
Privacy Policy

A complete account of what data hffenglan's products handle, on what legal basis, with which third parties, and how you can exercise your rights. We aim for clarity over legalese, but we've left the structure predictable so it can be scanned.

Effective: 1 July 2026 · Last updated: 1 July 2026 · Version: 6.0 · Contact: contact@hffenglan.com

1. Scope & who's reading

This Privacy Policy ("Notice") applies to every product, website and service operated by hffenglan (the legal entity set out in §3), including but not limited to:

  • The consumer applications "ClauseKit", "Halation", "PracticeLog", "SideStack", "Hush" and "Atelier" (each, an "App" or collectively the "Apps"), and any past, present or future apps published under the developer accounts identified below.
  • Our marketing and documentation websites at hffenglan.com and its subdomains (each, a "Site" or collectively the "Sites").
  • Any associated backend services, subscription management, account sync, support portals and developer-facing APIs (collectively, the "Services").

If you are reading this on behalf of a company or organisation, "you" refers to that entity and you confirm that you have authority to bind it.

This Notice is written for a global audience. Where local law provides stronger protections, those prevail. Specific regional addenda are listed in §12.

Plain-English summary. Our products are designed to keep your personal data on your device. We do not profile you, we do not sell your data, and we use a small number of carefully chosen partners only where the App's core function requires it (e.g. ad mediation, optional backup). Off-switches are exposed inside every App.

2. Definitions

The following terms are used throughout this Notice:

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data (collection, storage, use, disclosure, deletion).
  • "User Content" means the files you choose to create, import or process inside an App (contracts, photos, practice logs, financial entries, materials inventory, health notes, audio recordings).
  • "Device Data" means technical information about the hardware and software of the device on which an App runs (model, OS version, locale, time zone, free storage). It is collected only to the extent needed for crash diagnostics and fraud prevention, and is not linked to your identity in our Apps.
  • "Advertising Identifier" means the IDFA (iOS) or GAID (Android) or any successor identifier used by ad platforms to serve ads.
  • "SDK" means a third-party software development kit integrated into an App.

3. Data controller & contacts

The data controller for the Apps, Sites and Services is:

hffenglan Ltd. (a private limited company registered in England & Wales)
Registered office: Exeter Science Park, 6 Babbage Way, Exeter, Devon, EX5 2FX, United Kingdom
Company number: 00000000 (placeholder)
VAT number: GB 000 0000 00 (placeholder)
Information Commissioner's Office (ICO) registration: ZA000000 (placeholder) — covers the UK GDPR regime.
Email: contact@hffenglan.com
For privacy-specific requests, please write "Privacy Request" in the subject line.

Where processing is performed on behalf of a third party under a written contract, that third party is the controller and we are the processor. In those cases this Notice does not apply and you should consult the controller's privacy notice.

For the sake of EU GDPR Article 27, our EU representative is:

hffenglan EU Representative GmbH, Friedrichstraße 68, 10117 Berlin, Germany. Email: eu-rep@hffenglan.com (placeholder).

For the sake of UK GDPR, the controller above (hffenglan Ltd., Exeter) is the UK point of contact.

4. What data we handle

4.1 Data we do not collect by design

  • Your real name, email, phone number, photo or any account-style identifier — none of the Apps require registration, account creation or sign-in.
  • The contents of your contracts, photos, practice logs, ledgers, health notes, audio or inventory items. These stay on your device by default.
  • Cross-app tracking identifiers. We do not use the IDFA or GAID for cross-app profiling.
  • Precise location data. We do not access GPS or cell-tower location.

4.2 Data we do handle

The categories below are what we — or our carefully chosen sub-processors listed in §9 — handle to operate the Apps and Sites. We describe purpose, basis and retention for each in the following sections.

| Category | Examples | Source | Where stored |
|---|---|---|---|
| User Content | PDFs, photos, audio, JSON project files, CSV exports | Generated by you, inside the App | Your device (encrypted) |
| App Preferences | Theme, language, units, ordering, last opened file | The App, on first use | Your device |
| Optional Backups (opt-in) | Encrypted snapshots of User Content | Created only if you enable backup | Your iCloud / Google Drive, never our servers |
| Crash & Performance | Symbolicated stack trace, OS version, locale, free RAM | Triggered by a crash or ANR | Symbolication service, 90 days |
| Ad Request Metadata (opt-in) | Country (ISO-2), language tag, device class, ad-unit ID | Ad SDKs (only when an ad is requested) | Ad-platform servers, per their policies |
| Storefront Receipts | Anonymous transaction ID, store country, currency | App Store / Play Store (validate subscription) | Apple / Google servers, never our servers |
| Support correspondence | Your email, message body, any files you attach | You, when you write to us | Mail provider + ticketing tool, 24 months |
| Newsletter subscription | Your email address | You, via the newsletter form on /news.html | Mail provider, until you unsubscribe + 30 days |

