Skip to main content
elite Logo
My account linkPress to access My account

Legal

Privacy Policy

How HULO Global Limited (trading as elite) collects, uses and protects your personal data when you use elite-software.co.uk.

Version 2.0 · Last reviewed June 2026

Summary (at a glance)

  • We are the data controller of personal data we collect through this website.
  • We collect what we need to take orders, deliver licence keys, run your account, comply with our legal obligations, and improve the service.
  • We use UK GDPR Article 6 lawful bases — contract, legitimate interests, legal obligation, and (for marketing) your consent.
  • We do not sell your personal data. We share it only with the processors that help us run the business (payment, email, hosting, fraud, support) and only as needed.
  • You have a full set of UK GDPR rights — access, correction, erasure, restriction, objection, portability, complaint. They're set out in §10.
  • If you're not happy, complain to us first — and you can also complain to the UK Information Commissioner's Office.

1. Who we are (the data controller)

HULO Global Limited (trading as elite) is the “data controller” for personal data collected through this website and our business operations.

Legal entity
HULO Global Limited
VAT registration
GB 406 9289 73
Registered office
Unit A, 82 James Carter Road, Mildenhall, United Kingdom, IP28 7DE
ICO registration
HULO Global Limited is registered with the UK Information Commissioner's Office as a data controller.
Data protection contact
privacy@eliteenterprisesoftware.com

We have not formally appointed a Data Protection Officer because we are not required to under Article 37 UK GDPR; data protection responsibility sits with the Director responsible for compliance.

2. What personal data we collect

We collect only what we need. Categories:

  • Identity & contact — name, billing address, delivery address, email, phone.
  • Account credentials — username, hashed password, multi-factor settings.
  • Order data — products purchased, prices, payment method (we do not store card numbers — payment is handled by Stripe / Braintree as our processors), invoice/PO references, delivery dates.
  • Business / B2B details — company name, role, VAT and company registration numbers, requested credit limit, payment-terms days, cost-centre, project code, approver email, delivery notes (where you supply them on the wholesale order pad or business application).
  • Communications — emails you send us, support tickets, chatbot transcripts, reviews you submit.
  • Technical data — IP address, browser type and version, device identifiers, time-zone, operating system, pages visited, referring URL, errors encountered.
  • Marketing & consent — newsletter subscription status, cookie consent records, your responses to marketing.
  • Compliance data — fraud-prevention checks (IP reputation, email-domain reputation, sanctions screening), terms-acceptance audit records (version, timestamp, IP, user-agent).
  • Visitor analytics — pages you visit on this site, the order you visit them in, how long you spend on each page, the referring URL (if any) and basic technical details (browser, operating system). Stored against two cookies — one short-lived per browsing session, one longer-lived (up to 2 years) per browser. Your IP address, browser, operating system, device type and approximate location (country / region / city, from a public IP geolocation database) are recorded alongside each event so we can investigate suspected abuse or fraud. Used only to understand how visitors use the site and to fix drop-off points in our buying flow — not used for advertising or sold to third parties.
  • Email engagement data — when we send you a transactional email (order confirmation, invoice, password reset, payment reminder, etc.) we record whether the email was delivered by our mail server, whether you opened it (via a 1×1 pixel loaded by your mail client) and whether you clicked any links inside it. We capture the date / time, your IP address and your mail-client user-agent at the moment of open / click. This is used only to support delivery, debug failed sends and detect bounces — it is not used to build a profile or to target marketing.

We do not collect special-category data (race, religion, health, sexuality, biometrics, etc.) and do not ask for it. Don't send it to us; if you do, we will delete it.

3. How we collect it

  • Directly from you — when you register, place an order, apply for credit, submit a quote request, contact support, or subscribe to a newsletter.
  • Automatically — cookies and similar technologies as you use the site (see our Cookies Policy).
  • From third parties acting as our processors — payment processors confirming a payment, Microsoft for licence-allocation, our hosting and email providers.
  • From public sources — Companies House (for verifying business buyers), sanctions / PEP lists, fraud-prevention feeds.

4. Lawful bases (Article 6 UK GDPR)

We process your personal data on these bases:

PurposeLawful basis
Take and fulfil your order; deliver licence keys; provide your accountPerformance of a contract (Art 6(1)(b))
Process payments via Stripe / Braintree / BACSPerformance of a contract
Issue invoices, keep tax records, run accountingLegal obligation (Art 6(1)(c)) — Companies Act 2006 / VAT Act 1994 / Money Laundering Regs
Fraud-prevention checks; IP/email reputation; sanctions screeningLegitimate interests (Art 6(1)(f)) — protecting our business and other customers from fraud
Improve the site; analytics; debuggingLegitimate interests — running and improving the service
Newsletter / promotional email to existing customers (about similar products)Legitimate interests under the soft-opt-in exemption (PECR reg 22)
Newsletter / promotional email to people who never bought from usConsent (Art 6(1)(a)) — captured at sign-up, withdrawable any time
Non-essential cookies and trackersConsent (under PECR + Art 6(1)(a))
Record terms acceptance with IP / user-agent / timestampLegitimate interests — proving contract formation
Track delivery, opens and clicks of transactional email we send you (order confirmation, invoice, password reset, payment reminder, etc.)Legitimate interests (Art 6(1)(f)) — ensuring reliable delivery of operational messages and diagnosing failed sends. You can disable image-loading in your mail client to opt out of open-tracking.
Respond to data-subject requestsLegal obligation

Where we rely on legitimate interests, we have weighed those interests against your rights and freedoms and concluded the processing is proportionate. You can ask us for the legitimate-interests assessment summary using the contact details above.

