
Privacy Policy

Last updated: 5 April 2026 · Version 1.0

This Privacy Policy explains how Visual Hive Ltd ("we", "us", "our") collects, uses and protects personal data when you use EventHive at eventhive.io. We are committed to handling your data lawfully, fairly and transparently in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Visual Hive Ltd
Company number: 11878215
Registered office: 29 Pomeroy Street, 14 Harriet Court, London, Greater London, England, SE14 5BW
Email: hello@visualhive.co

Visual Hive Ltd is the data controller for personal data processed through EventHive. We are registered with the Information Commissioner's Office (ICO) as a data controller. ICO registration number: [ICO REGISTRATION NUMBER — add before go-live].

2. Data Protection Officer

Our Data Protection Officer (DPO) is Richard Osborne, CTO of Visual Hive Ltd.

You can contact our DPO at any time:
Email: richard@visualhive.co
Post: Data Protection Officer, Visual Hive Ltd, 29 Pomeroy Street, 14 Harriet Court, London, SE14 5BW

3. What Data We Collect and Why

We only collect personal data that is necessary for the purpose stated. The tables below set out each category of data, why we collect it, and the legal basis under UK GDPR Article 6.

3.1 Account and Profile Data

Collected when you register or update your profile.

| Data | Purpose | Legal Basis |
|---|---|---|
| Full name | To identify you and personalise the service | Contract (Art. 6(1)(b)) |
| Email address | Account login, transactional emails (welcome, password reset) | Contract (Art. 6(1)(b)) |
| Password (hashed with bcrypt) | Secure account authentication. Your plain-text password is never stored. | Contract (Art. 6(1)(b)) |
| Job title, company name, company size | Personalise tool recommendations and onboarding experience | Contract (Art. 6(1)(b)) |
| Onboarding questionnaire responses | Tailor your EventHive experience to your role and event type | Contract (Art. 6(1)(b)) |

3.2 Usage and Security Data

| Data | Purpose | Legal Basis |
|---|---|---|
| Session token (httpOnly cookie) | Maintain your login session securely. Session cookies are never accessible to JavaScript. | Legitimate interest — security (Art. 6(1)(f)) |
| Last login timestamp | Account security monitoring and detecting inactive accounts | Legitimate interest — security (Art. 6(1)(f)) |
| Password reset tokens (hashed) | Allow you to reset your password securely. Tokens expire after use. | Legitimate interest — security (Art. 6(1)(f)) |

3.3 Tool Data (EventHive-Hosted Mode)

When you use EventHive tools in hosted mode (where your data is stored on our servers rather than locally in your browser), the event management data you enter — such as task lists, budget records, run sheets, speaker details, exhibitor records, and similar operational data — is stored in our database linked to your account.

Legal basis: Contract (Art. 6(1)(b)) — storage and retrieval of your tool data is a core function of the hosted service you have requested.

Please note: This data may include details about third parties (e.g. your event speakers, exhibitors or sponsors). You are responsible for ensuring you have the right to store and process that data on their behalf. See Section 11 (Your Responsibilities) for more information.

3.4 AI and Inbox Intelligence Features

EventHive includes AI-powered features. Some are provided as part of the platform; others are optional and require your explicit action to enable.

| Feature | Data processed | AI Provider | Legal Basis |
|---|---|---|---|
| Inbox triage & smart briefings (Hive Inbox) | Email/message subject lines, summaries and metadata from your connected channels | Groq Inc (Llama 3.3 model) | Contract (Art. 6(1)(b)) — this is a core feature of the Inbox service |
| AI draft generation (Hive Inbox) | Email/message context and your writing style profile (derived from connected accounts) | Groq Inc (Llama 3.3 model) | Contract (Art. 6(1)(b)) |
| Erleah AI Assistant (optional) | Your queries and relevant platform context | Anthropic PBC (Claude models) — only when you provide your own Anthropic API key | Consent (Art. 6(1)(a)) — you must explicitly opt in and provide your own key |

When AI features process your data, we act as a data controller and the AI provider acts as a data processor under a Data Processing Agreement (DPA). See Section 7 (Sub-Processors) for details.

