Last updated: 30 May 2026

Privacy Policy

Effective date: 30 May 2026 Last updated: 30 May 2026 Version: 1.0

This Privacy Policy explains how Visual Hive Ltd (“Visual Hive”, “we”, “us”, “our”) collects, uses, stores, shares, and protects personal data when you:

Visit our website at visualhive.co and any subdomains we operate.
Interact with us through email, sales calls, demos, events, or social channels.
Use Erleah, our Intelligent Event Operating System, either directly or as an attendee, exhibitor, speaker, sponsor, or organiser at an event where Erleah has been deployed.
Use DataHive, our event data visualisation product.
Engage us under a commercial contract, consulting engagement, or partnership.

We take privacy seriously. This policy is written to be readable, but it is also the legally operative document that governs how we handle personal data. If you only read one section, read Section 4 (What we collect and why) and Section 11 (Your rights).

1. Who we are and how to contact us

Data controller: Visual Hive Ltd, a company registered in England and Wales.

Trading name: Visual Hive
Registered office: [Registered office address, United Kingdom]
Company number: [Companies House number]
ICO registration number: [ICO registration reference]
General contact: hello@visualhive.co
Privacy contact: privacy@visualhive.co
Postal address for data protection matters: [Postal address]

If you are based in the European Economic Area (EEA) and wish to contact us about EU GDPR matters, please use privacy@visualhive.co. We will appoint an EU representative under Article 27 GDPR where this is legally required and will list their details here.

We have not formally appointed a Data Protection Officer (DPO) because we are not currently required to under UK GDPR Article 37. The point of contact for all privacy matters is privacy@visualhive.co.

2. Scope of this policy

This policy applies to personal data processed by Visual Hive as a controller. Where we process personal data on behalf of a customer (for example, when an event organiser deploys Erleah and uploads exhibitor, attendee, or speaker data), we act as a processor. In those cases:

The event organiser, exhibition company, or other contracting party is the controller of the personal data they upload or that is collected through their event.
Visual Hive processes that data strictly on their documented instructions under a Data Processing Agreement (DPA).
The controller’s own privacy notice governs the relationship with data subjects, not this policy.

Section 7 explains the controller/processor split in more detail.

This policy does not cover:

Third-party websites or services we link to.
Events run by organisers who use Erleah, beyond the processing we perform on their behalf.
Anonymous or aggregated data that cannot be linked back to an identified or identifiable person.

3. Legal framework

We process personal data in accordance with:

The UK General Data Protection Regulation (UK GDPR) as incorporated into UK law.
The Data Protection Act 2018.
The Privacy and Electronic Communications Regulations (PECR).
Where applicable to EEA data subjects, the EU General Data Protection Regulation (Regulation (EU) 2016/679).
Where applicable, sector-specific rules and the data protection laws of other jurisdictions in which we operate.

For the purposes of UK and EU GDPR, the lawful bases we rely on are set out in Section 5.

4. What personal data we collect and why

We collect personal data in four broad contexts. We have separated them so you can find the part that applies to you.

4.1 Website visitors (visualhive.co)

When you visit our website, we may collect:

Technical data: IP address (truncated where possible), browser type and version, device type, operating system, referring URL, pages viewed, time on page, and approximate location derived from IP.
Usage data: clicks, scroll depth, navigation paths, and interactions with forms.
Voluntary data: any information you submit through contact forms, demo requests, newsletter sign-ups, or download forms. This typically includes name, business email address, company, job title, and the content of your message.
Cookie and similar technology data: see Section 9.

Purpose: to operate the website, secure it against abuse, understand how it is used, improve content and functionality, respond to enquiries, and where you have opted in, send marketing communications.

Lawful basis: legitimate interests (running and improving our website and responding to business enquiries); consent (for non-essential cookies and marketing emails to individual subscribers); and performance of a contract or steps prior to entering one (where you have requested information about our services).

