Privacy Notice
hyperpersonalised.com and the Hyper platform
1. About this notice
This privacy notice explains how Struan.ai Ltd ("Struan", "we", "us", "our") collects, uses, shares and protects personal data in connection with the hyperpersonalised.com website, the Hyper platform and the outbound prospecting activity that Struan operates on its own behalf and, where applicable, on behalf of customers.
It is written to meet the transparency requirements of the UK GDPR, the EU GDPR (Regulation 2016/679), the UK Data Protection Act 2018, the UK Privacy and Electronic Communications Regulations 2003 (PECR), the EU ePrivacy Directive 2002/58/EC, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), other US state privacy laws listed at section 14, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec Law 25 and Canada's Anti-Spam Legislation (CASL).
Where this notice must give different information to people in different countries or states, the country or state is called out in the heading.
2. Controller identity and contact details
2.1 Controller
Struan.ai Ltd, a private company limited by shares incorporated in Scotland with company number SC858161. We can be contacted at privacy@hyperpersonalised.com for privacy queries and at hello@hyperpersonalised.com for general queries.
Struan.ai Ltd is the data controller for the processing described in this notice, except where Struan acts as a processor for a customer of the Hyper platform. Where Struan acts as processor, the customer is the controller and this notice is informational only - the customer's own privacy notice governs.
Note: tryhyper.ai redirects to hyperpersonalised.com. Both domains are operated by Struan.ai Ltd.
2.2 How to contact us about privacy
Email: privacy@hyperpersonalised.com
Data Protection Officer: [outsourced DPO firm to be appointed]
2.3 EU representative (Article 27 UK GDPR / EU GDPR)
Because we are established in the United Kingdom but offer services to, and monitor the behaviour of, people located in the European Union, we have appointed an EU representative as required by Article 27. EU residents may contact the EU representative directly on matters relating to the processing of their personal data.
EU representative: [firm name to be inserted], [address], [email].
3. Who this notice applies to
- Visitors to the hyperpersonalised.com website and any Hyper-hosted landing pages.
- People who submit a demo request, newsletter signup or other form on hyperpersonalised.com.
- People whose business contact details are processed by Struan for outbound prospecting (email, LinkedIn, landing page personalisation).
- People whose business contact details are processed through the Hyper platform on behalf of a customer of Struan.
- Business contacts, customers and suppliers of Struan.
4. Categories of personal data we process
| Category | Examples |
|---|---|
| Identity data | Name, job title, employer, LinkedIn URL |
| Contact data | Work email address, work phone, business postal address |
| Enrichment data obtained from third parties | Firmographic data (company size, industry, funding stage, technology stack) and role-level signals obtained from B2B data and enrichment providers. The current list of named providers is available on request - email privacy@hyperpersonalised.com. |
| Intent and behavioural signals | Publicly observable hiring signals (for example, a job advert), click activity on our emails and landing pages, session activity on hyperpersonalised.com |
| Device and online identifiers | IP address, approximate location derived from IP, user agent, cookie identifiers, consent records |
| Inferred data | Seniority, team size, role-fit score, estimated salary band for the role being hired for, inferred intent level |
| Visitor identification data | Where you consent (UK/EU) or where applicable US rules allow (US), the name, job title and employer of visitors to hyperpersonalised.com, obtained from a third-party visitor identification provider |
| Form content | Anything you type into a form on hyperpersonalised.com, including target account URLs, outcome statements and free-text questions |
| Account and transaction data (Hyper customers) | Billing contact, payment metadata (not card numbers - those go to the payment processor), contract details, usage logs |
We do not intentionally process special category data under Article 9 UK/EU GDPR (for example health, trade-union, religious or political data). If a visitor-identification provider inadvertently surfaces data that would amount to special category data, we do not act on it and delete it at the earliest opportunity.
5. Where we obtain personal data
- Directly from you when you use our website, fill in a form, sign a contract or email us.
- From our data enrichment providers - B2B contact and company databases, scraped public web content (including public job adverts), and profile data derived from professional networks. The current list of named providers is available on request - email privacy@hyperpersonalised.com.
- From our website visitor-identification provider (where consent or local law permits) - currently [provider name to be inserted].
- From publicly available sources such as company websites, Companies House, press releases and public social posts.
- From customers of the Hyper platform, who upload their own prospect data to Hyper for outbound and landing-page personalisation.
