Privacy Policy
Effective Date: 8 July 2026 · Rubberdesk Pty Ltd · ABN: 18 163 716 247
1. Introduction
bolta.space is a product operated by Rubberdesk Pty Ltd (ABN 18 163 716 247), an Australian proprietary limited company. In this Privacy Policy, references to “we”, “us”, “our”, or “Rubberdesk” are references to Rubberdesk Pty Ltd.
Rubberdesk operates the bolta.space platform, a cloud-based software-as-a-service (“SaaS”) solution for commercial property professionals. We are committed to protecting the privacy and security of the personal information we collect and process.
This Privacy Policy explains how we collect, use, disclose, store, and protect personal information in connection with the bolta.space platform (“Platform”) and our related services. It applies to all users of the Platform, including Brokers (tenant representatives), Leasing Agents (property owners and their representatives), and any other individuals whose personal information we collect or process.
We comply with the Australian Privacy Act 1988 (Cth) and the thirteen Australian Privacy Principles (“APPs”), the Privacy and Other Legislation Amendment Act 2024 (Cth), and, to the extent applicable to our operations in the United Kingdom, the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (UK).
2. Who We Are
For the purposes of applicable data protection laws:
- Data Controller: Rubberdesk Pty Ltd is the data controller for personal information collected directly through the Platform for our own purposes (such as account management, billing, and platform improvement).
- Data Processor: Where we process personal information on behalf of our Subscribers (Brokers and their organisations) – for example, property deals, client contact details, and shortlist data – we act as a data processor on their behalf.
Our contact details:
Entity: Rubberdesk Pty Ltd
ABN: 18 163 716 247
Email: privacy@bolta.space
Australia: 9 Castlereagh Street, Sydney NSW 2000, Australia
United Kingdom: 10 Bloomsbury Way, London WC1A 2SL, United Kingdom
3. Information We Collect
3.1 Information You Provide Directly
| Category | Types of Information | When Collected |
|---|---|---|
| Account Information | Name, email address, phone number, job title, company name, business address | When creating an account or updating profile |
| Billing Information | Payment card details (processed by third-party payment processor), billing address, ABN/VAT number | When subscribing to a paid plan |
| Property Deal Data | Client names, contact details, property requirements, budget ranges, location preferences, industry information | When Brokers create property deals |
| Submission Data | Property details, floor plans, lease terms, pricing, building specifications, proposals, contracts | When Leasing Agents respond to deals through the Platform |
| Communication Data | Messages, notes, feedback, support requests | When communicating through the Platform or with our support team |
| Verification Data | Mobile phone number and country dial code, used to send a one-time SMS verification code (delivered by our SMS provider); your country is derived from the dial code | When verifying your identity at sign-up or when changing your phone number |
| Organisation Branding | Your organisation's logo and brand colours, retrieved from your organisation's public website | When your organisation is set up on the Platform |
3.2 Information Collected Automatically
- Device information: browser type and version, operating system, device identifiers
- Usage data: pages visited, features used, click patterns, time spent on Platform
- Log data: IP address, access times, referring URLs, error logs
- Cookie and tracking data: see Section 10 (Cookies) below
3.3 Activity, Audit, and Visitor Logs
To keep the Platform secure, accurate, and auditable, we maintain several server-side logs. These are not cookies and do not depend on your browser settings.
- Activity and audit logs: We keep an internal record of actions taken in the Platform, including who performed the action (user identifier and display name at the time), what entity was affected (such as a deal, building, listing, or shortlist), what changed (before-and-after values of changed fields), and when. These records support security, fraud prevention, accountability, dispute resolution, and compliance with legal obligations.
- Visitor logs (signed-in users): When you sign in to the Platform, we record the IP address, browser, and operating system you used, together with the date of each visit. These records support security, abuse detection, and incident investigation.
- Anonymous viewer logs (shared content): When a visitor opens a tenant report, shortlist, or marketing page that has been shared with them through the Platform, we record the IP address, browser, and referring page of that visit, along with the time of access. These records support security, abuse detection, and platform analytics. We collect this information whether or not the viewer has an Account with us.
The lawful basis for this processing under the UK GDPR is our legitimate interest in operating a secure and accountable Platform. Retention periods for these logs are set out in Section 7.
