Privacy Policy

1. Who we are

Hyperflash Ltd ("we", "us", "our") is a company registered in England and Wales (company number 15068915). We provide managed AI operations services to businesses, including AI agents, workflow automation, and operational audits.

For the purposes of the UK GDPR and the Data Protection Act 2018, Hyperflash Ltd is the data controller for the personal data described in this policy.

Contact: [email protected]
Address: 14 Swinton Street, Oldham, Greater Manchester, OL4 1QS, United Kingdom

2. What personal data we collect and why

2.1 Contact form submissions

When you submit a message through our website contact form, we collect your name, email address, and message content.

Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR) — you have initiated contact with us for business purposes and we process your data to respond.

Retention: 12 months from the date of your last interaction with us, or longer if you become a client.

2.2 B2B outreach (cold email)

We may send marketing emails to individuals at corporate organisations (limited companies, LLPs, and other incorporated entities) where we have identified a potential business interest in our services. The data we process includes your name, business email address, job title, and organisation name.

Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR) — promoting our services to businesses that may benefit from them. This processing is also permitted under the Privacy and Electronic Communications Regulations 2003 (PECR) for corporate subscribers.

Data sources: Publicly available sources such as company websites and public business directories.

Retention: 12 months from the date of our last interaction with you, or 6 months after our final follow-up email if there is no response.

Your right to object: You can object to this processing at any time by replying "stop" to any email, clicking the unsubscribe link, or contacting us at [email protected]. We will stop processing your data and add you to our suppression list.

2.3 Client data

If you engage our services, we process additional personal data as necessary to deliver those services. The terms are governed by our signed agreement, including any applicable data protection schedules.

Legal basis: Performance of a contract (Article 6(1)(b) UK GDPR).

Retention: For the duration of the engagement and as required by applicable legal and regulatory obligations thereafter.

2.4 Website analytics and cookies

We use minimal analytics to understand how visitors use our website. Where cookies are placed that are not strictly necessary, we will seek your consent at the point of first visit.

Legal basis: Consent (Article 6(1)(a) UK GDPR) for non-essential cookies; legitimate interests (Article 6(1)(f) UK GDPR) for strictly necessary technical functions.

2.5 Suppression list

When you opt out of marketing communications, we retain a record of your email address and the date of your opt-out.

Legal basis: Legal obligation (Article 6(1)(c) UK GDPR) — we are required under PECR to honour opt-out requests and maintain a record to prevent future marketing to suppressed contacts.

Retention: Indefinitely, for the purpose of ensuring you are not contacted again.

2.6 Anonymized data for AI training and service improvement

We may use data submitted to our services (including through client engagements and website interactions) to improve our AI models, develop new features, conduct analytics, and enhance service quality.

How we protect your privacy:

• Before any data is used for these purposes, we apply automated PII redaction to remove all personally identifiable information.
• Removed identifiers are replaced with synthetic data.
• The resulting data retains only non-personal business context (for example, that a submission relates to an accountancy business or a retail website) without any information that could identify an individual.
• Once redaction and synthetic replacement are complete, the data is no longer "personal data" under UK GDPR.

Legal basis: Where the redaction process is successful and the resulting data is truly anonymized, UK GDPR does not apply to such data. Where the data has not yet been fully anonymized, we rely on legitimate interests (Article 6(1)(f) UK GDPR) in improving our services, balanced against your privacy rights through our redaction process.

Retention: Anonymized data may be retained indefinitely for research, development, and service improvement purposes.

Your rights: Because properly anonymized data is not personal data, data subject rights under UK GDPR do not apply to it. If you believe any retained data is not properly anonymized, contact us at [email protected] and we will review and rectify.

3. How we use your data

We use your personal data for: responding to enquiries; sending relevant B2B marketing communications (where permitted by law); delivering contracted services; preventing abuse and securing our services; complying with legal obligations; and developing and improving our AI models and services using anonymized data (see Section 2.6).

4. Who we share your data with

We do not sell your personal data. We may share your data with service providers who process data on our behalf under written data processing agreements (e.g., email delivery providers, hosting providers); professional advisers where necessary; and regulators or law enforcement where required by law.

We do not transfer your data outside the United Kingdom unless adequate safeguards are in place.

5. How we protect your data

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. These measures include access controls, encryption of sensitive data, and secure hosting infrastructure.

6. Your rights

Under the UK GDPR, you have the following rights:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — request correction of inaccurate data
• Right to erasure — request deletion of your data (subject to legal exceptions)
• Right to restrict processing — request that we limit how we use your data
• Right to data portability — request transfer of your data to another controller
• Right to object — object to processing based on legitimate interests or direct marketing
• Rights relating to automated decision-making — not applicable; we do not make automated decisions with legal or similarly significant effects

To exercise any of these rights, contact us at [email protected]. We will respond within one calendar month.

7. Complaints

If you have a concern about how we handle your personal data, please contact us first at [email protected].

You also have the right to complain to the Information Commissioner's Office (ICO):

• Website: ico.org.uk/concerns
• Telephone: 0303 123 1113

8. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page will reflect the most recent changes. Material changes will be communicated through our website or by email where appropriate.

9. Third-party links

Our website may contain links to third-party websites. This privacy policy applies only to our website and services. We are not responsible for the privacy practices of other websites.