Information Security Policy

1. Overview

This Information Security Policy describes how HiveKeeper (operated by Culshaw Consulting Ltd, Company No. 16938477) collects, stores, processes and protects user data. It covers all systems used in the delivery of the HiveKeeper service.

HiveKeeper is a UK beekeeping management application accessible at gethivekeeper.com and via native iOS and Android apps. All processing is conducted in accordance with UK GDPR and the Data Protection Act 2018.

This document should be read alongside our Privacy Policy, which covers your data-protection rights in detail.

2. Systems and Third-Party Processors

System	Provider	Purpose	Data location
Supabase	Supabase Inc.	Database, authentication, file storage	AWS eu-west-2 (London, UK)
Cloudflare Workers	Cloudflare Inc.	API proxy for voice transcription, AI analysis, payments, iCal calendar	Cloudflare edge (UK/EU primary)
GitHub Pages	GitHub Inc. / Microsoft	Static web hosting for marketing pages — no user data stored	Global CDN
OpenAI Whisper	OpenAI Inc.	Voice transcription of inspection notes — processed in real time via paid API, not retained	US (via Cloudflare Worker)
Anthropic Claude	Anthropic PBC	AI frame analysis and beekeeping advice — processed in real time via paid API, not retained	US (via Cloudflare Worker)
Stripe	Stripe, Inc. / Stripe Payments UK Ltd	Subscription payment processing	UK / Ireland
Resend	Resend.com	Transactional and marketing email delivery	US
Open-Meteo	Open-Meteo GmbH	Live weather data per apiary — coordinates only, no personal data	EU (Germany)
postcodes.io / Nominatim	Open Source / OSM	Geocoding apiary locations — no personal data	UK / EU
Leaflet.js / ESRI	ESRI / OpenStreetMap	Satellite map tiles for apiary map — no personal data transmitted	Global CDN
Google Charts API	Google LLC	QR code generation — hive URLs only, no personal data	Google global CDN
HiveKeeper Analytics	Culshaw Consulting Ltd (via Supabase)	In-app usage analytics — screen views, feature usage, paywall interactions. No third party involved.	AWS eu-west-2 (London, UK)
Median	Median.co	Native app wrapper — no user data stored by Median itself	US

3. Data We Collect

Account data

Email address — required for account creation and authentication
Display name — optional, used for inspection records and sharing
Subscription tier — free, pro, or commercial
Referral code — auto-generated for the referral scheme

Apiary and hive data

Apiary names, locations (postcode or town), and GPS coordinates
Hive names, status, health scores, inspection records
Hive GPS positions on the apiary satellite map
Frame photos and hive cover photos
Varroa counts, harvest records, treatment logs
Voice inspection transcripts (processed via Whisper, stored as text)

What we do NOT collect

Payment card details — handled entirely by Stripe (or, for native apps, Apple App Store / Google Play)
Device identifiers or advertising IDs
Browsing history or cross-site tracking data
Third-party analytics or behavioural profiling data

4. How We Use Your Data

Data	How we use it	Lawful basis (UK GDPR Art. 6)
Email address	Account authentication, password reset, service notifications	Contract — necessary to provide the service
Apiary and hive data	Displaying your beekeeping records within the app	Contract — the core purpose of HiveKeeper
Inspection records and photos	Building your hive history, health scores, AI analysis (if requested)	Contract
GPS coordinates / postcode	Live weather data, nectar calendar, Asian Hornet Watch alerts, satellite map	Legitimate interests — core app functionality
Analytics events	Understanding how the app is used to improve features and fix bugs	Legitimate interests — product improvement. No personal content is logged.
Referral data	Tracking referral rewards and calculating incentives	Contract — part of the referral scheme you opt into
Policy consent timestamp	Recording that you have agreed to our policies	Legal obligation — UK GDPR compliance
SOS emergency contact	Sending an alert in an apiary emergency	Explicit consent — you provide this voluntarily

Data minimisation: We only collect data that is directly necessary for the purposes listed above. If we cannot justify collecting a piece of data, we do not collect it.

5. Business Transfer

In the event of a sale, merger, acquisition or transfer of HiveKeeper or Culshaw Consulting Ltd, user data forms part of the business assets and may transfer to the acquiring party. We will notify all registered users by email before any transfer takes effect and give users a minimum of 30 days to export and delete their data. User data will never be sold as a standalone asset.