6. Purposes and lawful bases (UK GDPR / EU GDPR)
We rely on the following lawful bases under Article 6 UK/EU GDPR:
| Purpose | Lawful basis | Notes |
|---|---|---|
| Operate, secure and improve hyperpersonalised.com | Legitimate interests (Art 6(1)(f)) | Our interest in running a working, safe website. Balanced against your reasonable expectation of a functional site. |
| Respond to demo requests and contact form submissions | Performance of a contract / steps prior to contract (Art 6(1)(b)) | You asked us to contact you. |
| Send newsletters and marketing emails where you have signed up | Consent (Art 6(1)(a)) | You can withdraw at any time via the unsubscribe link. |
| B2B outbound prospecting (email, LinkedIn, landing page personalisation) run by Struan | Legitimate interests (Art 6(1)(f)) | Documented Legitimate Interests Assessment (LIA). See section 7. |
| Hyper platform services for customers | We act as processor; the customer is controller | Customer's lawful basis applies. Our processing is bound by the Data Processing Agreement. |
| Website visitor identification and personalisation | Consent for the cookie/SDK (PECR / ePrivacy) + Legitimate interests for the downstream personal data (Art 6(1)(f)) | UK/EU visitors: consent required before any visitor-ID tag fires. See section 8. |
| Billing, tax, accounting, statutory record-keeping | Legal obligation (Art 6(1)(c)) and legitimate interests | We have to keep certain records by law. |
| Detecting fraud, abuse, and enforcing our terms | Legitimate interests (Art 6(1)(f)) | Necessary to run the service securely. |
7. Outbound prospecting
When Struan runs outbound prospecting on its own behalf, we rely on legitimate interests (Article 6(1)(f)) as our lawful basis, supported by a written Legitimate Interests Assessment (available on request to our DPO). We only contact people in business roles about matters reasonably connected to their role and our business offering. We do not send marketing to private individuals about consumer products.
Under PECR in the UK, the corporate subscriber exemption permits unsolicited business email to limited companies, limited liability partnerships and Scottish partnerships, subject to the sender being clearly identified and providing a working unsubscribe. We rely on that exemption for UK corporate subscribers. Emails to sole traders, non-corporate partnerships and individuals rely on either consent or the soft opt-in.
Under Article 14 UK/EU GDPR we are required to give you this notice when we obtain your data from a third-party data enrichment provider. We do this at the latest in our first outbound email to you, by including a clear link to this notice.
In Germany, France, Italy, Spain, the Netherlands and certain other EU member states, local law requires express opt-in consent for most B2B email marketing. Where we send to prospects in those countries, we rely either on that consent or on an existing business relationship; otherwise we do not send.
Canadian recipients: under CASL we will only send you a commercial electronic message with your express or implied consent. Every commercial electronic message will identify us and provide our postal address and a functional unsubscribe link that will remain active for at least 60 days. We action unsubscribes within 10 business days.
US recipients: every commercial email complies with the CAN-SPAM Act. It identifies the sender, provides our postal address, does not use false or misleading header information, and gives a working opt-out. We honour opt-outs within 10 business days.
Right to object: you have an absolute right to object to direct marketing at any time and free of charge. If you do, we will stop and add you to our suppression list, which is applied to every system we use.
8. Website visitor identification and personalisation
hyperpersonalised.com will at times identify company-level information about business visitors (based on the IP address you connect from) and, where lawful, use a third-party visitor-identification provider to match your visit to your professional profile. We use this only to personalise the content of our website for business audiences. The specific provider in use is available on request - email privacy@hyperpersonalised.com.
UK and EU visitors: we will NOT set any non-essential cookie, pixel, SDK or identifier and we will NOT use any visitor-identification provider unless and until you give prior, informed, specific, granular consent via our consent banner. Until you consent, you will see a non-personalised version of the site.
California visitors: we provide a "Do Not Sell or Share My Personal Information" link in the footer. We treat use of visitor-ID and similar tracking technologies as a "sale" or "share" for CCPA/CPRA purposes and we honour the Global Privacy Control (GPC) signal automatically.
Other US visitors: we honour any valid Universal Opt-Out Mechanism signal in states where this is required (including Colorado, Connecticut, Texas, Oregon, Delaware, New Jersey, Montana and Maryland).
Canadian visitors: we treat meaningful consent under PIPEDA as required for the cookie/SDK, and for Quebec residents we apply Law 25 requirements.
9. Cookies and similar technologies
Our use of cookies and similar technologies is described in our Cookie and Tracking Technologies Notice, which is available from every page of hyperpersonalised.com.
10. Sharing of personal data
We share personal data with the following categories of recipient:
- Group companies of Struan (if any).
- Hyper platform customers, where Struan is processing their prospect data on their behalf.
- Our processors and sub-processors, who act on our documented instructions under an Article 28 data processing agreement. Categories include B2B data and enrichment providers, public-web scraping providers, sequencing providers, AI / large language model providers, scheduling providers, hosting providers, our consent management platform, our visitor identification vendor, our email service provider and our CRM. The current named list, with jurisdictions, transfer mechanisms and DPA status, is available on request - email privacy@hyperpersonalised.com or visit hyperpersonalised.com/subprocessors.
- Professional advisers (lawyers, auditors, insurers).
- Regulators, courts and law enforcement where required by law or to exercise legal rights.
- An acquirer or investor in connection with a business transaction.
11. International transfers
Some of our processors are located outside the UK / EEA, in particular in the United States. Where we transfer personal data outside the UK or EEA we put in place an appropriate safeguard:
- The UK's International Data Transfer Agreement (IDTA) or the UK addendum to the EU Standard Contractual Clauses (SCCs).
- The EU Standard Contractual Clauses (2021).
- The EU-US Data Privacy Framework where the recipient is certified.
