Legal & Compliance

Privacy Policy

GTM Hive Ltd  ·  Last updated: 27 March 2026

1. Introduction

This privacy policy explains how GTM Hive Ltd ("we", "us", "our") collects, uses, stores and protects your personal data when you use our services, including The Vault online membership platform, our consulting and advisory services, our website (gtmhive.com), and any associated digital content or communications.

We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). This policy is designed to meet the standards set by the Information Commissioner's Office (ICO).

2. Data Controller

The data controller responsible for your personal data is:

GTM Hive Ltd

Registered address: Sevenoaks, Kent, United Kingdom

Email: [email protected]

Website: gtmhive.com

If you have any questions about this policy or about how we handle your personal data, please contact us using the details above.

3. What Personal Data We Collect

We may collect and process the following categories of personal data:

3.1 Information you provide directly

  • Full name and job title
  • Business email address and telephone number
  • Company name and business address
  • Payment and billing information (processed securely via our third-party payment provider)
  • Account credentials for The Vault membership platform
  • Communications you send to us (emails, enquiry forms, feedback)
  • Responses to surveys or questionnaires

3.2 Information collected automatically

  • IP address and approximate geographic location
  • Browser type, device type and operating system
  • Pages visited, time spent on pages, and navigation paths on our website
  • Cookies and similar tracking technologies (see Section 10)
  • Referral source (how you found us)

3.3 Information from third parties

  • Publicly available business contact information from LinkedIn or company websites, used for legitimate business outreach
  • Data enrichment services we use to verify and supplement business contact details
  • Analytics data from platform providers (e.g. website hosting, email marketing tools)

4. Lawful Basis for Processing

Under UK GDPR, we must have a valid lawful basis for processing your personal data. The bases we rely on are set out below.

Lawful Basis When We Use It Examples
Contract Processing is necessary to perform our contract with you Providing The Vault membership access, delivering consulting engagements, processing payments
Legitimate Interests Processing is necessary for our legitimate business interests, provided these do not override your rights Business development outreach, improving our services, website analytics, fraud prevention
Consent You have given clear, informed consent Email marketing newsletters, optional cookies for analytics and advertising
Legal Obligation Processing is necessary to comply with a legal obligation Tax records, regulatory compliance, responding to lawful requests from authorities

5. How We Use Your Personal Data

We use your personal data for the following purposes:

  • To create and manage your account on The Vault membership platform
  • To deliver consulting, training and advisory services you have engaged us for
  • To process payments and manage subscriptions
  • To send you service-related communications (e.g. login details, subscription confirmations, service updates)
  • To send marketing communications where you have opted in or where we have a legitimate interest (with an easy opt-out)
  • To personalise your experience on our platform and website
  • To analyse website usage patterns and improve our services
  • To conduct business development and outreach activities
  • To comply with legal and regulatory obligations
  • To protect our rights, property and safety and that of our users

6. Marketing Communications

We may send you marketing communications about our services, events, content and offers. We will only do so where you have given your consent, or where we are contacting you as an existing client or subscriber and the communication relates to similar services (the "soft opt-in" under PECR).

Every marketing email we send includes a clear and functional unsubscribe link. You can opt out at any time, and we will action your request promptly. Opting out of marketing will not affect service communications necessary for the performance of our contract with you.

7. Who We Share Your Data With

We do not sell your personal data to third parties. We may share your data with the following categories of recipients, strictly on a need-to-know basis:

  • Payment processors (e.g. Stripe) to handle transactions securely
  • Email marketing platforms (e.g. ConvertKit / Kit) to manage newsletters and communications
  • Website hosting and analytics providers (e.g. Wix, Google Analytics)
  • CRM and sales tools (e.g. Attio, Clay) for managing business relationships
  • Cloud storage providers for secure document storage
  • Professional advisers (accountants, lawyers) where necessary
  • Law enforcement or regulatory bodies where we are legally required to do so

All third-party processors we work with are required to process your data in accordance with UK GDPR, and we ensure appropriate contracts are in place with each provider.