5. Legal basis & purpose

Under EU/UK GDPR Article 6 (and analogous provisions in other regimes), we rely on the following bases:

| Purpose | Data category | Basis (GDPR) | Basis (other regimes) |
|---|---|---|---|
| Operate the App's core function | User Content, preferences | Performance of a contract (Art. 6(1)(b)) | Performance / legitimate operation |
| Crash diagnostics & stability | Crash & performance | Legitimate interest (Art. 6(1)(f)) | Legitimate interest |
| Display advertising (free tier) | Ad request metadata | Consent via in-app ATT / CMP | Consent (CCPA/CPRA opt-in; PIPL separate consent) |
| Optional cloud backup | Optional backups | Consent (opt-in) | Affirmative opt-in |
| Support correspondence | Support emails | Performance / legitimate interest | Performance / legitimate interest |
| Newsletter | Email address | Consent (double opt-in) | Express consent |
| Legal compliance & defence | Any | Legal obligation / legitimate interest | Legal obligation |

We do not process Special Categories of Personal Data (Art. 9). If you choose to enter such content into an App (e.g. health notes in Hush), you do so at your own discretion and it remains on-device.

6. App Store & storefront policies

Our Apps are distributed through the stores identified in their respective listings. Each store has its own rules, which we treat as binding addenda to this Notice:

6.1 Apple App Store & App Store Connect

  • Developer Program. hffenglan Ltd. is enrolled in the Apple Developer Program under a registered organisation team. A D-U-N-S number is on file with Apple.
  • App Review Guidelines. Every release is audited against Apple's App Review Guidelines (current at submission), including the requirements for privacy nutrition labels, "Data Used to Track You" disclosures, encryption export compliance (see App Store submission §6.2 of App Review Guidelines), and the "Account Deletion" requirement introduced in §5.1.1(v).
  • Privacy nutrition labels. We declare every App's data practices on its App Store page, in line with the categories Apple specifies (Contact Info, Health & Fitness, Financial Info, Usage Data, Diagnostics, etc.).
  • App Tracking Transparency (ATT). Where an App uses the Advertising Identifier for any purpose, the App shows the ATT prompt before any tracking activity. If you decline, no IDFA is accessed and the App's ad stack serves contextual ads only.
  • Account deletion. Apps that ever offered account-based features expose a one-tap "Delete My Data & Account" path in Settings, in line with §5.1.1(v). Where the App does not collect account data, we still expose an "Erase personal data" path for transparency.
  • Kids category. Apps in the "Kids" age band disable advertising entirely and do not embed any third-party SDKs (§1.3 of the Guidelines).
  • In-app purchases & subscriptions. Subscriptions are processed by Apple; we never see payment card numbers. Server-side receipt validation is performed via App Store Server API over TLS, and we store only the anonymised transaction ID and the expiry timestamp, not the receipt itself.
  • Encrypted export compliance. Where an App uses standard encryption (HTTPS, AES-GCM, file-level encryption), we make the appropriate Annual Self-Classification Report to BIS and the French Ministry of Economy where required.

6.2 Google Play Store & Play Console

  • Developer account. hffenglan Ltd. operates a verified D-U-N-S-linked Google Play developer account.
  • Data safety form. Each App's Play listing carries a complete Data safety section (data collected, shared, security practices) reviewed before every release.
  • Families policy. Apps designated for children in Play Console disable third-party SDKs, ads, and analytics.
  • Permissions & user data policy. We restrict access to the Advertising ID (com.google.android.gms.permission.AD_ID) to the ad mediation stack only, and we declare the permission use on Play Console.
  • Billing & subscriptions. Processed via Google Play Billing v6; we never see card data. The same anonymised transaction record is stored.
  • Target API level. Each release targets the latest Android API level at submission, meeting Play's policy requirements.

