Privacy Policy
Safeguarding your personal information.
Last updated: 10 February 2025
1. Introduction
In line with our company ethos and the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Hey iO Limited ("we", "us", "our"), a company registered in England and Wales, is committed to respecting and protecting your privacy.
This privacy policy explains how we collect, use, store, share, and protect your personal data when you visit our website at www.heyio.co.uk ("our website"), use our services, or otherwise interact with us. By using our website you accept and consent to the practices described in this policy.
We are the data controller and are responsible for your personal data. Our designated data protection contact can be reached via our contact page.
2. What Personal Data We Collect
We may collect, use, store, and transfer different kinds of personal data about you, grouped as follows:
- Identity Data: first name, last name, job title, company name.
- Contact Data: email address, telephone number, postal address.
- Enquiry Data: the subject of your enquiry, your message content, any attachments you provide, and your preferred deadline or timeline.
- Technical Data: Internet Protocol (IP) address, browser type and version, time-zone setting, browser plug-in types and versions, operating system and platform, device type, screen resolution, and other technology on the devices you use to access our website.
- Usage Data: information about how you use our website, including full Uniform Resource Locators (URLs), clickstream data (to, through, and from our website), pages viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
- Marketing & Communications Data: your preferences in receiving marketing from us and your communication preferences.
- Transaction Data: details of services we have provided to you, invoicing information, and payment records.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). We also do not collect any information about criminal convictions or offences.
3. How We Collect Your Data
Contact & Enquiry Forms
When you complete our "Contact Us" form or submit a Request for Proposal (RFP), we use the information you provide solely to reply and respond to your enquiry. This information is not added to any marketing database or disclosed to any third party (other than those listed in Section 7) without your explicit permission.
Sign-Up Forms & Newsletters
Where we offer sign-up forms, your consent is required. By ticking the consent checkbox you agree to us keeping in touch via email, post, or telephone regarding our services, solutions, and industry insights. By signing up, you consent to your personal information being added to our internal sales and marketing database. Your personal information will not be shared with any third party (other than those listed in Section 7) without your consent.
Website Analytics
We use Google Analytics to understand how visitors interact with our website. This requires collecting Technical Data including your IP address, browser type, device information, and Usage Data. Google Analytics may identify the organisation that your IP address is registered to. Data obtained through website analytics is retained for a period of 26 months only. Please note that Google's own data-handling processes are governed by their own privacy policy.
Cookies
Our website uses cookies to provide you with the best possible experience. Cookies are small text files placed on your device that help us analyse web traffic and improve our site. You can set your browser to refuse all or some cookies, or to alert you when cookies are being sent. If you disable cookies, some parts of our website may become inaccessible or not function properly.
We use the following types of cookies:
- Strictly Necessary Cookies: Required for the operation of our website (e.g. session management, security).
- Analytical/Performance Cookies: Allow us to recognise and count visitors and see how visitors move around our website, helping us to improve how our website works.
- Functionality Cookies: Used to recognise you when you return to our website, enabling us to personalise content and remember your preferences.
Third-Party & Publicly Available Sources
We may receive personal data about you from various third parties and public sources, including Technical Data from analytics providers (such as Google), Identity and Contact Data from publicly available sources (such as Companies House), and referral information from business partners.
4. Lawful Bases for Processing
We will only use your personal data when the law allows us to. Most commonly, we rely on the following lawful bases:
- Consent: Where you have given clear consent for us to process your personal data for a specific purpose (e.g. marketing communications). You may withdraw consent at any time by contacting us.
- Performance of a Contract: Where processing is necessary for the performance of a contract we have with you, or to take steps at your request before entering into such a contract.
- Legitimate Interests: Where processing is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Our legitimate interests include operating and improving our business, managing customer relationships, and marketing our services. We carry out a balancing test to ensure your rights are protected.
- Legal Obligation: Where processing is necessary to comply with a legal or regulatory obligation (e.g. tax reporting, responding to lawful requests from authorities).
5. Purposes of Processing
We use your personal data for the following purposes:
- To respond to your enquiries and provide you with the information, products, or services you request.
- To register you as a new customer and manage our relationship with you.
- To perform and manage contracts, including invoicing and payment processing.
- To send you marketing communications, industry insights, newsletters, and service updates (where you have opted in or we have a legitimate interest to do so).
- To administer and protect our business and website, including troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting of data.
- To improve our website, services, marketing, customer relationships, and user experiences through analytics and feedback.
- To comply with legal and regulatory requirements.
6. Marketing Communications
You will receive marketing communications from us if you have requested information from us, opted in via a sign-up form, or if you are an existing client and we are marketing similar services. You will always have the option to opt out.
