Privacy Policy

1. Who We Are

HEX GROUP DIGITAL SOLUTIONS LTD ("we", "our", or "us") operates the website hexgroup.org. This privacy policy explains how we collect, use, and protect your personal information when you use our website and services.

2. Information We Collect

2.1 Information You Provide Directly

When you contact us through our contact form, we collect:

• Name: To identify and address you personally
• Email address: To respond to your enquiry
• Subject and message: To understand and respond to your request

2.2 Information Collected Automatically

When you visit our website, we may automatically collect:

• IP address: For security and spam prevention
• Browser information: To ensure website compatibility
• Usage data: To improve our website performance

3. How We Use Your Information

We use your personal information for the following purposes:

• Responding to enquiries: To provide customer support and answer questions
• Security: To prevent spam, fraud, and abuse of our services
• Legal compliance: To comply with applicable laws and regulations
• Website improvement: To analyse usage and improve our services

4. Legal Basis for Processing

Under UK GDPR, we process your personal data based on the following specific lawful bases:

4.1 Consent (Article 6(1)(a))

• Contact form submissions: When you voluntarily provide information
• Marketing communications: For newsletters or promotional content (if opted in)
• Non-essential cookies: Analytics, marketing, and preference cookies

4.2 Legitimate Interests (Article 6(1)(f))

• Website security: IP logging, spam prevention, fraud detection
• Business communications: Responding to enquiries and customer support
• Service improvement: Website performance analysis and user experience
• Legal protection: Defending against legal claims and protecting intellectual property

4.3 Legal Obligation (Article 6(1)(c))

• Regulatory compliance: Meeting PECR, ICO, and financial reporting requirements
• Law enforcement: Cooperation with legal investigations when required
• Tax and accounting: Business record keeping for statutory periods

4.4 Vital Interests (Article 6(1)(d))

• Emergency situations: Protecting life, health, or safety when other bases don't apply

5. Data Retention and Deletion

We retain personal information only for as long as necessary to fulfil the purposes outlined in this policy:

5.1 Contact Form Data

• Active enquiries: Until resolved plus 6 months
• Completed enquiries: 12 months from final communication
• Business enquiries: 24 months for relationship management
• Legal enquiries: 7 years (limitation period)

5.2 Technical and Security Data

• Access logs: 90 days for security monitoring
• Error logs: 30 days for technical support
• Security incidents: 7 years for audit trail
• Rate limiting data: 24 hours for spam prevention

5.3 Analytics and Cookies

• Cookie consent records: 3 years for compliance audit
• Analytics data: 26 months (Google Analytics default)
• Performance data: 12 months for service improvement
• Session data: Until browser session ends

5.4 Legal and Compliance

• GDPR requests: 7 years for regulatory compliance
• Consent records: 7 years post-withdrawal
• Breach incidents: 7 years for ICO requirements
• Audit trails: 7 years for business continuity

5.5 Automated Deletion

We implement automated systems to ensure timely deletion:

• Scheduled cleanup: Daily automated deletion of expired data
• Monitoring alerts: Notifications for manual review requirements
• Verification logs: Audit trail of all deletion activities
• Exception handling: Legal hold procedures when deletion must be delayed

6. Data Sharing and Processor Relationships

We do not sell, trade, or rent your personal information to third parties. As data controller, we may share data with processors under strict conditions:

6.1 Data Processors

We engage the following categories of data processors:

• Hosting providers: Secure server infrastructure (UK/EU based)
• Email services: Contact form notifications and business communications
• Analytics providers: Website usage analysis (with consent)
• Security services: Fraud prevention and security monitoring
• Backup services: Data protection and disaster recovery

6.2 Processor Requirements

All data processors must:

• Sign Data Processing Agreements (DPAs): Comprehensive contracts under UK GDPR Article 28
• Implement technical safeguards: Encryption, access controls, security monitoring
• Maintain compliance: ISO 27001, SOC 2, or equivalent certifications
• Provide transparency: Regular compliance reports and audit access
• Notify breaches: Immediate notification of any security incidents

6.3 Disclosure Circumstances

We may disclose personal data in limited circumstances:

• Legal obligations: Court orders, regulatory investigations, law enforcement
• Vital interests: Emergency situations affecting life, health, or safety
• Public interest: Prevention of crime, national security (with warrant)
• Business transfers: Mergers, acquisitions (with 30-day notice and same protections)

6.4 Joint Controllers

For certain services, we may act as joint controllers:

• Affiliate services: BlazeNet hosting services (shared customer support)
• Shared responsibilities: Clear allocation of obligations under UK GDPR Article 26
• Joint arrangements: Transparent information about responsibilities

7. Data Security

We implement appropriate technical and organisational measures to protect your personal information:

• Encrypted data transmission (HTTPS)
• Secure database storage with access controls
• Regular security monitoring and updates
• Staff training on data protection
• Incident response procedures

8. Your Rights Under GDPR

As a data subject, you have the following rights:

• Right of access: Request a copy of your personal data
• Right to rectification: Request correction of inaccurate data
• Right to erasure: Request deletion of your personal data
• Right to restrict processing: Limit how we use your data
• Right to data portability: Receive your data in a portable format
• Right to object: Object to processing based on legitimate interests
• Right to withdraw consent: Withdraw consent for voluntary submissions

To exercise these rights, contact us at hello@hexgroup.org. We will respond within 30 days.