6.3 Other storefronts

If we publish to additional storefronts (e.g. Huawei AppGallery, Samsung Galaxy Store, Microsoft Store), those channels are added to §9 with the same notices and the same level of compliance.

7. Advertising & ad platforms

Our Apps may display advertising on the free tier, using a small, audited set of third-party ad platforms listed in §9. The paid tier (where offered) is always ad-free.

We integrate ad platforms exclusively through Google AdMob's Mediation stack (or an equivalent mediation platform) with the partners listed in §9, waterfalled and optimised in real time.

What we configure for compliance. Every release goes through an internal privacy review before submission, ensuring that:

  • The relevant SDKs are declared in the Apple App Privacy and Google Data Safety forms;
  • The App Tracking Transparency prompt is shown before any IDFA access (iOS);
  • For users under 18 (or such higher age as local law requires), all personalised advertising and all measurement is disabled;
  • For users in the EU/UK, only contextual ads are served unless consent is recorded via our CMP;
  • For users in California, ad personalisation respects the global privacy control ("GPC") signal;
  • For users in mainland China, only the ad vendors approved on the relevant PIPL consent flow are initialised.

What we do not configure. We do not allow our ad partners to:

  • Use User Content for ad personalisation;
  • Cross-reference our users with other apps or publishers through the use of hashed identifiers supplied by other parties;
  • Engage in fingerprinting or probabilistic cross-device tracking.

App-ads.txt. All our Apps support the IAB Tech Lab app-ads.txt standard. We publish the file at /app-ads.txt on every domain that hosts an App; only the reseller lines in that file are considered authorised to sell our inventory. Buyers should reject any bid whose seller is not on that list. See §10.

8. Ad units we use

The following ad unit types are integrated. Each unit is mapped below to where it appears, what it requires, and what controls apply.

| Ad unit type | What it is | Typical placement | Personalised by default? | User control |
|---|---|---|---|---|
| Banner ads (320×50, 728×90, 320×100, adaptive) | Small fixed-height strip rendered at top or bottom of a screen. | App footer, settings screen footer. | Only if consent given; otherwise contextual. | Off-switch (paid tier), ATT opt-out, in-app preferences. |
| Interstitial ads (full-screen image / video, app-level) | Full-screen ad shown at natural transition points (e.g. after saving an export, between unrelated screens). | Post-export, post-onboarding, between unrelated sessions. | Only if consent given; otherwise contextual. | Capped frequency (≤ 1 per session per user), opt-out via paid tier, frequency cap respected. |
| Rewarded video ads (opt-in, user-initiated) | Full-screen skippable video shown only when the user explicitly opts in (e.g. "Watch a short video to unlock a Pro feature for 24h"). | Premium-feature unlock prompt, in-app reward flow. | Always contextual; personalisation disabled for rewarded video. | User must tap a button to initiate; can always decline; no auto-play. |
| Splash / open ads (app-level, cold start) | Full-screen ad shown on cold start of the app, before the first screen. | App launch only. | Only if consent given; otherwise contextual. | Off-switch via paid tier; never shown on warm/hot starts; can be disabled in EU/UK if no consent. |
| Native ads (in-feed, contextual) | Native-format ad rendered as part of a contextual recommendations strip. | "Tips", "Discover" or "Featured" panels. | Only if consent given; otherwise contextual. | Off-switch (paid tier), per-campaign frequency cap. |

Independent of consent: we never serve personalised advertising, never use IDFA/GAID, and never engage in cross-app tracking for users who are under the age defined in §11 or who reside in jurisdictions requiring an opt-in (EU/UK, China, Brazil). Contextual ads — based on coarse, non-personal signals such as country, language and device class — may still be shown.

9. Ad platforms in our stack

The following ad platforms, mediation layers and measurement providers are integrated in one or more of our Apps. We only enable each integration where local consent has been recorded (where required) and where the in-app preference allows. The list is reviewed quarterly.

