Privacy Policy
Hemera Intelligence Ltd · Last updated: [pending — effective date] · Version 1.0
1. Who we are and our role under UK data protection law
Hemera Intelligence Ltd (“Hemera”, “we”, “us”, “our”) is a company registered in England and Wales, company number [pending — Companies House], with its registered office at [pending — registered address]. We trade under the product name HemeraScope.
We operate in two distinct roles under the UK GDPR:
- Data controller. For personal data we collect directly — website visitors, marketing contacts, job applicants, and the user accounts our clients set up to access HemeraScope. This Privacy Policy explains how we handle that data.
- Data processor. For supplier and spend data our clients upload into HemeraScope. Our processing of that data is governed by the Data Processing Agreement in place with the client, not by this Privacy Policy.
We are registered with the Information Commissioner's Office (ICO) under registration number [pending — ICO registration].
2. What personal data we collect and why
| Category | Examples | Purpose | Lawful basis |
|---|---|---|---|
| Website visitor data | IP address, browser, pages viewed, session timestamps | Operating and securing the site, measuring traffic, debugging | Legitimate interests |
| Account data | Name, work email, employer, role, password hash (via Clerk) | Creating and securing HemeraScope accounts | Contract |
| Client contact data | Name, work email, phone, company, role | Responding to enquiries, delivering the service, billing | Contract + legitimate interests |
| Marketing data | Email address, preferences | Sending the HemeraScope newsletter | Consent / legitimate interests (B2B) |
| Support correspondence | Message content, attachments, call notes | Answering support requests and keeping a record | Legitimate interests |
| Billing data | Name, billing address, company, payment references | Taking payment and meeting tax obligations | Contract; legal obligation |
We do not knowingly process special category data (health, ethnicity, political opinion etc.) in the ordinary course of running HemeraScope. If a client uploads documents that contain such data, we process it strictly as their processor.
3. Where we get personal data from
Most of the personal data we hold comes directly from you — when you fill in a form on our website, sign up for an account, email us, or engage us as a client.
We also collect:
- Cookies and similar technologies when you visit our website (see our Cookie Statement).
- Public company registries — Companies House, HSE, SBTi, CDP, and similar public sources. We use these to build supplier intelligence data in HemeraScope. This data is about organisations, not individuals.
4. Who we share personal data with
We share personal data only with:
- Our sub-processors and service providers — the current list is available on our Trust page at [pending — trust page URL]. As of the last update these include Clerk, Inc. (US-based authentication), our hosting provider, our database host, our email provider and any analytics or error-monitoring tools.
- Professional advisers — lawyers, accountants, auditors, insurers — under duties of confidentiality.
- Authorities where we are legally required to.
- Successors in the event of a merger, acquisition or sale of our business.
We do not sell personal data. We do not use client data to train general-purpose AI models.
5. International transfers
Some of our sub-processors — notably Clerk, Inc. — are based in the United States. When personal data is transferred out of the UK we use a valid UK GDPR Article 46 transfer mechanism: the UK Extension to the EU–US Data Privacy Framework, the UK International Data Transfer Agreement, or the UK Addendum to the EU SCCs, together with supplementary technical and organisational measures.
6. How long we keep data
| Data | Retention |
|---|---|
| Active account data | Duration of the contract + 12 months |
| Billing and tax records | 6 years from the end of the accounting period (HMRC) |
| Support correspondence | 3 years from last contact |
| Marketing contacts | Until you unsubscribe; a minimal suppression record is kept indefinitely |
| Website analytics | Up to 26 months |
| Security logs | 12 months |
7. Your rights under UK GDPR
You have the right to:
- access the personal data we hold about you;
- rectify inaccurate data;
- erase data in certain circumstances;
- restrict processing in certain circumstances;
- data portability;
- object to processing based on legitimate interests, including direct marketing;
- withdraw consent at any time where we rely on consent;
- not be subject to solely automated decisions with legal or similarly significant effects — we do not make such decisions about individuals.
To exercise any of these rights, email [pending — privacy email, e.g. privacy@hemerascope.com]. We'll respond within one month. You can also complain to the ICO at ico.org.uk/make-a-complaint.
11. Anonymised and aggregated data after termination
When a client stops using HemeraScope, we delete or return the personal and client-identifiable data we hold as their processor, in line with our contractual commitments.
Separately, and only after the data has been irreversibly anonymised and aggregated so that it cannot be linked back to the client, any individual supplier, or any natural person, Hemera retains statistical information derived from the work. Examples of the kind of retained information:
- “UK universities in our benchmark have on average 12 transport-sector suppliers.”
- “Across professional-services clients, average modern-slavery risk score in the construction category is 2.3 out of 5.”
- “Reported scope 3 emissions intensity for higher-education clients: x tCO₂e / £m spend.”
This retained information does not include:
- the identity of any client (even indirectly — we apply a minimum cohort size);
- supplier names, company numbers, contact details, or any other direct or indirect identifier of a supplier;
- any personal data of any natural person.
We rely on UK GDPR Recital 26, which provides that the principles of data protection do not apply to truly anonymous information. Because this retained information is not personal data, it is not subject to UK GDPR access, rectification, erasure or portability rights. Clients acknowledge and agree to this retention in the Terms and Conditions (Section 6) and the DPA.
13. Contact us
- Email: [pending — privacy email, e.g. privacy@hemerascope.com]
- Post: Hemera Intelligence Ltd, [pending — registered address]