9. Cookies and PECR Compliance

Our website complies with UK Privacy and Electronic Communications Regulations (PECR). We use cookies and similar technologies as follows:

9.1 Essential Cookies (No Consent Required)

• Session management: Login status, form progress, security tokens
• Security: CSRF protection, rate limiting, fraud prevention
• Technical functionality: Language preferences, accessibility settings

9.2 Functional Cookies (DUAA 2025 Exemption)

Under the Data Use and Access Act 2025, functional cookies may be processed under legitimate interest:

• User preferences: Theme selection, saved form data, site personalisation
• Performance: Load balancing, error reporting, service optimisation
• Communication: Chat preferences, notification settings

9.3 Analytics Cookies (Consent Required)

• Google Analytics: Website usage statistics, user journey analysis
• Performance monitoring: Page load times, error tracking
• A/B testing: Feature testing and improvement (if applicable)

9.4 Marketing Cookies (Explicit Consent Required)

• Advertising: Personalised advertisements (if implemented)
• Social media: Integration with platforms for sharing and tracking
• Retargeting: Follow-up marketing based on website visits

9.5 Cookie Management

You have full control over cookie settings:

• Granular consent: Accept or reject specific cookie categories
• Easy withdrawal: Change preferences at any time via footer link
• Browser controls: Configure cookie settings in your browser
• Automatic expiry: Consent expires after 6 months (PECR requirement)

9.6 PECR Compliance Statement

Our cookie implementation complies with:

• PECR Regulation 6: Consent for information storage and access
• ICO guidance: Cookie consent and privacy notices
• DUAA 2025: New exemptions for statistical and functional purposes
• UK GDPR Article 7: Conditions for consent

10. Third-Party Services

Our website may link to third-party services with their own privacy policies:

• GitHub: For our open-source projects
• Email providers: For contact form notifications

We are not responsible for the privacy practices of external websites.

11. International Data Transfers

Your data is primarily processed within the UK. However, some of our services involve international transfers:

11.1 Hosting and Infrastructure

• Primary hosting: UK-based servers with EU data residency
• Backup storage: EU-based secure facilities
• CDN services: Global content delivery with data minimisation

11.2 Service Providers

• Email services: UK/EU providers with adequate protection
• Analytics: Google Analytics (US) - see adequacy decisions below
• Support tools: Selected on basis of data protection standards

11.3 Transfer Safeguards

For transfers outside the UK/EU, we implement:

• Adequacy decisions: Countries recognised by UK ICO as providing adequate protection
• Standard Contractual Clauses (SCCs): EU Commission approved clauses
• Binding Corporate Rules: For multinational service providers
• Certification schemes: ISO 27001, SOC 2, or equivalent standards
• Data Processing Agreements: Comprehensive DPAs with all processors

11.4 Post-Brexit Considerations

Following UK's exit from the EU:

• EU adequacy decision: UK recognised as providing adequate protection
• Ongoing monitoring: Regular review of transfer mechanism validity
• Alternative safeguards: Backup arrangements if adequacy decisions change

11.5 US Data Transfers

For US-based services (e.g., Google Analytics, GitHub):

• Data Protection Framework: Providers certified under successor to Privacy Shield
• Additional safeguards: Enhanced SCCs and technical measures
• Data minimisation: Reduced data collection and retention periods
• User control: Opt-out mechanisms for non-essential transfers

12. Children's Privacy

Our services are not directed at children under 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

13. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. We will:

• Post the updated policy on our website
• Update the "Last Updated" date
• Notify you of significant changes via email (if you've provided contact details)

14. Contact Information

15. Data Breach Notification

In the unlikely event of a personal data breach, we have comprehensive procedures:

15.1 Breach Response

• Immediate containment: Stop the breach and secure affected systems
• Risk assessment: Evaluate impact on individuals and likelihood of harm
• ICO notification: Report to ICO within 72 hours (if high risk)
• Individual notification: Direct contact if high risk to rights and freedoms

15.2 Notification Timeline

• Discovery to containment: Immediate action within 4 hours
• Initial ICO report: Within 72 hours of discovery
• Individual notification: Without undue delay (typically 72 hours)
• Final report: Comprehensive analysis within 30 days

15.3 Notification Content

Breach notifications will include:

• Nature of breach: What happened and what data was affected
• Likely consequences: Potential risks and impacts
• Mitigation measures: Steps taken and recommended actions
• Contact information: How to get help and further information

16. Complaints and Redress

If you have concerns about how we handle your personal data, you have multiple options:

16.1 Direct Resolution

• Primary contact: hello@hexgroup.org
• Response time: Acknowledgment within 48 hours, resolution within 30 days
• Escalation: Senior management review for unresolved complaints

16.2 Regulatory Complaints

• UK ICO: Information Commissioner's Office (primary authority)
• European authorities: If you're in EU/EEA and breach involves cross-border processing
• Local authorities: Your national data protection authority

16.3 Alternative Dispute Resolution

• Ombudsman services: Sector-specific resolution services
• Mediation: Independent mediation for complex disputes
• Legal action: Court proceedings under UK GDPR Article 82

← Back to HEX GROUP DIGITAL SOLUTIONS LTD