No AI model is trained on your data. Groq and Anthropic's APIs process your data in real time and do not use it for model training by default under their enterprise/API terms.

3.5 Email and Calendar Integrations (Optional)

If you choose to connect your email or messaging accounts (Gmail, Microsoft Outlook, Microsoft Teams, Slack), we will process:

  • OAuth access and refresh tokens (encrypted at rest using AES-256-GCM)
  • Your provider email address and provider user ID
  • Message metadata and content (subject, sender, snippet, body) for triage purposes
  • A writing style profile derived from your sent emails (used to generate draft replies in your tone)

Legal basis: Contract (Art. 6(1)(b)) — these integrations are features you explicitly request. You can disconnect any integration at any time from your Connections page, which will immediately revoke and delete stored tokens.

Connecting a channel also triggers the relevant OAuth provider's own terms and privacy policies (Google, Microsoft, Slack). We only request the minimum OAuth scopes necessary to provide the service.

3.6 Analytics (PostHog)

We use PostHog for product analytics to understand how the platform is used and improve it. PostHog is configured in privacy-respecting mode:

  • No cross-site tracking
  • IP addresses are not stored
  • Analytics are hosted on EU infrastructure (PostHog EU Cloud or a self-hosted instance on our Hetzner server in Germany)

Legal basis: Legitimate interest (Art. 6(1)(f)) — we have a legitimate interest in understanding how the platform is used to improve it for all members. No personally identifiable behavioural profiles are built or sold.

If you object to analytics tracking, you can contact us at richard@visualhive.co and we will exclude your account.

4. Cookies

EventHive uses only one cookie: a session cookie named session. This cookie:

  • Is httpOnly — it cannot be accessed by JavaScript, protecting against XSS attacks
  • Is Secure — only transmitted over HTTPS
  • Is a session-only cookie — it is deleted when you close your browser
  • Contains a randomly generated token (not your personal data)
  • Is strictly necessary for the service to function

We do not use advertising cookies, third-party tracking cookies or fingerprinting. No cookie consent banner is required for our session cookie as it is strictly necessary.

PostHog analytics may set its own cookies. These are first-party cookies used for session analysis only and do not track you across other websites.

5. How We Store and Protect Your Data

Data location

All EventHive data is stored on servers operated by Hetzner Online GmbH in Frankfurt, Germany — within the European Economic Area (EEA).

Security measures

  • Passwords are hashed using bcrypt (industry-standard adaptive hashing algorithm). We never store your plain-text password.
  • OAuth tokens (for email/calendar integrations) are encrypted at rest using AES-256-GCM before being stored in the database.
  • Transport encryption: all connections to EventHive are encrypted in transit using TLS (HTTPS).
  • Session security: sessions use cryptographically random tokens stored in httpOnly cookies.
  • Access control: strict role-based access. Only authorised Visual Hive staff with a legitimate need can access the database.
  • Database: PostgreSQL on a private Hetzner instance, not publicly accessible.

6. International Data Transfers

Some of our sub-processors are based outside the UK/EEA. Where we transfer personal data internationally, we ensure appropriate safeguards are in place:

| Processor | Location | Safeguard |
|---|---|---|
| Groq Inc | United States | Standard Contractual Clauses (SCCs) under UK IDTA / EU SCCs |
| Anthropic PBC | United States | Standard Contractual Clauses (SCCs) — only when you use optional AI features with your own API key |
| Hetzner Online GmbH | Germany (EU) | No transfer — within EEA |
| Brevo SAS | France (EU) | No transfer — within EEA |
| PostHog Inc | EU (EU Cloud) or Germany (self-hosted) | No transfer — within EEA |

7. Sub-Processors

We use the following third-party data processors. Each operates under a Data Processing Agreement with us and is contractually bound to process your data only for the purposes we specify.

| Sub-Processor | Purpose | Data Shared |
|---|---|---|
| Hetzner Online GmbH | Cloud server hosting (infrastructure) | All data stored in EventHive (as the hosting provider) |
| Brevo SAS | Transactional email (welcome emails, password reset) | Your name and email address |
| Groq Inc | AI inference for Inbox triage, briefings and draft generation | Message metadata and content snippets from connected channels |
| Anthropic PBC | Optional AI assistant (Erleah) — only when you provide your own API key | Your queries and relevant platform context |
| PostHog Inc | Product analytics | Anonymised usage events (no PII by default) |

We do not sell your personal data to any third party. We do not share your data with any third party except those listed above.

