Effective Date: April 10, 2025
Introduction
Welcome to Hatchly! Hatchly Ltd (“Hatchly”, “we”, “us”) is a UK-based subscription design company committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and safeguard your personal data when you use our website and services. We comply with the UK General Data Protection Regulation (UK GDPR) and relevant data protection laws applicable to users in the United Kingdom, European Union, and the United States. By using our services, you agree to the practices described in this Privacy Policy.
Personal Data We Collect
We collect various types of personal information to provide you with our design services and to operate our business. This may include:
• Identity Information: Your name and, if applicable, your company or organization name.
• Contact Information: Your email address and any other contact details you provide (such as a phone number, if you choose to share it).
• Billing Information: Payment details and billing address for subscription purchases. Note: We use a secure payment processor (e.g. Stripe) for credit card transactions, so we do not store your full card details ourselves .
• Account & Subscription Details: Information related to your account creation and subscription with Hatchly, such as username/login credentials, subscription plan, start and end dates, and preferences.
• Project Files and Content: Any files, graphics, logos, or project briefs you submit for design work. These may include images or other media you provide to us for use in your projects.
• Communications: Records of your communications with us, including emails, contact form submissions, project requests, and customer support inquiries.
• Usage Data: Technical data collected when you interact with our website, such as your IP address, browser type, device information, pages visited, and browsing actions. We collect this through cookies and similar tracking technologies as described below.
How We Collect Personal Data
We collect personal data from you in several ways:
• Directly from You: You provide personal data when you fill out forms on our site (for example, our contact form or account signup page), subscribe to a plan, request design services, or communicate with us via email or chat. This includes when you sign up for our newsletter or provide feedback.
• Through Our Services: When you use our design service platform (for instance, our client portal powered by ManyRequests), we collect data such as your project requests, files uploaded, and any information entered into the portal as part of using the service.
• Payments: If you make a purchase or subscription payment, you will provide information like your name, billing address, and payment details at checkout. This information is collected via our third-party payment processor (Stripe) and then shared with us (excluding sensitive card numbers) so we can process your order and keep records.
• Cookies & Automated Technologies: When you visit our website, we use cookies and similar tracking technologies to automatically collect Usage Data (like IP address, device info, and browsing behavior). For example, Google Analytics may collect information about how you navigate our site. (See Cookies and Tracking Technologies below for more details.)
• Third-Party Sources: We may receive certain information from third-party services that we integrate with. For example, if you make a payment, Stripe confirms to us that your payment was successful and provides details like the last four digits of your card or the transaction ID. Similarly, if you were referred to us via a partner or clicked an ad, we might receive referral data. (In such cases, we ensure any third-party source is compliant with relevant privacy laws.)
How We Use Your Personal Data
Hatchly uses your personal data for the following purposes:
• To Provide Design Services: We use the information and files you provide to create and deliver your design projects. For example, our designers will use your project brief, brand assets, and feedback to produce the design work you requested.
• To Manage Your Account and Subscription: We process your data to maintain your account, manage your subscription plan, and provide you with customer support. This includes sending you important service updates, invoices, login details, and responding to your inquiries or project requests.
• To Process Payments: Your billing information is used to charge subscription fees and payments for our services. We work with Stripe to securely handle credit card transactions and billing , and we keep records of your purchases and payment history for accounting and subscription management.
• To Communicate with You: We may send administrative emails and messages related to your projects or account (e.g. project updates, design previews, approvals needed, password resets, and notifications about changes to our service or policies). We also respond to your messages, questions, and support requests using your contact information.
• To Send Marketing Communications: If you have opted in to our newsletter or marketing emails, or if you are an existing customer (as permitted by law), we will use your name and email to send you newsletters, offers, surveys, or information about new services. (You can opt out of these communications at any time – see Marketing Communications & Opt-Out below.)
• To Improve Our Services: We analyze how clients use our website and services in order to improve functionality and user experience. Data like feedback you provide, support queries, and analytics on website usage help us troubleshoot issues, optimize our offerings, and develop new features.
• To Ensure Security and Prevent Fraud: We may use personal data (like IP addresses or account activity) to monitor for suspicious or fraudulent activity and to maintain the security of our website and client portal. This helps protect both you and us from fraud, abuse, or unauthorized access.
• To Comply with Legal Obligations: In some cases we need to process or retain your information to fulfill legal requirements. For example, we keep transaction records for accounting and tax purposes, and we may use or disclose personal data to comply with court orders, law enforcement requests, or regulatory requirements.
