Legal

Privacy Policy

We are committed to protecting your personal data. This policy explains what we collect, why we collect it, and how we protect it.

Last updated: 1 June 2025

1. Who We Are

DnDHive Ltd (“DnDHive”, “we”, “us”, or “our”) is the data controller responsible for your personal data. We are registered in England and Wales. Contact: privacy@dndhive.com

2. Data We Collect

2.1 Information You Provide Directly

  • Account data: First name, last name, email address, encrypted password, phone number, nationality.
  • Assessment data: Questionnaire answers including nationality, travel history, employment status, financial information, purpose of travel, previous visa history, and supporting document details.
  • Payment data: Payment is processed by Stripe. We do not store your full card number. We retain transaction records, payment amounts, and Stripe transaction IDs.
  • Communication data: Messages sent to consultants or our support team, notes in your case file.
  • Document data: Files you upload for document review (e.g. passport scans, bank statements). These are stored encrypted.
  • Booking data: Consultation preferences, preferred dates, notes about your case.

2.2 Information Collected Automatically

  • Usage data: Pages visited, features used, session duration, assessment completion rates.
  • Technical data: IP address, browser type and version, operating system, device type, referring URLs.
  • Cookies: See Section 8 below.

3. How We Use Your Data

We process your personal data for the following purposes and on the following legal bases:

  • Service delivery (Contract): Generating your AI assessment score and report; facilitating your consultation; processing your service application.
  • Account management (Contract): Creating and maintaining your account; sending transactional communications (receipts, booking confirmations, status updates).
  • Payment processing (Contract): Processing and recording payments; handling refund requests.
  • Fraud prevention (Legitimate Interest): Detecting and preventing fraudulent use of the platform.
  • Service improvement (Legitimate Interest): Analysing aggregated, anonymised usage data to improve the accuracy of our AI models and the quality of our Service.
  • Legal compliance (Legal Obligation): Retaining records as required by applicable law, responding to lawful requests from authorities.
  • Marketing (Consent): Sending promotional communications only if you have explicitly opted in. You may withdraw consent at any time.

4. Sharing of Your Data

We do not sell your personal data. We share your data only in the following circumstances:

  • Assigned consultants: When a consultant is assigned to your case, they receive your name, contact details, nationality, and your assessment report to enable them to advise you.
  • Service providers: We use third-party processors to operate our platform (hosting: cloud providers; payments: Stripe; email: SMTP providers; file storage: AWS S3). All processors are bound by data processing agreements.
  • Legal requirements: We may disclose data when required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights or the safety of users.
  • Business transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred to the acquiring entity, subject to equivalent privacy protections.

5. International Transfers

Your data is primarily stored and processed within the United Kingdom and European Economic Area. Where we transfer data outside the UK/EEA (e.g. to US-based cloud providers), we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK ICO or the European Commission.

6. Data Retention

  • Account and assessment data: Retained for the duration of your account plus 7 years after account closure, to comply with legal and regulatory obligations.
  • Payment records: Retained for 7 years as required by financial regulations.
  • Uploaded documents: Retained for 12 months after your case is closed, then permanently deleted unless you request earlier deletion.
  • Marketing data: Retained until you withdraw consent or request deletion.
  • Anonymised data: May be retained indefinitely for research and improvement of our AI systems.

7. Your Rights

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

  • Right of access: Request a copy of all personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your personal data (subject to legal retention obligations).
  • Right to restrict processing: Request that we limit how we use your data.
  • Right to data portability: Request your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Rights relating to automated decision-making: Request human review of any decision made solely by automated means that significantly affects you.

To exercise any right, contact us at privacy@dndhive.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Cookies

Essential cookies: Required for the Service to function (authentication sessions, CSRF protection). Cannot be disabled.

Analytics cookies: Used to understand how users interact with our platform. These are anonymised and do not identify you personally. You may opt out via your browser settings.

Preference cookies: Remember your settings and preferences across sessions.

We do not use advertising or tracking cookies for third-party marketing purposes.

9. Data Security

We implement industry-standard technical and organisational security measures, including: AES-256 encryption for data at rest; TLS 1.3 encryption for data in transit; access controls and role-based permissions; regular security audits; encrypted storage for uploaded documents. However, no system is completely secure. We cannot guarantee the absolute security of your data and are not liable for any unauthorised access beyond our reasonable control.

10. Children's Privacy

Our Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it without delay.

11. Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies independently.

12. Changes to this Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the “Last updated” date and, where required, by email notification. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact Us

For any privacy-related queries: privacy@dndhive.com
For legal matters: legal@dndhive.com