| Platform / SDK | Provider | Role | Typical data handled | Self-serve opt-out link |
|---|---|---|---|---|
| Google AdMob | Google LLC (US) | Primary mediation & waterfall | Ad request metadata, IDFA/GAID (with consent), IP, coarse location | https://adssettings.google.com/ |
| Google Ad Manager | Google LLC (US) | Header-bidding for direct deals | Same as AdMob | https://adssettings.google.com/ |
| AppLovin MAX | AppLovin Corporation (US) | Mediation / bidding | Advertising ID, IP, coarse geo | https://www.applovin.com/opt-out/ |
| Meta Audience Network | Meta Platforms, Inc. (US) | Mediation partner | Hashed email (if logged-in), device IDs | https://www.facebook.com/ads/preferences |
| Unity LevelPlay (IronSource) | Unity Technologies / ironSource (US/IL) | Mediation partner | Advertising ID, IP | https://www.ironsource.com/opt-out/ |
| ironSource (legacy SDK) | ironSource / Unity (US/IL) | Direct adapter where still active | Advertising ID, IP | https://www.ironsource.com/opt-out/ |
| Vungle (now part of Liftoff) | Liftoff Mobile, Inc. (US) | Video ad network | Advertising ID, IP, device model | https://vungle.com/opt-out/ |
| Pangle (ByteDance) | ByteDance Ltd. (CN / SG) | Video ad network (ex-CN) | Advertising ID, IP | https://www.pangleglobal.com/opt-out/ |
| InMobi | InMobi Technology Services Pvt. Ltd. (IN) | Banner / native / video | Advertising ID, coarse location | https://www.inmobi.com/opt-out/ |
| Tapjoy | Tapjoy, Inc. (US) | Rewarded video, offerwall | Advertising ID, country | https://www.tapjoy.com/opt-out/ |
| Chartboost | Chartboost, Inc. (US) | Mediation partner | Advertising ID, IP | https://www.chartboost.com/opt-out/ |
| AdColony | Digital Turbine (US) | Video / interstitial | Advertising ID, IP | https://www.adcolony.com/opt-out/ |
| MyTarget (Mail.ru) | VK Group (RU) | Mediation partner (CIS markets) | Advertising ID, IP | https://target.vk.com/privacy |
| Yandex Ads (YSA) | Yandex LLC (RU) | Mediation partner (CIS markets) | Advertising ID, IP | https://yandex.com/support/ads/legal-privacy.html |
| Smaato (Smaato SSP) | Smaato, Inc. (US/DE) | Real-time bidding | Advertising ID, coarse geo | https://www.smaato.com/privacy/ |
| PubNative / Sympatico | PubNative GmbH (DE) | Header bidding (in-app) | Advertising ID, IP | https://pubnative.net/privacy-policy/ |
| BidMachine | BidMachine, Inc. (US) | Mediation / bidding | Advertising ID, IP | https://bidmachine.net/privacy/ |
| Ogury | Ogury Ltd. (UK/FR) | Brand interest contextual | Coarse geo, device class | https://www.ogury.com/privacy/ |
| Mintegral | Mintegral International Ltd. (CN/HK) | Video / playable | Advertising ID, IP | https://www.mintegral.com/en/privacy |
| Digital Turbine / Fyber | Digital Turbine (US) | Mediation partner | Advertising ID, IP | https://www.fyber.com/privacy/ |
| DT FairBid | Digital Turbine (US) | In-app bidding | Advertising ID, IP | https://www.fyber.com/privacy/ |
| HyprMX | HyprMX Mobile LLC (US) | Mediation partner | Advertising ID, IP | https://www.hyprmx.com/privacy/ |
| Liftoff (Vungle + GameRefinery) | Liftoff Mobile, Inc. (US) | Mediation / analytics | Advertising ID, IP | https://www.liftoff.io/privacy/ |
| Moloco | Moloco, Inc. (US/KR) | In-app bidding | Advertising ID, IP | https://www.moloco.com/privacy |
| Sharethrough | Sharethrough, Inc. (US/CA) | Native programmatic | Advertising ID, IP | https://www.sharethrough.com/privacy/ |
| TripleLift | TripleLift, Inc. (US) | Native programmatic | Advertising ID, IP | https://www.triplelift.com/privacy/ |
| OpenX | OpenX Technologies, Inc. (US) | Header bidding | Advertising ID, IP | https://www.openx.com/privacy/ |
| PubMatic | PubMatic, Inc. (US) | Header bidding | Advertising ID, IP | https://pubmatic.com/legal/privacy/ |
| Index Exchange | Index Exchange, Inc. (US/CA) | Header bidding | Advertising ID, IP | https://www.indexexchange.com/privacy/ |
| Sovrn | Sovrn Holdings, Inc. (US) | Header bidding | Advertising ID, IP | https://www.sovrn.com/privacy-policy/ |
| Taboola | Taboola.com Ltd. (IL) | Content recommendations | Advertising ID, IP | https://www.taboola.com/privacy/ |
| Outbrain | Outbrain Inc. (US/IL) | Content recommendations | Advertising ID, IP | https://www.outbrain.com/legal/ |
| Yahoo Advertising (OATH) | Yahoo (US) | Header bidding | Advertising ID, IP | https://policies.yahoo.com/privacy/ |
| Microsoft Advertising (Xandr) | Microsoft Corporation (US) | Header bidding | Advertising ID, IP | https://about.ads.microsoft.com/en-us/legal/privacy |
| Criteo | Criteo SA (FR) | Retargeting (off by default) | Hashed email, advertising ID | https://www.criteo.com/privacy/ |
| TabMo / Saas | TabMo (FR) | Server-side bidding (where used) | Advertising ID, IP | https://tabmo.io/privacy-policy/ |
| Adjust (attribution) | Adjust GmbH (DE) | Attribution / measurement | Advertising ID, install referrer | https://www.adjust.com/privacy/ |
| AppsFlyer (attribution) | AppsFlyer Ltd. (IL) | Attribution / measurement | Advertising ID, install referrer | https://www.appsflyer.com/privacy/ |
| Singular (attribution) | Singular Labs, Inc. (US) | Attribution / measurement | Advertising ID, install referrer | https://www.singular.net/privacy/ |
| Branch (attribution) | Branch Metrics, Inc. (US) | Attribution / measurement | Advertising ID, install referrer | https://branch.io/privacy/ |
| Kochava (attribution) | Kochava, Inc. (US) | Attribution / measurement | Advertising ID, install referrer | https://www.kochava.com/privacy/ |
| Sift (fraud) | Sift Science, Inc. (US) | Anti-fraud / install validation | Hashed device signals | https://sift.com/privacy |
| Playrix Privacy / IARP | Various (industry standards) | In-app risk / brand-safety | URL snippets | https://www.inappic.com/privacy/ |

