Privacy Policy
This Privacy Policy explains what personal data Hulo Global Limited collects when you buy or use our Vendure plugins, why we collect it, how long we keep it, and the choices you have. We have tried to write it in plain English.
1. Who we are (the data controller)
Hulo Global Limited, a company registered in England and Wales (company number 17134928), registered office Unit A, 82 James Carter Road, Mildenhall, IP28 7DE, United Kingdom.
For the data we collect about you in connection with the sale and operation of our Vendure plugins, we are the controller as defined in the UK GDPR and (where applicable) the EU GDPR.
2. Scope
This Policy covers personal data we collect when you:
- browse huloglobal.com;
- buy a subscription or lifetime licence at elite.charity/licence/buy/<plugin>;
- use the customer self-service endpoints we operate (Customer Portal, key resend, GDPR data export);
- email or otherwise contact us.
This Policy does not cover your own end users' data that the plugins capture inside your Vendure installation. When you run our plugins on your servers, you are the controller of that data; we never see it.
3. What personal data we collect
| Data | When |
|---|---|
| Email address | at checkout, on key resend, on GDPR requests |
| Name, billing address, VAT number (if a company) | collected by Stripe at checkout; we receive a copy via the receipt webhook |
| Card fingerprint (a SHA-256 hash from Stripe, not the card number) | stored against the licence record to detect duplicate trial attempts; the card number itself is never seen by us |
| Stripe identifiers (customer id, subscription id, payment intent id) | stored with the licence record |
| IP address | in temporary rate-limit memory for the public endpoints; not persisted |
| Domain name (the hostname your licence is bound to) | embedded in the licence key; collected when you tell us |
| Correspondence | when you email us |
| Plugin heartbeat (plugin name, version, licence jti, SHA-256 fingerprint of the embedded public key + verifier source, uptime in seconds) | sent automatically by each plugin to elite.charity/licence/heartbeat once a day. Contains no personal data of you or your end users. The source IP is hashed with a per-install salt at insert time and the raw IP is never stored. You can opt out by setting HULO_HEARTBEAT_DISABLED=true in the host environment. |
4. How we use it and our lawful basis
| Purpose | Lawful basis |
|---|---|
| Issue, deliver, renew and revoke your licence key | Performance of contract (UK GDPR art. 6(1)(b)) |
| Take payment, process refunds, comply with tax law | Performance of contract + legal obligation (art. 6(1)(b)+(c)) |
| Send a trial-ending reminder (~2 days before billing) | Performance of contract |
| Detect trial abuse via card fingerprint | Legitimate interest (preventing financial loss); balanced against your interest with strict scope: only the fingerprint, not the card |
| Rate-limit public endpoints to prevent abuse | Legitimate interest (security) |
| Receive daily plugin heartbeats (anti-tamper telemetry) | Legitimate interest (preventing licence circumvention + identifying installs running modified or known-bad builds when triaging support). No personal data is collected; opt-out via HULO_HEARTBEAT_DISABLED=true |
| Respond to your support requests | Performance of contract |
We do not use your data for marketing, profiling or automated decisions that produce legal effects on you. We do not sell your data.
5. Who we share data with
The only third-party processors we use are:
- Stripe Payments Europe, Ltd — processes your card payment and stores your billing details. Stripe's privacy policy.
- Google Workspace — Gmail SMTP is used to send you the licence email and any subsequent service emails. Google's privacy policy.
- Cloudflare, Inc — fronts our public endpoints (TLS termination, DDoS protection, IP geolocation for rate-limiting). Cloudflare's privacy policy.
- GitHub, Inc — hosts our public source repositories. Not relevant to your personal data unless you open an issue on our public repos.
We do not give your personal data to any other third party except where required by law (for example, in response to a valid order from a UK court or regulator).
6. International transfers
Stripe processes EU/UK card data in the EEA; our Stripe Dashboard access transfers some metadata to the United States. The UK-US Data Bridge and the EU-US Data Privacy Framework provide the lawful basis for these transfers.
Google and Cloudflare may transfer data to the United States under the same frameworks.
7. How long we keep data
- Active licence records: for the lifetime of the licence + 7 years after expiry/cancellation to satisfy tax and accounting law.
- Trial claim records (email + card fingerprint): 24 months, to enforce the one-trial-per-customer policy.
- Webhook deduplication records: 30 days.
- Rate-limit memory: in-process only — never persisted.
- Correspondence: 24 months after the last contact, unless we need it longer to defend a claim.
If you exercise your right to erasure (see below), we will anonymise the email column on every record and delete the trial claim row entirely. The licence id (jti) remains in our revocation list so the key can be invalidated, but no personal data remains on our side. Stripe retains its own copies for as long as their retention policy and their own legal obligations require — usually 7 years for invoices.
8. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you;
- Rectification of inaccurate or incomplete data;
- Erasure ("right to be forgotten");
- Restriction of processing;
- Portability — receive a copy of your data in a machine-readable format;
- Object to processing based on legitimate interest;
- Withdraw consent (if we ever rely on consent — we currently do not).
You can exercise the access and erasure rights yourself, instantly, at elite.charity/licence/privacy. We will email you a magic link to view (and optionally delete) every record. For any other right, email us at [email protected] and we will respond within 30 days.
9. Cookies
Our marketing site (huloglobal.com) sets no cookies of any kind. The currency preference on the buy page is stored in localStorage, which is technically not a cookie and is exempt from PECR consent requirements; you can clear it any time via your browser settings.
Our checkout pages (elite.charity) set a session cookie only if you proceed through Stripe Checkout. Stripe sets its own cookies for fraud prevention and accessibility — see Stripe's cookie policy.
See our Cookie Policy for the full list.
10. Children
Our services are not directed at children and we do not knowingly collect personal data from anyone under 18.
11. Security
We take security seriously. Specifics include: HMAC-signed webhooks; HMAC-signed cookies on the visitor-analytics plugin; HMAC-signed open/click URLs on the email-tracking plugin; rate-limiting on every public endpoint; security headers on every response; SHA-256 hashing of IP addresses we store; AES-256-CBC encrypted weekly backups of the licence private key; offline JWT verification so we cannot be remotely compromised by a single endpoint being breached.
12. Changes to this Policy
We may update this Policy from time to time. We will publish the new version at this URL and notify active customers of material changes by email at least 30 days before they take effect.
13. Complaints
If you are unhappy with how we handle your personal data you can complain to the UK Information Commissioner's Office (ICO) at ico.org.uk/concerns or by phone on 0303 123 1113. We would prefer to hear from you first so we can put things right.
14. Contact
For any privacy question, email [email protected] with "Privacy" in the subject.
- 2026-06-21 — Initial publication.