We will only use your personal data for the purposes above and will not further process it in a way that is incompatible with those purposes. If we need to use your data for a new purpose, we will update this Privacy Policy and, if required, seek your consent.
Lawful Bases for Processing
For individuals in the UK and EU, we must have a valid lawful basis under the GDPR to process your personal data. Depending on the context, Hatchly relies on the following legal grounds:
• Performance of a Contract: We process personal data to provide the services you have requested under our contract with you . For example, we need to use your name, contact details, and project information to deliver design work and fulfill our subscription agreement with you.
• Legitimate Interests: We may process your data as necessary for our legitimate business interests, provided that those interests are not overridden by your data protection rights. This includes things like improving and personalizing our services, communicating with existing customers about similar services, preventing fraud, and securing our platform. When relying on legitimate interests, we always consider and balance any potential impact on your rights.
• Consent: For certain activities, we rely on your consent. For instance, we will only send you promotional emails or newsletters if you have given us your consent (such as by signing up for our mailing list). We also obtain consent for non-essential cookies (see the Cookies section). Where we rely on consent, you have the right to withdraw it at any time .
• Legal Obligation: We process personal data when we need to comply with a legal obligation. For example, we may retain invoice records for tax law compliance or disclose information if required by law (such as responding to a court order or regulatory inquiry). In such cases, the law constitutes the basis for processing.
If you have questions about the specific lawful basis applicable to any particular processing of your personal data, feel free to contact us (see Contact Us below) and we will provide additional information.
Cookies and Tracking Technologies
Cookies are small text files that websites place on your device to store information. Hatchly uses cookies and similar tracking technologies to ensure our website functions properly, to analyze traffic, and to provide a better user experience. We categorize the cookies we use as follows:
• Strictly Necessary Cookies: These cookies are essential for the website to operate. They enable core functionality such as security, authentication, and network management. For example, if our client portal uses a login cookie to keep you logged in, that is a necessary cookie. You cannot disable these cookies via our banner because the site cannot function without them.
• Functional Cookies: These cookies allow the website to remember choices you make and provide enhanced, more personal features. For instance, they might remember your preferences (like language or region) or other customizations. While not strictly necessary, they help personalize your experience.
• Analytics/Performance Cookies: These cookies collect information about how visitors use our site, so we can improve it. For example, we use Google Analytics to gather data on page visits, traffic sources, and user interactions. This may include your IP address (which we anonymize if required), browser type, and usage patterns. The information collected is aggregated and not used to identify you directly. It helps us understand what content is popular or if users experience errors on certain pages, so we can enhance our services.
• Advertising/Marketing Cookies: We currently do not run third-party ads on our site, but if we ever use marketing or retargeting cookies, they would be used to track your browsing habits and serve you with relevant advertisements on other platforms. Additionally, if you receive our marketing emails, they may contain a small tracking pixel (a tiny image file) that tells us if you open the email or click a link. This functions similarly to a cookie in that it helps us gauge engagement with our communications. We will always obtain your consent before using marketing cookies or pixels.
When you first visit our website, we (or our third-party analytics providers) will ask for your consent to set any cookies that are not strictly necessary. You can choose to accept or reject analytics and marketing cookies via the cookie banner. Even after accepting, you can always manage or delete cookies through your browser settings. Please note that if you disable certain categories of cookies (like functional or analytics cookies), some features of our site may not work as intended. Our Cookie policy (if available) provides more details on the specific cookies we use.
Third-Party Service Providers
To operate our business and provide our services, we rely on several trusted third-party companies who process personal data on our behalf. We share your data with these providers only to the extent necessary for them to perform their services. Our key service providers include:
• Stripe (Payment Processing): We use Stripe to process subscription payments and credit card transactions. When you make a payment, your card details are sent directly to Stripe; we do not store your sensitive payment information. Stripe is certified to the PCI-DSS security standards for handling payment data , which helps ensure your payment information is processed securely. Stripe may collect identifying information about you and your transaction for fraud prevention and receipt issuance. (You can review Stripe’s Privacy Policy on their website for more information on how they handle your data.)
• ManyRequests (Client Portal Software): Hatchly uses the ManyRequests platform as our client portal to manage design requests and projects. When you create an account or submit a design request through our portal, the data (such as your name, email, project details, and files) is stored on ManyRequests’ servers. ManyRequests acts as a “data processor” for us – meaning they only process your data on our instructions and for our purposes. They are contractually obligated to keep your information confidential and secure .