Provider policies. Each provider above maintains its own privacy notice and self-serve opt-out. Where a provider transfers Personal Data outside the EEA/UK, we rely on the European Commission's Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, or another valid Article 46 mechanism. A list of our Standard Contractual Clauses executed by sub-processors is available on request to contact@hffenglan.com.

Limiting data. We configure each provider's SDK to send the minimum data necessary for serving an ad (e.g. we disable precise location, we disable access to user-agent details, we disable the "limit ad tracking" reverse engineering attempts). We use the latest SDK versions available at release time and avoid pre-release ("alpha") integrations in production traffic.

10. app-ads.txt & sellers.json

We are an app-ads.txt-compliant publisher. The file is hosted at the root of every App's associated web property, e.g. hffenglan.com/app-ads.txt. Buyers integrating through authorised supply-side platforms (SSPs) should reject bids from any supply chain path that includes a seller not listed in our app-ads.txt.

We also publish a sellers.json entry identifying the publisher and the systems we use to sell our own inventory. Should you find an unauthorised reseller advertising our Apps' inventory, please report it to contact@hffenglan.com with the subject line "Ads.txt Violation".

An empty placeholder /app-ads.txt is shipped with every new App release and is populated on store submission; SSP onboarding is performed by the release engineer via a documented runbook before the App becomes publicly available.

11. Age assurance & minors

We treat age as a first-class privacy signal. Our approach, designed to exceed the requirements of the US Children's Online Privacy Protection Act (COPPA), the EU GDPR provisions concerning minors, the UK Age-Appropriate Design Code (the "Children's Code"), the California Consumer Privacy Act's protections for minors, Brazil's LGPD provisions for children, and China's PIPL special protections for minors, is:

