Introduction
Welcome to HUB BY THE WEB GUYS ("we", "our", "us"). We provide a multi-tenant business platform — every customer ("Tenant") receives their own dedicated deployment for managing customers, content, communications, scheduling, e-commerce, and connected services including social media accounts.
We are committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable equivalent regulations in jurisdictions where we operate.
This Privacy Policy explains:
- What information we collect about you
- How and why we use it
- How long we keep it
- Who we share it with
- The rights you have over your data
- How our multi-tenant model works for connected services such as social media accounts (see Section 6 — this is the most important section if you've connected a social platform to your Tenant workspace)
If you do not agree with this policy, please do not use the platform.
Who is the Data Controller?
TWG HUB is the data controller for:
- Public website visitors (e.g. anyone browsing https://thewebguys.co.uk)
- Direct customers — i.e. people who sign up for a HUB BY THE WEB GUYS subscription ("Tenants")
- People who contact us via support, sales, or any contact form
Each Tenant is the data controller for personal data of their own end users (e.g. their customers, leads, members, employees, video testimonial contributors). In that capacity HUB BY THE WEB GUYS acts as a data processor on behalf of the Tenant, governed by our Data Processing Addendum.
Information We Collect
We collect different categories of data depending on how you interact with the platform.
3.1 Information you provide directly
- Account data — name, email address, password (hashed using bcrypt), company name, role, billing address
- Profile data — profile photo, bio, job title, time zone, language
- Content data — anything you create or upload: video testimonials, blog posts, social media drafts, calendar events, courses, members, products, messages, customer records
- Communication data — messages, support tickets, replies, attachments
- Payment data — billing name and address; full card numbers are never stored on our systems — payment processing is handled by our payment provider (Stripe)
- Booking and scheduling data — appointment requests, availability, attendee details
3.2 Information collected automatically
- Device and browser data — IP address, browser type and version, operating system, device type, screen resolution, language
- Usage data — pages visited, time spent, click paths, referrers, feature interactions
- Cookie and tracking data — see Section 11
- Server logs — timestamps, API calls, error reports, security events
3.3 Information from connected services
When you (or a member of your Tenant team) connect a third-party service to your workspace — for example a social media account, Google Calendar, Outlook, Stripe, Google Ads, an email provider, or an AI provider — we receive data from that service as authorised by you during the OAuth permission flow. See Section 6 for the specifics of social media connections.
3.4 Information from public sources
- Aggregated and anonymous traffic data from analytics providers (e.g. Google Analytics)
- Publicly available business information when used to enrich CRM contacts you create
How We Use Your Information
We use your data for the following purposes:
| Purpose | Examples |
|---|---|
| Service delivery | Running your account; storing your content; running scheduled jobs (drip campaigns, social publishing, reminders) |
| Account management | Authentication; password reset; billing; subscription changes |
| Analytics & product improvement | Understanding feature usage; performance monitoring; identifying bugs |
| Communications | Transactional emails (booking confirmations, password reset, billing); service updates; opt-in marketing communications |
| Legal compliance | Responding to lawful requests; meeting tax / accounting obligations |
| Security & fraud prevention | Detecting abuse; rate limiting; investigating incidents |
| Customer support | Answering questions; troubleshooting issues |
We do not use your business or end-customer data to train any AI model or share it with AI providers other than to fulfil a request you have explicitly made (e.g. clicking "Generate post with AI" sends the necessary context to the AI provider you have configured under your own credentials — see Section 7).
Legal Basis for Processing (UK GDPR)
| Legal basis | When we rely on it |
|---|---|
| Contractual necessity | Providing the platform services you have signed up for |
| Consent | Marketing emails; non-essential cookies; specific feature opt-ins |
| Legitimate interests | Analytics, product improvement, fraud prevention, security |
| Legal obligation | Tax records, regulatory reporting, lawful requests |
Where we rely on legitimate interests, we have carried out a balancing test and concluded that our interest does not override your rights.