6. Authentication and Access Control

Authentication is handled by Supabase Auth using email/password
Passwords are hashed using bcrypt — we never have access to plaintext passwords
Row Level Security (RLS) is enforced on all database tables — users can only access their own data
All admin accounts are protected with multi-factor authentication
API keys are stored as server-side secrets (Cloudflare Worker secrets) — never exposed in client code

7. Data Storage and Encryption

All data at rest is encrypted using AES-256 (managed by AWS/Supabase)
All data in transit uses TLS 1.2 or higher
Photos are stored in Supabase Storage with server-side encryption at rest
Local device data is stored in browser localStorage, subject to device-level security controls
Apiary map positions are stored locally and synced to Supabase — they are not shared with mapping providers

8. Data Retention

Data type	Retention
User account and hive data	Until account deletion is requested
Frame and cover photos	Until deleted by user or account deletion
Voice recordings (OpenAI Whisper)	Processed in real time — not retained by OpenAI under paid API terms
Photo data sent for AI analysis	Processed in real time — not retained by Anthropic under paid API terms
SOS emergency contact details	Until updated or account deleted
Deleted account data	Removed within 30 days; backups purged within 90 days
Invoices and subscription records	6 years (UK tax and accounting law)
Error logs and security logs	90 days
Inactive accounts	Reviewed at 24 months inactivity — user contacted before any deletion

9. Your Rights (UK GDPR)

Right	How to exercise
Access	Request a copy of all personal data held — we will provide a CSV export within 30 days
Rectification	Update data directly in the app, or contact us for corrections
Erasure	Use Settings → Start fresh, or email us for full account deletion
Data portability	Use Settings → Export all data to CSV at any time
Object to processing	Contact us — we will cease processing within 30 days where lawful
Withdraw consent	Delete your account at any time — no questions asked

To exercise any right, contact [email protected]. We will respond within 30 days.

10. Data Breach Procedure

In the event of a data breach, we will assess the risk within 72 hours of discovery
Where required, the ICO will be notified within 72 hours
Affected users will be notified directly by email without undue delay
A breach log is maintained internally regardless of whether external notification is required

11. Referral Scheme Data

Each user is assigned a unique referral code stored in their profile
Referral records link referrer and referred user by internal ID only — email addresses and personal details are never shared between users
Referral records are deleted when either account is deleted

12. Analytics

HiveKeeper uses its own privacy-first analytics system built on Supabase. No third-party analytics tools, tracking pixels, cookies or advertising networks are used.

What we record

Screen views — which screens you visit within the app
Feature usage — inspections saved, photos uploaded, reports viewed
Paywall interactions — when you reach a plan limit
Onboarding completion — whether setup was completed successfully

What we do not record

The content of your inspection notes or transcripts
Photos or any media
Your location beyond the apiary postcode you enter
Any data from outside the HiveKeeper app

13. Advertising

Ads are displayed on Free and Pro tiers only — not on Commercial, and not on Founding Beekeeper accounts
Ads are served from a static curated list within the app — no external ad network, no tracking pixels, no behavioural targeting
We do not sell or share user data with any advertiser

14. Age Restrictions

HiveKeeper is intended for users aged 18 or over. By signing up, you confirm that you are at least 18 years old. This reflects that paid subscriptions are processed via standard payment cards, which are generally only available to adults.

We do not knowingly collect personal data from anyone under 18. If you believe a minor has signed up for HiveKeeper, please contact [email protected] and we will delete the account and any associated data as soon as reasonably possible.

15. Changes to This Policy

This policy will be reviewed annually or when significant changes to our systems occur. Users will be notified of material changes via the app and/or by email. The current version is always available at gethivekeeper.com/security-policy.html.

16. Contact and ICO Registration

Data Controller: Culshaw Consulting Ltd
Registered office: 30 Stanion Road, Brigstock, Northamptonshire NN14 3HW
Company No: 16938477
Privacy contact: [email protected]
Website: gethivekeeper.com

🛡️ ICO Registration No: CSN4273098

Culshaw Consulting Ltd is registered with the Information Commissioner's Office under registration number CSN4273098.