LegalGDPR & UK GDPR Privacy Policy

GDPR & UK GDPR Privacy Policy

Business Contacts & B2B Data Processing

Identity and Contact Details of the Data Controller

The Data Controller in respect of personal data processed in connection with this policy is:

  • Legal Name: HMCTS LLC
  • Incorporation: State of Delaware, United States of America
  • Company Number: 5137554
  • EIN: 37-2155102
  • Registered Address: 131 Continental Drive, Newark, Delaware 19713, USA
  • Phone: +1 (302) 599-1401
  • Email: info@hmctsllc.com
  • Website: www.hmctsllc.com

HMCTS LLC is not a registered company in the United Kingdom. However, by reason of its active marketing of software services to UK-based hotel operators and its processing of personal data of individuals located in the United Kingdom, HMCTS LLC is subject to the UK GDPR pursuant to Article 3(2) thereof (the 'targeting' ground). HMCTS LLC is similarly subject to the EU GDPR in respect of personal data of individuals located in European Economic Area member states, to the extent such individuals are targeted by or interact with its services.

Scope and Application of This Policy

This policy applies to the processing of personal data relating to:

  • Named individuals at prospective and existing B2B client organisations (e.g. hotel operators, property managers, hospitality groups)
  • Individual sole traders or partnerships that engage with HMCTS LLC as business customers
  • Named representatives of partner organisations, integration providers, and third-party vendors
  • Individuals who contact HMCTS LLC via its website, telephone, or email in a professional capacity
  • Named individuals in respect of whom HMCTS LLC processes data as part of its software platform operation

Note on B2B and GDPR Applicability

GDPR applies to personal data of natural persons. Where a business contact is an identifiable individual — including a named employee, director, sole trader, or professional — their data constitutes personal data and is subject to full GDPR protections regardless of the business context in which it arises. This policy reflects that legal position accurately.

This policy does not govern the processing of personal data of hotel guests or end-users of HMCTS LLC's platform by its hotel operator clients. Those operators act as independent Data Controllers in respect of their guests' data. Where HMCTS LLC processes such data on behalf of an operator as a Data Processor, that processing is governed by a separate Data Processing Agreement.

The Personal Data We Process

3.1 Data Collected Directly

We collect the following categories of personal data directly from you or your organisation:

  • Identity data: first name, last name, job title, and employer or business name
  • Contact data: business email address, telephone number, and business postal address
  • Communications data: records of correspondence, enquiries, and demo requests
  • Contractual data: data contained in or arising from service agreements, invoices, and purchase records
  • Financial data: payment method details processed via our third-party payment providers (we do not store full card details)
  • Technical data: IP address, browser type, device identifiers, and usage data collected when you access our website or platform

3.2 Data Collected Indirectly

We may obtain personal data from third-party sources including company directories, professional networking platforms, referrals from existing clients, and publicly available business registers, where we have a legitimate purpose for doing so.

3.3 Data We Do Not Collect

We do not intentionally collect, and do not require for our business purposes, any special categories of personal data as defined in Article 9 GDPR (including health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, or sexual orientation).

Purposes and Lawful Bases for Processing

We process personal data only where we have identified a valid lawful basis under Article 6 of the GDPR / UK GDPR. The table below sets out our processing activities, their purposes, and the corresponding lawful bases.

Processing ActivityPurposeLawful Basis (Art. 6)
Responding to demo requestsTo engage with prospective clients and take steps prior to entering into a contractArt. 6(1)(b) — Performance of a contract; or at the data subject's request
Delivering contracted softwareTo fulfil obligations under service agreementsArt. 6(1)(b) — Performance of a contract
Invoicing and payment processingTo manage billing and financial recordsArt. 6(1)(b) — Contract; Art. 6(1)(c) — Legal obligation (accounting)
Account management and customer supportTo maintain the client relationship and resolve issuesArt. 6(1)(b) — Contract / Art. 6(1)(f) — Legitimate interests
Marketing and service updatesTo inform existing and prospective clients of servicesArt. 6(1)(f) — Legitimate interests (with opt-out rights); or Art. 6(1)(a) — Consent
Website analytics and performanceTo improve website functionality and user experienceArt. 6(1)(f) — Legitimate interests; or Art. 6(1)(a) — Consent
Legal compliance and regulatory obligationTo comply with applicable US and UK legal requirementsArt. 6(1)(c) — Legal obligation
Fraud prevention and securityTo protect the company, its clients, and its platformArt. 6(1)(f) — Legitimate interests

Legitimate Interests Assessment

Where we rely on Article 6(1)(f) (legitimate interests), we have assessed that our interests in operating a commercial software business and maintaining client relationships are not overridden by the rights and freedoms of data subjects in a B2B context. Data subjects retain the right to object to processing based on legitimate interests at any time.

