Privacy Policy

Who we are

HotHawk is a cold email platform that lets businesses run outbound email campaigns from their own mailboxes. This policy applies to the HotHawk website and application (together, the "Service").

The data controller for the Service is HotHawk Ltd, a company registered in England and Wales (company number 14998792), with its registered office at 27/28 Gelliwastad Road, Pontypridd, Wales, CF37 2BW. We are registered with the UK Information Commissioner's Office (ICO) under reference ZB709177.

Our data protection contact is Elliot Thomas. For any privacy question, or to exercise your rights, contact us at support@hothawk.ai.

Our role: controller and processor

We handle personal data in two different roles, and your relationship with us depends on which applies.

As a controller. For data about our own customers and website visitors, including account details, billing information, and how the Service is used, HotHawk Ltd is the controller and decides how and why that data is processed. This policy describes that processing.

As a processor. When a customer uploads their contact lists and runs campaigns, and when replies arrive into their account, that data belongs to the customer. The customer is the controller and decides what to do with it; HotHawk acts as their processor and only processes that data on their instructions, under ourData Processing Agreement. If you are a recipient of a campaign and want your data changed or removed, the quickest route is usually to contact the business that emailed you (see below).

Personal data we collect

In our role as controller, we collect and use the following categories of personal data.

Account and identity data

Your name, business email address, company name, and the details of any team members you invite. We use email-based sign-up, so we do not collect a social or single sign-on profile.

Billing data

Your plan, billing address, and a record of payments. Card details are handled directly by our payment processor; we do not store full card numbers, only limited information such as the last four digits needed to identify a payment.

Connection data for your mailboxes

To send and receive on your behalf, you connect your own sending mailboxes. For Google and Microsoft mailboxes this is done through secure OAuth authorisation, so we never see or store your password and you can revoke access at any time. For other providers you may connect using SMTP and IMAP credentials, which are stored in encrypted form.

Usage and technical data

Information about how you use the Service (such as campaigns created, sending volumes, reply and bounce rates, and deliverability metrics), along with IP addresses, access logs, and basic device and browser information used to keep the Service secure and working. We do not use open tracking or click tracking pixels in campaigns, by design.

Support data

Any information you give us when you contact support or correspond with us.

Content you create

Campaign copy, templates, custom fields, blocklists, labels, notes, and similar content you add to the Service.

If you received a cold email through HotHawk

If a business has emailed you using HotHawk, that business chose to contact you and decides what data it holds about you. HotHawk only processes that data on the business's behalf as its processor; we did not choose to contact you and we do not control how the business uses your details.

Because contact details are usually provided to our customers by you, obtained from your business's public information, or shared with them by others, we may process the following about recipients on a customer's behalf: name, business email address, job title, company, any custom fields the customer added, and the content and metadata of emails sent to and received from you. Our reply features may also process replies from colleagues who are copied in, forwarded the message, or otherwise looped into the conversation by you or the recipient.

To stop receiving emails or have your data corrected or deleted, the fastest route is to reply to the sender or use the unsubscribe or opt-out option in their message, because they control your data. You can also contact us atsupport@hothawk.ai and we will forward your request to the relevant customer and assist them in actioning it.

How and why we use personal data

Under UK and EU data protection law we must have a lawful basis for each use of personal data. In our role as controller we rely on the following.

• To provide the Service and our contract with you (performance of a contract): creating and running your account, processing campaigns, providing support, and taking payment.
• To run and improve our business (legitimate interests): keeping the Service secure, preventing abuse and fraud, understanding how the Service is used, and developing new features. We balance these interests against your rights and only rely on them where appropriate.
• To send you service and, where relevant, marketing messages (legitimate interests or consent, depending on the message and your preferences). You can opt out of marketing at any time.
• To meet our legal obligations (legal obligation): for example tax, accounting, and responding to lawful requests.

When we process recipient and reply data, we do so as a processor on our customers' instructions. The responsibility for having a lawful basis to email a given contact, and for complying with marketing and privacy laws, sits with the customer who sends the campaign. Our Terms of Service require every customer to confirm they have that lawful basis.

Who we share data with

We never sell personal data, and we do not share it for advertising. We share data only with the service providers (sub-processors) that help us run HotHawk, and only as needed. The categories are:

• cloud hosting and database providers (located in the European Economic Area and the United Kingdom);
• an email infrastructure provider that delivers transactional and campaign email;
• a payment processor that handles billing;
• an AI provider that powers our mailbox warmup feature; and
• security, content-delivery, and monitoring providers that keep the Service fast and safe.

If you choose to connect an optional integration (for example our Claude connector, a LinkedIn reply integration, or a CRM sync), data flows to that provider only because you enabled it. The named list of our sub-processors is set out in ourData Processing Agreement, which is available to customers. We may also disclose data where we are legally required to do so, or to protect our rights, users, or the public.

International data transfers

The personal data processed through the core Service is stored within the European Economic Area (EEA) and the United Kingdom. Transfers between the EEA and the UK are covered by the adequacy decisions in force between them.

