Privacy Policy

Effective Date: 01/01/2026 Company Name: Hive Online Ltd Registered Address: 318a Mount Pleasant Road, London, N17 6HA, United Kingdom Contact Email: george@hiveonline.io Website: https://hiveonline.io

This Privacy Policy explains how Hive (“we”, “us”, “our”) collects, uses, and protects personal data in accordance with:

UK General Data Protection Regulation (UK GDPR)
EU General Data Protection Regulation (EU GDPR)
UK Data Protection Act 2018

1. Our Role Under Data Protection Law

Hive operates in two distinct roles:

A. Data Controller

We act as Data Controller when processing:

Website visitor data
Account registration data
Marketing and communication data
Billing and subscription data

B. Data Processor

We act as Data Processor when providing our SaaS platform to organisations.

In this context:

Our customers (organisations) are the Data Controllers
Hive processes personal data strictly on their documented instructions
This may include structured decision data, feedback submissions, votes, comments, governance records, and related organisational metadata

We enter into Data Processing Agreements (DPAs) with customers where required under Article 28 GDPR.

2. Categories of Personal Data Collected

A. Website and Account Data (Controller Role)

We may collect:

Name
Email address
Organisation name
Job title
Login credentials
Billing details
IP address
Device and browser information
Usage analytics data
Support communications

B. Organisational Decision Data (Processor Role)

When customers use Hive, we may process:

Member names and identifiers
Email addresses
Role or governance status
Votes and voting history
Comments and discussion contributions
Proposal submissions
Structured feedback responses
Participation metadata (timestamps, engagement metrics)
Files uploaded by users
Organisational configuration data

Hive does not determine the purpose or legal basis for this data. That responsibility remains with the customer acting as Data Controller.

3. Lawful Bases for Processing (Controller Activities)

Under Article 6 UK GDPR and EU GDPR, we rely on the following lawful bases:

Contract

To provide Hive services, manage accounts, and deliver subscriptions.

Legitimate Interests

For:

Improving platform performance
Ensuring security and fraud prevention
Internal analytics and product development

We assess and balance our legitimate interests against your rights.

Consent

For:

Marketing communications
Non-essential cookies

Consent may be withdrawn at any time.

Legal Obligation

To comply with tax, accounting, and regulatory requirements.

4. How We Use Personal Data

As Data Controller

We use personal data to:

Provide access to Hive
Manage subscriptions and billing
Authenticate users
Provide customer support
Send service updates
Improve platform functionality
Monitor security and prevent misuse
Comply with legal obligations

We do not sell or rent personal data.

As Data Processor

We process organisational data only to:

Host and store customer data
Enable structured decision workflows
Facilitate voting and feedback systems
Maintain governance records and audit trails
Provide analytics and reporting tools
Maintain system integrity and availability

Processing occurs solely under documented customer instructions.

5. Data Sharing

We may share personal data with:

Service Providers (Sub-Processors)

Including:

Cloud hosting providers
Infrastructure providers
Analytics providers
Email delivery services
Payment processors

All sub-processors are bound by written agreements compliant with Article 28 GDPR.

A current list of sub-processors is available upon request.

Legal Requirements

We may disclose data where required by law, court order, or regulatory authority.

Business Transfers

In the event of merger, acquisition, restructuring, or asset sale, personal data may be transferred as part of that transaction.

We do not share data for advertising purposes.

6. International Data Transfers

If personal data is transferred outside the UK or European Economic Area (EEA), we implement appropriate safeguards, such as:

UK International Data Transfer Agreement (IDTA)
EU Standard Contractual Clauses (SCCs)
UK Addendum to EU SCCs
Transfers to countries with adequacy decisions

7. Data Retention

Controller Data

We retain personal data only as long as necessary for:

Contract performance
Legal obligations
Legitimate business purposes

Processor Data

Organisational data is retained in accordance with customer instructions and deleted:

Upon contract termination
Upon written request
In line with agreed retention schedules

Backups are securely overwritten in accordance with system retention cycles.

8. Security Measures

We implement appropriate technical and organisational safeguards, including:

Encrypted data transmission (HTTPS/TLS)
Encryption at rest where appropriate
Role-based access controls
Multi-factor authentication (where enabled)
Secure cloud infrastructure
Logging and monitoring
Regular security updates

While we take reasonable steps to protect data, no system can guarantee absolute security.

9. Data Subject Rights (UK & EU)

Individuals have the following rights under UK GDPR and EU GDPR:

Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right to object
Right to data portability
Right to withdraw consent

If Hive acts as Data Processor, data subjects should contact the relevant organisation (Data Controller). We will assist Controllers in fulfilling rights requests where required.

If Hive acts as Data Controller, rights requests can be submitted to:

[Insert Contact Email]

We may request identity verification before responding.

10. Supervisory Authorities

UK residents may lodge complaints with:

Information Commissioner’s Office (ICO)
https://ico.org.uk

EU residents may contact their local supervisory authority.

11. Automated Decision-Making

Hive does not engage in automated decision-making or profiling that produces legal or similarly significant effects under Article 22 GDPR.

12. Children’s Data

Hive is not directed to individuals under 16 years of age. We do not knowingly collect personal data from children.

13. Cookie Policy

13.1 What Are Cookies

Cookies are small text files stored on your device when you visit a website. They help websites function properly and provide usage insights.

13.2 Types of Cookies We Use

Strictly Necessary Cookies

Required for core functionality such as:

Authentication
Session management
Security

These cannot be disabled.

Performance and Analytics Cookies

Used to:

Measure website traffic
Understand user behaviour
Improve performance

These are used only with consent where required.

Functional Cookies

Used to:

Remember preferences
Enhance usability

Marketing Cookies

Hive does not use advertising or behavioural marketing cookies.

13.3 Legal Basis for Cookies

Under UK GDPR, EU GDPR, and the ePrivacy framework:

Non-essential cookies require prior user consent
Consent must be freely given, specific, informed, and unambiguous
Users must be able to withdraw consent at any time

13.4 Managing Cookies

Users can:

Adjust preferences via the cookie banner
Modify browser settings
Delete stored cookies

Disabling certain cookies may affect website functionality.

14. Data Processing Agreement (For Customers)

For customers using Hive as a SaaS platform:

We provide a Data Processing Agreement compliant with Article 28 GDPR
We process personal data only on documented instructions
We implement appropriate security measures
We assist with data subject rights requests
We notify customers of personal data breaches without undue delay

Customers remain responsible for:

Determining lawful bases for processing
Providing privacy notices to their members
Ensuring lawful use of Hive

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Updates will be published on this page with a revised effective date.