Huggg

Data Protection Policy

Here's everything you need to know about how we handle data.

Introduction

Last Updated: June 2025

At Huggg, safeguarding personal data is fundamental to our operations and our responsibility as a data controller. We are committed to managing all personal data with integrity, in accordance with applicable data protection legislation, including the UK GDPR, the Data Protection Act 2018, and the EU GDPR where applicable.

We are dedicated to the principles of data minimisation, transparency, and security, and we strive to maintain a privacy-first approach across all services, platforms, and business processes.


 

Lawful Basis and Purpose of Processing

These may include consent, contractual necessity, legal obligation, or legitimate interests. All personal data is processed fairly, transparently, and strictly for defined purposes related to the provision of Huggg services.

Where applicable, we undertake Legitimate Interests Assessments (LIAs) and ensure Data Protection Impact Assessments (DPIAs) are conducted for higher-risk processing activities.


 

Data minimisation and retention

We collect and retain only the personal data strictly necessary to fulfil the intended purpose. Data is processed in a proportionate manner and retained only for as long as is necessary, in line with statutory requirements or contractual commitments.

Where data no longer serves a lawful purpose, it is securely deleted or anonymised. We conduct periodic data audits to ensure compliance and accuracy of our records.

 

Data Deletion and Retention Periods

Our data retention practices align with statutory obligations and best practices:

  • Most data is linked to active user accounts or voucher transactions and is retained for a minimum of six (6) years in accordance with UK accounting and tax laws.
     
  • Data not subject to statutory retention is reviewed periodically and deleted in accordance with internal schedules.
     
  • Client-specific retention requirements (for large or bespoke projects) are agreed upon contractually and reviewed periodically.
     
  • Deletion processes are managed by our designated technical and operational teams under secure protocols.

Accountability and governance

Huggg implements a governance framework that includes:

  • Comprehensive internal policies and procedures.
     
  • Regular data protection reviews and internal audits.
     
  • Maintenance of a Record of Processing Activities (ROPA).
     
  • Designated responsibilities at senior levels for data protection oversight.
     

We take full responsibility for the data we handle and document how and why personal data is used across the organisation.

Data Protection Officer (DPO)

Huggg has appointed a qualified Data Protection Officer who advises the organisation on data protection compliance and oversees our obligations under relevant legislation.

You may contact our DPO using this enquiry form for any data protection queries or concerns.

Confidentiality and Access Control

All Huggg employees, contractors, and third-party suppliers are contractually obligated to maintain the confidentiality and integrity of personal data. Access to data is role-based and strictly limited to those with a legitimate need to process it.

We enforce these obligations through training, contractual safeguards, and routine monitoring.
 

Rights of data subjects

We fully support and facilitate the exercise of all rights granted to individuals under data protection laws, including:

  • The right to access personal data.
     
  • The right to rectification or erasure.
     
  • The right to restrict or object to processing.
     
  • The right to data portability.
     
  • Rights relating to automated decision-making and profiling.
     

Details on how to exercise these rights can be found in our Privacy Policy.

Security Measures

Huggg implements technical and organisational security measures appropriate to the nature, scope, and context of the data we handle. These include:

  • Secure cloud infrastructure hosted primarily in the UK and EU.
     
  • Use of encryption, access controls, firewalls, and intrusion detection systems.
     
  • Regular vulnerability assessments and penetration testing.
  • Strict processor selection and oversight protocols.
     

    Where data is processed or stored outside the UK/EU by subprocessors, we ensure that adequate safeguards are in place following a risk-based assessment.


 

Staff Training and Awareness

All Huggg personnel receive mandatory data protection and cybersecurity training upon joining and at regular intervals thereafter. Additional role-based training is provided where relevant. Data handling practices are subject to ongoing supervision and spot checks.
 


 

Use of Data Processors

We engage third-party processors only where necessary, and only after conducting robust due diligence. All processors are contractually required to:

  • Process personal data only on our documented instructions.
     
  • Implement appropriate security controls.
     
  • Support Huggg in meeting its obligations (e.g., with data subject rights).

     

We ensure our data processing agreements comply with Article 28 of the UK/EU GDPR.

Huggg as a Data controller

Huggg acts as a Data Controller in respect of the personal data it collects, stores, and uses to deliver its services. We determine the purposes and lawful bases for data processing and take responsibility for compliance with all applicable obligations.


 

Marketing and ePrivacy Compliance

Huggg complies with the Privacy and Electronic Communications Regulations (PECR), UK GDPR, and related marketing legislation. We ensure:

  • All marketing communications are transparent and lawful.
     
  • Prior consent is obtained where legally required.
     
  • Individuals can easily withdraw consent or opt out at any time.

Policy review and updates

We review this policy annually, or sooner if there are significant changes in legal requirements, business processes, or technology. The latest version is always available via our website or upon request.

Contact and Further Information

For questions or to make a data protection request, please use our enquiry form.