Identity and Contact Details of the Data Controller
The Data Controller in respect of personal data processed in connection with this policy is:
- Legal Name: HMCTS LLC
- Incorporation: State of Delaware, United States of America
- Company Number: 5137554
- EIN: 37-2155102
- Registered Address: 131 Continental Drive, Newark, Delaware 19713, USA
- Phone: +1 (302) 599-1401
- Email: info@hmctsllc.com
- Website: www.hmctsllc.com
HMCTS LLC is not a registered company in the United Kingdom. However, by reason of its active marketing of software services to UK-based hotel operators and its processing of personal data of individuals located in the United Kingdom, HMCTS LLC is subject to the UK GDPR pursuant to Article 3(2) thereof (the 'targeting' ground). HMCTS LLC is similarly subject to the EU GDPR in respect of personal data of individuals located in European Economic Area member states, to the extent such individuals are targeted by or interact with its services.
Scope and Application of This Policy
This policy applies to the processing of personal data relating to:
- Named individuals at prospective and existing B2B client organisations (e.g. hotel operators, property managers, hospitality groups)
- Individual sole traders or partnerships that engage with HMCTS LLC as business customers
- Named representatives of partner organisations, integration providers, and third-party vendors
- Individuals who contact HMCTS LLC via its website, telephone, or email in a professional capacity
- Named individuals in respect of whom HMCTS LLC processes data as part of its software platform operation
Note on B2B and GDPR Applicability
GDPR applies to personal data of natural persons. Where a business contact is an identifiable individual — including a named employee, director, sole trader, or professional — their data constitutes personal data and is subject to full GDPR protections regardless of the business context in which it arises. This policy reflects that legal position accurately.
This policy does not govern the processing of personal data of hotel guests or end-users of HMCTS LLC's platform by its hotel operator clients. Those operators act as independent Data Controllers in respect of their guests' data. Where HMCTS LLC processes such data on behalf of an operator as a Data Processor, that processing is governed by a separate Data Processing Agreement.
The Personal Data We Process
3.1 Data Collected Directly
We collect the following categories of personal data directly from you or your organisation:
- Identity data: first name, last name, job title, and employer or business name
- Contact data: business email address, telephone number, and business postal address
- Communications data: records of correspondence, enquiries, and demo requests
- Contractual data: data contained in or arising from service agreements, invoices, and purchase records
- Financial data: payment method details processed via our third-party payment providers (we do not store full card details)
- Technical data: IP address, browser type, device identifiers, and usage data collected when you access our website or platform
3.2 Data Collected Indirectly
We may obtain personal data from third-party sources including company directories, professional networking platforms, referrals from existing clients, and publicly available business registers, where we have a legitimate purpose for doing so.
3.3 Data We Do Not Collect
We do not intentionally collect, and do not require for our business purposes, any special categories of personal data as defined in Article 9 GDPR (including health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, or sexual orientation).
Purposes and Lawful Bases for Processing
We process personal data only where we have identified a valid lawful basis under Article 6 of the GDPR / UK GDPR. The table below sets out our processing activities, their purposes, and the corresponding lawful bases.
| Processing Activity | Purpose | Lawful Basis (Art. 6) |
|---|---|---|
| Responding to demo requests | To engage with prospective clients and take steps prior to entering into a contract | Art. 6(1)(b) — Performance of a contract; or at the data subject's request |
| Delivering contracted software | To fulfil obligations under service agreements | Art. 6(1)(b) — Performance of a contract |
| Invoicing and payment processing | To manage billing and financial records | Art. 6(1)(b) — Contract; Art. 6(1)(c) — Legal obligation (accounting) |
| Account management and customer support | To maintain the client relationship and resolve issues | Art. 6(1)(b) — Contract / Art. 6(1)(f) — Legitimate interests |
| Marketing and service updates | To inform existing and prospective clients of services | Art. 6(1)(f) — Legitimate interests (with opt-out rights); or Art. 6(1)(a) — Consent |
| Website analytics and performance | To improve website functionality and user experience | Art. 6(1)(f) — Legitimate interests; or Art. 6(1)(a) — Consent |
| Legal compliance and regulatory obligation | To comply with applicable US and UK legal requirements | Art. 6(1)(c) — Legal obligation |
| Fraud prevention and security | To protect the company, its clients, and its platform | Art. 6(1)(f) — Legitimate interests |
Legitimate Interests Assessment
Where we rely on Article 6(1)(f) (legitimate interests), we have assessed that our interests in operating a commercial software business and maintaining client relationships are not overridden by the rights and freedoms of data subjects in a B2B context. Data subjects retain the right to object to processing based on legitimate interests at any time.
