Data Processing Policy

Last updated: May 14, 2025


Introduction and Scope

HIVESCOPE (a trading name of Tin Man Holdings Ltd, Company No. 13470376) is committed to compliance with the UK Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). As a data controller, HIVESCOPE ensures compliance with data protection principles and implements appropriate technical and organisational measures to protect personal data. When acting as a data processor on behalf of clients, we follow their documented instructions and maintain security, noting that processors have more limited obligations under the UK GDPR.

This policy applies to all personal data collected and used by HIVESCOPE in the course of our services (including lead generation and marketing) and business operations. We handle data such as names, contact details (email, phone), and company information (name, address, registration number) related to business contacts. HIVESCOPE does not collect or process any special category (sensitive) data. The policy covers processing activities wherever they take place, including internationally, in accordance with applicable law.


Types of Data Collected

We collect personal data about our customers, leads, and business contacts. This includes:

  • Identity and role: name, job title, and associated company
  • Contact details: business email addresses and telephone numbers
  • Company information: company name, registration number, and business address
  • Communications and interactions: records of emails, calls or meetings relating to our services

    • No special category (sensitive) personal data is processed by HIVESCOPE.


    Purpose of Processing

    We process personal data for legitimate business purposes in line with instructions from our clients and our service delivery. These purposes include:

  • Generating sales leads and expanding our business network
  • Sending marketing and promotional communications (with opt-out options) to business contacts
  • Delivering our services and fulfilling client contracts (e.g., setting up automation and CRM solutions)
  • Managing customer accounts, billing, and customer support
  • Complying with legal and regulatory requirements (such as financial record-keeping)

    • Legal Basis

    HIVESCOPE processes personal data only where we have a valid legal basis under Article 6 of UK GDPR. Our common bases include:

  • Consent: where individuals have explicitly agreed to processing for specific purposes (e.g., marketing communications).
  • Contract: when processing is necessary to perform a contract with a customer or to take steps at their request before entering a contract.
  • Legal obligation: where processing is needed to comply with statutory requirements (for example, financial record-keeping).
  • Legitimate interests: necessary for our legitimate business interests (such as lead generation and marketing), provided these interests are balanced against individuals’ rights.

    • Roles and Responsibilities (Controller vs Processor)

    The UK GDPR distinguishes between data controllers and data processors. A controller determines the purposes and means of processing personal data, while a processor handles the data on behalf of the controller. HIVESCOPE may act as both, depending on the context:

  • Data Controller: When acting as a controller (e.g., for our own marketing or lead data), HIVESCOPE decides how and why personal data is used. Controllers are responsible for compliance with UK GDPR principles and must be able to demonstrate that compliance.
  • Data Processor: When providing services to clients (e.g., CRM or automation support), HIVESCOPE processes personal data under the client’s instructions. As a processor, our obligations are more limited – we follow the controller’s instructions and ensure data security as specified in our agreements.

    • Use of Third-Party Services

    HIVESCOPE relies on third-party services (for example, CRM software, cloud hosting, no-code automation platforms and portals) to process and store personal data. We select providers based on their compliance with UK data protection standards. We have written Data Processing Agreements with each provider (as required by Article 28 UK GDPR) that include terms obliging the processor to act only on our instructions, maintain data confidentiality, and implement appropriate security measures. These agreements also require providers to assist us with data subject requests and to delete or return all personal data at the end of their service engagement.


    International Transfers

    HIVESCOPE may transfer personal data outside the UK (for example, to cloud service providers or international partners). Any such transfer will comply with the UK GDPR’s rules on international data transfers. We only transfer data to countries subject to UK adequacy regulations, or when we have put in place approved safeguards (such as the UK Addendum to Standard Contractual Clauses or Binding Corporate Rules) that ensure equivalent protections for personal data.


    Data Security Measures

    HIVESCOPE implements appropriate technical and organisational measures to protect personal data. These include:

  • Data encryption in transit and at rest
  • Access controls such as strong passwords, multi-factor authentication, and role-based permissions
  • Secure network and system configurations (firewalls, secure hosting environments)
  • Regular software updates, security testing, and vulnerability management
  • Regular data backups and disaster recovery procedures
  • Staff training on data protection, confidentiality, and incident response

    • All personnel with access to personal data are bound by confidentiality obligations and trained to handle data securely.


    Data Subject Rights

    Under the UK GDPR, individuals have several rights regarding their personal data. These include:

  • Right of access: Individuals can request a copy of the personal data we hold about them, along with supplementary information.
  • Right to rectification: Individuals can require us to correct or complete any inaccurate or incomplete personal data.
  • Right to erasure: Individuals can request deletion of their personal data in certain circumstances, also known as the “right to be forgotten”.
  • Right to restrict processing: Individuals can ask us to suspend or limit the processing of their personal data in specific cases.
  • Right to data portability: Individuals can obtain and reuse their personal data for their own purposes across different services.
  • Right to object: Individuals can object to processing of their personal data, including for direct marketing purposes.

    • Requests to exercise these rights may be submitted to HIVESCOPE at any time (see Contact Information below). We will respond to valid requests without undue delay and in any event within one month, as required by law. If we are unable to comply with a request, we will inform the individual of the reasons and of their right to lodge a complaint with the ICO.


    Data Retention

    HIVESCOPE will retain personal data only for as long as necessary to fulfil the purposes outlined above and to comply with legal requirements. We abide by the UK GDPR’s storage limitation principle, meaning we do not keep data longer than needed. Specific retention periods depend on the nature of the data: for example, financial and contractual records may be kept for up to 6–7 years for tax or audit purposes, while marketing lead data may be deleted after a defined period of inactivity. When personal data is no longer needed, it is securely deleted or anonymised.


    Contact Us

    If you have any questions or concerns about this policy or our data handling practices, or if you wish to exercise any of your data protection rights, please contact us at:

    HIVESCOPE, a trading name of Tin Man Holdings Ltd
    29 Percy Rd, Isleworth TW7 7HD, UK
    England TW7 7HD
    United Kingdom
    Email: support@hivescope.co.uk
    Phone: (+44) 07398395391