Who we are
Unhectic Limited is the data controller for the personal data described in this policy. We are a company registered in England and Wales under company number 17194284, with our Registered Office at 66 Paul Street, London EC2A 4NA, United Kingdom. “Unhectic” is the trading name we use; the legal entity behind it is Unhectic Limited.
We can be contacted about anything in this policy at [email protected]. We do not currently have a statutory Data Protection Officer because our processing does not meet the thresholds in UK GDPR Article 37, but the contact email above reaches the person responsible for data protection within our business and they will respond.
What personal data we collect
The personal data we hold falls into three groups, depending on how you interact with us.
Website visitors
When you visit unhectic.com we receive standard server log information: your IP address, browser user-agent string, the referring URL (if any), and timestamps for each request. If you accept analytics cookies, we also receive whatever the analytics tool records (see our Cookie Policy and Cookie List). Beyond that, we do not collect data from passive browsing.
Contact-form submitters
When you complete a form on this site — for example to send us an enquiry — we collect the fields you fill in. That typically means your name, your company, a work email address, and the free-text message you write. You may optionally tell us how you heard about us. We also record the time at which the form was submitted, for our own audit trail.
Clients and prospects
When we are talking to you about a potential engagement, or delivering one, we hold business contact details (your name, role, company, email, and where relevant phone number), the commercial correspondence we share with you, and the content of any files you provide as part of the engagement. We treat any client material we hold under engagement-specific confidentiality terms in addition to this policy.
Lawful basis for processing
Most of our processing is on the basis of legitimate interest — running our business, responding to enquiries, keeping records of who we have spoken to, and improving our website. We have considered the rights of the people whose data we hold and are satisfied this basis is appropriate.
Some processing is on the basis of contract performance — specifically, anything we do to deliver the services we have agreed with you in a signed engagement. Cookie-based analytics is on the basis of consent, which you give or withhold via the cookie banner.
How we use the data
We use personal data to respond to enquiries, to deliver and account for the services we are engaged to provide, to send commercial correspondence relevant to a live engagement (e.g. project updates and invoices), to comply with legal obligations such as tax record-keeping, and to understand how the website is used so we can improve it. We do not use the data to make automated decisions that have legal or similarly significant effects on you, and we do not profile you for advertising.
Who we share data with
We share personal data with a small number of carefully chosen sub-processors that help us deliver our services — cloud hosting, email, transactional email, and (when activated) analytics. The current list is published at Sub-processors and we update it when it changes.
We do not sell personal data to anyone, ever. We do not share it with third parties for their own marketing. We disclose to law enforcement or regulators only when we are legally required to do so, and we take legal advice before disclosing if there is any doubt.
International transfers
Some of our processing happens at our Engineering Hub in Mumbai, India. The UK Information Commissioner’s Office has not adopted general adequacy regulations for India, so transfers from the United Kingdom to our Mumbai operation rely on the UK International Data Transfer Agreement (or, where appropriate, the UK Addendum to the EU Standard Contractual Clauses) together with our internal access controls. Our other sub-processors are reached either under UK ICO adequacy regulations (for example, the EEA) or under Standard Contractual Clauses or the IDTA. Specific transfer mechanisms for each sub-processor are listed on the Sub-processors page.
Retention
We keep personal data only for as long as we have a clear reason to keep it.
- Server logs — 30 days, then deleted.
- Contact-form submissions — 24 months from the last interaction with you.
- Client engagement records — 7 years after the engagement ends, to meet UK statutory tax and audit obligations.
- Marketing email lists — until you unsubscribe, after which we keep a minimal suppression record so we do not contact you again.
Your rights under UK GDPR
Under UK GDPR you have eight rights in respect of personal data we hold about you.
- Right of access — ask for a copy of the personal data we hold about you. See our Subject Access Requests procedure for how.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — ask us to delete data, where there is no overriding reason for us to keep it.
- Right to restrict processing — ask us to pause processing while a question is resolved.
- Right to data portability — ask for data you provided to us in a portable format.
- Right to object — object to processing based on legitimate interest or to direct marketing.
- Right to withdraw consent — where we relied on your consent, you can withdraw it at any time.
- Right to complain to the ICO — you can complain to the UK supervisory authority (see Complaints below).
To exercise any of these rights, email [email protected]. We will respond within one calendar month, and will tell you sooner if your request is straightforward or if we need to extend the deadline (which UK GDPR permits in some cases).
Cookies
This site uses a small number of cookies. The full detail is in our Cookie Policy, and the precise list of cookies we set is at Cookie List.
Complaints
If something we have done with personal data has worried you, we would much rather hear about it ourselves first — please use our Complaints Procedure. Most concerns are resolved that way.
You also have the right to complain directly to the UK supervisory authority. The Information Commissioner’s Office (ICO) can be reached at ico.org.uk, by phone, or by post. You do not need to come to us first.
Changes to this policy
We review this policy at least once a year, and earlier if our practice changes materially. The version number and publication date at the top of this page reflect the current version. When we make a material change we will surface it via the version banner.