
Privacy notice

Last updated 4 May 2026

This privacy notice explains how Hovermarks ("we", "us") handles personal data when you use our websites at hovermarks.com / hovermarks.co.uk or the Hovermarks platform.

Who we are

Hovermarks is a UK-based asset inspection and compliance platform. Our trading entity, registered office, and ICO data-protection-fee registration number will be published here on incorporation and ICO registration. In the meantime, our data-protection contact is listed at the bottom of this page.

For data processed inside the platform on behalf of customers, we act as the data processor and you (our customer) are the data controller. Our customers' end-users should refer to their employer's privacy notice in the first instance.

For data we collect through our website, recruitment, sales, and support functions, we act as a data controller.

What we collect — website visitors

  • Cookies and analytics. See the dedicated Cookies section below for the full list of cookies we set and what each does.
  • Contact form submissions. Name, work email, company, employee count, and the message you send us. Used solely to respond to your enquiry.
  • Waitlist consent record. Where you tick the consent box on the waitlist form, we record the email address, the timestamp, and the verbatim wording shown to you, as proof of consent.
  • Server logs. IP address, request URL, user agent — retained 30 days for security and abuse prevention.

Cookies

We follow UK PECR Reg 6 and the ICO 2023 guidance on consent for analytics. You can change your choices at any time via Cookie preferences in the footer.

| Cookie / Tracker | Category | Purpose | Lifetime / Storage |
|---|---|---|---|
| ARRAffinity | Strictly necessary | Azure Static Web Apps load-balancer affinity — keeps each visitor on the same backend instance. | Session (deleted when browser closes) |
| ARRAffinitySameSite | Strictly necessary | Same as above for cross-site request flows. | Session |
| Plausible Analytics | Analytics | Aggregated, anonymised page-view counts. No cookies set. Uses no device storage. UK/EU only. | n/a — no storage |
| hovermark.cookie-consent.v1 | Strictly necessary | Records your cookie choices in localStorage on your device so we don't keep asking. | 12 months or until you clear it |

We do not set advertising cookies, do not run any cross-site or behavioural tracking pixels, and do not share visitor data with third-party advertisers. Strictly-necessary cookies are exempt from PECR consent because the site can't function without them.

Anonymous fault reports

When you scan an asset's QR code, our customer (the organisation that printed the sticker) may allow you to submit a fault report without creating an account. If you choose to use that form, we collect:

  • The description and photos you provide.
  • Optionally, the name and email you choose to enter.
  • Your IP address and browser user-agent — these are stored on the report row and are used solely for abuse triage (rate-limiting, spam filtering, and identifying coordinated misuse). They are not used for marketing or analytics, and are not shared with third parties.
  • The submission timestamp.

The legal basis for processing IP and user-agent is legitimate interest — specifically, protecting our customers and our infrastructure from abuse of an anonymous public-facing endpoint. You can submit without entering name or email; the IP / user-agent capture is required and not optional.

If you include personal information about other people in your description or photos (for example, a colleague visible in a photo), please consider that the report will be visible to the asset owner's facilities team. Don't submit material that's better handled through a whistleblowing or grievance channel — the public fault-report form is for reporting asset faults only.

What we collect — customers and prospects

  • Account data. Names, work emails, job titles of users administering the platform.
  • Billing data (once billing is enabled). Company name, billing address, VAT number, payment method tokens. Card numbers are handled directly by our PCI-DSS certified billing provider; we never see them. The provider will be named in our sub-processor list before billing is switched on.
  • Communications. Email correspondence, support tickets, demo recordings if you consented.

Lawful basis

  • Contract — for everything we do to deliver the service to a paying customer.
  • Legitimate interest — for sales follow-up, product improvement analytics, and security monitoring. You can object at any time.
  • Consent — for any marketing emails to non-customers. Always opt-in, always one-click unsubscribe.
  • Legal obligation — for tax records and statutory retention.

Where we process data

Inside the platform, customer data is processed in Microsoft Azure (UK). We never replicate primary customer data outside the UK without your written consent.

For our own corporate use of CRM, helpdesk, and email tools, data may transit through EU and US data centres operated by sub-processors listed in our DPA at /legal/dpa. Where transfers leave the UK, we rely on UK International Data Transfer Agreements.

Sharing

We do not sell personal data. We share it with the sub-processors listed below, strictly to deliver the service. The same list is mirrored in our DPA at /legal/dpa and is version-controlled.

| Sub-processor | Purpose | Region |
|---|---|---|
| Microsoft Azure | Hosting, storage, identity | UK |
| Microsoft Entra ID | Authentication / SSO | UK / EU |
| Microsoft Graph | Transactional and notification email via Microsoft 365 | UK / EU |
| Plausible Analytics | Marketing-site analytics ONLY (the in-app dashboard does not run Plausible) | EU |
| Cloudflare, Inc. | Fraud and abuse prevention — Turnstile bot-protection on the public fault-report form | EU / US |

Cloudflare, Inc. — Provides Turnstile, an invisible bot-protection challenge on the public fault-report form. Your IP address and browser fingerprint are sent to Cloudflare to determine whether the submission is human-driven. Cloudflare's privacy policy: cloudflare.com/privacypolicy.

We will share data with law enforcement only on lawful, written request, and we will notify the affected customer unless legally prohibited.

Retention

  • Website contact form submissions: 24 months after last interaction.
  • Customer account data: lifetime of the contract plus 30 days.
  • Audit logs: 90 days on Trial and Starter, 13 months on Professional, 7 years on Enterprise — applied automatically by a weekly retention sweep. Operators can request bespoke retention windows on Enterprise.
  • Backups: encrypted Azure SQL backups retained for 30 days, then permanently deleted.

Anonymous fault reports are retained on the same per-plan schedule as the audit log:

| Plan | Fault-report retention |
|---|---|
| Trial | 90 days |
| Starter | 90 days |
| Professional | 13 months |
| Enterprise | 7 years |

Photos uploaded with reports are stored in private blob storage and are deleted on the same schedule (with a 30-day soft-delete window after the row delete).

Your rights

Under UK GDPR you have the right to access, correct, port, restrict, object to, or erase your personal data. To exercise any of these, email us at the address below. We respond within one calendar month.

You can complain to the Information Commissioner's Office (ICO) if you're not happy with how we've handled a request.

Contact us

  • Data protection contact: privacy@hovermarks.com
  • Postal correspondence address available on request from the address above
  • ICO data-protection-fee registration: pending. Our registration number will be published here once issued.

You can also raise a complaint directly with the Information Commissioner's Office at ico.org.uk/make-a-complaint.

This notice was last updated on 4 May 2026.

This document is a launch placeholder. Final wording will be reviewed by our DPO and external counsel before general availability.