Privacy Policy

Effective date: 9 April 2026  ·  Last updated: 9 April 2026

This Privacy Policy explains how Hidbrain Ltd (“we”, “us”, “our”) collects, uses, discloses and protects personal data when you use the Timemy software-as-a-service platform (“Service”). It is issued in accordance with the UK General Data Protection Regulation (“UK GDPR”) as retained in UK law by the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018 (“DPA 2018”).

1. Data Controller

The data controller for personal data processed in connection with the Service is:

Hidbrain Ltd

Company number: 12170656

United Kingdom

Privacy enquiries: privacy@hidbrain.com

Data Protection Officer: dpo@hidbrain.com

Where your employer or organisation (“Customer”) subscribes to the Service, the Customer is an independent data controller for data about their own contracts and suppliers. Hidbrain Ltd acts as a data processor on the Customer's behalf for that data (see Section 10).

2. What Personal Data We Collect

We collect the following categories of personal data:

2.1 Account & Profile Data

Full name, email address, job title, and company name provided when you register or update your profile.

2.2 Authentication Data

Password hashes (we never store plain-text passwords), session tokens, and multi-factor authentication credentials managed through Supabase Auth.

2.3 Contract & Supplier Data

Business documents, contract metadata, supplier contact names, email addresses and phone numbers uploaded or entered by users. This data is controlled by the Customer organisation; Hidbrain Ltd processes it on their behalf.

2.4 Billing & Payment Data

Billing name, address and payment method details. Payment card data is processed solely by Stripe, Inc. and is never transmitted to or stored on our systems. We retain Stripe customer IDs and subscription metadata only.

2.5 Usage & Technical Data

IP address, browser type and version, operating system, referral URL, pages visited, timestamps, and feature interactions — collected automatically via server logs and analytics.

2.6 Communications Data

Messages sent through our contact form, support emails, and any correspondence with our team.

2.7 Cookies & Tracking Data

See Section 9 (Cookies) for full details.

We do not knowingly collect special category data (Article 9 UK GDPR) such as health, racial origin, political opinions, or biometric data. Please do not include such data in documents uploaded to the Service.

3. Legal Basis for Processing (Article 6 UK GDPR)

We process personal data only where a lawful basis applies:

Purpose | Legal Basis
Providing and maintaining the Service | Article 6(1)(b) — performance of contract
Processing payments via Stripe | Article 6(1)(b) — performance of contract
Sending service-critical notifications (e.g. contract reminders) | Article 6(1)(b) — performance of contract
Complying with legal obligations (e.g. tax, anti-money laundering) | Article 6(1)(c) — legal obligation
Fraud prevention, security monitoring and abuse detection | Article 6(1)(f) — legitimate interests
Improving the Service through aggregated usage analytics | Article 6(1)(f) — legitimate interests
Marketing communications to existing customers | Article 6(1)(f) — legitimate interests (with opt-out)
Marketing communications to new prospects | Article 6(1)(a) — consent
Responding to support and contact form enquiries | Article 6(1)(b) / Article 6(1)(f)

Where we rely on legitimate interests (Article 6(1)(f)), we have conducted a legitimate interests assessment confirming that our interests are not overridden by your fundamental rights and freedoms. You may request a copy of this assessment by contacting us at privacy@hidbrain.com.

4. How We Use Your Personal Data

We use personal data to:

  • Create and manage your account and company workspace;
  • Deliver contract management, reminder, and reporting features;
  • Process subscription payments and manage your billing relationship;
  • Send transactional emails including contract renewal alerts, password resets and account notices;
  • Provide customer support and respond to enquiries;
  • Monitor, maintain and improve the security and performance of the Service;
  • Comply with our legal and regulatory obligations under UK and EU law;
  • Enforce our Terms of Service and protect the rights of other users.

5. Sharing & Disclosure of Personal Data

We do not sell or rent personal data. We share data only in the following circumstances:

5.1 Sub-processors

We use the following categories of sub-processor, each bound by appropriate data processing agreements:

  • Supabase Inc. — cloud database, authentication and file storage (EU/US)
  • Stripe, Inc. — payment processing (EU/US, SCCs in place)
  • Resend Inc. — transactional email delivery
  • Microsoft Azure — AI document intelligence for contract extraction (EU data centre option)
  • Vercel Inc. — application hosting and edge delivery

5.2 Legal Disclosure

We may disclose data where required by law, court order, or to cooperate with regulatory authorities including the Information Commissioner's Office (“ICO”).

