Data protection policy
About this policy
As Hackworth Ltd (hereafter referred to as the Company) is a private limited company governed by the laws of the United Kingdom, the Company and its members are bound by the terms of the UK's Data Protection Act 2018, or as it is informally known, the UK General Data Protection Regulation (UK GDPR). (This policy will hereafter refer to it as the UK GDPR.)
However, our own data protection policy goes well beyond those statutory requirements. The purpose of this policy is to explain how we protect the data of our customers, members, and anyone else who shares their personal data with us.
Note that this policy is currently written only with the needs of our public web site and advertising & marketing campaigns in mind. Specifically, it does not address the policy needs of our products. The policy will be modified to accommodate our applications when we get closer to product launch.
This policy contains many technical terms relevant to data protection (e.g., personal data). Some of these terms even have legal definitions. We will not define these terms in this policy, as they are defined elsewhere and we do not wish to repeat these definitions here. However, this policy's glossary provides links to third party resources where accurate and up-to-date definitions can be found.
Data Protection Officer
The Company will, at all times, have an appointed Data Protection Officer (DPO). The DPO is responsible for maintaining, interpreting, and executing this policy across the entire Company. The decisions of the DPO as they relate to this policy are final, and can only be overridden by the Director.
The current DPO is Drew Hess. He can be reached in this capacity by email at dpo@hackworthltd.com.
At this time, the Company has not registered a public DPO with the UK ICO, nor with the European Union (EU). We are not currently required to disclose the personal contact details of the DPO. However, this is expected to change in the future, at which time this policy will be updated with those contact details and the rules for when and how they must be disclosed.
Note that the same clause that exempts us from publicly disclosing our DPO's contact details also exempts us from documenting our processing activities. However, in the interest of establishing best practices as part of our culture, we have chosen not to take this exemption, and will rigorously document all of our processing activities from the outset.
Personal data is a liability
As the complexity, details, management overhead, and legal requirements of the UK GDPR and this data protection policy should make clear, the Company views personal data as a liability, not as an asset. We only ever intentionally collect and retain personal data in the following circumstances:
- when we believe that the business value of collecting that data outweighs the liability (e.g., for marketing);
- when the data is essential to offering a product (e.g., customer account data);
- for security purposes (e.g., IP addresses in server logs);
- when the data is essential to running the business (e.g., for payroll or customer payments); or
- when we are legally required to do so (e.g., to verify lawful employment).
By default, we prefer not to collect personal data, and instead rely on third parties to collect and aggregate or otherwise anonymize data before presenting it to us in actionable form. If you believe the Company is unintentionally collecting personal data, or that data the Company believes to be anonymous could potentially be used to personally identify someone, either directly or indirectly, inform the DPO immediately.
The EU GDPR and UK GDPR
For the foreseeable future, in an attempt to reduce the management overhead of conforming to multiple data protection regulations — not to mention because the Company believes in consumers' fundamental right to privacy — we will conform all of our data protection policies to the most strict jurisdiction in which we operate, no matter where a person (technically called a data subject) resides. This means we will operate under the constraints of the UK GDPR, which, for our intents and purposes, is currently materially the same as the EU GDPR.
UK ICO's guidance
The UK ICO's guidance on data protection in the UK can be found here. Any information and/or statements in this policy that contradict that guide, or the text of the actual UK GDPR, should be brought to the attention of the DPO. It is our intention that the UK ICO guidance should be followed at all times.