Privacy Policy

Last updated: 31 March 2026

Who we are

Kitted is developed and sold by Hypericon Ltd, company number 11012096, registered in England and Wales, with registered office at 24 Market Place, Swaffham, England, PE37 7QH. Hypericon Ltd is the data controller for the personal data described in this policy. References to "we", "us", and "our" refer to Hypericon Ltd. You can contact us at [email protected].

What data we collect and why

Licence purchases

When you purchase a licence we collect your email address. We use this to deliver your licence key and to provide purchase-related support. Your email is stored in our licence database hosted on DigitalOcean (EU region). We do not use it for marketing without your explicit consent.

Payment is processed by Stripe. We never see or store your card number or full payment details - these go directly to Stripe and are subject to Stripe's own privacy policy. We receive only a transaction confirmation and the last four digits of the card used.

Licence activation

When you activate Kitted on a machine, we record a machine identifier derived from hardware properties of that computer. This is used solely to enforce the per-seat licence limit and to allow you to deactivate a seat and move your licence to a different machine. Machine identifiers are stored alongside your licence key in our licence database.

Periodic check-ins

The application periodically contacts our licence server to confirm that your licence is still active. These requests include your licence key and machine identifier. No usage data, telemetry, or personal files are transmitted.

This website

This marketing and documentation site is static and hosted on DigitalOcean App Platform. We use Plausible Analytics to understand how visitors use the site. Plausible is a privacy-focused analytics tool: it does not use cookies, does not track you across sites, and does not collect any personally identifiable information. Aggregate, anonymised visit data is stored on Plausible's EU-based infrastructure; see Plausible's privacy policy. DigitalOcean may also collect standard web server access logs (IP address, browser type, page requested) as part of its hosting service; see DigitalOcean's privacy policy.

Lawful basis for processing

We process personal data on the following lawful bases under UK GDPR:

  • Contract performance - processing your email address and machine identifier is necessary to deliver your licence, handle activation and check-ins, and provide purchase-related support.
  • Legitimate interests - we process data to prevent fraud, enforce licence terms, and maintain the security and integrity of our systems.
  • Legal obligation - we may retain certain records (e.g. transaction data) to comply with tax and accounting obligations.

How we store and protect your data

Our licence database is a PostgreSQL database hosted on DigitalOcean's managed database service. Access is restricted to authenticated requests from the application and to Hypericon staff via a private admin token. The server communicates exclusively over HTTPS/TLS. We take reasonable technical measures to protect the data, but no internet transmission is completely secure.

How long we keep your data

We retain your email address and activation records for as long as your licence is active plus a reasonable support period (currently 3 years after last activity). You may request deletion at any time - see "Your rights" below.

Who we share your data with

We do not sell or rent your personal data. We share it only as follows:

  • Stripe - processes your payment. Stripe is a data controller in its own right for payment data.
  • DigitalOcean - hosts our licence server and this website. They process data on our behalf as a data processor.
  • Resend - delivers transactional emails (licence key delivery, magic-link sign-in). Your email address is passed to Resend solely for this purpose; see Resend's privacy policy.
  • Plausible Analytics - provides anonymised, cookie-free website analytics. No personal data is shared.

We will disclose data if required to do so by law or a court order.

Your rights

Under UK GDPR and applicable data protection law you have the right to:

  • Request a copy of the personal data we hold about you
  • Ask us to correct inaccurate data
  • Ask us to delete your data (subject to any legal retention obligations)
  • Object to our processing of your data
  • Withdraw consent where processing is based on consent

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

Cookies

The marketing website (kitted.site) does not use cookies. The desktop application does not use cookies. Plausible Analytics is cookieless by design.

The account portal (app.kitted.site) uses cookies to manage your login session. When you sign in, a secure, HttpOnly session cookie is set so that you remain authenticated while browsing your account. This cookie is scoped to the kitted.site domain and expires when you sign out or after a period of inactivity. No tracking or advertising cookies are used.

Children's privacy

Kitted is a business application not directed at children. We do not knowingly collect personal data from anyone under 16.

Changes to this policy

We may update this policy from time to time. The "last updated" date at the top of this page will reflect any changes. Continued use of your licence after a material change constitutes acceptance of the revised policy.

Contact

Questions about this policy? Email [email protected].