Privacy Policy
Last updated: February 2026 | Version 2.0
1. Introduction
Hopin Property Compliance ("Hopin", "we", "our", or "us") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, store, share, and protect your personal data in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003.
This Policy applies to all users of our mobile application, website, and related services (collectively, "Services").
By using our Services, you acknowledge that you have read and understood this Privacy Policy. We rely on various legal bases for processing, as detailed in Section 5.
2. Data Controller
2.1 Controller Details
Hopin App Ltd is the data controller responsible for your personal data.
Contact Details:
- Registered Company: Hopin App Ltd
- Company Number: 16502645
- Registered Address: 24 Wardour Street, London, W1D 6QJ, United Kingdom
- All Enquiries: support@hopin.app
2.2 Data Processor Role
When you use our Services to manage compliance data relating to your properties, tenants, or employees, you are the data controller for that data, and Hopin acts as a data processor on your behalf. Processing in this capacity is governed by our Data Processing Agreement (DPA), available upon request.
3. Data We Collect
3.1 Account Information (Controller)
Data you provide when creating and managing your account:
| Data Type | Examples | Mandatory |
|---|---|---|
| Identity Data | Full name, job title, professional role | Yes |
| Contact Data | Email address, telephone number | Yes |
| Organisation Data | Company name, company registration number, business type | Yes |
| Authentication Data | Password (stored hashed), multi-factor authentication details | Yes |
| Preference Data | Notification settings, language preferences | No |
3.2 Property and Compliance Data (Processor)
Data you upload about your properties and compliance status:
| Data Type | Examples | Notes |
|---|---|---|
| Property Data | Addresses, postcodes, building characteristics | You are the controller |
| Compliance Records | EICR, PAT, Fire Safety, HACCP certificates and dates | You are the controller |
| Risk Assessment Data | Survey responses, inspection notes, photographs | You are the controller |
| Third-Party Data | Contractor details, inspector information | You warrant you have lawful basis |
Important: If you upload personal data of third parties (employees, tenants, contractors), you are responsible for ensuring you have a lawful basis to share that data with us.
3.3 Usage and Technical Data (Controller)
Data collected automatically through your use of the Services:
- Device Data: Device type, operating system, unique device identifiers
- Log Data: IP address, access times, pages viewed, app features used
- Location Data: Approximate location derived from IP address (not precise GPS)
- Performance Data: Crash reports, error logs, performance metrics
3.4 Payment Information (Controller)
Payment data processed via our payment provider:
- Billing Address: Stored by Hopin (required for invoicing)
- Payment Method: Processed by Stripe (Hopin does not store full card numbers)
- Transaction History: Stored by Hopin (retained for 7 years per tax requirements)
Stripe's privacy policy applies to payment processing: https://stripe.com/privacy
4. How We Use Your Data
4.1 Service Delivery
We use your data to:
- Create and manage your account
- Provide property compliance and risk assessment services
- Generate compliance reports and risk scores
- Send compliance deadline reminders and alerts
- Process your subscription and payments
- Provide customer support
Legal Basis: Contract performance (Article 6(1)(b) UK GDPR)
4.2 Service Improvement
We use your data to:
- Analyse usage patterns to improve features
- Identify and fix bugs and performance issues
- Develop new features based on user behaviour
- Create anonymised, aggregated benchmarking data
Legal Basis: Legitimate interests (Article 6(1)(f) UK GDPR)
4.3 Marketing (With Consent Only)
With your explicit consent, we may:
- Send newsletters and product updates
- Share information about new features or offers
- Conduct satisfaction surveys
Legal Basis: Consent (Article 6(1)(a) UK GDPR). You may withdraw consent at any time.
4.4 Risk Scoring and Analytics
Our Services generate risk scores and compliance assessments using algorithmic processing of your property data.
Important Disclosure (Article 22 UK GDPR):
- Logic: Risk scores are calculated using factors including compliance certificate status, expiry dates, property characteristics, historical data, and industry benchmarks.
- Significance: Scores may influence your insurance optimisation recommendations and compliance prioritisation.
- Consequences: Lower scores indicate higher assessed risk but do not determine actual compliance status or insurance outcomes.
- Safeguards: You may request human review of any automated assessment by contacting support@hopin.app.