A small number of providers are based outside the UK and EEA, most notably our payment processor in the United States. Where personal data is transferred outside the UK or EEA, we rely on a lawful transfer mechanism, such as the provider's certification under the EU-US Data Privacy Framework and its UK extension, the UK International Data Transfer Agreement, or the International Data Transfer Addendum to the EU Standard Contractual Clauses. You can ask us for more detail about the safeguards that apply to a particular transfer.

Google and Microsoft data

When you connect a Google or Microsoft mailbox, HotHawk's use of information received from Google and Microsoft APIs follows their respective API data policies, including theGoogle API Services User Data Policy and its Limited Use requirements. In particular:

• we use this data only to provide and improve the features of HotHawk that you can see and use in the application (such as sending your campaigns and bringing your replies into your inbox);
• we do not transfer or sell this data to third parties such as advertising platforms, data brokers, or information resellers;
• we do not use this data for advertising of any kind;
• we do not allow humans to read this data, unless you give specific consent to view particular messages, it is necessary for security or to comply with the law, or the data has been aggregated and anonymised for internal operations; and
• we do not use this data to train generalised or standalone artificial intelligence or machine learning models.

Our security has been independently assessed (CASA Tier 2) as part of meeting Google's requirements for applications that access mailbox data. You can review or revoke HotHawk's access to your Google or Microsoft account at any time through your account's security settings with that provider.

AI and automated processing

HotHawk uses artificial intelligence in a few specific, optional ways:

• Mailbox warmup. An AI provider generates warmup conversation content to help build sender reputation. This operates between warmup mailboxes and does not make decisions about you.
• Reply categorisation. Replies may be automatically sorted (for example positive, negative, or out-of-office) to help you manage your inbox. This is a convenience feature and does not produce legal or similarly significant effects on anyone.
• Claude connector. If you choose to connect HotHawk to Claude, campaign, reply, and analytics data is shared with that AI provider only at your request and only while the connection is active.

We do not use your data, or data from connected mailboxes, to train generalised AI models. We do not carry out solely automated decision-making that has a legal or similarly significant effect on you.

Cookies and tracking

We keep this simple. HotHawk does not use advertising or analytics tracking cookies, and our campaigns contain no open tracking or click tracking pixels. Our website uses only the cookies that are strictly necessary to make it work and keep it secure, and our application uses cookies that are necessary to sign you in and keep your session secure. Because we do not set non-essential cookies, you will not see a cookie consent banner. Our website also loads fonts from Google Fonts, which means your browser contacts Google to retrieve them. If we ever introduce analytics or other non-essential cookies, we will ask for your consent first and update this section.

How long we keep data

We keep personal data only for as long as we need it. Your account data is kept while your account is active. If you cancel, the data you processed through the Service is permanently deleted from our systems, except where we are required to keep limited records (for example billing records for tax purposes). Trial accounts that are never activated are deleted after 60 days, and frozen accounts after 180 days. When we act as a processor, we delete or return customer data in line with our Data Processing Agreement.

How we protect data

We maintain technical and organisational security measures appropriate to the data we hold. These include:

• encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
• connecting Google and Microsoft mailboxes through OAuth, so we never hold your password;
• role-based access control, multi-factor authentication, and least-privilege access for our team;
• secure software development practices, secrets management, and regular patching;
• access logging, anomaly detection, and a documented incident response plan; and
• regular backups with geographic redundancy.

No system can be guaranteed to be completely secure, but we work hard to protect your data and review our measures regularly.

Your privacy rights

Under UK and EU data protection law you have the right to:

• be informed about how we use your data (this policy);
• access the personal data we hold about you;
• have inaccurate data corrected;
• have your data erased in certain circumstances;
• restrict or object to processing, including an absolute right to object to direct marketing;
• data portability; and
• withdraw consent at any time, where we rely on consent.

To exercise any of these, email support@hothawk.ai. We will respond within one month and will not charge you in normal circumstances. If your data is held by a HotHawk customer (for example you received a campaign), we will pass your request to that customer and help them respond.

US state privacy rights

If you are a resident of California or another US state with a privacy law, you may have rights to know, access, delete, and correct your personal information, and to opt out of its sale or sharing.HotHawk does not sell personal information, and does not share it for cross-context behavioural advertising, so there is nothing for you to opt out of in that respect. To exercise any other right, contact support@hothawk.ai. We will not discriminate against you for exercising your rights.

Children's data

HotHawk is a business tool and is not directed to children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with data, contact us and we will delete it.

Complaints

If you have a concern about how we handle your data, please contact us first atsupport@hothawk.ai so we can try to resolve it. You also have the right to complain to a supervisory authority. In the UK that is the Information Commissioner's Office (ico.org.uk). If you are in the EEA, you may complain to the data protection authority in your country.

Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the date at the top and, where appropriate, notify you. Please check back periodically for the latest version.