Special Categories of Data
HMCTS LLC does not process special category personal data (as defined in Article 9 GDPR) in the ordinary course of its B2B operations. In the unlikely event that special category data is inadvertently received (for example, if included in a communication by a data subject), HMCTS LLC will not retain or further process such data beyond what is strictly necessary to respond to the relevant communication, and will not use it for any other purpose.
HMCTS LLC does not process personal data relating to criminal convictions or offences within the meaning of Article 10 GDPR.
International Data Transfers
HMCTS LLC is incorporated and operates in the United States of America, which is not currently the subject of an adequacy decision by the UK Secretary of State under the UK GDPR, nor by the European Commission under the EU GDPR. Accordingly, the transfer of personal data from the UK or EEA to HMCTS LLC's US infrastructure constitutes a restricted transfer and requires an appropriate safeguard.
6.1 Mechanism for UK-to-US Transfers
For transfers of personal data from the United Kingdom to the United States, HMCTS LLC relies on the International Data Transfer Agreement (IDTA) approved by the UK Information Commissioner's Office under Section 119A of the Data Protection Act 2018, as the appropriate safeguard pursuant to Article 46 UK GDPR. Where applicable, HMCTS LLC may also rely on the UK Addendum to the EU Standard Contractual Clauses.
6.2 Mechanism for EEA-to-US Transfers
For transfers of personal data from the European Economic Area to the United States, HMCTS LLC relies on the Standard Contractual Clauses (SCCs) as approved by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021. Specifically, HMCTS LLC relies on Module One (Controller-to-Controller) SCCs as appropriate.
6.3 Supplementary Measures
In accordance with the guidance issued by the European Data Protection Board (EDPB) in Recommendations 01/2020, HMCTS LLC has assessed the legal framework of the recipient country and implemented the following supplementary technical measures:
- Encryption of personal data in transit using TLS 1.2 or higher
- Encryption of personal data at rest using AES-256 or equivalent
- Role-based access controls limiting access to personal data to authorised personnel only
- Pseudonymisation of data where technically feasible and appropriate
Copies of the relevant IDTA or SCCs are available on written request to the contact details in Section 14.
Data Retention
HMCTS LLC retains personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. The following retention schedule applies:
| Data Category | Retention Period | Basis |
|---|---|---|
| Client contact and contractual data | Duration of contract + 6 years | Limitation Act 1980 (UK); Delaware statute of limitations |
| Pre-contractual enquiry and demo records | 2 years from last contact | Legitimate interests — potential dispute resolution |
| Financial records and invoices | 7 years from financial year end | Legal obligation — UK and US accounting requirements |
| Marketing consent records | Until consent withdrawn + 2 years | Legal obligation — evidencing lawful basis |
| Website technical/analytics data | 13 months rolling | Legitimate interests — industry standard |
| Security and access logs | 12 months | Legitimate interests — security and incident response |
At the end of the applicable retention period, personal data will be securely deleted or irreversibly anonymised. HMCTS LLC maintains an internal Record of Processing Activities (RoPA) as required by Article 30 GDPR, which documents retention periods in further detail. A copy of the RoPA is available to supervisory authorities upon request.
Data Security
HMCTS LLC implements appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk of processing, as required by Article 32 GDPR / UK GDPR. These measures include:
- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
- Role-based access control (RBAC) restricting access to personal data on a need-to-know basis
- Regular security assessments and vulnerability testing of platform infrastructure
- Multi-factor authentication for access to systems containing personal data
- Incident response procedures enabling detection, reporting, and investigation of data breaches
- Staff training on data protection obligations and information security
Personal Data Breaches
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, HMCTS LLC will notify the relevant supervisory authority (the UK ICO and/or the competent EEA supervisory authority, as applicable) within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR / UK GDPR. Where a breach is likely to result in a high risk to individuals, HMCTS LLC will also notify affected data subjects without undue delay.
Your Rights as a Data Subject
Under the UK GDPR and EU GDPR, you have the following rights in respect of your personal data. These rights apply subject to applicable exemptions and conditions set out in data protection law.
Right of Access (Art. 15)
You have the right to obtain confirmation of whether we process your personal data, and to receive a copy of that data together with supplementary information about how it is processed. We will respond within one calendar month of receiving a valid request.
