Privacy Policy
Who we are
Hypha Ltd is a company registered in England & Wales, company number 16444012, with registered office at The Granary Workshops, Long Dolver Drove, Soham, Ely, Cambridgeshire, CB7 5UP. In this policy "Hypha", "we", "us" and "our" refer to Hypha Ltd.
We are the data controller for the personal data described in this policy. You can contact us about data protection matters at:
- Email: [email protected]
- Telephone: 01223 954954
- Post: The Granary Workshops, Long Dolver Drove, Soham, Ely, Cambridgeshire, CB7 5UP
What personal data we collect
Enquiry form
When you submit an enquiry via our contact form, we collect your name, email address, company name (if provided), the service area you are interested in, and the content of your message.
Live chat (Chatwoot)
We operate a live chat widget powered by Chatwoot, which we self-host on our own infrastructure. If you interact with the chat widget, we collect the conversation content and any contact details (such as name or email) that you provide during the conversation. The widget is only loaded with your prior consent (see our Cookie Policy).
Server and security logs
Our web infrastructure generates standard server logs that may include your IP address, browser type, operating system, referring URL, and the pages and resources you access, along with the date and time of each request. These logs are retained for security, fraud prevention, and infrastructure monitoring purposes.
Why we collect your data and our lawful basis
- Responding to enquiries
- We use the information you submit via our contact form to respond to your enquiry and, where relevant, to take steps at your request prior to entering into a contract. Our lawful basis is legitimate interests (processing to communicate with prospective clients) and, where applicable, steps necessary to enter a contract (Article 6(1)(b) UK GDPR).
- Live chat
- Live chat data is processed on the basis of your consent (Article 6(1)(a) UK GDPR), which you give when you accept the use of functional cookies via our cookie consent banner. You may withdraw consent at any time by clearing your site data or using the cookie preference controls.
- Security and infrastructure logs
- Server logs are retained on the basis of our legitimate interests in maintaining the security, availability, and integrity of our systems (Article 6(1)(f) UK GDPR). We balance these interests against your rights and have determined that retention for a limited period is proportionate and necessary.
Who we share your data with
We do not sell, rent, or trade personal data with third parties for their own marketing purposes.
We rely on the following processors and infrastructure in delivering our services:
- CRM (Twenty): We self-host the Twenty CRM on our own infrastructure. Enquiry data may be recorded in our CRM to manage the client relationship.
- Live chat (Chatwoot): We self-host Chatwoot on our own infrastructure. Your conversation data is stored within this system.
- Email (Mailcow): We operate our own mail server using Mailcow. Emails sent to and from us are processed through this system.
- Cloudflare: We use Cloudflare as a content delivery network (CDN) and security layer. Web traffic to our site may transit Cloudflare's network, meaning your IP address and request data may be processed by Cloudflare as a sub-processor. Cloudflare is subject to appropriate data transfer safeguards.
We may also disclose personal data where required to do so by law, court order, or at the request of a regulatory authority.
Data retention
We retain enquiry and correspondence data only for as long as necessary to manage the business relationship and to comply with any applicable legal or regulatory obligations. Where an enquiry does not result in an ongoing relationship, data will typically be deleted within a reasonable period once the matter is resolved.
Server and security logs are retained for a limited period consistent with our security and monitoring purposes, after which they are deleted or anonymised.
International transfers
Your personal data is primarily processed within the United Kingdom. Where data transits third-party infrastructure such as Cloudflare, we rely on appropriate transfer mechanisms and data processing agreements to ensure adequate protection.
Your rights under UK GDPR
Under UK data protection law you have the following rights in respect of your personal data:
- Right of access, to obtain a copy of the personal data we hold about you.
- Right to rectification, to have inaccurate data corrected.
- Right to erasure, to request deletion of your data in certain circumstances.
- Right to restriction, to ask us to limit how we use your data.
- Right to object, to object to processing based on legitimate interests.
- Right to data portability, to receive your data in a portable format where processing is based on consent or contract.
- Right to withdraw consent, where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of earlier processing.
To exercise any of these rights, please contact us at [email protected]. We will respond within one month of receiving your request (or within three months for complex or numerous requests, with notification of the extension within the first month).
Right to complain to the ICO
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:
- Website: ico.org.uk
- Telephone: 0303 123 1113
We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.
Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect any changes. We encourage you to review this policy periodically.