5.3 Business Transfers

In the event of a merger, acquisition or sale of assets, personal data may be transferred to a successor entity, subject to equivalent protections.

5.4 With Your Consent

We may share data with third parties in any other circumstance where we have your explicit consent.

6. International Data Transfers

Some of our sub-processors are based in the United States. Where personal data is transferred outside the UK, we rely on:

  • UK adequacy regulations — for transfers to countries with an adequacy decision granted by the UK Secretary of State;
  • UK International Data Transfer Agreements (IDTAs) or the EU Standard Contractual Clauses (“SCCs”) as adapted for UK use under Schedule 21 DPA 2018, for transfers to the US and other countries lacking adequacy;
  • Supplementary technical and organisational measures where required to ensure an essentially equivalent level of protection.

You may request a copy of the relevant transfer mechanism documents by contacting privacy@hidbrain.com.

7. Data Retention

Data Category | Retention Period
Account & profile data | Duration of subscription + 90 days after cancellation
Contract & supplier documents | Duration of subscription + 90 days; longer if legally required
Billing records | 7 years (UK tax law — Finance Act 2012, s.137)
Support communications | 3 years from last contact
Technical / usage logs | 12 months rolling
Aggregated analytics data (no PII) | Indefinite

After the applicable retention period, personal data is securely deleted or irreversibly anonymised.

8. Your Rights Under UK GDPR

Under Articles 15–22 of the UK GDPR and Part 3 of the DPA 2018, you have the following rights. To exercise them, contact privacy@hidbrain.com. We will respond within one calendar month (extendable by two further months for complex requests).

Right of access (Art. 15)

Request a copy of the personal data we hold about you.

Right to rectification (Art. 16)

Ask us to correct inaccurate or incomplete data.

Right to erasure (Art. 17)

Request deletion of your data where no overriding legal basis applies.

Right to restrict processing (Art. 18)

Ask us to pause processing in certain circumstances.

Right to data portability (Art. 20)

Receive your data in a structured, machine-readable format.

Right to object (Art. 21)

Object to processing based on legitimate interests or for direct marketing.

Right to withdraw consent (Art. 7(3))

Withdraw consent at any time without affecting prior processing.

Rights re: automated decisions (Art. 22)

Not to be subject to solely automated decisions with significant effects.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint or by phone on 0303 123 1113.

9. Cookies & Similar Technologies

We use cookies in accordance with the Privacy and Electronic Communications Regulations 2003 (“PECR”). We use only the following categories of cookie:

Strictly necessary | Session management, CSRF protection, authentication tokens. These cannot be disabled as the Service depends on them.
Functional | Your UI preferences (e.g. dark mode, language). Stored in local storage; no consent required.
Analytics (opt-in) | Aggregate, anonymised usage statistics to improve the Service. Only set after you provide consent via our cookie banner.

We do not use advertising, tracking or third-party social cookies.

10. Data Processing Agreement

Where a Customer uses Timemy to store and process personal data about their employees, contractors or third-party contacts, Hidbrain Ltd acts as a data processor and the Customer is the data controller for that data (Article 28 UK GDPR). Our standard Data Processing Agreement (“DPA”) is available upon request at privacy@hidbrain.com. The DPA incorporates:

  • A description of the processing activities, nature, purpose and duration;
  • The obligations and rights of both parties;
  • Technical and organisational security measures (Article 32 UK GDPR);
  • Sub-processor obligations and notification requirements;
  • Assistance with data subject rights requests and breach notifications.

11. Security

We implement appropriate technical and organisational measures in accordance with Article 32 UK GDPR, including:

  • TLS 1.2+ encryption in transit for all data;
  • AES-256 encryption at rest for stored documents;
  • Row-level security (RLS) in our database layer ensuring data isolation between Customer organisations;
  • Regular dependency and vulnerability scanning;
  • Access controls with principle of least privilege;
  • Secure password hashing (bcrypt via Supabase Auth).

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by Articles 33 and 34 UK GDPR.

12. Children

The Service is not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us immediately at privacy@hidbrain.com.

13. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be notified to registered users by email at least 30 days before taking effect. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

14. Contact & Complaints

For any privacy-related queries, to exercise your rights, or to raise a concern, please contact our Data Protection Officer at dpo@hidbrain.com or write to us at the address in Section 1. Alternatively, use our contact form.

If we are unable to resolve your concern, you may contact the ICO:

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Tel: 0303 123 1113  ·  ico.org.uk

© 2026 Hidbrain Ltd. All rights reserved.