookie banner on first visit and can adjust consent at any time using the cookie preferences link in the website footer. Australian visitors are presented with the same banner. Australian law does not require opt-in consent for non-sensitive cookies, but we apply the same standard to maintain a consistent practice.

13.4 Do Not Track

Some browsers send a "Do Not Track" signal. There is no consistent industry standard for interpreting this signal. We do not change our behaviour in response to Do Not Track signals. Instead, we honour the choices you make through our cookie banner.

We retain personal information for the periods set out below. After the retention period expires, we delete the information from our active systems. Backup copies are deleted on our rolling 35-day backup cycle.

• Builder customer account data is retained for the duration of the contract plus 7 years after termination. This period is set to meet our tax, accounting, and contractual record-keeping obligations.
• Homeowner enquiry data processed on behalf of builder customers is retained for 24 months from collection by default. The builder, as controller, may instruct us to apply a different retention period through our processing agreement.
• Marketing prospect data is retained until consent is withdrawn or for 36 months from the date of last engagement, whichever is earlier.
• Call recordings, including AI agent recordings and discovery call recordings where consented to, are retained for 24 months from the date of the call.
• Website analytics data is retained for 26 months in line with our analytics sub-processor's default configuration.
• Server logs are retained for 90 days.
• Backup data is retained for 35 days on a rolling cycle and then overwritten.

We apply the following security measures to protect personal information.

We do not currently hold ISO 27001 or SOC 2 certification. We will update this policy if and when we obtain a recognised security certification.

If you are in the United Kingdom or the European Economic Area, you have the following rights over your personal information.

16.1 The right of access

You can ask us to confirm whether we hold personal information about you, and if we do, to provide a copy and explain how we use it.

16.2 The right to rectification

You can ask us to correct personal information that is inaccurate or incomplete.

16.3 The right to erasure

You can ask us to delete personal information in certain circumstances, including where it is no longer needed for the purpose it was collected, where you withdraw consent, or where you object to processing and we have no overriding legitimate ground.

16.4 The right to restrict processing

You can ask us to stop using your personal information while we investigate a complaint or correction request.

16.5 The right to data portability

You can ask us to provide your personal information in a structured, commonly used, machine-readable format. This right applies to information you provided to us under consent or under a contract.

16.6 The right to object

You can object to processing based on legitimate interests. You can object at any time to direct marketing. We will stop direct marketing immediately on request.

16.7 The right not to be subject to solely automated decisions

You can ask us not to subject you to decisions made solely by automated means that produce legal or similarly significant effects. As set out in section 9, our AI agent does not make decisions of this kind.

16.8 The right to withdraw consent

Where we rely on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

16.9 The right to complain

You can complain to the UK Information Commissioner's Office at any time. Their website is ico.org.uk. Their helpline is 0303 123 1113.

If you are an Australian resident, you have the following rights under the Australian Privacy Act 1988 and the Australian Privacy Principles.

17.1 Access (APP 12)

You can ask us to give you access to the personal information we hold about you. We will respond within 30 days. Where the request is complex, we may extend this period and will tell you why.

17.2 Correction (APP 13)

You can ask us to correct personal information you believe is inaccurate, out of date, incomplete, irrelevant, or misleading.

17.3 Anonymity and pseudonymity (APP 2)

You have the option of not identifying yourself, or using a pseudonym, when dealing with us, where this is lawful and practicable.

17.4 Complaint

You can complain to the Office of the Australian Information Commissioner at any time. Their website is oaic.gov.au. Their helpline is 1300 363 992.

17.5 Homeowner data

If you are a homeowner and your personal information has been processed through the YardBooked system, the builder customer you contacted is the entity responsible for your information. Direct requests about access, correction, and complaints to that builder in the first instance. We will support the builder in responding.

To exercise any right under this policy, contact us at hello@yardbooked.com or by post at 7 Franklin Place, East Kilbride, Glasgow G75 8LT, United Kingdom.

18.1 What to include

In your request, tell us what right you want to exercise, what personal information your request relates to, and provide enough information for us to verify your identity. We may ask you for additional identity information if we cannot verify you from what you initially provide. This is a security measure to make sure we do not disclose your information to the wrong person.

18.2 Response time

We will acknowledge your request within 5 working days and respond substantively within 30 days. If your request is complex or we have received a large number of requests, we may extend this period by up to a further 2 months and will tell you why.

18.3 Cost

We do not charge for responding to requests. Where a request is manifestly unfounded or excessive, we reserve the right to charge a reasonable fee or refuse the request, in line with the law.

If a personal data breach occurs, we follow these procedures.

We notify the UK Information Commissioner's Office within 72 hours of becoming aware of a breach where required under UK GDPR. We notify the Office of the Australian Information Commissioner as soon as practicable where the breach is an eligible data breach under Part IIIC of the Australian Privacy Act 1988.

We notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms under UK GDPR, or where it is likely to result in serious harm under the Australian Notifiable Data Breaches scheme.

Notifications include a description of the breach, the likely consequences, the measures we have taken or propose to take, and the contact details of our privacy contact.

We document every breach internally regardless of whether notification is required.

YardBooked is a business-to-business service intended for adult operators of Australian outdoor living businesses. The website and the service are not directed at individuals under 18.

We do not knowingly collect personal information from children under 18. If we become aware that we hold personal information about a child under 18, we will delete it promptly. If you believe we hold information about a child, contact us at hello@yardbooked.com.

We update this policy as our service evolves. The version number and last-updated date at the top of the policy reflect the current version.

For material changes, we notify active builder customers by email at least 30 days before the change takes effect. Material changes include any change that expands the categories of personal information we collect, the purposes of processing, the parties we share data with, or the international transfers we make.

We retain an internal archive of prior versions of this policy. A copy of any prior version is available on written request.

For visitors and customers in the United Kingdom and the European Economic Area, this policy is governed by the laws of England and Wales. The English courts have non-exclusive jurisdiction over disputes arising from this policy.

For Australian residents, nothing in this policy limits your rights under the Australian Privacy Act 1988 or the jurisdiction of the Office of the Australian Information Commissioner. Where consumer protection law in your jurisdiction gives you mandatory rights, those rights apply regardless of this policy.

For any matter relating to this policy or to your personal information, you can reach us using the following contacts.

Email: hello@yardbooked.com

Post: Obsynia Ltd, 7 Franklin Place, East Kilbride, Glasgow G75 8LT, United Kingdom

We aim to respond to all enquiries within 5 working days.

If you are not satisfied with our handling of your personal information, please contact us first at hello@yardbooked.com. We take complaints seriously and will work with you to resolve the issue.

If you remain dissatisfied, you have the right to complain to the relevant regulator.

In the United Kingdom, the supervisory authority is the Information Commissioner's Office. Website: ico.org.uk. Phone: 0303 123 1113. Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom.

In Australia, the supervisory authority is the Office of the Australian Information Commissioner. Website: oaic.gov.au. Phone: 1300 363 992. Address: GPO Box 5288, Sydney NSW 2001, Australia.

You may also contact the supervisory authority in your country of residence if it is in the European Economic Area.