4.2 Prospects, customers, and business contacts

When you engage with us as a business contact (for example, a sales prospect, customer, partner, supplier, or consultant) we may collect:

Identification and contact data: name, job title, employer, business email, business phone number, LinkedIn or other professional profile.
Commercial data: company size, industry, location, the products or services you are interested in, procurement information, and contractual terms.
Communications data: emails, meeting notes, recordings of meetings where all participants have consented, call transcripts, and Slack or chat messages exchanged during the engagement.
Event and meeting data: calendar information, attendance, and notes from discovery, demo, and consulting sessions.
Billing and payment data: for paying customers, billing contact, billing address, VAT or tax identifiers, and payment references. We do not store full payment card numbers; payments are handled by our payment processors.

Purpose: to provide our products and services, manage commercial relationships, deliver consulting and partnership engagements, send service communications and updates, comply with our legal obligations (including tax and accounting), and pursue our legitimate interests in growing the business.

Lawful basis: performance of a contract; legitimate interests (managing and growing business relationships); legal obligation (for tax, accounting, and statutory record-keeping); and consent (where required, such as for certain marketing channels).

4.3 Erleah users and event participants

Erleah is the Intelligent Event Operating System that Visual Hive provides to event organisers. When Erleah is deployed for an event, several types of personal data may be processed depending on the configuration agreed with the organiser. These may include:

Profile data about exhibitors, attendees, speakers, sponsors, and organisers, including name, role, organisation, photo (where supplied), biography, session details, stand details, and contact preferences.
Behavioural and intent data generated through interactions with Erleah, such as content viewed, sessions saved, matches accepted or declined, search terms, recommendations clicked, and meeting requests.
Inferred and modelled data generated by Erleah’s intelligence layers. This includes derived insights about declared and revealed intent, likely interests, suggested matches, and engagement patterns. These are model outputs based on the inputs above and are used to support the experience the organiser is delivering.
Identity and authentication data where Erleah users sign in directly, including email, hashed credentials, and session tokens.
Technical and device data while using Erleah, such as IP address, browser, device type, and timestamps.

Roles: for the vast majority of Erleah deployments, the event organiser is the controller of this data and Visual Hive is the processor. We process the data on the organiser’s documented instructions under our DPA. The organiser is responsible for providing a lawful basis, informing data subjects, and handling rights requests in the first instance. Where Visual Hive determines the purposes and means of processing for its own internal purposes (for example, security monitoring, fraud prevention, aggregated product analytics, and model improvement on data that has been appropriately de-identified or where permitted by the DPA), we act as a controller for that limited processing.

No automated decisions with legal or similarly significant effects: Erleah’s recommendations, matches, and inferences are decision-support outputs. They do not produce legal effects or similarly significant effects on individuals within the meaning of UK GDPR Article 22. Final decisions about who attends, who exhibits, who is matched, and how an event is run rest with the organiser and with the participants themselves.

4.4 DataHive users

When you use DataHive, our event data visualisation product, we process:

Account and authentication data for users who sign in.
Customer-supplied data that you upload or connect to DataHive in order to visualise it. This may contain personal data depending on what you choose to load. As with Erleah, in this context Visual Hive typically acts as a processor and you act as the controller of the data you upload.
Usage and technical data about how the product is used.

The same controller/processor split described for Erleah generally applies.

4.5 Special category data

We do not seek to collect special category personal data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, data concerning health, or data concerning a person’s sex life or sexual orientation).

If special category data is processed within Erleah or DataHive because a customer has chosen to upload it, the customer must have a valid Article 9 condition and must have informed data subjects. Customers must not upload special category data to our systems without first agreeing this with us in writing.

4.6 Children’s data

Our products and services are designed for business-to-business use. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact privacy@visualhive.co and we will delete it.

5. Lawful bases for processing

Under UK and EU GDPR we rely on the following lawful bases, depending on the activity:

Performance of a contract (Article 6(1)(b)): to provide our products and services to customers and to take steps at your request before entering a contract.
Legitimate interests (Article 6(1)(f)): to operate, secure, and improve our website and products; to manage business relationships; to conduct direct marketing to corporate contacts in line with PECR; to detect and prevent fraud and abuse; and to develop and improve our products, including the underlying models, in ways that do not override the rights and interests of data subjects.
Consent (Article 6(1)(a)): for non-essential cookies, certain marketing communications, and any processing for which consent is the most appropriate basis. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Legal obligation (Article 6(1)(c)): to comply with our obligations under tax, accounting, anti-money-laundering, and other applicable laws.
Vital interests and public task (Article 6(1)(d) and (e)): rarely relied on, but available in narrow scenarios such as responding to genuine emergencies.