5. Legal Basis for Processing
| Processing Activity | Legal Basis |
|---|---|
| Account management | Contract performance |
| Payment processing | Contract performance |
| Compliance tracking | Contract performance |
| Service communications | Legitimate interests |
| Usage analytics | Legitimate interests |
| Security monitoring | Legitimate interests |
| Marketing | Consent |
| Legal compliance | Legal obligation |
Legitimate Interests Assessments: We have documented LIAs for all processing based on legitimate interests. These are available upon request.
6. Data Sharing
6.1 Sub-Processors
We share your data with the following service providers:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and authentication | UK/EU data centres |
| Stripe | Payment processing | US (with UK data centre option) |
| Apple | App Store distribution, push notifications | US |
6.2 No Sale of Data
We do NOT sell, rent, or trade your personal data to third parties for marketing purposes.
6.3 Aggregated Data
We may share anonymised, aggregated data (which cannot identify you) with industry bodies for benchmarking, research organisations for compliance trend analysis, and insurance partners for anonymised risk modelling.
7. Data Security
7.1 Technical Measures
We implement industry-standard security measures:
- Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
- Authentication: Secure password hashing (bcrypt), optional MFA, biometric options
- Access Control: Role-based access, principle of least privilege
- Monitoring: 24/7 security monitoring, intrusion detection, audit logging
- Testing: Annual penetration testing, regular vulnerability assessments
- Standards: Security practices aligned with ISO 27001
7.2 Data Breach Response
In the event of a personal data breach:
- Assessment: We will assess the breach within 24 hours of discovery
- ICO Notification: If required, we will notify the ICO within 72 hours
- User Notification: If the breach poses a high risk to your rights, we will notify you without undue delay
- Remediation: We will take immediate steps to contain and remediate the breach
8. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 7 years |
| Property/compliance data | Duration of account + 30 days (then deleted) |
| Transaction records | 7 years from transaction |
| Usage/analytics data | 2 years (then anonymised) |
| Support correspondence | 3 years from resolution |
Upon account termination, you may export your data within 30 days. Property and compliance data is deleted within 90 days. Backups are purged within 180 days.
9. Your Rights (UK GDPR)
You have the following rights regarding your personal data:
| Right | Description | How to Exercise |
|---|---|---|
| Access | Request a copy of your personal data | Settings > Privacy > Export Data |
| Rectification | Correct inaccurate or incomplete data | Edit in-app, or contact support |
| Erasure | Request deletion of your data | Settings > Privacy > Delete Account |
| Portability | Receive your data in machine-readable format | Settings > Privacy > Export Data (JSON/CSV) |
| Objection | Object to processing based on legitimate interests | Email support@hopin.app |
| Withdraw Consent | Withdraw marketing or analytics consent | Settings > Privacy > Preferences |
Response Timeframes
- We will acknowledge your request within 5 business days
- We will respond substantively within 30 days
- Complex requests may take up to 90 days with notice
Complaints
If you are unsatisfied with our response, you may complain to:
Information Commissioner's Office (ICO)
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
10. Cookies and Tracking
Mobile App
- Authentication tokens: Required for login and session management (essential)
- Local storage: Storing preferences and cached data (essential)
- Analytics SDK: Usage patterns and crash reporting (requires consent)
- Push notification tokens: Sending alerts and reminders (requires consent)
Website
- Strictly Necessary: Authentication, security, core functionality (no consent required)
- Functional: Remembering preferences (no consent required)
- Analytics: Understanding usage patterns (requires consent)
Manage preferences: App > Settings > Privacy > Analytics & Tracking
11. International Data Transfers
Your data is primarily stored within the United Kingdom at data centres operated by our sub-processors.
Where transfers outside the UK/EEA are necessary (e.g., Stripe payment processing, Apple services), we ensure appropriate safeguards including Standard Contractual Clauses (SCCs), UK International Data Transfer Agreement (IDTA), and EU-US Data Privacy Framework.
You may request information about the specific safeguards in place for any international transfer.
12. Children's Privacy
Our Services are intended for business users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us immediately at support@hopin.app.
13. Changes to This Policy
We may update this Privacy Policy periodically. For material changes, we will:
- Provide at least 30 days' advance notice via email
- Display an in-app notification
- Update the "Last updated" date
Continued use of the Services after changes take effect constitutes acceptance of the updated Policy. If you disagree with material changes, you may terminate your account.
14. Contact Us
For all enquiries including privacy, data protection, and general support:
Hopin App Ltd
- Email: support@hopin.app
- Address: 24 Wardour Street, London, W1D 6QJ, United Kingdom
- Company Number: 16502645
- In-App: Settings > Support