Privacy Policy
22nd January 2026
bearhug Customer Privacy Notice
This privacy notice tells you what to expect us to do with your personal information.
- Contact details
- What information we collect, use, and why
- Lawful bases and data protection rights
- Where we get personal information from
- How long we keep information
- How to complain
Introduction
We always recommend that our customers read this privacy policy in full. It explains who we are, how and why we collect personal data from you, how and why it will be processed by us and our commitment to protecting your data.
We have summarised the key points for you below:
- bearhug is a trading style and registered trademark of Mistral Data Limited. We are registered as a data controller with the Information Commissioner's Office and our registration number is ZB253719.
- We have appointed a Data Protection Officer. They are responsible for our approach to data protection and protecting your privacy. You can contact them at Mistral.DPO@firstgroup.co.uk
- We process (i.e. handle) your personal data to provide our services to you. Under data protection laws, we are only permitted to process your personal data where we have a legal basis for doing so. We will only ever process your personal data in compliance with applicable law.
- We may share your personal data with our third-party suppliers, including payment processors and data analysts, to enable the efficient and secure provision of services to you. Except as explained in this privacy policy, we will not share your data with third parties without your consent unless required to do so by law.
- We will keep your personal data for as long as we need it. How long we need your personal data depends on what we are using it for, whether that is to provide services to you, for our own legitimate interests (described below) or so that we can comply with the law. We will actively review the information we hold and when there is no longer a customer, legal or business need for us to hold it, we will either delete it securely or in some cases anonymise it.
- We may transfer your personal data to a recipient located outside of the United Kingdom (UK). If we do this, we will ensure that the transfer mechanism provides an adequate level of protection, which has been recognised by the United Kingdom.
- You have important rights under laws aimed at protecting your personal data. This policy sets out your rights and how you can exercise them. You also have the right to make a complaint to the Information Commissioner's Office if you are unhappy with how we have handled your personal data.
Contact Details
What Information We Collect, Use, and Why
To provide and improve products and services for clients
We collect or use the following information:
- Names and contact details
- Addresses
- Usage data (including information about how you interact with and use our website, products and services)
- Account access information
- Website user information
For the operation of client or customer accounts
We collect or use the following personal information:
- Names and contact details
- Addresses
- Account information, including registration details
- Information used for security purposes
To comply with legal requirements
We collect or use the following personal information:
- Name
- Contact information
- Client account information
- Any other personal information required to comply with legal obligations
For dealing with queries, complaints or claims
We collect or use the following personal information:
- Names and contact details
- Address
- Account information
- Customer or client accounts and records
- Correspondence
Lawful Bases and Data Protection Rights
Under UK data protection law, we must have a "lawful basis" for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO's website.
Which lawful basis we rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO's website:
- Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which mean you may not receive all the information you ask for. You can read more about this right here.
- Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. You can read more about this right here.
- Your right to erasure - You have the right to ask us to delete your personal information. You can read more about this right here.
- Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. You can read more about this right here.
- Your right to object to processing - You have the right to object to the processing of your personal data. You can read more about this right here.
- Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. You can read more about this right here.
- Your right to withdraw consent - When we use consent as our lawful basis you have the right to withdraw your consent at any time. You can read more about this right here.
If you make a request, we must respond to you without undue delay and in any event within one month.
To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.
Our Lawful Bases for the Collection and Use of Your Data
To provide and improve products and services for clients
Contract - we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
Legitimate interests - we're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability.
Our legitimate interest in collecting and using personal data is to deliver effective security monitoring services that protect our clients' AWS environments. By processing this information, we can surface critical security findings, provide actionable remediation steps, and continually improve our product's ability to identify threats. This benefits both our business and our clients by enabling better security outcomes. The data we collect is limited to what's necessary for service delivery and improvement (names, contact details, usage patterns), and the risks to individuals are minimal compared to the security benefits provided. We're transparent about our data practices and maintain appropriate safeguards to protect personal information.
For the operation of client or customer accounts
Contract - we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
Legitimate interests - we're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability.
Our legitimate interest in processing personal data for account operations is to ensure proper administration of our service, including role-based access control that protects sensitive security information. By maintaining accurate account information and technical data, we can authenticate users properly, manage permissions based on assigned roles (Owner, Admin, User), and provide appropriate security information to the right personnel. This benefits clients by ensuring that only authorized individuals can access their security findings while protecting their AWS environment. The data we collect is proportionate to this purpose, and the potential impact on individuals is outweighed by the security benefits of proper account management.
To comply with legal requirements
Legal obligation - we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
For dealing with queries, complaints or claims
Contract - we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
Legitimate interests - we're collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability.
Our legitimate interest in processing personal data when handling queries, complaints, or claims is to provide effective customer support, maintain service quality, and resolve issues efficiently. This processing allows us to track support history, understand recurring issues, and improve our service based on customer feedback. It benefits our clients by ensuring their concerns are addressed promptly and thoroughly, while enabling us to maintain proper records for accountability. The data we collect for this purpose is limited to what's necessary for resolving issues, and the benefits to both parties outweigh the minimal privacy impact, as effective issue resolution directly improves the security services we provide.
Where We Get Personal Information From
- Directly from you
How Long We Keep Information
| Data Category | Retention Period | Justification |
|---|---|---|
| Identity & Contact Data | Duration of service + 2 years | To maintain records of service, handle potential reactivations, and fulfil contractual obligations |
| Profile Data | Duration of service + 2 years | To maintain access control records and user permission history |
| AWS Security Findings & Alerts | Duration of service + 2 years | To provide historical context for recurring security issues and demonstrate improvements |
| Usage & Interaction Data | 1 year | To improve our service, analyze trends, and enhance user experience |
| Support Query Records | 3 years from resolution | To maintain service quality records and address any recurring issues |
| Technical Logs | 6 months | For security incident investigation and troubleshooting |
Who Will Have Access to Your Personal Data?
This section is to explain who, within Mistral Data Limited, will have access to your data. Your personal data will only be seen or used by our employees who have a legitimate business need to access your personal data for the purposes set out in this privacy policy.
We take your privacy seriously and have implemented appropriate physical, technical and organisational security measures designed to secure your personal data against accidental loss, destruction or damage and unauthorised access, use, alteration or disclosure.
Who Else Might Have Access to Your Personal Data?
This section will inform you of who we share your personal data with and why. Except as explained in this privacy policy, we will not share your personal data without your consent unless required to do so by law.
- We may share your personal data with you, and where appropriate, your family, your associates and your representatives.
- We may share your personal data with any member of our group which means our subsidiaries, our ultimate holding company (FirstGroup plc) and its subsidiaries as defined in section 1159 of the UK Companies Act 2006.
- We may disclose your personal data to the police or any other law enforcement agency or court to the extent necessary for purposes including preventing, investigating, detecting, and prosecuting criminal offences; preventing threats to public security in accordance with applicable law; or validating a claim.
We may share your personal data with the following third parties who assist us with administering the provision of our services to you:
- business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you
We may also pass Aggregated Data on the usage of our site (e.g. we might disclose the numbers of visitors to our site that come from different geographic areas) to third parties but this will not include information that can be used to identify you personally.
If a business transfer or change of business ownership takes place or is envisaged, we may transfer your personal data to the new owner (or a prospective new owner). If this happens, you will be informed of this transfer.
How to Complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.
If you remain unhappy with how we've used your data after raising a complaint with us, you can also complain to the ICO.
Information Commissioner's Office Contact Details
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://ico.org.uk/make-a-complaint/