  • Default minimum age. We consider a user to be a child unless they have affirmatively declared they are 18 or older (or such higher age as local law may require to consent to the processing of Personal Data independently).
  • No third-party tracking under 18. For all users we treat as under 18, we disable personalised advertising, all cross-app tracking, all attribution, and any SDK that processes Personal Data for any purpose other than serving a contextual ad.
  • No purchase nudges for minors. Apps in the Kids age band (iOS) or Designed for Families age band (Play) disable all in-app purchase UI. Where a paid upgrade exists for older users, it is gated behind an age gate on first launch.
  • No behavioural profiles for minors. We do not allow any of our analytics, A/B or product-internal experimentation tools to build a behavioural profile of users we have identified as under 18.
  • Verifiable parental consent. Where local law requires verifiable parental consent (COPPA, GDPR-K in Italy / Spain / France, the German TTDSG as amended, the Korean PIPA special protections for under-14s, and PIPL special protections for under-14s in China), we trigger a consent flow that uses one of the approved methods listed by the relevant regulator (e.g. credit-card verification, signed consent form, government-ID verification through a partner).
  • Age assurance UI. Our age gate is presented on first launch, before any ad SDK is initialised. The user can change their declared age at any time from inside the App, which re-runs the consent flow.
  • Detection of likely minors. Where we can infer with reasonable confidence that a user is under 18 (e.g. through a school-issued Apple ID Education account, an explicit device-side signal, or an unsupported locale known to host a young demographic), we apply the under-18 defaults even before a declaration is made.
  • School-based accounts. If a feature ever supports Apple School Manager or Google Workspace for Education, all processing in that context is governed by a separate Addendum and the under-18 defaults described above.
  • Communication. We do not send push notifications or marketing communications to users identified as under 18.

12. Country-specific notices

The following regional addenda apply if you are in or using our services from the named jurisdiction. They supplement — and where conflicting, prevail over — the body of this Notice.

12.1 European Economic Area & United Kingdom (GDPR / UK GDPR)

  • Lawful basis is detailed in §5.
  • Your rights include: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and the right to lodge a complaint with your local supervisory authority.
  • EEA lead supervisory authority: determined by our EU representative (§3). UK ICO: Wycliffe House, Water Lane, Wilmslow, SK9 5AF, contact via ico.org.uk.
  • Consent or pay. We do not operate a "consent or pay" model. If you decline tracking ads, you can still use the App on the free tier with contextual ads; the paid tier is always available regardless.

12.2 United States — California (CCPA / CPRA)

  • Categories of personal information collected are described in §4. We collect none of the "sensitive personal information" categories enumerated in CPRA §1798.140(ae).
  • Sale or sharing. We do not sell or "share" (as defined in CPRA) Personal Information. We do not knowingly sell or share the Personal Information of consumers under 16.
  • Rights. Right to know, right to delete, right to correct, right to limit use of sensitive personal information, right to opt-out of sale/sharing, right to non-discrimination.
  • Global Privacy Control (GPC). Our App honors valid GPC signals as a universal opt-out of sale/sharing under §1798.135(b).
  • Shine the Light. California Civil Code §1798.83 permits California residents to request information about the categories of personal information disclosed to third parties for those third parties' direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

12.3 United States — Other States (CPA, CTDPA, VCDPA, UCPA, TDPSA, OCPA, etc.)

Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, New Hampshire, Delaware, Maryland, Minnesota, Rhode Island, New Jersey, Kentucky and any other US state that enacts a comprehensive privacy statute are entitled to the rights enumerated in the corresponding law. We extend the CCPA/CPRA protection baseline to all US residents, irrespective of state.

12.4 Brazil (LGPD)

  • Basis. Same as GDPR: consent, contract, legitimate interest, legal obligation.
  • ANPD. You may lodge a complaint with the Autoridade Nacional de Proteção de Dados.
  • Children. LGPD Art. 14 best-interest standard applies. Consent for processing Personal Data of children under 12 must be given by a parent or lawful guardian; we apply the equivalent of GDPR's verifiable parental consent in our implementation.

12.5 Mainland China (PIPL)

  • Separate consent. PIPL Art. 13, 14, 23 and 25 apply. Each ad SDK that performs Personal Information processing within the People's Republic of China is gated by a separate consent step in our in-app Consent Management Platform (CMP); if a partner is not on our PRC-approved list, the SDK is not initialised on PRC IP addresses.
  • Cross-border transfer. Personal Information we collect from users in the PRC is processed inside the PRC unless a separate cross-border transfer consent has been obtained. We retain PRC user data on servers hosted in the PRC (currently a partner facility operated by Alibaba Cloud) and have filed the requisite Security Assessment Report where applicable.
  • Minimum Necessary Principle. §5 of the PIPL "Identifying Standards for the Sensitive Personal Information" is enforced at the SDK level — only strictly required SDKs are bundled in PRC builds.
  • Minor protections. PIPL Art. 31 special protections for under-14s apply.

