VistaConnect Privacy Notice
Version: 2.0
Effective from: 2026-04-22
Last reviewed: 2026-04-22
This notice explains how Data HQ Limited handles personal data in connection with the VistaConnect platform. It sits alongside the VistaConnect Terms of Service (which govern your commercial use of the platform), the VistaConnect Non-Disclosure Agreement (which covers confidentiality and Article 28 UK GDPR processor terms) and the Data Retention Schedule (which sets out how long we keep each category of information). In the event of conflict between these documents, the order of precedence set out in the Terms of Service applies.
1. Who we are
Data HQ Limited — company number 03751685, registered office Saxon House, 27 Duke Street, Chelmsford, Essex CM1 1HT.
Data HQ is registered with the UK Information Commissioner's Office (ICO) as a data controller, registration Z5561873.
Our internal Data Protection Lead is responsible for privacy compliance and can be contacted at legal@datahq.co.uk (postal: Saxon House, 27 Duke Street, Chelmsford, Essex CM1 1HT). A formal Data Protection Officer (UK GDPR Article 37) is not appointed because Data HQ's core activities do not meet the statutory threshold for mandatory appointment; we keep this position under review.
2. Our role — controller or processor
Under UK GDPR we may act as either a data controller or a data processor, depending on the data in question:
We are the controller in respect of:
- your account identifying information (email, name, password hash, company name, signup source);
- your billing and payment information;
- logs of your use of the platform (which endpoints you hit, when, how many credits you used);
- the underlying B2B database that VistaConnect queries against, which is built and maintained by Data HQ under licences from public and commercial sources (see section 4 — Sources of data). Our lawful basis for maintaining this database is legitimate interest in providing B2B data services to businesses.
We are the processor in respect of any data you upload through the Data Audit, List Builder or Find Look-alikes features, including personal data in uploaded files. When we act as processor, you are the controller; our processing is carried out only on your instructions for the purposes of the Project described in the NDA. Article 28 contractual obligations are set out in section 17 of the NDA.
3. Lawful basis for processing
We rely on one or more of the following bases:
- Contract. Most processing, in order to provide the VistaConnect platform you signed up for.
- Legitimate interest. For security monitoring, fraud prevention, service improvement, and maintenance of the underlying B2B database. We have performed a Legitimate Interests Assessment for the database which considers the necessity of the processing, its proportionality to the purpose, and the reasonable expectations of individuals whose data appears in the database in their professional capacity as employees, officers or representatives of a business. We consider that our legitimate interest in providing accurate B2B business information is not overridden by the rights and freedoms of those individuals, whose data is drawn from public registers or commercially licensed sources and does not relate to their private lives. You may request a summary of our LIA from legal@datahq.co.uk, and you may object to inclusion in the database or request suppression of your entry at any time by writing to the same address.
- Legal obligation. To retain accounting, tax and audit records for the period required by UK tax and accounting law.
- Consent. Where we rely on it (for example, optional marketing communications). You may withdraw consent at any time.
4. What we collect, and where it comes from
From you, directly: account data (name, work email, hashed password, company name, signup source, verification status, login timestamps); billing data (company billing address, VAT number, payment history recorded by Stripe — card numbers are never seen by Data HQ); files and content you upload; usage data; technical data (IP address, browser type, timestamps) for security and abuse-monitoring.
Sources of data held in our B2B database (Article 14 disclosure): we build the underlying B2B database from a combination of public and commercially licensed sources, including:
- Companies House (UK register of companies) — licensed Crown Copyright data;
- Royal Mail Postcode Address File (PAF) — licensed address data;
- Licensed B2B contact-data providers — commercial licences with providers who warrant a lawful basis for the data they supply us;
- Published corporate websites — public business information;
- Direct updates from data subjects — where individuals correct or request suppression of their entries.
The personal data in our B2B database relates to individuals in their professional capacity (for example, company directors recorded on public registers, or named contacts supplied by licensed business-data partners). We do not process special categories of personal data.
We ask that you do not upload special-category data to the platform.
5. How long we keep it
See the VistaConnect Data Retention Schedule at vista.datahq.co.uk/legal/retention for the full position. In summary:
- Audit jobs and their results — 30 days from job completion, automated.
- List Builder purchased lists — 24 months from purchase.
- Your account — until you ask us to delete it (self-serve deletion is available in Settings).
- Tax and accounting records — up to 7 years from the end of the relevant accounting period, as required by UK law.
- Operational logs — 30 days (90 days for audit-flagged events).
- Database backups — 7-day rolling window.
Where you exercise your right to erasure, your data is removed from our live systems within 24 hours. Your data may persist in system backups for up to 7 additional days while the backup window rolls forward; it is not accessible for operational use during that period and will be automatically aged out.
6. Where we store it
VistaConnect is hosted in Microsoft Azure's UK South region. Personal data does not leave the UK in the ordinary course of processing. Some sub-processors may process data outside the UK (see section 7).
