Privacy Policy

Last updated: 24 April 2026

This Privacy Policy explains how HULKCLAW COMMERCE LTD (“HULKCLAW”, “we”, “us”, or “our”) collects, uses, stores, and protects personal data in the course of operating our website and providing our business-to-business services. We take data protection seriously and align our practices with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, the EU General Data Protection Regulation where applicable, and the Privacy and Electronic Communications Regulations 2003 (“PECR”).

1. Data Controller

The data controller responsible for your personal data is:

Data protection enquiries, subject access requests and complaints may be directed to the above email address. We do not currently operate a separate Data Protection Officer role because our processing does not meet the mandatory thresholds under Article 37 UK GDPR; however, the same email address is monitored for all data protection matters and is treated as the privacy contact channel.

2. What Personal Data We Collect

We collect only the personal data we reasonably need to operate our business. The categories of data we may process are:

• Contact details — name, business email address, job title, company name, phone number, where voluntarily provided by a prospect or client through email, a signed engagement document or a business enquiry.
• Commercial records — contracts, statements of work, purchase orders, invoices, payment records and correspondence related to the provision of our Services.
• Service usage data — for subscription clients, technical telemetry such as API request counts, timestamps, error rates, tenant identifiers and aggregate usage metrics, used to enforce tier limits, maintain security and diagnose faults.
• Content submitted by clients — where a client uploads or transmits data to our platform for processing by our automation or video production pipelines, we process it strictly as instructed, for the purpose of delivering the Services.
• Website interaction data — basic server-side request logs (IP address, user agent, timestamp, URL requested) retained for security and diagnostic purposes. We do not operate any advertising, behavioural or cross-site tracking technology on this website.

We do not knowingly collect personal data from children under the age of 16. Our Services are directed exclusively at business users.

3. Legal Basis for Processing

We process personal data only where we have a valid legal basis under Article 6 UK GDPR. Depending on the context, the relevant basis is one or more of the following:

• Performance of a contract (Art. 6(1)(b)) — where processing is necessary to enter into or perform a contract with the client, for example invoicing, access provisioning or delivery of agreed work product.
• Legitimate interests (Art. 6(1)(f)) — where we have a lawful business need, such as maintaining platform security, preventing fraud, analysing aggregate service usage, keeping accurate commercial records, and responding to business enquiries, provided those interests are not overridden by the rights of data subjects.
• Legal obligation (Art. 6(1)(c)) — where processing is necessary to comply with UK law, for example retaining accounting records under the Companies Act 2006 or responding to lawful requests from regulators or HMRC.
• Consent (Art. 6(1)(a)) — in the limited cases where we rely on consent, for example if a subscriber opts in to an optional commercial newsletter, consent may be withdrawn at any time without affecting the lawfulness of prior processing.

4. Purposes of Processing

Personal data is processed for the following purposes: delivering the Services agreed with the client; invoicing, accepting payment and enforcing payment terms; operating and improving our platform, including security monitoring and incident response; responding to sales, support and partnership enquiries; complying with applicable legal, accounting and tax obligations; and enforcing or defending legal claims. We do not use personal data for automated decision-making with legal or similarly significant effects on data subjects, and we do not engage in profiling.

5. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, taking into account any statutory retention obligations. As a general rule:

• Financial and commercial records are retained for seven (7) years after the end of the relevant accounting year, in line with UK tax and company-law requirements and our ISO 27001-aligned audit policy.
• Operational service data (API logs, request metrics, short-lived runtime caches) is retained for thirty (30) days, after which it is automatically deleted or anonymised.
• Sales and prospect correspondence is retained for up to twenty-four (24) months from the last meaningful interaction, unless a business relationship is established, in which case the applicable contractual retention period applies.
• Website server logs are retained for up to ninety (90) days for security and diagnostic purposes.

Once a retention period ends, personal data is deleted or, where appropriate, irreversibly anonymised so that it can no longer be associated with an identified or identifiable person.

6. Your Rights

Under the UK GDPR, you have the following rights in relation to your personal data, exercisable free of charge in most cases:

• Right of access (Art. 15) — to obtain confirmation of and a copy of the personal data we hold about you.
• Right to rectification (Art. 16) — to correct inaccurate or incomplete personal data.
• Right to erasure (Art. 17) — to request deletion of personal data where one of the grounds under UK GDPR applies. We operate an internal automated erasure workflow and will generally action valid requests within thirty (30) days.
• Right to restriction of processing (Art. 18) — to request that we limit our processing in certain circumstances.
• Right to data portability (Art. 20) — to receive your personal data in a structured, commonly used and machine-readable format, where technically feasible.
• Right to object (Art. 21) — to object to processing based on legitimate interests, including for direct marketing purposes.
• Right to withdraw consent — where processing is based on consent, to withdraw that consent at any time.

To exercise any of these rights, please email razvantarnu1987@gmail.com. We may need to verify your identity before acting on a request, to ensure we do not disclose data to the wrong person. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) if you believe our processing infringes data protection law.

7. International Transfers

Our primary infrastructure is located in the United Kingdom and the European Economic Area. Where we use sub-processors or cloud service providers that process personal data outside the UK/EEA (for example, specific GPU compute providers used in our automated video pipeline), we rely on appropriate safeguards required by Chapter V of the UK GDPR, such as the International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or transfers to jurisdictions covered by a UK adequacy decision. A list of current sub-processors is available on written request.

8. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. These include encryption in transit and at rest for sensitive credentials, role-based access control, secret management via an operating-system credential locker, audit logging of privileged actions, regular backups, and internal controls aligned with the ISO 27001 framework. No information system is completely secure; however, we are committed to continuously improving our security posture and to notifying affected parties and supervisory authorities of any personal data breach within the timeframes required by law.

9. Cookies

This website is a static informational site. It does not set advertising, analytics, tracking, or cross-site cookies, and it does not use local storage or fingerprinting techniques to identify visitors. Only strictly necessary technical state (such as browser scroll position managed by the browser itself) may be held on the device, and we do not read or transmit this state. If we introduce any non-essential cookies in the future, this Policy will be updated and, where required by PECR, consent will be requested before such cookies are stored.

10. Sharing with Third Parties

We do not sell personal data to any third party under any circumstances. We may share personal data with trusted service providers acting as processors on our behalf (for example, our accountants, our payment service providers, our cloud hosting providers and, where agreed in the SOW, specific AI model providers used to deliver the Services). Each processor is bound by a written data processing agreement consistent with Article 28 UK GDPR. We may also disclose personal data where required to do so by law or by a valid order of a court or regulator.

11. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. The “Last updated” date at the top of this page will always indicate the date of the latest revision. Where the changes are material, we will notify affected clients in advance using the primary contact we hold for the relationship.

12. Contact

For any question about this Privacy Policy, to exercise any of your rights, or to raise a data protection concern, please contact us at razvantarnu1987@gmail.com. We will respond within one UK business day to acknowledge receipt, and substantively within the statutory timeframe of one month (extensible by two further months where the request is complex, with notice given within the first month).