8. International Data Transfers

Some of the third-party services we use may store or process data outside the United Kingdom. Where this occurs, we ensure that appropriate safeguards are in place, such as the use of Standard Contractual Clauses (SCCs) approved by the ICO, reliance on an adequacy decision by the UK Secretary of State, or binding corporate rules.

If you would like further details about the specific safeguards applied to any international transfer of your data, please contact us.

9. How Long We Keep Your Data

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected. Our retention periods are as follows:

  • Active membership data: retained for the duration of your subscription plus 12 months after cancellation
  • Consulting engagement records: retained for 6 years after completion (in line with HMRC requirements)
  • Marketing consent records: retained for as long as your consent is active, plus 12 months after withdrawal
  • Website analytics data: retained in anonymised or aggregated form for up to 26 months
  • Financial and tax records: retained for 6 years as required by UK law
  • Correspondence and support enquiries: retained for 2 years after the last interaction

When personal data is no longer required, we securely delete or anonymise it.

10. Cookies and Tracking Technologies

Our website uses cookies and similar technologies. Cookies are small text files placed on your device that help us understand how you use our website and improve your experience.

10.1 Types of cookies we use

  • Strictly necessary cookies: Required for the website to function (e.g. session management, security). These do not require consent.
  • Analytics cookies: Help us understand website traffic and usage patterns (e.g. Google Analytics). Set only with your consent.
  • Marketing cookies: Used to deliver relevant advertising and measure campaign effectiveness. Set only with your consent.
  • Functional cookies: Remember your preferences and settings. Set only with your consent.

10.2 Managing cookies

When you first visit our website, you will be presented with a cookie consent banner allowing you to accept or reject non-essential cookies. You can change your cookie preferences at any time through the cookie settings link in our website footer, or by adjusting your browser settings.

Please note that blocking certain cookies may affect the functionality of our website.

11. Your Rights Under UK GDPR

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

  • Right of access: You can request a copy of the personal data we hold about you (a Subject Access Request).
  • Right to rectification: You can ask us to correct inaccurate or incomplete personal data.
  • Right to erasure: You can ask us to delete your personal data where there is no compelling reason for us to continue processing it.
  • Right to restrict processing: You can ask us to suspend processing of your personal data in certain circumstances.
  • Right to data portability: You can request that we transfer your data to another organisation in a structured, commonly used, machine-readable format.
  • Right to object: You can object to processing based on legitimate interests or direct marketing at any time.
  • Rights related to automated decision-making: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

To exercise any of these rights, please contact us at james@gtmhive.com. We will respond to your request within one calendar month, as required by UK GDPR. There is no fee for making a request, although we may charge a reasonable fee or refuse to act on a request if it is manifestly unfounded or excessive.

12. Data Security

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Use of encrypted connections (HTTPS/TLS) across all platforms
  • Secure password policies and, where available, multi-factor authentication
  • Access controls limiting data access to authorised personnel only
  • Regular review of our data processing activities and security measures
  • Use of reputable third-party service providers with strong security practices

While we take all reasonable steps to protect your data, no method of electronic transmission or storage is completely secure. We encourage you to use strong passwords and protect your account credentials.

13. Children's Data

Our services are designed for business professionals and are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

14. Links to Third-Party Websites

Our website and platform may contain links to third-party websites and services. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policy of any website you visit.

15. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Where changes are material, we will notify you by email or by a prominent notice on our website. We encourage you to review this policy periodically.

The date at the top of this policy indicates when it was last updated.

16. How to Complain

If you are unhappy with how we have handled your personal data, we encourage you to contact us first so we can try to resolve the issue.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent authority for data protection:

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113

Website: ico.org.uk

17. Contact Us

If you have any questions about this privacy policy or our data practices, please get in touch:

James Barker

GTM Hive Ltd

Email: james@gtmhive.com

Website: gtmhive.com

GTM Hive Ltd  ·  Registered in England  ·  gtmhive.com  ·  james@gtmhive.com