1 Our GDPR Commitment
Hale Technology Limited is committed to handling personal data responsibly and transparently. We treat data protection not as a compliance checkbox but as a core part of how we build and operate Hive UK. Our key commitments:
- We collect only the minimum data necessary to operate the service (data minimisation)
- We never sell or share your data with advertisers
- We use appropriate technical and organisational security measures
- We respond to all data subject requests within 30 days
- We maintain records of our processing activities (ROPA) as required by Art. 30 UK GDPR
- We notify the ICO of eligible data breaches within 72 hours of becoming aware of them
2 Data Controller
For the purposes of UK GDPR, the data controller is:
Hale Technology
Registered in England and Wales
Registered office: Cheshire, England, United Kingdom
Privacy & DPO contact: dpo@hive-uk.co.uk
3 UK GDPR Principles We Follow
Under Art. 5 UK GDPR, personal data must be processed in accordance with the following principles. Here is how Hive UK meets each one:
| Principle | How We Meet It |
|---|---|
| Lawfulness, fairness & transparency | We publish clear privacy notices and rely on documented legal bases for all processing. |
| Purpose limitation | Data is collected for specific, explicit purposes (running the networking platform) and not further processed incompatibly. |
| Data minimisation | We collect only what is necessary. No payment data, no government IDs, no ad identifiers. |
| Accuracy | Users can edit most profile data directly in-app. We respond to rectification requests promptly. |
| Storage limitation | Data is deleted within 30 days of account deletion. Security logs are purged after 12 months. |
| Integrity & confidentiality | HTTPS/TLS, hashed passwords, JWT auth, encrypted device storage, restricted database access. |
| Accountability | We maintain a ROPA, conduct DPIAs for high-risk processing, and document our compliance measures. |
4 Your Rights as a Data Subject
UK GDPR grants you the following rights. All are exercisable free of charge by contacting privacy@hive-uk.co.uk:
- Right of Access: Obtain confirmation of whether we process your data and receive a copy of it (Subject Access Request).
- Right to Rectification: Have inaccurate personal data corrected. Most profile data can be edited directly in the app.
- Right to Erasure: Request deletion of your personal data ("right to be forgotten") in qualifying circumstances.
- Right to Restriction: Request that we restrict how we process your data while a dispute or verification is pending.
- Right to Portability: Receive your personal data in a structured, commonly used, machine-readable format (e.g. JSON or CSV).
- Right to Object: Object to processing based on our legitimate interests. We will cease unless we can demonstrate compelling grounds.
- Automated Decisions: We do not use solely automated decision-making that produces legal or similarly significant effects.
- Withdraw Consent: Where we rely on consent (e.g. push notifications), you can withdraw it at any time in your device settings.
5 How to Exercise Your Rights
To submit a data subject request, email us at privacy@hive-uk.co.uk with the subject line "Data Subject Request". Please include:
- Your full name and the email address registered to your Hive UK account
- The specific right(s) you wish to exercise
- Any relevant details to help us locate your data
We may ask you to verify your identity before processing the request. Here is what happens next:
- Acknowledgement — within 5 working days: We confirm receipt of your request and let you know if we need any additional information to verify your identity.
- Processing — up to 30 days: We action your request. For complex or multiple requests we may extend this by a further 2 months, in which case we will inform you.
- Response — within 30 days of receipt: We provide you with the requested information or data, or explain why we are unable to fulfil the request and your right to complain to the ICO.
All requests are free of charge. We may charge a reasonable fee only for manifestly unfounded or excessive requests.
6 Legal Bases for Processing
| Processing Activity | Legal Basis | UK GDPR Article |
|---|---|---|
| Account creation and management | Performance of a contract | Art. 6(1)(b) |
| Displaying your public profile to other members | Performance of a contract | Art. 6(1)(b) |
| Nearby-professionals map (city-level) | Performance of a contract | Art. 6(1)(b) |
| Push notifications | Consent | Art. 6(1)(a) |
| Security monitoring and fraud prevention | Legitimate interests | Art. 6(1)(f) |
| Anonymised analytics to improve the app | Legitimate interests | Art. 6(1)(f) |
| Compliance with legal obligations | Legal obligation | Art. 6(1)(c) |
7 International Data Transfers
Our primary data storage is within the United Kingdom. Where we use third-party processors whose infrastructure may be located outside the UK or EEA (such as Google/Firebase for push notification delivery), we rely on one of the following transfer mechanisms permitted by UK GDPR Chapter V:
- Adequacy regulations: Where the destination country benefits from a UK adequacy decision.
- International Data Transfer Agreements (IDTAs): The UK's equivalent of EU Standard Contractual Clauses, approved by the Secretary of State.
- Binding Corporate Rules (BCRs): Where applicable for large multinational processors.
We assess the adequacy of these protections and will update this page if our transfer mechanisms change.
8 Data Processors
We use a small number of third-party data processors, all bound by appropriate Data Processing Agreements (DPAs):
| Processor | Purpose | Location |
|---|---|---|
| Google LLC (Firebase) | Push notification delivery (FCM) | USA (IDTA/SCCs in place) |
| Hosting provider | PHP/MySQL backend hosting | United Kingdom |
We do not use any advertising networks, data brokers, or analytics platforms that profile individual users.
9 Data Breach Notification
In the event of a personal data breach, we will:
- Assess the risk to individuals immediately upon becoming aware
- Notify the Information Commissioner's Office (ICO) within 72 hours where the breach is likely to result in a risk to the rights and freedoms of individuals (Art. 33 UK GDPR)
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 UK GDPR)
- Document all breaches in our internal breach register, including those not required to be reported
To report a suspected security issue: security@hive-uk.co.uk
10 Supervisory Authority & Complaints
If you are unsatisfied with how we have handled your personal data or a data subject request, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113 (Mon–Fri, 9am–5pm)
Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Online report form: ico.org.uk/make-a-complaint
We encourage you to contact us first at privacy@hive-uk.co.uk so we can try to resolve your concern directly.
11 Contact
For all GDPR and data protection enquiries:
Data Controller: Hale Technology
Privacy & data subject requests: privacy@hive-uk.co.uk
Data protection officer: dpo@hive-uk.co.uk
Security disclosures: security@hive-uk.co.uk
ICO (supervisory authority): ico.org.uk · 0303 123 1113