Connected Social Media Accounts
6.1 How our social media integration works
HUB BY THE WEB GUYS is registered as a developer with the social media platforms we integrate with — currently LinkedIn, X (formerly Twitter), Facebook, Instagram, TikTok, Pinterest, and YouTube. We operate one master developer application per platform under our company account.
When a Tenant connects their own social media account to their HUB BY THE WEB GUYS workspace, the connection happens through that master developer application:
1. The Tenant clicks "Connect [platform]" in their HUB BY THE WEB GUYS admin.
2. They are redirected to the social platform's standard OAuth consent screen.
3. The social platform asks them to authorise our application against their own account with a defined set of permissions ("scopes").
4. On approval, the social platform returns an OAuth access token (and, in most cases, a refresh token) scoped specifically to that user's social account.
5. We store the token encrypted and namespaced to the Tenant's deployment. No other Tenant can read, use, or even see the existence of that token.
6.2 What data we receive from your connected social account
Only the data necessary to provide the publishing, scheduling, analytics, and engagement features you've enabled. Specifically:
We do not request, read, store, or process:
- The contents of your private messages or direct messages
- Your social media followers' personal data (only aggregate metrics)
- Data unrelated to the publishing / scheduling / analytics features
6.3 Where social media data is stored and who can access it
- Tokens are encrypted at rest and stored only in your Tenant's database
- Tokens are scoped to the user who connected the account and the Tenant's deployment
- Other Tenants on the HUB BY THE WEB GUYS platform cannot read, use, or even detect the existence of your tokens or social data
- HUB BY THE WEB GUYS staff access is restricted to authorised engineers resolving a specific support incident, under signed confidentiality obligations, and is logged in our audit trail
- Posts you draft, schedule, or publish through HUB BY THE WEB GUYS are stored in your Tenant's database — not on any shared system
6.4 How we use your social media data
Only to deliver the features you have explicitly turned on:
- Publishing: posting content you have created or approved
- Scheduling: queuing posts for future publication at times you specify
- Analytics: showing you post performance metrics returned by the platform's API
- Engagement: surfacing comments / mentions where the platform's API supports it and you have enabled it
- Approval workflow: routing posts through your team's review process before publication
We never:
- Sell, share, license, or trade your social media data with third parties
- Use your social media data to train any AI model
- Post on your behalf without your explicit action (manual click, scheduled publication you configured, or auto-publish setting you turned on)
- Access posts on behalf of one Tenant from another Tenant's account
6.5 Compliance with social media platform policies
Our use of each social platform's API complies with that platform's developer terms and privacy requirements, including but not limited to:
- Meta Platform Terms and the Facebook / Instagram Platform Policies
- X Developer Agreement and Policy
- LinkedIn API Terms of Use
- TikTok for Developers Terms of Service
- Pinterest Developer Guidelines
- YouTube API Services Terms of Service
By using our platform you also agree to the relevant social platform's terms.
6.6 How to revoke our access
You can disconnect any social account at any time:
- From within HUB BY THE WEB GUYS: Admin → Integrations → click "Disconnect" on the relevant platform card
- From the social platform itself:
  - LinkedIn → Settings → Permitted Services → revoke HUB BY THE WEB GUYS
  - X → Settings → Apps and Sessions → revoke
  - Facebook / Instagram → Settings → Business Integrations → revoke
  - TikTok → Settings → Manage app permissions
  - Pinterest → Settings → Apps → revoke
  - YouTube (Google) → myaccount.google.com → Third-party apps → revoke
When you disconnect, we delete the OAuth tokens immediately and any cached profile/metric data within 30 days. Posts you have already published to the social platform are not affected — they remain on that platform under the platform's own retention rules.
