Privacy Policy

Last updated: May 2026

1. Introduction

Hawk Eye ("we", "us", "our") is an operations intelligence platform for retail and hospitality businesses. This privacy policy explains how we collect, use and protect personal information when you use the Hawk Eye service, website and related products.

This policy applies to all visitors, users, and customers of Hawk Eye. It is written in line with the UK Data Protection Act 2018 and the UK GDPR. By using Hawk Eye, you agree to the practices described here.

2. Information we collect

We collect information in three categories:

Account information. When you or your organisation create an account, we collect your name, work email, role, phone number (optional), and the organisation and country you belong to.

Usage data. We collect information about how you interact with Hawk Eye, including the reports you submit, the pages you visit, and the actions you take. This data is used to operate and improve the service.

Cookies and technical data. We use essential cookies to keep you signed in and to keep the service secure. We also collect technical information such as your browser type, device type, and IP address for security and diagnostics.

3. How we use your information

We use personal information for the following purposes:

  • To provide the Hawk Eye service to you and your organisation.
  • To authenticate and authorise users.
  • To send service-related communications, such as password resets, report reminders, and billing notices.
  • To respond to support requests and enquiries.
  • To improve the product, fix bugs, and develop new features.
  • To comply with our legal obligations.

4. How we share your information

We do not sell your personal data. We share data only with trusted third parties required to run the service:

  • Supabase — our database and authentication provider, for storing account and application data.
  • Vercel — our hosting and deployment provider, for serving the Hawk Eye application and website.
  • Resend — our transactional email provider, for sending notifications, reminders and account emails.

We may also disclose data if required by law, court order or other legal process, or to protect the rights, property or safety of Hawk Eye, our customers or others.

5. Connected social media accounts (Meta / Instagram)

Hawk Eye allows authorised administrators (typically a tenant admin or marketing lead) to connect their organisation's Instagram Business account so that weekly social analytics populate automatically into the marketing report and the executive dashboard. The connection is established through Meta's standard Facebook Login OAuth flow because the Instagram Business API requires it; Hawk Eye does not fetch, store or display any Facebook Page content or analytics.

What we receive from Meta when you connect Instagram:

  • The Instagram Business Account's public profile (username, profile picture, follower count).
  • Aggregate weekly metrics for the connected account: post counts, total likes, comments and saves, reach, impressions, profile views and weekly follower change.
  • An OAuth access token used to call the Instagram Graph API on the connecting administrator's behalf, plus the linked Facebook Page identifier and Page access token (an implementation detail required by Meta's API; never displayed in Hawk Eye).

What we do with this data:

  • We sync the metrics once per week (Mondays, 07:00 UTC) and on demand when an authorised admin clicks "Sync now".
  • The metrics are cached inside your organisation's Hawk Eye workspace and shown only to users in your organisation who have permission to view marketing reports or the executive dashboard.
  • We do not sell, share, advertise against, or use this data for any purpose other than rendering analytics inside your Hawk Eye workspace.
  • We do not read or store the content of your posts, comments, direct messages, or any Facebook Page activity. Only the aggregate counts listed above are retained.

Token storage: all OAuth access tokens (Instagram and the technically-required Facebook Page token) are encrypted at rest using AES-256-GCM with a key held outside the database. Tokens are never returned to the browser.

How to disconnect, deauthorise or delete data:

  • From Hawk Eye: sign in, go to Settings → Social Media, find the country, and click Disconnect. This revokes the token, deletes the Instagram account record from our database, and clears the cached weekly metrics for that connection.
  • From Meta / Instagram: go to your Facebook account's Settings & Privacy → Apps and Websites → Logged in with Facebook and remove "Hawk Eye". Meta will notify Hawk Eye via the standard Deauthorize Callback, and we will revoke the connection on our side automatically.
  • Full data deletion request: Meta's Data Deletion Callback is also wired up; if you request deletion through Meta, our endpoint at /api/auth/social/facebook/delete deletes all Instagram-related records associated with your account from our database. You can also request the same outcome by emailing privacy@hawkeye.vision with the subject line "Instagram data deletion"; we will action the request within 30 days.

Disconnecting only affects the live connection and the cache. Historical weekly figures that an administrator has already typed into a marketing weekly report remain in that report (they're part of your own internal record).

6. Data retention

For active accounts, we retain your data for as long as your organisation maintains a subscription to Hawk Eye.

After an account is cancelled, we retain your data for 90 days to allow for reactivation and final data export, after which it is permanently deleted from our production systems. Backups are rotated on a rolling basis and purged within a further 30 days.

7. Your rights

Under UK GDPR, you have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to correct inaccurate or incomplete data.
  • Deletion — ask us to delete your personal data, subject to legal exceptions.
  • Portability — request your data in a structured, machine-readable format.
  • Objection and restriction — object to certain processing or ask us to restrict it.

To exercise any of these rights, email privacy@hawkeye.vision. You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.

8. Security

We take data security seriously. All data is encrypted in transit using TLS, and encrypted at rest on our providers' infrastructure. Access to production systems is restricted to authorised personnel and protected by multi-factor authentication.

Role-based access control is enforced within Hawk Eye itself, so team members only see the data they are permitted to see. We regularly review our security practices and respond promptly to any incident.

9. Cookies

We use only essential cookies required for authentication and security. We do not use third-party advertising or tracking cookies, and we do not build advertising profiles. No consent banner is required because we do not set non-essential cookies.

10. Children's privacy

Hawk Eye is a business product and is not directed at or intended for children. We do not knowingly collect personal data from anyone under the age of 16. If we become aware that we have collected such data, we will delete it promptly.

11. Changes to this policy

We may update this privacy policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify customers by email. Continued use of Hawk Eye after a change constitutes acceptance of the updated policy.

12. Contact us

If you have any questions about this privacy policy or how we handle your personal data, please contact us at privacy@hawkeye.vision.