Where we rely on legitimate interests, we have carried out a legitimate interests assessment (LIA) and balanced our interests against your rights and freedoms. You can request a summary of the relevant LIA by emailing privacy@visualhive.co.

6. How we use AI and automated processing

Visual Hive is an AI-first company. Erleah and DataHive use machine learning models, including large language models, to generate insights, recommendations, summaries, and visualisations.

The key points you should understand are:

Decision support, not automated decision-making. Our products are designed to assist humans (organisers, exhibitors, attendees, sponsors, speakers). They surface options, generate suggestions, and structure information. They do not make legally binding decisions about you and are not used for solely automated decisions with legal or similarly significant effects within the meaning of UK GDPR Article 22.
AI providers as sub-processors. We use third-party AI providers, including Anthropic (Claude), as sub-processors. They process data on our documented instructions to deliver the AI features of our products. We choose providers that offer enterprise-grade privacy and security commitments, including contractual restrictions on using customer data to train their general-purpose models.
No training on customer data without permission. We do not use customer-supplied data to train models for the benefit of other customers, unless the data has been fully de-identified in line with applicable guidance, or unless the customer has explicitly agreed in writing.
Human review. Outputs that have significant operational consequences are reviewed by Visual Hive personnel or by the customer’s own staff before being acted on.
Accuracy and limits. AI outputs can be incorrect, incomplete, or out of date. We document known limitations and recommend that customers treat AI outputs as inputs to human judgement, not substitutes for it.

If you have specific questions about how a particular AI feature processes personal data, contact privacy@visualhive.co.

7. Controller and processor roles in more detail

Different parts of our activity attract different roles under UK and EU GDPR.

Visual Hive acts as a controller for:

Personal data collected through visualhive.co.
Personal data about prospects, customers, partners, suppliers, and other business contacts where we determine why and how the data is used.
Personal data of users who hold direct accounts with us for billing, support, and account administration.
Personal data processed for our own internal purposes such as security monitoring, fraud prevention, financial administration, and aggregated product analytics.

Visual Hive acts as a processor for:

Customer-supplied data uploaded to or generated within Erleah and DataHive deployments, where the customer (typically an event organiser, venue, or enterprise client) determines the purposes and means of processing.

When we act as a processor, we operate under a Data Processing Agreement that meets Article 28 UK GDPR requirements. That DPA sets out:

The subject matter, duration, nature, and purpose of processing.
The categories of data subjects and types of personal data.
The obligations and rights of the controller.
Security measures, sub-processor terms, international transfer mechanisms, audit rights, breach notification commitments, and return or deletion of data at the end of the relationship.

If you are a data subject of a customer’s deployment and you want to exercise rights over your data, please contact the relevant controller (typically the event organiser) in the first instance. We will of course assist them in responding, as required by our DPA.

We share personal data only where necessary and only with parties subject to appropriate confidentiality and data protection obligations.

8.1 Categories of recipients

Sub-processors and service providers who help us deliver our products and services, including infrastructure, AI, communications, analytics, support, and security providers. Section 8.3 sets out the principal categories.
Customers and their authorised users where we are processing data on their behalf.
Professional advisers such as lawyers, accountants, auditors, and insurers, where required for legitimate business purposes.
Authorities where required to comply with law, regulation, court order, or legitimate request from law enforcement, and where we are satisfied that the request is valid.
Successors in interest in the event of a merger, acquisition, reorganisation, or sale of all or part of our business. We will inform you and provide choices where required by law.

We do not sell personal data and we do not share personal data with third parties for their own independent marketing purposes.

8.2 Principal sub-processors

We use the following categories of sub-processors. The specific providers we use change over time as we evolve our stack. The current list of named sub-processors is maintained at visualhive.co/subprocessors (or, until that page is published, available on request from privacy@visualhive.co).