We also carry out a Transfer Impact Assessment where required by Schrems II / UK ICO guidance. You can request a copy of the safeguard relevant to a transfer of your data by emailing privacy@hyperpersonalised.com.
12. Retention
We retain personal data only for as long as we need it for the purpose we collected it for, unless a longer period is required by law. Indicative retention periods:
| Data category | Retention |
|---|---|
| Outbound prospect data (no engagement) | 24 months from the last campaign contact, then deletion |
| Outbound prospect data (engaged - replied, booked a call) | Until the business relationship ends plus 6 years for statutory records |
| Website form submissions (demo, contact) | 36 months from submission |
| Newsletter subscribers | Until unsubscribe plus 12 months (then deletion) |
| Consent records | 6 years from consent or withdrawal |
| Suppression list entries | Indefinite (we keep these to honour your opt-out) |
| Cookies | Per cookie - see the Cookie and Tracking Technologies Notice |
| Server logs | Up to 12 months |
| Customer account data (Hyper SaaS) | Term of contract + 6 years |
13. Your rights (UK and EU residents)
Under UK GDPR / EU GDPR you have the following rights:
- Right to be informed (served by this notice).
- Right of access to your personal data (a Data Subject Access Request).
- Right to rectification of inaccurate or incomplete data.
- Right to erasure ("the right to be forgotten") in defined circumstances.
- Right to restriction of processing in defined circumstances.
- Right to data portability for data processed on the basis of consent or contract.
- Right to object to processing based on legitimate interests, including an absolute right to object to direct marketing.
- Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. We do not currently take such decisions. Our personalisation of landing pages is profiling under Article 4(4), but does not produce legal or similarly significant effects.
- Right to withdraw consent where processing is based on consent.
- Right to complain to a supervisory authority.
To exercise any right, email privacy@hyperpersonalised.com. We will respond within one calendar month under UK/EU GDPR. There is no fee in most cases.
14. Your rights (US residents)
Depending on your state of residence, you may have rights under one or more of the following statutes: California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa, Indiana, Tennessee (TIPA), Montana, Texas (TDPSA), Oregon (OCPA), Delaware (DPDPA), New Jersey (NJDPA), New Hampshire, Kentucky, Minnesota, Maryland (MODPA), Rhode Island.
These rights typically include:
- Right to know what personal information we have collected, used, disclosed and sold or shared.
- Right to delete personal information, subject to statutory exceptions.
- Right to correct inaccurate personal information.
- Right to portability of personal information you provided to us.
- Right to opt out of sale of personal information and of sharing for cross-context behavioural advertising.
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising your rights.
To exercise any right, email privacy@hyperpersonalised.com or use the "Do Not Sell or Share My Personal Information" link on every page. You can also authorise an agent to act on your behalf. We do not discriminate against anyone for exercising a privacy right. California residents can also request information about disclosures for direct marketing purposes under California's "Shine the Light" law.
15. Your rights (Canadian residents)
Under PIPEDA and Quebec Law 25 you have the right to access, correct and delete your personal information, to withdraw consent and to complain to the Office of the Privacy Commissioner of Canada or, in Quebec, the Commission d'accès à l'information. Quebec residents additionally have the right to data portability and the right to object to automated decision-making. Email privacy@hyperpersonalised.com.
16. Automated decisions and profiling
We use profiling to personalise outbound emails and landing pages. This means we infer information about your likely role, seniority, team size, relevant tasks and the approximate salary range for the role being hired for, and we use those inferences to tailor the message you see. The logic is: starting from publicly observable hiring signals and third-party enrichment data, we generate content that is relevant to that role. The significance is that you may see a different email, or a different landing page, from someone in a different role or a different company. There is no legal or similarly significant effect from this profiling - you can always contact us as a human, and no automated decision is taken that legally binds you.
Some of our outbound emails and landing-page content are generated with the assistance of artificial intelligence (a third-party large language model provider). Where this is the case, we tell you. Under Article 50 of the EU AI Act we clearly disclose AI involvement on the relevant communication itself. The specific provider in use is available on request - email privacy@hyperpersonalised.com.
17. Children
The Hyper platform and hyperpersonalised.com are not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe we have, contact privacy@hyperpersonalised.com and we will delete it.
18. Security
We maintain appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, access controls, logging, vendor due diligence, incident response procedures and staff training. Our incident response runbook provides for notification of a qualifying breach to the relevant supervisory authority within 72 hours and to affected data subjects where a high risk is likely.
19. Complaints
We would like to hear from you first if you have a concern. Email privacy@hyperpersonalised.com.
You can also complain to:
- In the UK: the Information Commissioner's Office (ICO), https://ico.org.uk.
- In the EU: your local supervisory authority, or the one designated through our EU representative.
- In California: the California Privacy Protection Agency or the California Attorney General.
- In other US states: the relevant state Attorney General.
- In Canada: the Office of the Privacy Commissioner of Canada. In Quebec: the Commission d'accès à l'information.
20. Changes to this notice
We may update this notice from time to time. The current version, effective date and version number are shown on the first page. Material changes will be communicated prominently on hyperpersonalised.com and, where we have your email, by email.