Privacy Policy

The data controller responsible for personal data described in this notice is HYDRO ROBOTICS LTD, a company incorporated in England and Wales.

Registered office
128 City RoadLondonUnited KingdomEC1V 2NX

• Company number: 16091229
• Incorporation date: 20 November 2024
• Nature of business (Companies House): Engineering related scientific and technical consulting, and other research and experimental development on natural sciences and engineering

For privacy enquiries: [email protected] (also shown as info [at] hydro-robotics.com on our site).

This policy applies to personal data we process when you use our public website at hydro-robotics.com, our dashboard and related cloud services (including services we intend to offer under paid subscription plans), and when you communicate with us (for example via contact forms or email).

If you are located in the United Kingdom, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply to our processing of your personal data, together with the Privacy and Electronic Communications Regulations (PECR) where relevant to cookies and similar technologies.

If you are in the European Economic Area (EEA), Regulation (EU) 2016/679 (EU GDPR) applies to our processing where we offer goods or services to you or monitor your behaviour. We describe international transfers and safeguards in Section 7.

Nothing in this notice is intended to limit any statutory rights you have under mandatory consumer or data protection laws in your country of residence.

Depending on how you interact with us, we may process:

• Identity and contact data: name, email address, company name, job title, phone number, and message content you send us.
• Account and subscription data: account identifiers, organisation or facility identifiers, plan tier, billing status, and records of subscription changes (when you create an account or subscribe).
• Technical and usage data: IP address, approximate location derived from IP, browser type, device identifiers, timestamps, pages viewed, diagnostic logs, and security telemetry.
• Authentication data: security tokens and session identifiers stored in cookies or similar storage when you use the dashboard or authenticated areas.
• Industrial telemetry (customers): sensor readings and operational metrics you route through our systems, which may include limited personal data if you configure identifiers that relate to individuals. We treat such data in accordance with our agreements and this notice.
• Payment data: we do not store full payment card numbers on our servers; payments are handled by our payment service provider, which receives the data needed to process the transaction.

We process personal data on the following bases, as appropriate:

• Contract (Article 6(1)(b) GDPR / UK GDPR): to register your account, provide the dashboard and related services, process subscriptions and invoices, and communicate with you about the service.
• Legitimate interests (Article 6(1)(f)): to secure our systems, prevent abuse, improve reliability, analyse aggregated usage, and respond to enquiries — where we balance our interests against your rights.
• Consent (Article 6(1)(a)): for non-essential cookies and similar technologies, and for optional marketing communications where we ask for consent.
• Legal obligation (Article 6(1)(c)): to comply with tax, accounting, or regulatory requirements.

Where we process special categories of personal data (rare in our context), we will only do so where a specific legal condition applies and, where required, with your explicit consent.

We use cookies (small text files placed on your device) and similar technologies (for example local storage and SDK storage) as follows:

• Strictly necessary: required for core functionality and security, including load balancing, session management for the dashboard, authentication, fraud prevention, and cookie consent storage. These are used based on our legitimate interests and, where applicable, to perform our contract with you. They do not require consent under the ePrivacy rules in the UK and EU for strictly necessary purposes.
• Analytics (optional): where enabled, helps us understand aggregate traffic and product performance. We only enable these if you consent via our cookie banner (or equivalent control).
• Marketing (optional): where enabled, may be used to measure campaigns or personalise promotional content. We only enable these if you consent.

You can change your mind at any time using Cookie settings in the site footer (opens the preference panel where you can enable or disable optional categories and save), or use Clear choice & reload there to remove stored consent and see the banner again after refresh. You can also contact us. Browser settings can block cookies; blocking strictly necessary cookies may prevent the dashboard from working correctly.

Our public website is primarily informational. If you submit a contact form, we process the data you provide to respond to your request.

Our dashboard and related authenticated services process account and operational data to deliver the features you subscribe to (or trial). When we launch or expand paid subscription plans, we will process:

• subscription tier, seat counts or usage metrics as defined in the plan;
• billing contact details and transaction records;
• payment confirmation from our payment provider (not full card data on our servers);
• communications about renewals, material changes to terms or pricing, and service notices.

Specific commercial terms (including renewal, cancellation, and refunds) are set out in our Terms of Service and, where applicable, an order form or checkout screens at the time of purchase.

Public marketing website and related static assets are hosted in the Republic of Ireland on infrastructure operated by DigitalOcean, LLC (DigitalOcean).

The Hydro Robotics dashboard application, application databases, and related production data processing for subscribed customers are hosted in Frankfurt am Main, Germany (European Economic Area), on infrastructure operated by DigitalOcean.

We use DigitalOcean as a processor (and subprocessors as listed in DigitalOcean’s documentation) to host and operate our services. Where we introduce additional processors (for example payment services), we identify them at checkout or in your account and in updates to this policy.

Processing in Ireland and Germany keeps most personal data within the EEA and UK adequacy or comparable frameworks. If we transfer personal data to countries without an adequacy decision, we use appropriate safeguards such as the UK International Data Transfer Agreement / Addendum and the EU Standard Contractual Clauses, plus supplementary measures where required by transfer impact assessments.

We share personal data with service providers who process it on our instructions (processors), including infrastructure and, where applicable, authentication, email delivery, and payment processing. We may disclose information if required by law, court order, or to protect rights, safety, and security.

We do not sell your personal data in the sense of exchanging it for money with unaffiliated data brokers.

We retain personal data only as long as necessary for the purposes described, plus any period required by law (for example tax or accounting rules). Account data is retained for the life of the account and a reasonable period afterwards to resolve disputes or enforce terms. Marketing consents and logs are retained in line with regulatory guidance on evidence of consent.

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. No method of transmission over the Internet is completely secure; we encourage strong passwords and safe handling of credentials.

Subject to applicable law, you may have the right to: access your personal data; rectify inaccurate data; erase data; restrict processing; data portability; object to processing based on legitimate interests (including profiling in certain cases); and withdraw consent where processing is consent-based (without affecting the lawfulness of processing before withdrawal).

To exercise these rights, contact us at [email protected]. We may need to verify your identity before responding. You may also have the right to lodge a complaint with a supervisory authority (see Section 12).

UK:you may complain to the Information Commissioner's Office (ICO) at ico.org.uk.

EEA: you may contact your local data protection authority. A list of EU authorities is published by the European Data Protection Board at edpb.europa.eu.

Where Article 27 GDPR requires us to designate a representative in the Union, we will publish their identity and contact details in this section. Until such appointment is made public here, EEA data subjects may contact us at the registered office address above or at [email protected] for GDPR-related requests.

Our industrial AI features may assist operators with recommendations. We do not make solely automated decisions that produce legal or similarly significant effects concerning individuals in the sense of Article 22 GDPR without a lawful basis and appropriate safeguards. If this changes, we will update this notice and explain any meaningful human involvement or your rights.

Our services are not directed at children under 16 (or the higher age required in your jurisdiction). We do not knowingly collect personal data from children. If you believe we have done so, please contact us and we will take steps to delete it.

We may update this Privacy Policy from time to time. We will post the updated version on this page and change the “Last updated” date. Where changes are material and we are required to notify you (for example for subscription services), we will also use email or in-product notices.