Where personal data is transferred from the UK to a country without a UK adequacy decision, Data HQ relies on the UK International Data Transfer Agreement, or on EU Standard Contractual Clauses with the UK Addendum, together with supplementary measures as appropriate.
7. Sub-processors and other third parties
We do not sell your personal data. The following sub-processors assist in delivering VistaConnect:
| Sub-processor | Purpose | Location | Transfer mechanism (if outside UK) |
|---|---|---|---|
| Microsoft Azure | Cloud hosting, database, email delivery (Azure Communication Services) | UK (primary), EU/US (limited operational) | UK IDTA + Microsoft Data Processing Addendum |
| Stripe Payments | Payment processing and subscription billing | USA / Ireland | UK IDTA + UK Addendum to EU SCCs |
| Azure OpenAI | AI-assisted features (Blog Bot, Data Audit field mapping) | West Europe / UK | UK IDTA |
Azure OpenAI training. Data processed through the Azure OpenAI Service is subject to Microsoft's commitment that customer inputs and outputs are not used to train, retrain or improve the foundation models made available through the service, nor are they shared with other Microsoft customers or OpenAI. See Microsoft's published Azure OpenAI data handling terms for the current position.
We commit to giving you at least 30 days' notice of any proposed addition or replacement of a sub-processor, by email and by a banner on the platform. The current list is also published and maintained at vista.datahq.co.uk/legal/sub-processors.
We share personal data with third parties only in these circumstances:
- with sub-processors, as described above;
- where legally required (see section 6 of the NDA);
- with a successor business in the event of a merger, acquisition or reorganisation — in which case your rights under this notice transfer with the business, and the successor is bound by these terms until it publishes an equivalent notice of its own to you.
8. Your rights
You have the following rights under UK GDPR in respect of your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data, subject to the statutory exceptions in the Retention Schedule.
- Restriction — ask us to pause processing while a query is resolved.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing we carry out on a legitimate-interest basis, including processing for direct marketing (we will stop without exception if you object to direct marketing).
- Withdrawal of consent — where consent is the lawful basis.
To exercise any right, email legal@datahq.co.uk. We respond within 30 days (extendable by a further 60 days for complex requests, with explanation).
If you are dissatisfied with our response, you may complain to the Information Commissioner's Office:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — ico.org.uk/make-a-complaint — 0303 123 1113.
9. Data security
We protect your data with a combination of technical and organisational measures:
- Encryption in transit — TLS 1.2+ for all portal and API traffic.
- Encryption at rest — Azure-managed encryption for databases, backups and object storage.
- Access controls — access to production data is restricted to named Data HQ personnel on a need-to-know basis, with mandatory multi-factor authentication.
- Sub-processor contracts — all sub-processors are contractually bound by equivalent data-protection obligations.
- Incident response and notification. We will notify the Information Commissioner's Office of any reportable personal-data breach within 72 hours of Data HQ becoming aware, in line with UK GDPR Article 33. Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, in plain language, describing the breach, the data affected, the likely consequences and the steps we are taking.
10. Cookies and tracking
The VistaConnect logged-in portal uses only strictly necessary cookies to keep you logged in and remember UI preferences. We do not use third-party advertising or cross-site tracking cookies within the logged-in portal.
The public marketing pages (vista.datahq.co.uk homepage and similar) may use analytics cookies, subject to a separate cookie notice presented to you on your first visit and available from the footer of those pages.
11. Automated decision-making and profiling
We do not carry out any automated decision-making that has legal or similarly significant effects on individuals. Certain features (for example, the credit grade displayed in the Company Intelligence view) are derived from public Companies House filings and are informational only; they are not used to make automated decisions about individuals.
12. Children
VistaConnect is a B2B platform intended for use by people acting in a business capacity. It is not intended for use by individuals under 18 and we do not knowingly create accounts for anyone under 18.
13. Marketing
We may send you transactional emails about your account (verification, billing, breach notifications, account changes). We may also send you infrequent service-related announcements relevant to your use of the platform, on the basis of our legitimate interest in keeping you informed. We do not send unsolicited marketing to individuals under PECR without your consent. You can opt out of non-transactional communications at any time using the link in each message or by emailing legal@datahq.co.uk.
14. Changes to this notice
We may update this notice from time to time. The version number and last-reviewed date at the top of this document tell you when. Material changes (defined as changes that reduce your rights, expand the purposes for which we use your data, or change our sub-processors in a way that affects where your data is processed) will be notified by email at least 14 days in advance and require you to re-accept on next login. A changelog is maintained at vista.datahq.co.uk/legal/privacy/changelog.
Quick reference
- General data-protection queries — legal@datahq.co.uk
- Postal address — Data HQ Limited, Saxon House, 27 Duke Street, Chelmsford, Essex CM1 1HT
- ICO registration — Z5561873
- ICO (UK regulator) — ico.org.uk (or 0303 123 1113)