12.6 Canada (PIPEDA & Quebec Law 25)

  • The grounds for processing parallel GDPR lawful bases.
  • Quebec residents: an explicit, separate consent for any cross-border transfer to a jurisdiction that does not provide "equivalent" protection is recorded by our CMP. We have evaluated equivalent jurisdictions based on the criteria published by the CAI.

12.7 United Kingdom — additional notes

The UK Age-Appropriate Design Code applies to our Sites. Sites that are likely to be accessed by children have been audited; the default settings of every Site ensure a high-privacy baseline, the minimisation of data, and the prohibition of detrimental design patterns. Please refer to the ICO's published code for the specific 15 standards.

12.8 Australia (Privacy Act 1988)

Under the Australian Privacy Principles we provide the same rights of access and correction as under GDPR, and we extend the notifiable data breaches scheme protections to all users irrespective of residence.

12.9 Singapore (PDPA), Japan (APPI), South Korea (PIPA), Hong Kong (PCPDO), India (DPDP)

Local rules on cross-border transfer, consent and minor protections apply. Our CMP implements the relevant granular selections; consent records are kept for the legally required minimum (e.g. 5 years for Korea, 3 years for Brazil).

12.10 European Union — Digital Services Act (DSA) / Digital Markets Act (DMA)

Where the DSA applies, our Sites and Apps are categorised as follows and we maintain a single point of contact for regulatory correspondence: dsa-contact@hffenglan.com (placeholder).

13. Retention & storage

We store data for as long as needed to deliver the feature or for the minimum period required by law. Specific periods:

| Category | Default retention | Legal minimum |
|---|---|---|
| User Content | On device until you delete it; if a backup is enabled, on iCloud/Google Drive until you remove the backup file. | n/a |
| App Preferences | On device; backup retention as for User Content. | n/a |
| Crash & Performance | 90 days from collection | As long as needed to investigate regressions |
| Ad Request Metadata | Per ad partner retention (typically 30–180 days) | Per partner DPA, never less than 13 months |
| Storefront Receipts | 10 years (HMRC requirements) | 6 years for UK tax records |
| Support correspondence | 24 months from last interaction | 6 years for financial records, where applicable |
| Newsletter subscription | Until you unsubscribe + 30 days | n/a |
| Consent records (CMP) | 3 years from collection | 5 years (Korea), 3 years (EU/UK) |

At the end of the retention period, the data is either deleted from primary storage within 30 days and from backups within 90 days, or anonymised so it can no longer be associated with you.

14. Your rights

Regardless of where you reside, we extend the following rights to everyone. To exercise them, write to contact@hffenglan.com with the subject line "Privacy Request" and we will respond within the legally required window — typically 30 days, but most requests are answered within 5 working days.

  • Right of access — ask what Personal Data we hold about you and obtain a copy.
  • Right to rectification — correct anything that is wrong or incomplete.
  • Right to erasure — ask us to delete your Personal Data. Most data can be deleted inside the App directly.
  • Right to restrict processing — pause processing while a dispute is resolved.
  • Right to data portability — receive your Personal Data in a structured, commonly used, machine-readable format.
  • Right to object — object to processing based on our legitimate interests.
  • Right to opt out of sale / sharing — we do not sell or share, but you may still record your wish.
  • Right to opt out of automated decision-making — we do not perform automated decision-making with legal or similarly significant effects, but you may still request human review.
  • Right to lodge a complaint — with your local supervisory authority (the ICO for the UK, CNIL for France, AGESIC for Belgium, ANPD for Brazil, CACICP for China, etc.). We encourage you to write to us first; we will not retaliate.
  • Right to withdraw consent — at any time, where processing is based on consent. Withdrawal does not affect processing already carried out lawfully before withdrawal.
  • Right against automated profiling — see above.
  • Right to designate a representative — where you are unable to act on your own behalf, you may appoint a representative to exercise the above.

To protect you, we may need to verify your identity before responding. Verification is lightweight — typically a confirmation from the email address on file — and we will tell you what we need and why.