8. Data Retention

| Data category | Retention period |
|---|---|
| Account and profile data | For the duration of your account, then 6 months after closure or last activity |
| Tool data (hosted mode) | For the duration of your account, then 6 months after closure |
| Session tokens | Until you log out or the session expires (maximum 30 days) |
| Password reset tokens | 24 hours or until used (whichever is sooner) |
| OAuth tokens (email/calendar) | Until you disconnect the integration |
| Email messages (synced copies) | Until you disconnect the integration or delete your account |
| Analytics data (PostHog) | 12 months rolling |

If you request immediate deletion of your account and all associated data by emailing richard@visualhive.co, we will purge your data within 2 working days of receiving your request.

9. Your Rights Under UK GDPR

You have the following rights in relation to your personal data. To exercise any of these rights, email our DPO at richard@visualhive.co. We will respond within one month (extendable by a further two months for complex requests, with notice).

Right of access (Article 15)

You can request a copy of all personal data we hold about you.

Right to rectification (Article 16)

You can ask us to correct inaccurate or incomplete personal data. You can also update your name, email, job title and company directly from your profile page within EventHive.

Right to erasure (Article 17 — "Right to be forgotten")

You can request deletion of your personal data. We will delete your account and all associated data within 2 working days of a written request to richard@visualhive.co. Some data may be retained where we have an overriding legal obligation.

Right to restriction of processing (Article 18)

You can ask us to restrict how we process your data in certain circumstances (e.g. while you contest its accuracy or are objecting to processing based on legitimate interest).

Right to data portability (Article 20)

Where processing is based on contract or consent and carried out by automated means, you can request your data in a structured, machine-readable format. You can export your tool data at any time from within the EventHive app.

Right to object (Article 21)

You can object to processing carried out on the basis of legitimate interests (e.g. analytics). We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right not to be subject to automated decision-making (Article 22)

EventHive does not make any solely automated decisions that produce legal or similarly significant effects about you.

10. Right to Complain

If you are unhappy with how we handle your personal data, please contact our DPO first at richard@visualhive.co — we aim to resolve all concerns promptly.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

If you are based in an EU member state, you may also contact your local supervisory authority.

11. Your Responsibilities as a Data Controller

When you use EventHive tools in hosted mode to manage data about third parties — such as event speakers, exhibitors, sponsors, attendees or suppliers — you act as a data controller for that third-party personal data, and Visual Hive Ltd acts as a data processor on your behalf.

You are responsible for:

  • Ensuring you have a lawful basis to collect and process that third-party data
  • Informing those individuals that their data is being processed and where
  • Responding to any data subject requests from those individuals
  • Not entering special category data (health data, biometric data, etc.) into EventHive tools unless you have explicit consent and a valid reason to do so

By using EventHive's hosted storage, you are entering into a data processing relationship with Visual Hive Ltd. Our obligations as your data processor are described in our Trust Centre.

12. Children's Data

EventHive is intended for professional use by adults. We do not knowingly collect personal data from anyone under the age of 18. If you believe a child has registered an account, please contact us immediately at richard@visualhive.co and we will delete the account.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by a prominent notice on EventHive at least 30 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision.

Continued use of EventHive after the effective date of a revised policy constitutes acceptance of the revised terms.

14. Contact Us

For any privacy-related enquiries, please contact:

Richard Osborne — Data Protection Officer
Visual Hive Ltd
Email: richard@visualhive.co
Post: 29 Pomeroy Street, 14 Harriet Court, London, SE14 5BW

For general enquiries about EventHive: hello@visualhive.co