3.4 Information from Third Parties
- Identity verification services
- Publicly available business directories and company registers
- Third-party integrations authorised by you (e.g., CRM systems)
- Market data providers for property market information
4. How We Use Your Information
4.1 Lawful Basis for Processing (UK GDPR)
Where the UK GDPR applies, we process personal information on the following lawful bases:
| Purpose | Lawful Basis | Details |
|---|---|---|
| Providing the Platform | Contract performance | Necessary to deliver the services you have subscribed to |
| Account management | Contract performance | Managing your account and subscription |
| Billing and payments | Contract performance | Processing subscription payments |
| Platform improvement | Legitimate interests | Improving features, performance, and user experience |
| Market insights | Legitimate interests | Generating aggregated, anonymised market data and analytics |
| Marketing communications | Consent | Sending promotional materials (opt-in only) |
| Legal compliance | Legal obligation | Complying with applicable laws and regulations |
| Security and fraud prevention | Legitimate interests | Protecting the Platform, users, and Rubberdesk from threats |
4.2 Purposes Under the Australian Privacy Principles
Under the APPs, we collect and use personal information only for purposes that are directly related to our functions and activities, and only where it is reasonably necessary for those purposes. Specifically, we use your information to:
- Provide, maintain, and improve the Platform and related services
- Process and manage your account and subscription
- Facilitate the creation and distribution of property deals
- Enable Leasing Agents to respond to deals through the Platform
- Generate shortlists and facilitate property transactions
- Send transactional communications (e.g., account confirmations, deal notifications, shortlist alerts)
- Send marketing communications (with your consent, which you may withdraw at any time)
- Provide customer support and respond to enquiries
- Generate aggregated and anonymised market insights and analytics
- Detect, prevent, and address technical issues, fraud, and security threats
- Comply with applicable laws, regulations, and legal processes
- Enforce our Terms and Conditions
5. Disclosure of Your Information
We may disclose your personal information to the following categories of recipients:
5.1 Within the Platform Ecosystem
The Platform enables Users to share information with each other in the course of commercial property transactions. When you upload, distribute, or share information through the Platform, it may be made available to other Users in the following ways:
- Broker-to-Agent: When a Broker distributes a deal, the deal and associated information is shared with the Leasing Agents and Operators the Broker selects as recipients through the Platform. The Broker (not Rubberdesk) determines who receives the deal.
- Agent-to-Broker: When a Leasing Agent or Operator submits property information, buildings, listings, proposals, or other Content in response to a deal, that information is shared with the Broker who created the deal.
- Shortlist Sharing: When a Broker shares a shortlist with their client through the Platform, the client can view the shortlist contents.
Where you choose to share information with other Users through the Platform, those recipients are not sub-processors of Rubberdesk. They receive the information as independent parties under their own confidentiality, professional, and legal obligations (including, where applicable, the confidentiality obligations imposed by clause 8.3 of the Terms and Conditions, which require recipients to treat confidential Deal information as confidential and use it only for the purpose of responding through the Platform).
You are responsible for choosing which Users to share information with through the Platform, and for ensuring that any disclosure of third-party personal information through the Platform is lawful and has any necessary consents.
5.1A Sharing Within Rubberdesk's Own Products
bolta.space and Rubberdesk's flexible-workspace marketplaces (including rubberdesk.com.au and rubberdesk.co.uk) are operated by the same legal entity, Rubberdesk Pty Ltd, and share certain information with each other. In particular: listing, availability, and pricing information published on the Rubberdesk marketplace — together with the business contact details of the person who manages those listings (name, business email address, business phone number) — is displayed on bolta.space so that Brokers can find and contact workspace operators, and is used to notify those operators when a Broker shortlists or enquires about their space. If you manage listings on the Rubberdesk marketplace, you may therefore receive communications from bolta.space about your listings even if you have not created a bolta.space account; each such communication explains why you received it, and you can contact privacy@bolta.space with any questions or objections.
5.2 Service Providers
We engage trusted third-party service providers to assist in operating the Platform. These providers are contractually required to protect your information and may only use it for the purposes for which it was disclosed. The current list of service providers is published at https://bolta.space/subprocessors. Our service providers include:
- Cloud hosting and infrastructure providers
- Payment processing providers
- Email delivery and communication services
- Analytics and monitoring services
- Customer support tools
5.3 Legal and Regulatory
We may disclose your information where required by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
5.4 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.
