Our regulatory standing
- Registered controller with the Information Commissioner's Office, reference ZB295864.
- Subject to UK GDPR and the Data Protection Act 2018.
- Companies House registration 11828717.
Controller versus processor
We act in two distinct roles depending on the activity:
- As a controller for our own business records: enquiries, contracts, billing, marketing, recruitment, internal IT and security telemetry.
- As a processor when we manage IT systems on behalf of a client. In that role we only process personal data on the client's documented instructions, set out in a written data-processing agreement.
Categories of data we process
- Identity and contact data (names, emails, phone numbers, business names and roles).
- Account and authentication data (usernames, hashed passwords, MFA records).
- Device and network data (IP addresses, device names, MAC addresses, OS and patch state, location of fixed kit).
- Communications data (email metadata, ticket and chat history with our service desk).
- Financial data (billing addresses, invoice history; full card numbers are handled by our PCI-compliant payment provider, not by us).
- Special category data: only where a client expressly asks us to handle it (for example, a vet practice's clinical-system back-up). We will sign an additional schedule before doing so.
Lawful bases
| Activity | Lawful basis |
|---|---|
| Quoting for and delivering services | Performance of a contract |
| Account administration and billing | Performance of a contract; legal obligation |
| Service-desk operations and security monitoring | Legitimate interests (keeping client systems available and safe) |
| Tax, accounting and audit | Legal obligation |
| Marketing to existing clients (B2B) | Legitimate interests, with an unsubscribe link in every message |
| Recruitment | Legitimate interests; consent for retained CVs |
Sub-processors
We use the following key sub-processors. The list is reviewed at least annually and clients are notified of changes that affect them:
- Microsoft — Microsoft 365 (email, files, identity), Microsoft Azure.
- OpenText / Carbonite — endpoint and server backup.
- Datto — managed network infrastructure and BCDR.
- HaloPSA / equivalent — service-desk and ticket records.
- Xero — accounting, invoicing.
- Stripe / GoCardless — payment processing.
International transfers
Data is processed in the UK or the EEA wherever possible. Where data leaves the UK (for example, to a US-based vendor), we rely on the UK adequacy regulations or the International Data Transfer Agreement together with the appropriate technical safeguards (encryption in transit and at rest, role-based access).
Security measures
- MFA on every administrative account.
- Role-based access; least privilege; quarterly access review.
- Endpoint protection, EDR and patch management on every device we manage.
- Backups encrypted in transit and at rest, with periodic restore testing.
- All laptops and removable media full-disk encrypted.
- Documented incident-response plan; clients notified within 72 hours of a confirmed breach affecting their data.
Retention
We keep data only for as long as we need it for the purpose for which it was collected, plus any period required by law (typically six years for tax records). We hold a written retention schedule which is reviewed annually.
Data-subject rights
Where we are the controller, you can exercise the rights set out in the UK GDPR (access, rectification, erasure, restriction, objection, portability, and the right not to be subject to solely automated decisions). Where we are the processor, please contact your own organisation, who is the controller; we will support that organisation in responding within the statutory timeframe.
How to contact us
Email contact@hanototechnology.com or write to: Data Protection, Hanoto Technology Ltd, Unit 3 Mill Farm, Barcombe Mills, Lewes, BN8 5BT.
Right to complain
You can complain to the Information Commissioner's Office at ico.org.uk/make-a-complaint, by phone on 0303 123 1113, or by post to: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.