Cloud hosting and infrastructure: server, storage, and networking infrastructure used to run our website and products.
AI model providers: providers of large language models and other AI capabilities used by Erleah and DataHive, including Anthropic.
Vector and operational databases: services used to store embeddings, structured records, and operational data.
Email delivery: providers used to send transactional and, where permitted, marketing emails.
Customer support and communications: tools used to communicate with customers and prospects.
Analytics and product telemetry: tools used to understand how our website and products are used.
Development, deployment, and monitoring: code hosting, CI/CD, logging, error tracking, and uptime monitoring.
Payments and finance: payment processors, accounting, and invoicing platforms.

Where we appoint a new sub-processor for customer-controlled data, we follow the process set out in the relevant DPA, including any notice and objection rights.

8.3 International transfers

We are based in the United Kingdom. Some of our sub-processors are located in the European Economic Area, the United States, or other jurisdictions. Where personal data is transferred outside the UK or EEA, we rely on appropriate safeguards under UK and EU GDPR, including:

The UK’s adequacy regulations or the European Commission’s adequacy decisions, where applicable.
The UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses (2021).
Additional technical, organisational, and contractual measures where required following a transfer impact assessment.

You can request copies of the relevant transfer mechanisms by contacting privacy@visualhive.co.

9. Cookies and similar technologies

When you visit visualhive.co we use cookies and similar technologies. A separate Cookie Notice is available at visualhive.co/cookies (or, until that page is published, this section governs our use of cookies).

We use the following categories:

Strictly necessary cookies: required for the website to function, including session and security cookies. These are set without consent under PECR.
Analytics cookies: help us understand how the site is used. Set only with consent.
Functional cookies: remember preferences such as language or layout. Set only with consent where required.
Marketing cookies: used for advertising and remarketing. Set only with consent.

You can manage cookie preferences through our consent banner and withdraw consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

Browser-level controls and “Do Not Track” signals are honoured to the extent we are technically able to do so.

10. How long we keep personal data

We retain personal data only for as long as we need it for the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.

The main retention rules we apply are:

Website enquiries: up to 24 months after the last interaction, unless a commercial relationship continues.
Prospect records: up to 36 months after the last meaningful interaction, with periodic review and pruning.
Customer records: for the duration of the contract and for 7 years after termination, to meet statutory record-keeping obligations.
Billing and tax records: at least 7 years, as required by UK tax law.
Erleah and DataHive customer-controlled data: for the duration set by the customer in the relevant agreement. On termination, we return or delete the data in line with the DPA.
Marketing consents and preferences: for as long as the relationship lasts and for a reasonable period afterwards, to evidence consent.
Logs and security data: typically 30 days to 13 months, depending on the system.

Where data is no longer needed, we delete it, anonymise it irreversibly, or move it to secure cold storage with restricted access.

11. Your rights

If we process your personal data, you have the following rights under UK and EU GDPR, subject to the conditions and exemptions in the law:

Right of access: to obtain a copy of the personal data we hold about you and information about how it is processed.
Right to rectification: to ask us to correct inaccurate or incomplete data.
Right to erasure: to ask us to delete your data where we no longer have a lawful basis to keep it.
Right to restrict processing: to ask us to limit how we use your data in certain circumstances.
Right to data portability: to receive certain data in a structured, commonly used, machine-readable format, and to ask us to transmit it to another controller where technically feasible.
Right to object: including the right to object at any time to processing for direct marketing, and to object on grounds relating to your particular situation to processing based on legitimate interests.
Rights relating to automated decision-making: as noted in Section 6, we do not carry out automated decisions with legal or similarly significant effects. Where relevant, you have the right not to be subject to such decisions.
Right to withdraw consent: at any time where processing is based on consent.
Right to complain to a supervisory authority: see Section 17.

To exercise any of these rights, please contact privacy@visualhive.co. We will respond within one month, extendable by a further two months for complex requests, in line with UK GDPR Article 12. We may ask for information to verify your identity before acting on a request.

If your data is held by us as processor on behalf of a customer (for example, an event organiser using Erleah), please contact the controller directly. We will support them in responding within the timescales required by the DPA.

12. Security

We take a defence-in-depth approach to information security and apply technical and organisational measures appropriate to the risk. These include:

Encryption of data in transit using TLS and encryption of data at rest where supported by the underlying service.
Role-based access controls, least-privilege principles, and authentication on all production systems.
Network segmentation, hardened infrastructure, and monitored logging.
Secure software development practices, including code review and dependency management.
Vulnerability management, patching, and periodic security testing.
Staff training, confidentiality agreements, and background checks where appropriate.
Incident response procedures and a documented breach management process.

