Legal
Privacy Policy
Last updated 7 July 2026
Hyper Portal provides branded, secure client-progress portals to professional firms - the place a firm and its clients track a case, and exchange messages. This policy explains what personal data we handle, why, and the rights you have over it. It is written to meet the UK GDPR and the Data Protection Act 2018.
Hyper Monkey ("Hyper Portal", "we", "us") operates the service. Our registered office is [Registered office address] (company number [Company number]). We are registered with the UK Information Commissioner's Office under [ICO registration number]. You can reach us about anything in this policy at hello@hypermonkey.co.uk.
Who is responsible for your data
How we treat personal data depends on who you are, because our platform sits between two kinds of people:
- Firms and their team (admins and staff). When you sign up, run a firm account or are invited as a team member, we are the data controller for your account, profile and billing data - we decide how it is used to provide the service.
- A firm's own clients. When a firm uploads or creates information about its clients in the portal - client contact details, case details, and messages - that firm is the data controller and we act only as its data processor, handling the data on the firm's instructions to run their portal.
If you are a client of a firm that uses Hyper Portal and you have questions about the personal data held about you in your case - or you want it corrected or erased - please contact the firm that invited you, as they control that data. We will support them in responding to your request.
What data we collect
- Account and profile data: your name, email address, the firm's name, your role, and a password. Passwords are managed securely by our authentication provider - we never have access to them.
- Branding assets: any logo and brand colours an admin uploads to theme their portal.
- Billing data: subscription status and the customer, subscription and invoice identifiers issued by our payment processor. Card payments are taken by Stripe - we do not see or store full card numbers.
- Portal content: client records, case details and stages, and messages together with their metadata, created by firm users in the course of using the portal.
- Audit and security logs: tamper-resistant records of significant actions (who did what, and when) which we keep for security, troubleshooting and compliance.
- Technical data: your IP address, browser and device information, and the strictly necessary cookies and server logs needed to operate the service and keep it secure.
How we use your data, and our legal bases
We only use personal data where the law lets us. Our purposes and the legal bases we rely on are:
- To provide, operate and maintain the portal and its features - performance of our contract with you.
- To authenticate users, enforce tenant isolation and keep accounts and data secure - performance of our contract and our legitimate interest in a secure service.
- To take payment and manage subscriptions and invoices - performance of our contract and compliance with our legal obligations.
- To send essential service messages such as email verification, invitations and billing notices - performance of our contract.
- To keep audit logs, detect and prevent abuse, and investigate incidents - our legitimate interest in protecting the service and our legal obligations.
- To comply with the law and respond to lawful requests - compliance with a legal obligation.
We do not use your data for advertising and we do not sell it. We will only send marketing if you have asked us to, and you can opt out at any time.
Where your data is stored and international transfers
Your portal data - including account, profile, client and case records, messages and files - is stored on Google Cloud Platform (GCP) servers in Google's London, United Kingdom data centre region (europe-west2). The application that processes this data runs on Google Cloud servers in Belgium (europe-west1), within the European Economic Area. Because the UK recognises the EEA as providing an adequate level of data protection, this UK-to-EEA processing needs no additional safeguards.
Some of our other providers may process data outside the UK and European Economic Area. Where that happens, the transfer is protected by an approved safeguard - either a UK adequacy decision for the destination country, or Standard Contractual Clauses and the UK International Data Transfer Addendum - so your data keeps an equivalent level of protection.
How long we keep data
- Account and billing data is kept while your account is active and for a limited period afterwards to meet legal, accounting and tax obligations.
- Portal content is kept for as long as the firm needs it, subject to the retention period the firm configures; our scheduled cleanup automatically removes data once that period passes.
- Audit logs are retained for security and compliance and are create-only, so they are not edited or deleted through the app during their retention period.
- When data is erased - on account closure or on a valid erasure request - we delete it from our live systems, and it cycles out of routine backups shortly after.
Automated retention schedules are also applied at the account level:
- Cancelled subscriptions: if a firm cancels its subscription, its account is suspended immediately and portal access is blocked. We retain the firm's data for 30 days from the cancellation date - during this window you can contact us to reactivate the account or request an export of your data - after which it is permanently deleted. Deletion is irreversible: the data cannot be recovered and we keep no backup of it.
- Abandoned sign-ups: if a firm starts the sign-up process but does not complete payment within 90 days, the reserved account (which holds no customer data) is automatically removed.
- Dormant accounts: if an active account has no open cases and nobody signs in for 90 days, we email the firm's administrators to warn that the account is scheduled for deletion in 30 days. Signing in at any point before that date cancels the deletion. If no one signs in, the account and all its data are permanently deleted on that date. Deletion is irreversible - the data cannot be recovered and we keep no backup of it - so please export anything you are required to retain before then.
Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you and receive a copy.
- Have inaccurate data corrected.
- Have your data erased in certain circumstances.
- Restrict how we use your data in certain circumstances.
- Object to processing carried out on the basis of our legitimate interests - we will stop unless we have compelling grounds that override your interests.
- Receive certain data in a portable, machine-readable format.
- Withdraw any consent you have given at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not carry out any automated decision-making or profiling.
To exercise any of these rights, email us at hello@hypermonkey.co.uk. We will respond within one month. If your request is about case data held by a firm that uses Hyper Portal, please contact that firm, as they are the controller of it. If you are unhappy with how we handle your data you can complain to the Information Commissioner's Office at ico.org.uk, though we would welcome the chance to resolve it first.
How we protect your data
Security is built into the platform, not bolted on. Among other measures:
- Each firm's data is strictly isolated from all others, enforced at multiple levels across the system, so one firm can never access another's data.
- All data is encrypted in transit between your browser and our servers.
- Sign-in sessions use secure, server-only cookies that cannot be read by browser scripts. Invitation links are protected so they cannot be reused or guessed.
- Tamper-resistant audit logs record significant actions so activity can be reviewed and cannot be quietly altered.
Messages and case notes
The portal includes a messaging feature that lets firms and their clients exchange messages within a case. There are important security characteristics you should be aware of:
- Messages are encrypted in transit and at rest. They are not end-to-end encrypted: the content is accessible to authorised members of the firm handling your case, not only the direct recipient.
- Each message triggers an email notification to the other party. These emails are delivered via standard email infrastructure; the level of encryption in transit depends on what your email provider supports.
- Messages are part of the portal content category of data and are subject to the data retention period configured by the firm.
- Sending and receiving messages is recorded in the audit log (who sent a message, and when).
If the content of your messages is sensitive, we recommend discussing with the firm whether a separate secure channel is more appropriate for that particular exchange.
The portal also includes an internal case notes feature, visible only to firm members (admins and staff) - never to clients. Important characteristics of case notes:
- Case notes are encrypted in transit and at rest. They are not end-to-end encrypted: any authorised firm member (admin or staff) can read case notes, not only the person who created them.
- Case notes are never visible to clients. They are strictly internal to the firm and are not included in any client-facing response.
- Case notes are part of the portal content category of data and are subject to the data retention period configured by the firm.
- Creating and deleting case notes is recorded in the audit log.
Children
The service is intended for businesses and their adult clients. It is not directed at children, and we do not knowingly collect data from anyone under 16.
Changes to this policy
We may update this policy from time to time. When we do, we will revise the date below, and for significant changes we will give you reasonable notice through the service or by email.
Contact us
If you have any questions about this policy or how we handle your data, contact Hyper Monkey at hello@hypermonkey.co.uk.