Privacy Notice — Hidden Insight Labs

Who we are
What data we collect
How we use it
Lawful basis
Who we share it with
International transfers
How long we keep it
Your rights
Security
Cookies
Changes to this notice
How to contact us

    Who this notice applies to
    This privacy notice applies to clients of Hidden Insight Labs — individuals and organisations who engage us for UX evaluation, software testing, or programme management advisory services. It explains how we collect, use, and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
  

1. Who we are

Hidden Insight Labs is a UK-registered limited company providing UX testing, software evaluation, and programme management services to B2B clients. We are the data controller in respect of the personal data we hold about our clients and their representatives.

Registered company details

Company name: Hidden Insight Labs Ltd
Registered address: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ
Company number: 16941841
Contact email: privacy@hiddeninsightlabs.com

We are registered with the Information Commissioner's Office (ICO). ICO registration number: ZC149156.

2. What personal data we collect

We collect the minimum personal data necessary to deliver our services and manage the client relationship. This may include:

Category	Examples	Source
Identity & contact	Name, job title, company name, business email address, phone number	Provided directly by you or your organisation
Contract & engagement	Signed agreements, statements of work, project briefs, correspondence	Created or received during the engagement
Financial	Invoice details, payment records, billing address	Provided by you or your finance team
Technical	Access credentials we create on your behalf for testing environments, software or systems you share with us	Provided by you for service delivery
Communications	Emails, meeting notes, written feedback, project updates	Generated through our working relationship
Website visitors	IP address, browser type, pages visited, time of visit (via cookies — see Section 10)	Automatically collected when you visit our website

We do not intentionally collect special category data (e.g. health, ethnicity, biometric data) from clients. If any such data is shared incidentally as part of your product or materials submitted for testing, it will be handled with additional care and not retained beyond the project scope.

3. How we use your personal data

We use your personal data for the following purposes:

Delivering contracted services — performing UX evaluations, usability testing, software assessments, and programme management work as agreed
Communicating with you — responding to enquiries, managing project delivery, sharing deliverables and reports
Contract management — drawing up, administering, and enforcing our service agreements and NDAs
Financial administration — issuing invoices, processing payments, maintaining accounting records
Legal compliance — meeting our obligations under UK tax law, company law, and data protection law
Service improvement — understanding how our services are used to improve them (using anonymised or aggregated data where possible)
Marketing communications — sending relevant updates about our services, where you have opted in or where we have a legitimate interest and you are an existing client (you may opt out at any time)

4. Lawful basis for processing

Under the UK GDPR, we must have a lawful basis for processing personal data. Our bases are:

Processing purpose	Lawful basis (UK GDPR Article 6)
Delivering services under a signed agreement	Contract — Art. 6(1)(b): processing necessary for the performance of a contract
Responding to pre-contract enquiries	Contract — Art. 6(1)(b): steps taken at your request prior to entering a contract
Accounting, invoicing, tax obligations	Legal obligation — Art. 6(1)(c): UK tax and company law requirements
Maintaining business records, managing disputes	Legitimate interests — Art. 6(1)(f): our legitimate interest in operating a lawful business
Marketing to existing clients (email updates)	Legitimate interests — Art. 6(1)(f): we balance this against your interests and you may opt out at any time
Marketing to new contacts (newsletter opt-in)	Consent — Art. 6(1)(a): you have given clear, specific consent

Where we rely on legitimate interests, we have carried out a balancing test to ensure our interests do not override your rights. You may request details of this assessment by contacting us.

5. Who we share your data with

We do not sell your personal data. We share it only where necessary:

Service providers acting as processors

We use a small number of trusted third-party tools to operate our business. Where these providers act as data processors on our behalf, they are contractually bound to process data only as we instruct:

Email & communication — Proton Mail AG (Switzerland; end-to-end encrypted; subject to the Swiss Data Protection Act and covered by the UK–Switzerland adequacy arrangement)
File storage — Dropbox, Inc. (US; transfers covered by Standard Contractual Clauses / IDTA) and Google Drive / Google LLC (US; transfers covered by Standard Contractual Clauses / IDTA). Client files and internal working documents are stored here.
Website hosting — GitHub, Inc. / GitHub Pages (US; transfers covered by Standard Contractual Clauses / IDTA). Static site files are hosted via GitHub; no personal data is processed by GitHub beyond standard server logs.
Transactional email — Resend, Inc. (US; transfers covered by Standard Contractual Clauses). Enquiry submissions made via our contact form are transmitted to us through Resend's email delivery infrastructure. Enquiry data is processed only to deliver the email to us and is not retained by Resend beyond their standard log retention period.
Serverless compute — Cloudflare, Inc. (US; transfers covered by Standard Contractual Clauses). Contact form submissions are processed by a Cloudflare Worker before being passed to Resend. Cloudflare may retain request logs for a short period for security and operational purposes.
Website analytics — Google Analytics 4 / Google LLC (US; transfers covered by Standard Contractual Clauses / IDTA). We use Google Analytics to understand aggregate website usage. See Section 10 for full details of cookies and how to opt out.