• Dropbox (Cloud File Storage): We may use Dropbox to store and share project files and completed designs with you. This means that any files you provide to us (or that we create for you) might be uploaded to our secure Dropbox cloud storage. Dropbox will process these files to the extent necessary to store and allow authorized access to them. We protect access to folders containing client work, and Dropbox is a reputable cloud service with its own robust security and privacy measures in place.
• Adobe Creative Cloud (Design Tools): Our design team utilizes Adobe Creative Cloud applications (such as Photoshop, Illustrator, etc.) to produce your designs. In some cases, project files may be synced to Adobe’s cloud services (for example, if we use Adobe’s cloud storage for collaboration or backup). Adobe may thus handle some of your project files or data indirectly. Adobe is a company based in the US, and it maintains its own privacy program and compliance with data protection requirements when handling user content.
• Google Analytics (Website Analytics): As noted under Cookies, we use Google Analytics to collect information about how visitors use our website. Google acts as our data processor for analytics, meaning it processes usage data (e.g., IP address, device identifiers, site navigation data) on our behalf. Google may process this data on servers located outside your country (commonly in the United States). We have configured Google Analytics in compliance with privacy requirements (for instance, by accepting Google’s Data Processing Addendum and, if applicable, enabling IP anonymization for EU/UK visitors).
• Mailchimp (Email Marketing): We use Mailchimp (The Rocket Science Group LLC) to manage our email newsletter and marketing communications. If you subscribe to our mailing list, Mailchimp will store your name and email address for the purpose of sending out our newsletters or promotional emails. Mailchimp may also collect statistics on email open rates and link clicks to help us gauge the effectiveness of our campaigns. Mailchimp is a US-based provider that participates in privacy frameworks and uses standard safeguards to protect personal data.
Each of these third-party service providers only receives the information necessary for their function, and they are contractually prevented from using your data for any other purpose . We do not share or sell your personal data to third parties for their own marketing or advertising purposes. All our service providers have their own privacy policies and comply with applicable data protection laws. If you’d like more information about how these providers handle personal data, we encourage you to visit their respective privacy policy pages (for example, Stripe’s and Mailchimp’s websites contain detailed privacy notices).
International Data Transfers
Because Hatchly and some of our third-party service providers are based in different countries, your personal data may be transferred to and stored in countries outside of your own. In particular, if you are located in the UK or EU, be aware that the data you provide may be processed in the United States or other jurisdictions which do not have the same data protection laws as your home country. For example, data handled by Stripe, ManyRequests, Dropbox, Adobe, Google, or Mailchimp may be transferred to or accessed in the US for processing.
Whenever we transfer personal data out of the UK (or EU/EEA), we take steps to ensure that an equivalent level of data protection is maintained. Hatchly will take all steps reasonably necessary to ensure your data is treated securely and in accordance with this Privacy Policy, and no transfer will take place to an organization or a country unless adequate controls are in place to protect your information . These safeguards may include:
• Standard Contractual Clauses: We utilize the European Commission’s approved Standard Contractual Clauses (SCCs) and the UK’s International Data Transfer Addendum as applicable. These are legal contracts that require the recipient of the data in the third country to protect your personal data to GDPR standards.
• Privacy Frameworks: Where applicable, we may rely on recognized international data transfer frameworks or certifications. (For example, if a provider is certified under a scheme approved for data transfers, we will take that into account.)
• Adequacy Decisions: In some cases, your data may be sent to countries that have been deemed by the UK (or EU) authorities to have adequate data protection laws, which means those transfers are treated the same as domestic transfers.
• Our Contracts and Policies: All our service providers must contractually agree to protect any personal data they process for us, implement appropriate security measures, and, where relevant, commit to GDPR principles.
If you would like more details about the specific safeguards we use for international data transfers, please contact us. We will happily provide you with additional information or a copy of the relevant contractual protections, where required.
Data Security
Hatchly is committed to keeping your personal data secure. We implement appropriate technical and organizational measures to protect your information from unauthorized access, alteration, disclosure, or destruction. These security measures include:
• Secure Hosting: Our websites and databases are hosted on secure servers with modern encryption protocols. We use HTTPS (SSL/TLS) encryption for all data transmissions on our site and client portal, which means information you enter is encrypted in transit between your device and our servers.
• Access Controls: Personal data is accessible only to those Hatchly staff and contractors who need it to perform their duties (for example, our designers will have access to your project files, and our billing team will see your transaction records). All such access is protected by authentication measures, and our team is trained on confidentiality and data protection.
• Third-Party Security: We choose reputable service providers (like those listed above) who have strong security practices. For instance, Stripe is PCI-DSS compliant for payment security , Dropbox and Adobe use encryption for stored files, and Mailchimp and Google have robust security for their platforms. We also enter into Data Processing Agreements with our providers to ensure they protect your data.