6. International Data Transfers
As Rubberdesk operates in both Australia and the United Kingdom, your personal information may be transferred to and stored in countries other than your country of residence.
6.1 Australia to UK (and vice versa)
We transfer personal information between our Australian and UK operations as necessary to provide the Platform. Under APP 8 of the Australian Privacy Principles, before disclosing personal information to an overseas recipient, we take reasonable steps to ensure the overseas recipient does not breach the APPs.
6.2 UK GDPR Transfers
For transfers of personal information from the UK to countries outside the UK that are not subject to an adequacy decision, we implement appropriate safeguards as required by the UK GDPR, including the use of the International Data Transfer Agreement or Standard Contractual Clauses.
6.3 Sub-processors
Some of our service providers may process personal information in jurisdictions outside Australia and the UK, including the United States. We ensure appropriate data protection agreements are in place with all sub-processors. The current list of sub-processors is available at https://bolta.space/subprocessors.
7. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our general retention periods are:
| Data Type | Retention Period | Basis |
|---|---|---|
| Account information | Duration of subscription plus 2 years | Contractual and legal compliance |
| Billing records | 7 years after transaction | Tax and accounting requirements |
| Property deal and shortlist data | Duration of subscription plus 30 days | Service delivery and data export |
| Usage and analytics data | 2 years | Platform improvement |
| Marketing consent records | Duration of consent plus 1 year | Compliance with marketing laws |
| Support correspondence | 3 years after resolution | Service quality and dispute resolution |
| Activity and audit logs | Up to 7 years | Security, accountability, dispute resolution, legal compliance |
| Visitor logs (signed-in users) | Up to 12 months | Security and abuse detection |
| Anonymous viewer logs (shared content) | Up to 6 months | Security, abuse detection, and platform analytics |
Upon termination of a subscription, we will make Customer Data available for export for thirty (30) days, after which it will be securely deleted in accordance with our data destruction procedures. Deletion does not extend to copies of information that you (or your organisation's users) shared with other Users through the Platform before termination — for example, a deal sent to a recipient, or a quote or listing submitted on a deal. Those copies remain part of the recipient's own records and are retained under the recipient's subscription, consistent with the Terms and Conditions. We may retain anonymised and aggregated data indefinitely for analytical and statistical purposes.
The retention periods set out above are upper limits. We may delete personal information earlier where it is no longer necessary for the purposes for which it was collected, where storage constraints require it, or where you exercise a right of erasure (subject to any applicable legal exceptions).
8. Data Security
We implement and maintain appropriate technical and organisational measures to protect personal information against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:
8.1 Technical Measures
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
- Secure authentication mechanisms, including multi-factor authentication for sensitive operations
- Regular security assessments and vulnerability testing
- Automated monitoring for unauthorised access attempts
- Regular backup and disaster recovery procedures
- Role-based access controls limiting access to personal information
8.2 Organisational Measures
- Staff training on data protection and information security
- Confidentiality obligations for all staff and contractors
- Incident response procedures for data breaches
- Regular review and updating of security policies and procedures
- Secure development practices incorporating privacy by design principles
8.3 Data Breach Response
In the event of a data breach that is likely to result in serious harm to individuals (as defined under the Notifiable Data Breaches scheme in the Privacy Act 1988) or that presents a risk to the rights and freedoms of individuals (under the UK GDPR), we will:
- Notify the Office of the Australian Information Commissioner (OAIC) and/or the UK Information Commissioner’s Office (ICO) as required by law
- Notify affected individuals as soon as practicable
- Take all reasonable steps to contain the breach and mitigate any harm
- Document the breach and the steps taken in response
9. Your Rights
9.1 Rights Under the Australian Privacy Principles
Under the APPs, you have the right to:
- Access: Request access to the personal information we hold about you (APP 12).
- Correction: Request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information (APP 13).
- Complaint: Lodge a complaint about our handling of your personal information (APP 1).
We will respond to access and correction requests within thirty (30) days. If we refuse a request, we will provide written reasons for the refusal.