15. Security

We implement controls aligned to ISO/IEC 27001:2022 and SOC 2 Type II service criteria, on a "privacy by design" basis. The measures below are appropriate to the sensitivity of the data:

  • Encryption in transit. TLS 1.3 minimum, with HSTS, modern cipher suites and OCSP stapling enforced on every Site.
  • Encryption at rest. AES-256-GCM for all cloud storage; user-level keys where feasible.
  • Per-App sandboxing. iOS and Android enforce isolated app sandboxes; we never share data between our own Apps via side-channels.
  • Key management. iOS Keychain / Android Keystore for short-lived secrets; HSM-backed key management for long-lived signing keys.
  • Access control. Least privilege, MFA enforced for every internal system, audit trails for any access to user data.
  • Vulnerability management. Quarterly third-party penetration tests; continuous static and dependency scanning in CI; a public security disclosure inbox at security@hffenglan.com (placeholder).
  • Backups. Encrypted, signed, tested for integrity quarterly.
  • Vendor management. Every sub-processor is reviewed under a documented due-diligence process and remains subject to ongoing monitoring.
  • Incident response. A documented runbook with mean-time-to-detect < 24h for privacy incidents. Notifiable breaches are reported within 72 hours where required by GDPR Art. 33, within 30 days where required by US state laws, and within the 1-hour window required by Korea PIPA where applicable.

We publish an annual transparency report summarising categories of incidents, volume and remediation. The most recent report is available on request.

16. International transfers

We are a UK-based company; data we process is hosted primarily in the EEA, the UK and the United States. Where Personal Data is transferred outside the recipient's jurisdiction, we rely on:

  • EU Standard Contractual Clauses (Commission Decision 2021/914);
  • The UK International Data Transfer Addendum (where applicable);
  • The EU-US Data Privacy Framework / UK-US Data Bridge, where the recipient is certified;
  • Approved codes of conduct or certification mechanisms;
  • Adequacy decisions issued by the European Commission or the UK ICO, where applicable;
  • For transfers out of the People's Republic of China: PIPL Art. 38 standards plus the CACICP security assessment where the volume threshold is met.

For US transfers, our sub-processors maintain current certifications under the EU-US Data Privacy Framework and the UK Extension.

17. Data Processing Agreement

Where you are a controller and engage us as a processor (e.g. for client work), our standard Data Processing Agreement incorporates:

  • The EU Standard Contractual Clauses as the default safeguard;
  • The UK Addendum where applicable;
  • An optional set of pre-approved sub-processors (the same list as §9);
  • A breach notification window of 48 hours from our becoming aware;
  • Audit rights including the right to request a third-party report;
  • Data-return / data-deletion obligations at termination.

Our DPA template is countersigned within one business day and is available on request. Please write to contact@hffenglan.com with the subject line "DPA".

18. Cookies & SDK storage

Our Sites use a minimal set of cookies and similar storage technologies. We do not run third-party analytics, advertising or social-pixel trackers on our Sites.

| Name | Provider | Purpose | Expiry | Type |
|---|---|---|---|---|
| hff_consent | hffenglan (first-party) | Records your cookie/SDK preferences on the Sites | 12 months | Functional |
| hff_session | hffenglan (first-party) | Anti-CSRF protection and remembering form draft state | Session | Functional, security |

Within our Apps, the only persistent storage we explicitly set is:

  • User Content files (under the app sandbox or your iCloud / Google Drive if backups are enabled);
  • App Preferences stored via iOS UserDefaults / Android SharedPreferences and never sent off the device;
  • SDK storage set by ad partners as described in §9 — these can be cleared from the App's "Reset Ad ID" or "Clear SDK Storage" controls found in Settings → Privacy.

We deliberately do not use Google Analytics, Meta Pixel, Twitter Pixel, Hotjar, FullStory, Mixpanel, Amplitude or any other third-party analytics SDK on our Sites or our Apps. The data we collect is operationally necessary and listed in §4.

19. Changes to this notice

We update this Notice when we change a practice, when a sub-processor is added or removed, or when a regulator issues new guidance. For material changes we will:

  • Show an in-app banner explaining the change on next launch;
  • Re-request consent for any new ad partner that requires it;
  • Update the "Effective" and "Last updated" dates at the top of this Notice;
  • Email subscribers of our newsletter where the change materially affects them.

Previous versions of this Notice are kept on file and can be requested at any time.

20. Contact us

Questions, complaints, requests — please write to:

hffenglan Ltd.
Attn: Privacy Office
Exeter Science Park, 6 Babbage Way
Exeter, Devon, EX5 2FX, United Kingdom
Email: contact@hffenglan.com (subject: Privacy Request)

For security disclosures only: security@hffenglan.com — please use our PGP key (fingerprint: 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000, placeholder) for sensitive material.

You can also reach us via the form on our contact page.

— end of notice —