No system is ever entirely secure. If a personal data breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware, and we will notify affected data subjects without undue delay where the breach is likely to result in a high risk, in line with UK GDPR Articles 33 and 34. Where we act as processor, we will notify the relevant controller without undue delay and assist them in meeting their notification obligations.

13. Marketing communications

We send marketing communications to corporate contacts where this is permitted by PECR and UK GDPR, typically on the basis of the “soft opt-in” or legitimate interests, and to individuals only with consent where required.

Every marketing email contains a clear unsubscribe link. You can also opt out of marketing at any time by emailing privacy@visualhive.co.

Opting out of marketing does not affect service communications, such as billing notices, security alerts, and important updates to our products or terms.

14. Linked services and integrations

Our products may integrate with third-party platforms (for example, event registration systems, CRMs, calendar tools, identity providers, and communication tools) where the customer asks us to do so. When data flows to or from those platforms, it is governed by the third party’s own terms and privacy notices, in addition to our agreement with the customer.

We are not responsible for the privacy practices of third parties that the customer chooses to connect to our products.

15. Public figures, journalists, and B2B contacts

We may collect publicly available information about business contacts from sources such as company websites, LinkedIn, industry directories, conference programmes, and press coverage. We treat this data as personal data and apply this policy to it. We rely on legitimate interests for this processing and we honour objection and erasure requests in line with Section 11.

16. Changes to this policy

We may update this policy from time to time. The “Last updated” and “Version” fields at the top of this document indicate when it was most recently changed.

For material changes, we will provide additional notice, such as a banner on the website or an email to active customers. Continued use of our website, products, or services after the effective date of an updated policy constitutes acceptance of the updated terms, where acceptance is the appropriate mechanism. Where the change requires renewed consent, we will ask for it.

A change log of material updates is maintained at the bottom of this page.

17. Complaints and supervisory authorities

If you have concerns about how we handle your personal data, please contact us first at privacy@visualhive.co. We take complaints seriously and will work with you to resolve them.

You also have the right to lodge a complaint with a supervisory authority.

United Kingdom: Information Commissioner’s Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Telephone: 0303 123 1113 Website: https://ico.org.uk

European Economic Area: You may complain to the supervisory authority in your country of residence, place of work, or the place where the alleged infringement occurred. A list is maintained by the European Data Protection Board at https://edpb.europa.eu.

18. Specific notices for Erleah and DataHive

This section supplements the rest of this policy with product-specific information.

18.1 Erleah

What Erleah is: an Intelligent Event Operating System used by event organisers, venues, and enterprise clients to orchestrate exhibitor, attendee, speaker, sponsor, and organiser workflows across the full event lifecycle.
Who controls the data: for the great majority of deployments, the event organiser (or other contracting customer) is the controller. Visual Hive is the processor.
What Erleah processes: profile, behavioural, intent, and inferred data as set out in Section 4.3.
How AI is used: to generate recommendations, matches, summaries, and other decision-support outputs, as described in Section 6.
Sub-processors: including Anthropic (Claude) for AI capabilities, and other infrastructure providers listed at visualhive.co/subprocessors (or available on request).
Retention: set by the customer in the relevant contract. On termination, data is returned or deleted in line with the DPA.
Data subject rights: to be exercised in the first instance with the controller (typically the event organiser). Visual Hive will support the controller’s response.

18.2 DataHive

What DataHive is: an event data visualisation product.
Who controls the data: customers who upload or connect data to DataHive are typically the controllers of that data. Visual Hive is the processor.
What DataHive processes: customer-supplied data plus account, authentication, usage, and technical data as set out in Section 4.4.
Sub-processors: as set out in Section 8.2 and at visualhive.co/subprocessors.
Data subject rights: to be exercised with the relevant controller in the first instance.

19. Contact summary

General: hello@visualhive.co
Privacy: privacy@visualhive.co
Security and breach notification: security@visualhive.co
Post: Visual Hive Ltd, [Postal address], United Kingdom

Change log

v1.0 — 30 May 2026: Initial publication.

Questions? privacy@visualhive.co

Back to Visual Hive