Privacy Policy

Huddle Duck Ltd

Last updated: 19 February 2026

URL: https://huddleduck.co.uk/privacy

1. Who We Are

Huddle Duck Ltd ("we", "us", "our") is a company registered in England and Wales.

Registered address: Huddle Duck Ltd, Ventnor Road, Solihull, B92 9BU, United Kingdom

Email: privacy@huddleduck.co.uk

Data Controller: Asad Shah, Founder

We are an AI-powered advertising tool built for multi-location food and beverage brands. We build and manage advertising campaigns using Meta platforms (Facebook and Instagram), automated messaging tools, and related technologies.

This privacy policy explains how we collect, use, store, share, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Meta Platform Terms.

2. What Data We Collect

We may collect and process the following categories of personal data:

2.1 Prospective Clients and Leads

  • Contact details: name, email address, phone number
  • Business details: company name, job title, brand name, number of locations
  • Booking information: date, time, and details submitted via our scheduling forms (Calendly)
  • Form submissions: information you provide through enquiry or campaign request forms (Tally)
  • Communication records: emails, call notes, and meeting transcripts

2.2 Clients

  • Account and billing information: company name, address, payment details (processed securely via Stripe)
  • Campaign data: brand assets, ad copy, creative materials, target audience details, performance metrics
  • Dashboard access data: login credentials and usage activity
  • Communication records: emails, messages, meeting notes, and call recordings

2.3 End Users (Customers of Our Clients)

When running campaigns on behalf of clients, we may process:

  • Engagement data: ad interactions, click-throughs, form submissions
  • Direct message data: Instagram DM conversations handled through ManyChat automation flows
  • Lead information: name, email, phone number, and responses submitted through ad lead forms or landing pages

In these cases, our client is typically the data controller and Huddle Duck acts as a data processor.

2.4 Data Received from Meta Platforms

Through our use of the Meta Platform APIs (including the Facebook Marketing API, Instagram API, and related services), we may receive and process:

  • Ad account data: campaign performance metrics, ad spend, impressions, reach, clicks, conversions, and cost data
  • Page and profile data: Facebook Page insights, Instagram business profile information, follower counts, and engagement metrics
  • Lead data: information submitted by users through Meta Lead Ads forms, including name, email address, phone number, and custom question responses
  • Messaging data: Instagram Direct Message conversations initiated through ad interactions, processed via authorised automation tools (ManyChat)
  • Audience data: custom audience parameters, lookalike audience configurations, and targeting criteria (we do not receive or store individual user profiles from Meta)
  • Creative performance data: ad-level metrics showing which creative assets perform best
  • Conversion data: event data from Meta Pixel and Conversions API tracking user actions on client websites (e.g. page views, form submissions, purchases)

We access this data solely to manage, optimise, and report on advertising campaigns for our clients. We do not sell, license, or otherwise commercialise any data received from Meta.

2.5 Website Visitors

  • Technical data: IP address, browser type, device information
  • Usage data: pages visited, time on site, referral source
  • Cookie data: see Section 9 below

3. How We Use Your Data

We process personal data for the following purposes:

PurposeLawful Basis (UK GDPR)
Responding to enquiries and booking callsLegitimate interest
Delivering our advertising services to clientsPerformance of a contract
Processing paymentsPerformance of a contract
Managing and optimising Meta ad campaigns on behalf of clientsPerformance of a contract / Legitimate interest
Processing lead data received through Meta Lead AdsLegitimate interest / Consent (obtained by client via lead form)
Processing Instagram DM conversations via ManyChat on behalf of clientsLegitimate interest / Contract
Generating campaign performance reports and dashboardsPerformance of a contract
Sending marketing emails (e.g. newsletters, offers)Consent
Improving our services and internal analyticsLegitimate interest
Complying with legal or regulatory obligationsLegal obligation

3.1 How We Use Meta Platform Data Specifically

Data received from Meta Platform APIs is used exclusively to:

  • Create, manage, and optimise advertising campaigns on Facebook and Instagram
  • Monitor campaign performance and generate reports for our clients
  • Process and deliver leads generated through Meta Lead Ads to our clients
  • Manage automated Instagram DM flows on behalf of our clients
  • Build and manage custom and lookalike audiences for campaign targeting
  • Track conversions and attribute results to specific campaigns

We do not use Meta Platform data to:

  • Sell, rent, lease, or otherwise transfer data to third parties
  • Build independent user profiles or databases unrelated to our advertising services
  • Conduct surveillance or monitoring of individuals
  • Discriminate against individuals based on protected characteristics
  • Contact individuals directly for our own marketing purposes

4. Who We Share Data With

We do not sell your personal data. We may share data with the following categories of third parties, solely for the purposes described above:

  • Meta Platforms (Facebook/Instagram): campaign delivery, ad management, and API integrations
  • ManyChat: automated direct message flows on behalf of clients
  • Stripe: secure payment processing
  • Calendly: meeting scheduling
  • Tally: form collection
  • Google (Analytics, Meet): website analytics and video calls
  • Notion: internal project and client management
  • Xero: invoicing and accounting
  • Email service providers: marketing communications
  • Professional advisers: accountants, legal counsel (where required)

All third-party processors are required to handle data in accordance with UK GDPR. Where data is transferred outside the UK, appropriate safeguards (such as Standard Contractual Clauses) are in place.

We do not share Meta Platform data with any parties other than the specific client on whose behalf the data was collected, and the sub-processors listed above that are strictly necessary to deliver our services.

5. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

  • Client data: retained for the duration of our contract plus 6 years (to meet legal and accounting obligations)
  • Lead and enquiry data: retained for up to 2 years from last contact, then deleted unless you become a client
  • Meta Platform data: retained only for the duration of our active service agreement with the relevant client. Upon termination of a client contract, all Meta Platform data associated with that client is deleted within 90 days unless retention is required by law.
  • Campaign and end-user data: retained in line with our client's instructions and applicable data processing agreement
  • Marketing data: retained until you unsubscribe or withdraw consent
  • Website analytics data: retained for up to 26 months

6. Your Rights

Under the UK GDPR, you have the following rights:

  • Access: request a copy of the personal data we hold about you
  • Rectification: request correction of inaccurate or incomplete data
  • Erasure: request deletion of your data ("right to be forgotten")
  • Restriction: request that we limit how we use your data
  • Portability: request your data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interest, including direct marketing
  • Withdraw consent: where processing is based on consent, you can withdraw it at any time

To exercise any of these rights, email us at privacy@huddleduck.co.uk. We will respond within one month.

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

7. Data Deletion

You may request deletion of your personal data at any time. Here is how:

7.1 How to Request Data Deletion

  1. Send an email to privacy@huddleduck.co.uk with the subject line: "Data Deletion Request"
  2. In the body of the email, include:
    • Your full name
    • Your email address (the one associated with the data you want deleted)
    • The name of the business or brand you are associated with (if applicable)
    • A description of what data you would like deleted
  3. We will acknowledge your request within 5 business days
  4. We will complete the deletion within 30 days of receiving your request
  5. We will send you a confirmation email once deletion is complete

7.2 Data Deletion for Meta Platform Users

If you have interacted with one of our advertising campaigns on Facebook or Instagram (for example, by submitting a lead form, engaging with a direct message flow, or clicking on an ad), you can request deletion of any data we hold about you by following the steps in Section 7.1 above.

If you wish to manage or revoke permissions granted to our application via your Facebook or Instagram account, you can do so directly through your Meta account settings:

  1. Go to Settings & Privacy on Facebook
  2. Select Settings, then Apps and Websites
  3. Find our application and click Remove
  4. Select Delete to request deletion of data the app may have received

Upon receiving a deletion request (whether directly from you or via Meta's data deletion callback), we will:

  • Delete all personal data associated with you from our systems
  • Confirm deletion to you via email (if contact details are available)
  • Notify any sub-processors who may hold your data to delete it

7.3 Exceptions

We may retain certain data where required by law (for example, financial transaction records required for tax purposes). In such cases, we will inform you of the specific data retained and the legal basis for retention.

8. Data Security

We take appropriate technical and organisational measures to protect personal data, including:

  • Encrypted data transmission (SSL/TLS)
  • Secure, access-controlled cloud storage
  • Limited access on a need-to-know basis within the team
  • Regular review of third-party processor security practices
  • Strong password policies and two-factor authentication where available
  • Secure handling of API credentials and access tokens
  • Regular audits of data access and processing activities

In the event of a personal data breach, we will notify the ICO within 72 hours where required by law and inform affected individuals without undue delay.

9. Cookies

Our website may use cookies and similar technologies to improve your browsing experience and analyse site usage. Types of cookies we may use:

  • Essential cookies: required for the site to function
  • Analytics cookies: help us understand how visitors use the site (e.g. Google Analytics)
  • Marketing cookies: used to deliver relevant advertising (e.g. Meta Pixel)

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect site functionality.

10. Data Processing on Behalf of Clients

When we run advertising campaigns, manage Instagram DM flows, or process lead data on behalf of our clients, we act as a data processor. In these cases:

  • The client is the data controller and determines the purpose and means of processing
  • We process data only in accordance with the client's instructions and our data processing agreement
  • We implement appropriate technical and organisational security measures
  • We do not engage additional sub-processors without the client's prior authorisation
  • We assist the client in responding to data subject requests
  • We delete or return all personal data at the end of the service agreement, at the client's choice
  • End users should refer to the relevant client's own privacy policy for details on how their data is handled

11. Meta Platform Terms Compliance

Our use of Meta Platform data is governed by the Meta Platform Terms and the Meta Developer Policies. We are committed to full compliance with these terms, including:

  • Only requesting permissions that are necessary for the services we provide
  • Using Meta Platform data solely for the purposes described in this privacy policy
  • Not selling, licensing, or otherwise transferring Meta Platform data to data brokers, information brokers, or any other third parties
  • Not using Meta Platform data to conduct surveillance
  • Not using Meta Platform data to discriminate against individuals
  • Promptly deleting Meta Platform data upon user request or upon revocation of access
  • Maintaining appropriate data security measures to protect Meta Platform data

12. International Transfers

Some of our third-party service providers are based outside the UK (primarily in the United States). Where personal data is transferred internationally, we ensure appropriate safeguards are in place, such as:

  • UK International Data Transfer Agreements
  • Standard Contractual Clauses approved by the ICO
  • Adequacy decisions where applicable

13. Children's Data

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@huddleduck.co.uk and we will delete the data promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted at https://huddleduck.co.uk/privacy with an updated "Last updated" date. We encourage you to review this policy periodically.

15. Contact Us

If you have any questions about this Privacy Policy, how we handle your personal data, or wish to make a data deletion request, contact us:

Huddle Duck Ltd
Ventnor Road, Solihull, B92 9BU, United Kingdom

Email: privacy@huddleduck.co.uk

© 2026 Huddle Duck Ltd. All rights reserved.

← Back to home