Right to Rectification (Art. 16)
You have the right to require us to correct any inaccurate personal data we hold about you, and to have incomplete personal data completed.
Right to Erasure (Art. 17)
You have the right to request deletion of your personal data where: it is no longer necessary for the purpose it was collected; you withdraw consent (where consent was the lawful basis); you object to processing under Art. 21 and we have no overriding legitimate grounds; or the data has been unlawfully processed. This right is not absolute and is subject to exemptions.
Right to Restriction of Processing (Art. 18)
You have the right to request that we restrict the processing of your personal data in certain circumstances, including where accuracy is contested or processing is unlawful.
Right to Data Portability (Art. 20)
Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
Right to Object (Art. 21)
You have the right to object at any time to processing of your personal data that is based on legitimate interests (Art. 6(1)(f)), including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. You have an absolute right to object to processing for direct marketing purposes.
Rights in Relation to Automated Decision-Making (Art. 22)
You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
Right to Withdraw Consent (Art. 7(3))
Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Exercising Your Rights
To exercise any of these rights, please submit a written request to the contact details in Section 14. We will respond within one calendar month. Where requests are complex or numerous, we may extend this period by a further two months, and will notify you accordingly. We will not charge a fee for responding to valid requests unless they are manifestly unfounded or excessive.
Data Protection Officer
HMCTS LLC has assessed its processing activities against the mandatory DPO appointment criteria under Article 37 GDPR / UK GDPR (large-scale systematic monitoring of individuals or large-scale processing of special category data). HMCTS LLC is not currently required to appoint a Data Protection Officer on a mandatory basis by reason of the nature and scale of its B2B processing activities.
Data protection and privacy matters are managed by HMCTS LLC's designated compliance contact. All data subject rights requests, privacy queries, and complaints should be directed to the contact details in Section 14. HMCTS LLC reserves the right to voluntarily appoint a DPO as the organisation scales, and will update this policy accordingly.
Third-Party Processors and Recipients
HMCTS LLC may share personal data with third parties in the following circumstances:
11.1 Data Processors
We engage third-party service providers who process personal data on our behalf as Data Processors, including providers of: cloud hosting and infrastructure; payment processing; email delivery and CRM systems; customer support tooling; and website analytics. All processors are engaged under written data processing agreements that comply with Article 28 GDPR and impose equivalent data protection obligations.
11.2 Independent Data Controllers
We may share data with third-party organisations acting as independent Data Controllers, including professional advisers (legal, accounting), regulatory authorities, and law enforcement agencies where disclosure is required by law.
11.3 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of all or part of HMCTS LLC's business, personal data may be transferred to a successor entity. Affected data subjects will be notified in advance where required by applicable law.
11.4 Prohibition on Sale of Data
HMCTS LLC does not sell, rent, or trade personal data to any third party for that party's independent marketing or commercial purposes. This prohibition is absolute.
Automated Decision-Making and Profiling
HMCTS LLC does not carry out automated decision-making that produces legal or similarly significant effects on data subjects, within the meaning of Article 22 GDPR / UK GDPR. HMCTS LLC may use standard analytics tools to assess website usage patterns for the purpose of improving platform performance; such analytics do not result in individual profiling that has legal or equivalent effects on any data subject.
Changes to This Policy
HMCTS LLC will review this Privacy Policy at least annually and following any material change to its processing activities, applicable law, or regulatory guidance. Material changes will be communicated to affected data subjects by email or by prominent notice on the HMCTS LLC website prior to the change taking effect. The effective date at the top of this document will be updated on each revision. Data subjects are encouraged to review this policy periodically.
How to Contact Us and Lodge a Complaint
To exercise your data subject rights, raise a privacy concern, or request a copy of our Record of Processing Activities or applicable transfer mechanism documentation, please contact HMCTS LLC by any of the following means:
- Email (preferred): info@hmctsllc.com
- Telephone: +1 (302) 599-1401
- Postal Address: 131 Continental Drive, Newark, Delaware 19713, USA
Right to Complain to a Supervisory Authority
If you are located in the United Kingdom and consider that our processing of your personal data infringes the UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
If you are located in an EEA member state, you may lodge a complaint with the competent supervisory authority in your country of residence or place of work, or in the place where the alleged infringement occurred. A list of EEA supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu.
We would, however, welcome the opportunity to address any concern directly before you approach a supervisory authority and encourage you to contact us in the first instance.