9.2 Rights Under the UK GDPR
Where the UK GDPR applies, you have the following additional rights:
- Right to erasure: You may request deletion of your personal data in certain circumstances (“right to be forgotten”).
- Right to restriction: You may request restriction of processing of your personal data.
- Right to data portability: You may request a copy of your personal data in a structured, commonly used, machine-readable format.
- Right to object: You may object to processing based on legitimate interests or for direct marketing purposes.
- Rights relating to automated decision-making: You have rights in relation to automated decision-making and profiling.
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time.
We will respond to UK GDPR rights requests within one (1) month. In complex cases, we may extend this period by up to two (2) additional months, and we will inform you of any extension.
9.3 How to Exercise Your Rights
To exercise any of your rights, please contact us at privacy@bolta.space. We may need to verify your identity before processing your request. We will not charge a fee for processing a request unless the request is manifestly unfounded or excessive.
9.4 Limits on Erasure for Audit and Security Records
Where you exercise a right of erasure (or equivalent), we will give effect to that right to the extent required by applicable law. However, we may retain limited information about you in our activity and audit logs after you close your account or after an erasure request, where retention is necessary for security, fraud prevention, accountability, dispute resolution, the establishment, exercise, or defence of legal claims, or compliance with a legal obligation. Where we do so, we will retain the minimum information necessary and, where appropriate, pseudonymise the records so that they cannot readily be linked to you.
10. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to operate, improve, and personalise the Platform. For full details, please refer to our Cookie Policy at bolta.space/cookies.
10.1 Types of Cookies We Use
We currently use only essential cookies — those required for the Platform to function, such as authentication, session management, and security. We do not use analytics, functionality, or marketing cookies. Full details of the cookies we set are available in our Cookie Policy at https://bolta.space/cookies.
10.2 Your Choices
You can block or delete cookies through your browser settings. Please note that disabling essential cookies will prevent the Platform from functioning correctly.
11. Automated Decision-Making and AI
The Platform may use automated processes and artificial intelligence to:
- Suggest property matches based on deal criteria
- Generate market data insights and analytics
- Recommend additions to shortlists
- Prioritise and rank property submissions
These automated processes are designed to assist Brokers and do not make final decisions about property transactions. All automated suggestions are subject to human review and override. In accordance with the Privacy and Other Legislation Amendment Act 2024 (Cth), where we use personal information in automated decision-making that has a significant effect on individuals, we will provide clear disclosure in our data collection notices.
12. Children’s Privacy
The Platform is designed for commercial property professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly.
13. Marketing Communications
We may send you marketing communications about our products and services, including new features, industry insights, and promotional offers. We will only send marketing communications where:
- You have provided your explicit consent (opt-in); or
- We have an existing business relationship with you and the communications relate to similar products or services (soft opt-in), and you have not opted out.
You can opt out of marketing communications at any time by clicking the “unsubscribe” link in any marketing email, updating your communication preferences in your Account settings, or contacting us at privacy@bolta.space.
We comply with the Spam Act 2003 (Cth) and the Privacy and Electronic Communications Regulations 2003 (UK) in relation to electronic marketing communications.
14. Third-Party Links and Services
The Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of such third parties. We encourage you to review the privacy policies of any third-party services before providing your personal information.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on the Platform, updating the “Effective Date” at the top of this policy, and sending a notification to the email address associated with your Account.
We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after any changes constitutes your acceptance of the revised Privacy Policy.
16. Complaints
16.1 Internal Complaints
If you believe we have breached the APPs, the UK GDPR, or this Privacy Policy, you may lodge a complaint with us by contacting privacy@bolta.space. We will acknowledge your complaint within five (5) business days and will investigate and respond within thirty (30) days.
16.2 External Complaints
If you are not satisfied with our response, you may lodge a complaint with the relevant regulatory authority:
Australia: Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
United Kingdom: Information Commissioner’s Office (ICO)
Website: www.ico.org.uk
Phone: 0303 123 1113
17. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Privacy Officer
Rubberdesk Pty Ltd
Email: privacy@bolta.space
Australia: 9 Castlereagh Street, Sydney NSW 2000, Australia
United Kingdom: 10 Bloomsbury Way, London WC1A 2SL, United Kingdom
This Privacy Policy was last updated on 8 July 2026.