Special Categories of Data

HMCTS LLC does not process special category personal data (as defined in Article 9 GDPR) in the ordinary course of its B2B operations. In the unlikely event that special category data is inadvertently received (for example, if included in a communication by a data subject), HMCTS LLC will not retain or further process such data beyond what is strictly necessary to respond to the relevant communication, and will not use it for any other purpose.

HMCTS LLC does not process personal data relating to criminal convictions or offences within the meaning of Article 10 GDPR.

International Data Transfers

HMCTS LLC is incorporated and operates in the United States of America, which is not currently the subject of an adequacy decision by the UK Secretary of State under the UK GDPR, nor by the European Commission under the EU GDPR. Accordingly, the transfer of personal data from the UK or EEA to HMCTS LLC's US infrastructure constitutes a restricted transfer and requires an appropriate safeguard.

6.1 Mechanism for UK-to-US Transfers

For transfers of personal data from the United Kingdom to the United States, HMCTS LLC relies on the International Data Transfer Agreement (IDTA) approved by the UK Information Commissioner's Office under Section 119A of the Data Protection Act 2018, as the appropriate safeguard pursuant to Article 46 UK GDPR. Where applicable, HMCTS LLC may also rely on the UK Addendum to the EU Standard Contractual Clauses.

6.2 Mechanism for EEA-to-US Transfers

For transfers of personal data from the European Economic Area to the United States, HMCTS LLC relies on the Standard Contractual Clauses (SCCs) as approved by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021. Specifically, HMCTS LLC relies on Module One (Controller-to-Controller) SCCs as appropriate.

6.3 Supplementary Measures

In accordance with the guidance issued by the European Data Protection Board (EDPB) in Recommendations 01/2020, HMCTS LLC has assessed the legal framework of the recipient country and implemented the following supplementary technical measures:

  • Encryption of personal data in transit using TLS 1.2 or higher
  • Encryption of personal data at rest using AES-256 or equivalent
  • Role-based access controls limiting access to personal data to authorised personnel only
  • Pseudonymisation of data where technically feasible and appropriate

Copies of the relevant IDTA or SCCs are available on written request to the contact details in Section 14.

Data Retention

HMCTS LLC retains personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. The following retention schedule applies:

Data CategoryRetention PeriodBasis
Client contact and contractual dataDuration of contract + 6 yearsLimitation Act 1980 (UK); Delaware statute of limitations
Pre-contractual enquiry and demo records2 years from last contactLegitimate interests — potential dispute resolution
Financial records and invoices7 years from financial year endLegal obligation — UK and US accounting requirements
Marketing consent recordsUntil consent withdrawn + 2 yearsLegal obligation — evidencing lawful basis
Website technical/analytics data13 months rollingLegitimate interests — industry standard
Security and access logs12 monthsLegitimate interests — security and incident response

At the end of the applicable retention period, personal data will be securely deleted or irreversibly anonymised. HMCTS LLC maintains an internal Record of Processing Activities (RoPA) as required by Article 30 GDPR, which documents retention periods in further detail. A copy of the RoPA is available to supervisory authorities upon request.

Data Security

HMCTS LLC implements appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk of processing, as required by Article 32 GDPR / UK GDPR. These measures include:

  • Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
  • Role-based access control (RBAC) restricting access to personal data on a need-to-know basis
  • Regular security assessments and vulnerability testing of platform infrastructure
  • Multi-factor authentication for access to systems containing personal data
  • Incident response procedures enabling detection, reporting, and investigation of data breaches
  • Staff training on data protection obligations and information security

Personal Data Breaches

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, HMCTS LLC will notify the relevant supervisory authority (the UK ICO and/or the competent EEA supervisory authority, as applicable) within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR / UK GDPR. Where a breach is likely to result in a high risk to individuals, HMCTS LLC will also notify affected data subjects without undue delay.

Your Rights as a Data Subject

Under the UK GDPR and EU GDPR, you have the following rights in respect of your personal data. These rights apply subject to applicable exemptions and conditions set out in data protection law.