• Organizational Policies: We have internal policies to govern how we handle personal data and respond to security incidents. We limit the download or local storage of personal data to what is necessary, and we use tools like password management and device encryption to protect any data we do handle outside of cloud systems.
While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. However, we continuously review and improve our security measures to adapt to new threats and to ensure a high level of security is maintained. In the unfortunate event of a data breach that poses a risk to your rights, we will follow all applicable breach notification laws – including informing you and the relevant supervisory authority (such as the ICO in the UK) as required by law.
Data Retention
We will retain your personal data only for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. How long we keep your information depends on the type of data and our relationship with you:
• Account and Subscription Data: If you have a Hatchly account or active subscription, we will keep your personal data for as long as your account is active or as needed to provide you with our services. If you decide to cancel your subscription or delete your account, we will remove or anonymize personal data associated with your account within a reasonable period after your request, except for any data we are required to retain for legal reasons (see below).
• Project Files: We retain the design project files and assets you provide or that we create for you for the duration of your subscription and for a period after your subscription ends (for example, we might keep your files for a certain number of months in case you return or need to re-download them). If you request that project files be deleted sooner, we can do so – bearing in mind that deleting files may limit our ability to provide future support or revisions on those past projects.
• Communication Records: Emails, support tickets, and chat records are typically retained as long as necessary to resolve your inquiry or provide support, and for a short period thereafter in case you have follow-up questions. Important communications that form part of our service record (e.g., instructions related to a project) may be kept alongside the project history.
• Billing and Transaction Data: We are legally required to keep records of financial transactions. Therefore, we will retain invoicing information, payments received, and related billing details for at least the minimum period required by UK tax law (which is generally 6 years). This data may include your name, contact information, and transaction history, as reflected on invoices and receipts.
• Analytics Data: Data collected via Google Analytics and other cookies is typically retained as per Google’s standard retention settings (which we may configure, e.g., 26 months or as needed). Analytics data is usually aggregated, but any personal elements (like IP addresses) are either anonymized or deleted when no longer needed for analysis.
After the applicable retention period, we will either delete your personal data or anonymize it (so it can no longer be associated with you). For example, we may remove identifying details from old records so they can be used for statistical purposes without affecting your privacy. If complete deletion is not immediately feasible (for instance, because the data is stored in secure backups), we will isolate and protect that data until deletion is possible.
Please note that in some cases we may retain certain minimal information to honor your requests. For instance, if you unsubscribe from marketing emails, we will retain your email on a suppression list to ensure we do not accidentally send you further emails. Similarly, if you request deletion of your data, we will keep a record that a deletion took place (e.g., to maintain auditability and comply with legal obligations).
Your Rights
You have rights regarding your personal data, and Hatchly is committed to honoring them. Below is a summary of your key data protection rights:
• Right to Access: You have the right to request a copy of the personal data we hold about you . We will provide you with a summary of that information, along with an explanation of why we have it and how we use it, within the timeframe required by law (typically within one month).
• Right to Rectification: If any of your personal data is inaccurate or incomplete, you have the right to ask us to correct it. You can also update certain information yourself by logging into your Hatchly account (for example, you can change your contact details). We encourage you to keep your information up to date, and we will promptly make corrections upon verification .
• Right to Erasure: Also known as the “right to be forgotten,” this allows you to request deletion of your personal data in certain circumstances. For instance, if you no longer want to use our services, you can request that we delete information we hold about you. We will honor this right provided there is no overriding lawful reason for us to keep the data (for example, we may need to retain certain records to comply with legal obligations) .
• Right to Restrict Processing: You have the right to ask us to suspend or limit the processing of your personal data in specific situations. For example, if you contest the accuracy of your data, you can request we restrict processing until the accuracy is verified. Or if you object to processing based on our legitimate interests, you can request restriction while we consider your objection. During a restriction, we can store the data but not use it (unless necessary for legal claims, etc.).
• Right to Object: You have the right to object to our processing of your personal data when that processing is based on legitimate interests or involves direct marketing . If you object to direct marketing, we will stop using your data for that purpose immediately. If you object to processing based on other legitimate interests, we will evaluate your request and will stop or adjust processing unless we have a compelling legitimate ground that overrides your rights (or if it’s needed for legal claims).