6.7 Data deletion requests for social media data
You may request deletion of all social-media-derived data we hold by contacting info@thewebguys.co.uk. We will:
- Confirm receipt within 5 working days
- Complete deletion within 30 days (or 90 days for Meta-platform data, per Facebook's requirements)
- Confirm completion in writing
Connected AI Providers
HUB BY THE WEB GUYS integrates with AI providers (OpenAI, Anthropic, Google Gemini, and others). Importantly:
- AI provider credentials are supplied by you under your own developer account — HUB BY THE WEB GUYS does not pool AI usage across Tenants
- Data sent to AI providers is only what is necessary to fulfil the specific request you initiated (e.g. the post you asked the AI to draft)
- We do not retain prompts or responses beyond what is needed to display the result back to you
- The AI provider's own privacy policy applies to data they receive from us on your behalf
If you do not want any data sent to AI providers, do not enter AI provider credentials in your admin settings and do not use AI-powered features.
Data Sharing and International Transfers
We do not sell your personal data. We share data only with:
- Sub-processors providing necessary infrastructure (hosting, payment processing, email delivery, analytics). A current list is available on request and is part of our DPA
- Connected services you authorise (social platforms, AI providers, Stripe, Google services, etc.) — only the data needed for the feature you enabled
- Authorities when required by law, regulation, lawful process, or to protect rights, property, or safety
- A successor entity in connection with a merger, acquisition, or sale of assets — and only on terms equivalent to this policy
International transfers
Where data is transferred outside the UK / EEA, we ensure appropriate safeguards are in place — typically Standard Contractual Clauses (SCCs) or an adequacy decision recognised by the UK government.
Data Retention
| Data category | Retention period |
|---|---|
| Active account data | Duration of subscription + 90 days |
| Deleted account data | Permanently removed within 30 days of deletion request (except where law requires retention) |
| Social media OAuth tokens | Deleted within 24 hours of disconnect; cached metrics within 30 days |
| Financial / billing records | 6 years (UK tax law) |
| Marketing consent records | Lifetime of consent + 12 months |
| Server access logs | 90 days |
| Audit logs (security / compliance) | 26 months |
| Anonymised analytics | Indefinitely (no longer constitutes personal data) |
Your Rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate or incomplete data
- Erasure — request deletion ("right to be forgotten")
- Restriction — request that we limit how we use your data
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests or direct marketing
- Withdraw consent — at any time, without affecting the lawfulness of prior processing
To exercise any right, email info@thewebguys.co.uk. We respond to legitimate requests within one month (extendable by a further two months in complex cases, with notice).
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience, analyse usage, and (where you have consented) for marketing.
| Cookie category | Purpose | Typical duration |
|---|---|---|
| Essential | Authentication, session, security, CSRF protection | Session / 30 days |
| Preferences | UI language, theme, view choices | 12 months |
| Analytics | Aggregated usage statistics (e.g. Google Analytics) | 26 months |
| Marketing | Campaign attribution and conversion (only if you opt in) | 12 months |
You can manage cookies through your browser settings. Disabling essential cookies will break core functionality.
Security
We protect your personal data with appropriate technical and organisational measures:
- TLS / HTTPS for all data in transit
- Encryption at rest for sensitive fields (passwords, OAuth tokens, API keys)
- Role-based access control with principle of least privilege
- Audit logging of administrative actions
- Automated dependency security scanning and regular vulnerability assessments
- Tenant data isolation — physical separation at the deployment level
- Secure password hashing (bcrypt)
- Rate limiting and anomaly detection on authentication endpoints
- Encrypted, off-site backups
While we use commercially reasonable means to protect your data, no system is 100% secure. We cannot guarantee absolute security.
Children's Privacy
Our platform is not directed at individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided data to us, please contact info@thewebguys.co.uk and we will delete it promptly.
Changes to This Policy
We may update this policy to reflect product changes, legal requirements, or our practices. When we make material changes we will:
- Update the Effective date at the top of this page
- Notify registered users by email when changes are significant
- Post a prominent notice on the platform for at least 30 days
We encourage you to review this policy periodically.
Contact Us
For privacy questions, data requests, or complaints:
- Email: info@thewebguys.co.uk
- Website: https://thewebguys.co.uk
- Data Controller: TWG HUB
For complaints, you may also contact the Information Commissioner's Office (ICO) — ico.org.uk.