Right of Access (Art. 15)

You have the right to obtain confirmation of whether we process your personal data, and to receive a copy of that data together with supplementary information about how it is processed. We will respond within one calendar month of receiving a valid request.

Right to Rectification (Art. 16)

You have the right to require us to correct any inaccurate personal data we hold about you, and to have incomplete personal data completed.

Right to Erasure (Art. 17)

You have the right to request deletion of your personal data where: it is no longer necessary for the purpose it was collected; you withdraw consent (where consent was the lawful basis); you object to processing under Art. 21 and we have no overriding legitimate grounds; or the data has been unlawfully processed. This right is not absolute and is subject to exemptions.

Right to Restriction of Processing (Art. 18)

You have the right to request that we restrict the processing of your personal data in certain circumstances, including where accuracy is contested or processing is unlawful.

Right to Data Portability (Art. 20)

Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.

Right to Object (Art. 21)

You have the right to object at any time to processing of your personal data that is based on legitimate interests (Art. 6(1)(f)), including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. You have an absolute right to object to processing for direct marketing purposes.

Rights in Relation to Automated Decision-Making (Art. 22)

You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

Right to Withdraw Consent (Art. 7(3))

Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Exercising Your Rights

To exercise any of these rights, please submit a written request to the contact details in Section 14. We will respond within one calendar month. Where requests are complex or numerous, we may extend this period by a further two months, and will notify you accordingly. We will not charge a fee for responding to valid requests unless they are manifestly unfounded or excessive.

Data Protection Officer

HMCTS LLC has assessed its processing activities against the mandatory DPO appointment criteria under Article 37 GDPR / UK GDPR (large-scale systematic monitoring of individuals or large-scale processing of special category data). HMCTS LLC is not currently required to appoint a Data Protection Officer on a mandatory basis by reason of the nature and scale of its B2B processing activities.

Data protection and privacy matters are managed by HMCTS LLC's designated compliance contact. All data subject rights requests, privacy queries, and complaints should be directed to the contact details in Section 14. HMCTS LLC reserves the right to voluntarily appoint a DPO as the organisation scales, and will update this policy accordingly.

Third-Party Processors and Recipients

HMCTS LLC may share personal data with third parties in the following circumstances:

11.1 Data Processors

We engage third-party service providers who process personal data on our behalf as Data Processors, including providers of: cloud hosting and infrastructure; payment processing; email delivery and CRM systems; customer support tooling; and website analytics. All processors are engaged under written data processing agreements that comply with Article 28 GDPR and impose equivalent data protection obligations.

11.2 Independent Data Controllers

We may share data with third-party organisations acting as independent Data Controllers, including professional advisers (legal, accounting), regulatory authorities, and law enforcement agencies where disclosure is required by law.

11.3 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or part of HMCTS LLC's business, personal data may be transferred to a successor entity. Affected data subjects will be notified in advance where required by applicable law.

11.4 Prohibition on Sale of Data

HMCTS LLC does not sell, rent, or trade personal data to any third party for that party's independent marketing or commercial purposes. This prohibition is absolute.

Automated Decision-Making and Profiling

HMCTS LLC does not carry out automated decision-making that produces legal or similarly significant effects on data subjects, within the meaning of Article 22 GDPR / UK GDPR. HMCTS LLC may use standard analytics tools to assess website usage patterns for the purpose of improving platform performance; such analytics do not result in individual profiling that has legal or equivalent effects on any data subject.

Changes to This Policy

HMCTS LLC will review this Privacy Policy at least annually and following any material change to its processing activities, applicable law, or regulatory guidance. Material changes will be communicated to affected data subjects by email or by prominent notice on the HMCTS LLC website prior to the change taking effect. The effective date at the top of this document will be updated on each revision. Data subjects are encouraged to review this policy periodically.

How to Contact Us and Lodge a Complaint

To exercise your data subject rights, raise a privacy concern, or request a copy of our Record of Processing Activities or applicable transfer mechanism documentation, please contact HMCTS LLC by any of the following means:

Right to Complain to a Supervisory Authority

If you are located in the United Kingdom and consider that our processing of your personal data infringes the UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

If you are located in an EEA member state, you may lodge a complaint with the competent supervisory authority in your country of residence or place of work, or in the place where the alleged infringement occurred. A list of EEA supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu.

We would, however, welcome the opportunity to address any concern directly before you approach a supervisory authority and encourage you to contact us in the first instance.