Privacy Policy
Last updated: February 2026
1. Introduction
Hibba Limited ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website at https://hibba.co (the "Website") or engage with our services.
This policy is provided in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). Please read this policy carefully to understand our practices regarding your personal data and how we will treat it.
2. Data Controller
The data controller responsible for your personal data is:
Hibba Limited
Registered in England & Wales
London, United Kingdom
Email: info@hibba.co
If you have any questions about this Privacy Policy or our data practices, please contact us using the details above.
3. What Personal Data We Collect
We may collect and process the following categories of personal data:
3.1 Information You Provide to Us
- Contact form submissions: Name, email address, phone number, company name, and the content of your message when you use our contact form or enquiry forms.
- Email correspondence: Your email address, name, and any personal data contained within emails you send to us.
- Service enquiries: Details about your business requirements, project specifications, and technical needs shared during consultations.
- Newsletter subscriptions: Your email address and name if you subscribe to receive updates or marketing communications from us.
3.2 Information Collected Automatically
- Technical data: Internet Protocol (IP) address, browser type and version, operating system, time zone setting, browser plug-in types and versions, and device information.
- Usage data: Pages visited, time spent on pages, page interaction information (such as scrolling, clicks, and mouse-overs), navigation paths through the Website, and referring URLs.
- Cookie data: Information collected through cookies and similar tracking technologies (see our Cookie Policy for full details).
3.3 Information from Third Parties
- Analytics providers: Aggregated and anonymised usage data from analytics services.
- Security services: Data processed by Cloudflare for website security, performance optimisation, and DDoS protection.
4. How We Use Your Personal Data
We process your personal data for the following purposes and on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Responding to your enquiries and contact form submissions | Legitimate interest / Performance of a contract |
| Providing IT consulting, cloud, cybersecurity, analytics, and property investment tool services | Performance of a contract |
| Sending service-related communications and updates | Performance of a contract / Legitimate interest |
| Sending marketing communications (where you have opted in) | Consent |
| Improving our Website, services, and user experience | Legitimate interest |
| Analysing Website traffic and usage patterns | Legitimate interest / Consent (for non-essential cookies) |
| Ensuring Website security and preventing fraud | Legitimate interest |
| Complying with legal obligations | Legal obligation |
5. Data Retention
We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by law. Our specific retention periods are:
- Contact form data: Retained for up to 24 months from the date of your last interaction with us, unless a contractual relationship is established.
- Client and contract data: Retained for the duration of our business relationship and for 6 years following its conclusion, in accordance with HMRC requirements and the Limitation Act 1980.
- Marketing data: Retained until you withdraw your consent or unsubscribe. We will also review marketing lists every 24 months and remove inactive contacts.
- Analytics and cookie data: Retained in accordance with the retention periods set by the relevant analytics provider, typically no longer than 26 months.
- Website server logs: Retained for up to 12 months for security and troubleshooting purposes.
When personal data is no longer required, we will securely delete or anonymise it.
6. Third-Party Services
We use the following third-party services that may process your personal data:
6.1 Cloudflare
We use Cloudflare for website security, content delivery network (CDN) services, and DDoS protection. Cloudflare may process your IP address, HTTP request headers, and other technical data. Cloudflare acts as a data processor on our behalf and processes data in accordance with their Privacy Policy. Data may be transferred to and processed in the United States under Standard Contractual Clauses and the UK International Data Transfer Agreement.
6.2 Google Fonts
Our Website may use Google Fonts to display web fonts. When you access our Website, your browser may connect to Google's servers to retrieve font files, during which your IP address and browser information may be transmitted to Google. Google's processing of this data is governed by Google's Privacy Policy. Where possible, we self-host fonts to minimise third-party data transfers.
6.3 Analytics Services
We may use analytics services to understand how visitors interact with our Website. These services may collect data such as pages visited, time on site, and referral sources. Where analytics cookies are used, we will obtain your consent before setting non-essential cookies (see our Cookie Policy).
7. International Data Transfers
Some of the third-party services we use may transfer your personal data outside the United Kingdom. Where such transfers occur, we ensure that appropriate safeguards are in place, including:
- Transfers to countries that have received an adequacy decision from the UK Secretary of State.
- Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office (ICO).
- The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs.
- Other appropriate safeguards as permitted under the UK GDPR.
8. Your Rights
Under the UK GDPR and Data Protection Act 2018, you have the following rights in relation to your personal data:
- Right of Access: You have the right to request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one month of receiving your request.
- Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
- Right to Erasure ("Right to Be Forgotten"): You have the right to request the deletion of your personal data where there is no compelling reason for us to continue processing it.
- Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data.
- Right to Data Portability: You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to request that we transfer it to another controller where technically feasible.
- Right to Object: You have the right to object to the processing of your personal data where we are relying on legitimate interests as the legal basis. You also have the absolute right to object to processing for direct marketing purposes.
- Right to Withdraw Consent: Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing carried out before the withdrawal.
- Rights Relating to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not currently engage in automated decision-making.
To exercise any of these rights, please contact us at info@hibba.co. We will respond to your request within one month. In complex cases, we may extend this period by a further two months, but we will notify you of any extension within the initial one-month period.
If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: https://ico.org.uk
Telephone: 0303 123 1113
9. Cookies
Our Website uses cookies and similar tracking technologies to enhance your browsing experience, analyse Website traffic, and understand where our visitors come from. Cookies are small text files placed on your device when you visit our Website.
We use the following types of cookies:
- Strictly Necessary Cookies: Essential for the Website to function properly. These cannot be disabled.
- Analytics Cookies: Help us understand how visitors interact with our Website by collecting and reporting information anonymously.
- Functional Cookies: Enable enhanced functionality and personalisation, such as remembering your preferences.
For full details on the cookies we use and how to manage your preferences, please see our Cookie Policy.
10. Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised or unlawful processing, accidental loss, destruction, or damage. Our security measures include:
- SSL/TLS encryption for all data transmitted between your browser and our Website.
- Cloudflare security services including Web Application Firewall (WAF) and DDoS protection.
- Regular security assessments and vulnerability testing.
- Access controls to limit who can access personal data within our organisation.
- Secure data storage with encryption at rest where appropriate.
- Staff training on data protection and information security best practices.
While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining robust protections.
11. Children's Privacy
Our Website and services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 18, we will take steps to delete that information as soon as possible. If you believe that we may have collected data from a child, please contact us immediately at info@hibba.co.
12. Links to Third-Party Websites
Our Website may contain links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy practices. We encourage you to read the privacy policy of every website you visit.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data.
Where changes are significant, we may also notify you by email or by placing a prominent notice on our Website.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us at:
Hibba Limited
Email: info@hibba.co
Website: https://hibba.co
We aim to respond to all enquiries within 5 working days.