5. Who we share data with

We share your data only with the parties below, and only as needed:

  • Payment processorsStripe and Braintree for card payments. They are independent controllers for fraud-prevention purposes.
  • Software publishers — Microsoft (for licence allocation through the CSP programme) and other publishers whose licences you order. They are independent controllers in respect of the EULA you accept on activation.
  • Hosting & infrastructure — our cloud, CDN and email providers (UK / EEA-located where possible).
  • Email delivery — Gmail / Google Workspace SMTP for transactional and account emails. Newsletter ESPs where used.
  • Fraud-prevention sources — IP-reputation, disposable-email, and sanctions-list feeds (lookups are made, not pushed).
  • Professional advisers — accountants, lawyers, insurers, and auditors when needed to advise us or fulfil a legal obligation.
  • Regulators / law enforcement — only where we are required by law, court order, or to defend our legal rights.
  • Corporate transactions — if our business is restructured, sold or merged, your data may transfer to the new entity. We will tell you in advance where practicable.

We do not sell your personal data to anyone.

6. International transfers

Most processing happens in the UK or EEA. Where data leaves the UK (for example, where a processor uses US sub-processors) we rely on:

  • UK adequacy regulations (e.g. transfers to the EEA);
  • The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses;
  • The UK Extension to the EU-US Data Privacy Framework (for certified US recipients).

You can ask us for a copy of the transfer mechanism for any specific recipient.

7. How long we keep your data

We keep your personal data only as long as we need it:

DataRetention
Account record (no orders, dormant)3 years from last log-in, then anonymised
Order & invoice records (incl. names and addresses on invoices)7 years from the end of the tax year — HMRC requirement
Payment-related records / chargeback evidence6 years (Limitation Act 1980)
Marketing consents / opt-outsFor the life of the consent + 2 years (so we can prove the basis if you complain)
Cookie consent record12 months, then re-prompted
Terms acceptance audit (IP, UA, version)7 years (matches invoice retention)
Support tickets / contact emails3 years from resolution
Fraud / sanctions screening logs5 years (Money Laundering Regs & equivalent guidance)
Server access logs / security logs90 days standard; up to 12 months for forensic incidents

After the retention period we either delete the data or anonymise it so that you can no longer be identified.

8. Security

We use a defence-in-depth approach to protect your data: TLS 1.2+ on all public connections; database encryption at rest; hashed passwords (bcrypt); multi-factor authentication for admin access; principle of least privilege on internal systems; rate-limiting and fraud screening on the checkout; and regular security testing. We aim to limit the data we hold to what we actually need — the strongest defence is not collecting it in the first place.

No system is perfectly secure. If you believe you have found a security vulnerability, please report it under our Vulnerability Disclosure Policy.

9. Automated decisions & profiling

We use automated risk-scoring at checkout to detect fraud (factors include IP reputation, disposable-email lookup, velocity, mismatch between billing and shipping country). A high score may delay or block an order. This is not a solely-automated decision with legal or similarly significant effect under Article 22 UK GDPR — a human reviewer makes the final call where the score is borderline, and you can ask us to review any automated outcome.

We do not use your data for behavioural advertising on other websites.

10. Your rights under UK GDPR

You have the following rights in respect of your personal data:

  • Access — get a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — ask us to delete data we no longer need (subject to legal-retention obligations).
  • Restriction — restrict our processing in certain circumstances.
  • Objection — object to processing based on legitimate interests (including direct marketing — which we will always stop).
  • Portability — receive your data in a structured, machine-readable format.
  • Withdraw consent — where we relied on consent (e.g. newsletter, non-essential cookies).
  • Not be subject to a solely automated decision producing legal or similarly significant effects (Article 22).
  • Complain — to the ICO (see §13).

To exercise a right, email privacy@eliteenterprisesoftware.com. We respond within one month under Article 12 — extendable by two months for complex requests, in which case we'll tell you within the first month. There is no charge unless your request is “manifestly unfounded or excessive”.

We may need to verify your identity before we can act on a request — typically by emailing you on the address we hold, or by asking you to verify a recent order.

11. Cookies & similar technologies

See our separate Cookies Policy. You manage non-essential cookies via the on-site consent banner; strictly-necessary cookies (login, cart, security) do not require consent.

12. Children

Our service is sold to businesses and adult consumers. We do not knowingly process personal data of anyone under 16. If you believe a child has provided us data, tell us at privacy@eliteenterprisesoftware.com and we will delete it.

13. Complaints

Please tell us first if you think we've got something wrong — we want to fix it. You can also complain to the UK Information Commissioner's Office:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
0303 123 1113 · ico.org.uk/make-a-complaint

14. Changes to this policy

We update this policy when our practices change or the law changes. The current version and the date of last review are shown at the top. Where the change is material, we will tell you (e.g. by email or an in-product notice) before it takes effect.

15. Contact

Privacy questions: privacy@eliteenterprisesoftware.com. Postal address: HULO Global Limited, Unit A, 82 James Carter Road, Mildenhall, United Kingdom, IP28 7DE.