You can ask us to stop sending you marketing messages at any time by following the unsubscribe link in any marketing email, or by contacting us. Where you opt out of marketing, this will not affect processing carried out for other lawful purposes.
7. Disclosure of Your Data
We may share your personal data with the following categories of third parties:
- Email service providers (e.g. SMTP2Go, Mailchimp) — to deliver transactional and marketing emails. We share your name and email address for this purpose.
- Analytics providers (e.g. Google Analytics) — we share Technical Data (IP address, browser data) for website performance analysis.
- Accounting software providers (e.g. Xero) — we share your Identity, Contact, and Transaction Data for invoicing and accounting purposes.
- Professional advisers — including lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services.
- HM Revenue & Customs, regulators and other authorities — acting as processors or joint controllers who require reporting of processing activities in certain circumstances.
- Business transfers — third parties to whom we may choose to sell, transfer, or merge parts of our business. If a change happens to our business, the new owners may use your personal data in the same way as set out in this policy.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow third-party service providers to use your personal data for their own purposes; they may only process it for specified purposes and in accordance with our instructions.
8. International Transfers
Some of our third-party service providers are based outside the United Kingdom. Whenever we transfer your personal data outside the UK, we ensure an appropriate level of protection is afforded to it by implementing at least one of the following safeguards:
- Transferring only to countries that have been deemed to provide an adequate level of protection for personal data.
- Using specific contracts approved for use in the UK (International Data Transfer Agreements or Addendums to the EU Standard Contractual Clauses) that give personal data equivalent protection.
- Relying on binding corporate rules or other approved mechanisms where applicable.
Please contact us if you want further information on the specific safeguards applied to the export of your personal data.
9. Data Security
We have implemented appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. These measures include:
- Encryption of data in transit (TLS/SSL) and at rest where appropriate.
- Access controls limiting personal data access to employees, agents, contractors, and other third parties who have a business need to know.
- Regular security assessments and updates to our software, firewalls, and anti-virus protection.
- Staff training on data protection and information security.
We also have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
10. Data Retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including satisfying any legal, accounting, or reporting requirements. Specific retention periods are as follows:
- Enquiries that do not proceed: all personal data is deleted within 60 days of the enquiry date, unless you have opted in to marketing communications (in which case we retain only your name and email address).
- Active and completed contracts: personal data is retained for up to six years following contract termination, in line with the Limitation Act 1980.
- Newsletter subscribers: name, organisation name, and email address are retained until you unsubscribe.
- Website analytics data: retained for 26 months by Google Analytics.
- Job applicants (unsuccessful): data is stored for 6 months following receipt of the application, after which all personally identifiable data is deleted.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
11. Your Legal Rights
Under data protection law you have the following rights in relation to your personal data:
- Right of Access: You have the right to request a copy of the personal data we hold about you (a Data Subject Access Request — DSAR).
- Right to Rectification: You have the right to request that we correct any incomplete or inaccurate personal data we hold about you.
- Right to Erasure: You have the right to request that we delete or remove your personal data where there is no good reason for us continuing to process it.
- Right to Restrict Processing: You have the right to request that we suspend the processing of your personal data in certain circumstances.
- Right to Data Portability: You have the right to request the transfer of your personal data to you or to a third party in a structured, commonly used, machine-readable format.
- Right to Object: You have the right to object to processing where we are relying on a legitimate interest and there is something about your particular situation that makes you want to object. You also have the absolute right to object to direct marketing at any time.
- Right to Withdraw Consent: Where we rely on consent to process your personal data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of any processing carried out before you withdrew consent.
To exercise any of these rights, please reach out via our contact page or write to us at our registered office. We will respond within one month. No fee is usually required; however, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. We may need to verify your identity before processing your request.
You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the opportunity to deal with your concerns before you approach the ICO, so please contact us in the first instance.
12. Third-Party Websites
Our website may contain links to websites and services operated by third parties. These links are provided for your convenience and do not signify our endorsement of such websites. We have no control over the content or privacy practices of third-party sites and accept no responsibility or liability for their privacy policies. We encourage you to read the privacy policy of every website you visit.
13. Children's Privacy
Our website and services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete such information.
14. Job Applicants
We are committed to maintaining the security of your personal information and to being compliant with UK GDPR. By applying for one of our vacancies, you consent to us collecting, storing, and processing your personal information for the sole purpose of assessing your suitability for the role. Unsuccessful candidates will have their data stored for a period of 6 months following receipt of the application, after which any personally identifiable data will be deleted.
15. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Any changes will be posted on this page with an updated revision date. Where changes are significant, we may also notify you by email or through a notice on our website. We encourage you to review this policy periodically.
16. Contact Information
If you have any questions, concerns, or requests regarding this privacy policy or our data practices, please contact us at:
Hey iO Limited
Data Protection Contact
Contact Us