Legal · v3-2026-05-19
Privacy Policy
Last updated: 19 May 2026
1. Who controls your data
HAMAR SOLUTIONS LTD (Co. No. 15630253), registered in England & Wales, is the data controller for personal data you provide while using Hamar™. For data your clients provide to you (which you then enter into Hamar to issue them quotes/invoices), you are the data controller and Hamar is your data processor.
Contact for data matters: hello@hamar.io.
2. What data we collect
To provide the service, we collect:
- Account data — name, email, password (hashed), the email of the device that signed you up.
- Business data — your business name, trading address, VAT registration, contact email, phone, logo, brand colours.
- Client data you enter — names, contact details, addresses, internal notes about your clients.
- Transactional data — quotes, invoices, line items, payment status, chase history.
- Audit data — IP address and browser when you accept/decline a quote, when you submit a bug report, and when you sign in.
- Technical data — basic logging from Vercel (request paths, response codes, timing) for debugging and abuse prevention.
3. Why we use it (lawful bases under UK GDPR)
- To provide the service — performance of our contract with you.
- To send transactional emails (verification, quote/invoice notifications, chase reminders, welcome) — performance of our contract with you.
- To prevent fraud and abuse — our legitimate interests in keeping the service safe.
- To improve the service based on usage patterns and bug reports — our legitimate interests, balanced against your privacy.
- To comply with HMRC record-keeping rules — legal obligation.
We do not sell your data to anyone. We do not use it for advertising, profiling for marketing, or share it with brokers.
4. Sub-processors
Hamar uses these third-party services to operate. Each is contractually bound to handle your data in line with UK GDPR:
| Service | Used for | Region |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Ireland) |
| Vercel | Hosting, edge network, application logs | EU + global edge |
| Resend | Transactional email delivery | US (delivery global) |
| Stripe | Card payment processing | UK (Stripe Payments UK Ltd) |
Where data leaves the UK/EU (e.g. to Resend in the US), it moves under Standard Contractual Clauses providing equivalent protection.
5. How long we keep it
- Account data (clients, quotes, invoice content, notes, business profile, uploaded logo) — for as long as your account is active. If you cancel your subscription, this data is kept on ice for 60 days so you can pick up where you left off if you return.
- At the end of the 60-day window we email you a ZIP file containing a complete copy of your business records (quotes, invoices, clients, line item templates, logo, business profile) for your own record-keeping. After we’ve sent it, we remove our copy. You always end up with your data — we never delete without handing it back first.
- Financial records (invoices, payments) — anonymised at the 60-day mark but retained for 6 years from the end of the relevant financial year, in line with HMRC requirements. The retained record is stripped of personal data — it exists only to satisfy our tax-compliance obligations.
- Bug reports — retained for 12 months for analysis and product improvement, then anonymised.
- Server logs — typically retained by Vercel for 30 days.
6. Your rights
Under UK GDPR you have the right to:
- Access a copy of the personal data we hold about you.
- Rectify inaccurate data — most can be done directly in the app under Settings → Business profile.
- Erase your data ("right to be forgotten") subject to our HMRC retention obligation for financial records.
- Restrict or object to certain processing.
- Data portability — quotes, invoices, and clients are exportable as CSV at any time from inside the app.
- Withdraw consent where processing is based on consent.
- Complain to the ICO — the UK Information Commissioner's Office at ico.org.uk.
To exercise any of these, email hello@hamar.io. We'll respond within one calendar month.
7. Cookies & tracking
Hamar uses essential cookies only — to keep you signed in (Supabase auth session) and remember your preferences. We do not use third-party tracking, advertising, or analytics cookies during the alpha. If we add product analytics later, we'll ask for consent first.
8. Security
All data is encrypted in transit (TLS) and at rest (AES-256). Passwords are hashed with bcrypt by Supabase Auth. Access to the production database is restricted to the authorised administrator and audited.
In the event of a data breach affecting your personal data, we'll notify you and the ICO within 72 hours of becoming aware, in line with UK GDPR Article 33.
9. Young users (13-17)
Hamar welcomes 13-17 year-olds running their own ventures — Young Founders. We take extra care with their data:
- Under-13s: we do not accept signups and do not knowingly collect personal data from under-13s, in line with the UK GDPR digital age of consent.
- 13-15 year-olds: we require verified consent from a parent or legal guardian before activating the account. The parent’s email address is collected only to send the approval link; we don’t use it for marketing or share it with third parties. Approval is recorded in a parental_approvals table with a unique token and timestamp.
- 16-17 year-olds: can sign up directly under standard UK GDPR rules. Card payment features (Stripe Connect) remain locked until they turn 18, per Stripe’s own terms.
- Same retention rules apply: 60-day cancellation grace + ZIP-return + HMRC anonymisation, as described in section 5 above. Young Founders are not treated as a separate data category for retention purposes.
- Parents/guardians’ rights: can request access to or deletion of their child’s account by emailing hello@hamar.io with evidence of their relationship to the account holder.
10. Changes to this policy
Material changes to this policy will be communicated by email before they take effect.
Version v3-2026-05-19 · 19 May 2026