Independent data controllers we share data with

Some third parties receive personal data but act as independent data controllers under their own privacy notices — meaning they determine their own purposes for processing and you may need to contact them directly to exercise your rights in relation to data they hold:

Company administration — Quality Company Formations (Quality Formations Limited, ICO reg. ZA113958), who act as our registered office and company administration provider. They receive only the contact and identity information necessary to fulfil Companies House and HMRC obligations on our behalf. See their privacy policy at qualitycompanyformations.co.uk/privacy-policy.

Professional advisers

Legal advisers where necessary for compliance or dispute resolution, bound by professional confidentiality obligations.

Legal & regulatory authorities

HMRC, Companies House, or other authorities where we are legally required to disclose information.

We will not share your data with any other party without notifying you first, except where required by law.

6. International transfers

As a business operated from Japan by a UK-registered company, your data may be processed or accessed from Japan. Japan has received an adequacy decision from the UK (under Article 45 UK GDPR), meaning the UK recognises Japan's data protection standards as equivalent. No additional safeguards are required for this transfer.

Where we use third-party service providers based outside the UK or Japan (for example, cloud services based in the US), we ensure transfers are protected by one of the following mechanisms:

An adequacy decision issued by the UK Secretary of State
International Data Transfer Agreements (IDTAs) approved by the ICO
Standard Contractual Clauses (as adapted for UK use)

You may request details of the specific transfer mechanisms in place for any particular service by contacting us at the address in Section 12.

7. How long we keep your data

We retain personal data only for as long as necessary for the purposes for which it was collected, and in line with our legal obligations. Specific retention periods:

Data type	Retention period	Reason
Client contracts and engagement records	6 years from project end	UK Limitation Act 1980 (contractual claims period)
Invoices and financial records	6 years from the end of the relevant financial year	HMRC tax record requirements
Project correspondence and deliverables	3 years from project completion	Operational need and potential dispute resolution
Marketing contact data (opt-in)	Until you withdraw consent or 2 years of inactivity	Consent-based; withdrawn consent triggers deletion
Pre-contract enquiries (not converted)	12 months	Legitimate interest in managing our sales pipeline

When data is no longer needed, it is securely deleted or anonymised.

8. Your rights

Under the UK GDPR, you have the following rights in relation to your personal data:

Right of access

Request a copy of the personal data we hold about you (a Subject Access Request).

Right to rectification

Ask us to correct inaccurate or incomplete data about you.

Right to erasure

Ask us to delete your data where there is no longer a lawful reason to hold it ("right to be forgotten").

Right to restrict processing

Ask us to pause processing of your data in certain circumstances.

Right to data portability

Receive your data in a structured, commonly-used format to transfer to another organisation.

Right to object

Object to processing based on legitimate interests, including direct marketing.

Right to withdraw consent

Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.

Rights re: automated decisions

We do not use automated decision-making or profiling. This right would apply if we did.

To exercise any of these rights, contact us using the details in Section 12. We will respond within one calendar month of receiving your request. In complex cases we may extend this by a further two months and will notify you if so.

We will not charge a fee for exercising your rights in most cases. If a request is clearly unfounded or excessive, we may charge a reasonable fee or refuse the request, and will explain why.

9. Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, or destruction. Measures include:

End-to-end encrypted email (Proton Mail) for sensitive communications
Strong password policies and multi-factor authentication on all accounts holding client data
Restricted access to personal data on a need-to-know basis
Encrypted file storage for sensitive documents
Regular review of our security practices

In the event of a personal data breach that is likely to pose a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, inform you directly without undue delay.

10. Cookies & Analytics

Our website uses Google Analytics 4 (GA4) to collect anonymised data about how visitors use the site — including pages visited, time on page, and general geographic region (country level). This helps us understand which content is useful and improve the site.

GA4 sets cookies on your device to distinguish visitors and sessions. The data collected is aggregated and does not identify you personally. Your IP address is anonymised before any data is stored by Google.

Legal basis: We rely on legitimate interests (UK GDPR Art. 6(1)(f)) for analytics. Our interest is in understanding site performance; the data collected is minimal and anonymised.

Opt out: You can prevent GA4 from collecting data about your visit by installing the Google Analytics Opt-out Browser Add-on, or by using a browser privacy extension that blocks analytics trackers.

We do not use advertising cookies, retargeting cookies, or any tracking technologies beyond GA4. Your browser may also store technically necessary information (such as session state) as part of normal website operation.

11. Changes to this notice

We review this privacy notice at least annually and whenever there are material changes to how we process personal data. The "last reviewed" date at the top of this page will be updated accordingly.

Where changes are significant, we will notify active clients directly by email prior to the changes taking effect. Continued engagement with us after that date constitutes acknowledgement of the updated notice.

12. How to contact us

If you have any questions about this notice, wish to exercise your rights, or have a concern about how we handle your data, please contact us:

Data Controller Contact

Hidden Insight Labs Ltd

📧 Email: privacy@hiddeninsightlabs.com

📮 Post: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ

Complaints

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office (ICO)

Website: ico.org.uk/make-a-complaint
Phone: 0303 123 1113
Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would appreciate the opportunity to address your concerns directly before you contact the ICO.

Contents