• Right to Data Portability: For data that you have provided to us and that we process by automated means under the lawful basis of contract or consent, you have the right to obtain a copy in a structured, commonly used, machine-readable format and/or to have that data transmitted to another service provider where technically feasible . In plain terms, this gives you the ability to take your data from us and reuse it elsewhere. (For example, you could ask us for a copy of the content you submitted and details of your projects if you wanted to import them into another service.)
• Right to Withdraw Consent: If we are processing any of your personal data based on your consent, you have the right to withdraw that consent at any time . For instance, you can unsubscribe from our marketing emails or disable non-essential cookies. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, and it won’t affect processing under other lawful bases.
• Right to Lodge a Complaint: If you have concerns about our handling of your personal data, you have the right to complain to a data protection supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO). In the EU, you can contact the supervisory authority in the country where you live or work, or where you believe a breach may have occurred. We would, however, appreciate the chance to address your concerns before you approach a regulator, so we invite you to contact us first to resolve the issue.
These rights are subject to certain legal limits and exceptions. To exercise any of your rights, you can contact us using the information provided in the Contact Us section. We will need to verify your identity before fulfilling certain requests (for example, access or deletion requests) to ensure we don’t disclose data to the wrong person. We will respond to your request as soon as possible, and in any case within the timeframe required by law. Exercising your rights is free of charge in most cases. However, if a request is manifestly unfounded or excessive (for example, repetitive), we may charge a reasonable fee or refuse to act on it, as permitted by law – but we will inform you of our decision and your options in such a scenario.
Hatchly extends the above rights and principles to all our users to the extent feasible. Even if you are based outside the UK/EU (for example, in the US), we will strive to give you similar control over your personal data. Notably, Hatchly does not sell personal information to third parties, and we respect opt-out requests for marketing from all users. If you are a California resident or otherwise entitled to additional rights under local laws, please know that this Privacy Policy is designed to meet those requirements as well, and you can contact us with any specific concerns.
Marketing Communications & Opt-Out
With your permission, we may send you marketing communications from time to time, such as newsletters, special offers, product updates, or event announcements. We will generally communicate with you via email for marketing purposes. You will receive such communications in the following scenarios:
• You explicitly subscribed to our newsletter or mailing list (for example, by entering your email and consenting to receive updates).
• You are an existing customer who has purchased a subscription or service from us, and we want to inform you about similar services or offers. (In such cases, we rely on our legitimate interest to keep you informed, but we will always provide a clear opt-out option and will not overwhelm your inbox.)
If you prefer not to receive marketing emails from Hatchly, you have the right to opt out at any time. You can do so by clicking the “unsubscribe” link included in every promotional email we send. Alternatively, you may contact us directly (by email or through your account settings, if available) and request to be removed from our marketing list. Once you opt out, we will promptly stop sending you marketing communications. Please note that even if you opt out of marketing messages, we may still send you transactional or service-related communications as needed. For example, we will still email you about important account issues, project updates, billing notices, or policy changes – these are not marketing communications but rather essential for us to provide our services to you.
We do not share your personal data with third parties for their own marketing purposes without your express consent. Hatchly also does not engage in “selling” personal information as defined under laws like the California Consumer Privacy Act (CCPA). If we ever consider a new marketing initiative that involves additional data sharing, we will update this Privacy Policy and seek your consent if required. Your privacy is important to us, and we strive to ensure that our marketing practices are transparent and permission-based.
Changes to This Privacy Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. If we make any significant changes, we will notify you by appropriate means. For example, we may post a prominent notice on our website or send you an email notification explaining the updates. We will also update the “Effective Date” at the top of this policy to indicate when the latest changes took effect .
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information . Any changes to this Privacy Policy will become effective when posted on this page with the revised effective date. If the changes are material and you have an active Hatchly account or subscription, we may provide an additional notice to you (e.g., via email or a dashboard notification) prior to the changes becoming effective, so you have the opportunity to understand the new terms. By continuing to use our services after those changes become effective, you are deemed to have accepted the updated policy.
Contact Us
Hatchly Ltd is the data controller responsible for your personal data under this Privacy Policy. If you have any questions, concerns, or requests regarding your personal data or this policy, please do not hesitate to contact us:
• Email: info@hatchly.co.uk
• Postal Address: Hatchly Ltd, 14th Floor, Silverstream House, 45 Fitzroy Street, Fitzrovia, London, W1T 6EB
We are here to help and will respond as promptly as possible to address your inquiry. Whether you want to exercise your rights, report a problem, or just seek clarification about our privacy practices, please reach out. Your trust is important to us, and we welcome your feedback on any privacy matter.
Thank you for choosing Hatchly. We value your privacy and look forward to working with you in a secure and transparent manner.
