Beehive
Privacy Policy
Version: 2.0 | Effective date: 5 June 2026

1. About this Privacy Policy

The Beehive, also known as the “AI Hub,” is an internal platform commissioned by Candide for use across the group of estates: Babylonstoren, The Newt in Somerset, Vignamaggio, Over-Amstel Boerderij, The Story of Emily, Plataeon and Toring. Candide also participates in the Beehive as an estate in its own right.

This Privacy Policy explains what personal data we collect through the Beehive, why we collect it, how long we keep it, who we share it with, and the rights you have over your information. It applies to everyone who uses the platform — including staff, AI Champions, and admins — and to anyone whose details appear in it (for example, an AI Champion who has been nominated but does not log in personally).

We have written it in plain English. Where we use a technical or legal term for a reason (for example, “legitimate interests”), we explain what it means in context.

2. Who is responsible for your information

The Beehive involves two layers of responsibility under data protection law:

2.1 Candide — controller for the platform

Candide is the data controller for the operation of the Beehive itself. That includes decisions about how the platform is designed, hosted, secured and maintained, how accounts are created, how content is approved, and how the AI Academy compliance records are produced.

Candide contact for this Policy:
Candide AI (Pty) Ltd, KBT Offices, Klapmuts – Simondium Rd, Simondium, 7670
hilde.venter@candide.com.

2.2 Each estate — controller for its own employees’ data

Each estate is the data controller for the personal data of its own employees that flows through the Beehive. Access to the Beehive is governed by a whitelist of approved estate email domains — anyone with an email address at a whitelisted domain can register and join the platform. The estate decides who is nominated as an AI Champion and how the Beehive fits into its wider employment and training arrangements.

3. What personal data we collect

We try to collect as little personal data as possible. The categories below cover everything the platform processes today.

3.1 Account information

  • Your work email address (required at registration). The domain determines which estate your account belongs to.
  • Your first and last name (optional — you can add or change these at any time).
  • Your role on the platform (General User, Estate Admin, or Master Admin).
  • One-time passcodes issued to your email for login (held transiently and discarded after use).
  • Basic login records: the date and time of each login attempt, and the IP address used (for security).

3.2 Content you submit

  • AI Toolkit usage records, ratings and notes (Estate Admins and Master Admins).
  • AI Champion records you create on behalf of your estate (Estate Admins and Master Admins).
  • Approval and rejection actions on submitted content (Master Admins).

3.3 AI Champion profiles

If you have been nominated as an AI Champion, the directory contains your first name, last name, estate, team or department, and work email address. No photo, phone number or home address is stored. Champion profiles are only visible to other users within the same estate (and to Master Admins from the Candide AI team for governance).

3.4 Training records (Phase 2 — AI Academy)

  • Which modules and courses you have started and completed.
  • Your quiz scores and overall completion percentage.
  • Completion dates and the estate you completed training under.

3.5 Audit and security records

  • Admin actions on the platform (creating, editing, approving, archiving content).
  • Login attempts and authentication events.
  • Erasure events (a chain-of-custody record written when an account is deleted).

3.6 What we do not collect

  • We do not collect special category data (such as health, ethnicity or religion).
  • We do not show individual user names in the platform’s group-wide activity feed — attribution there is at estate level only.
  • We do not use third-party advertising or marketing trackers, social plug-ins, session replay, or analytics. We do use a small, self-hosted, privacy-respecting analytics tool.

4. Why we use your personal data, and our lawful basis

Under UK GDPR and EU GDPR we must have a lawful basis for every use of personal data. The table below sets out our basis for each activity.

| Processing activity | Personal data involved | Lawful basis (UK GDPR / EU GDPR Article 6) |
| --- | --- | --- |
| Creating and operating a user account on the Beehive | Work email address, name (optional), estate (derived from email domain), role | Article 6(1)(f) — legitimate interests of Candide and the estates in providing a secure, governed internal AI resource to staff |
| Showing AI Toolkit content (group catalogue and per-estate usage records) | Estate and team attribution on usage records; ratings and notes submitted by Estate Admins | Article 6(1)(f) — legitimate interests in sharing practical AI experience across the group |
| Publishing AI Champion profiles | Champion name, work email, estate, team | Article 6(1)(f) — legitimate interests in helping staff identify the right internal AI contact. Champions are notified before publication (see section 6) |
| Recording completion of AI literacy training (AI Academy — Phase 2) | User, estate, module name, completion date, quiz score, overall percentage | Article 6(1)(c) — legal obligation to evidence AI literacy under Article 4 of the EU AI Act (Regulation (EU) 2024/1689), where applicable. For staff outside that scope: Article 6(1)(f), legitimate interests in workforce upskilling |
| Audit logs, login events, security monitoring | User ID, action taken, timestamp, IP address (login only) | Article 6(1)(f) — legitimate interests in security, accountability and the integrity of the platform |
| Sending one-time login passcodes and operational platform emails | Work email address | Article 6(1)(f) — legitimate interests in providing secure authentication and operational notifications |
| Self-hosted, privacy-respecting analytics on platform use | Anonymised page-view counts and aggregated estate-level usage; no individual profiles; IP addresses anonymised at collection | Article 6(1)(f) — legitimate interests in maintaining and improving a secure internal platform |

5. How we collect personal data

We collect personal data in four ways:

  • Directly from you when you register an account and when you submit content through the platform.
  • From your estate, where an Estate Admin nominates you as an AI Champion or invites you to register.
  • Automatically when you use the platform — for example, login records and audit log entries.

6. Special notice for AI Champions

If you are listed as an AI Champion in the directory, your details were provided to the platform by your estate, not by you. Data protection law (Article 14 of the UK GDPR / EU GDPR) requires us to tell you what information we hold and why.

Before your profile is published, Candide will notify you. You have the right to ask not to be listed. After publication, you can ask at any time to have your profile updated or removed by reaching out to Candide or your Estate Admin.

7. Who we share your data with

7.1 Within the group

Your estate’s Estate Admins — typically AI Champions and HR representatives — and Candide’s Master Admins can see the content you submit and the training records linked to you. Other users within your estate can see the AI Champion profiles of your estate. Users in other estates cannot see your AI Champion profile or the individual user details of your account.

7.2 Service providers (“sub-processors”)

The Beehive is self-hosted on Candide’s own infrastructure. We do not give a third-party SaaS platform access to the database. The narrow set of services we rely on, and the safeguards we apply, are:

| Service | Purpose | Location of processing | Safeguard |
| --- | --- | --- | --- |
| Google Cloud Platform (Google Ireland Ltd) | Hosting and storage of the Beehive application and database | europe-west2 (London, United Kingdom) | Data Processing Addendum incorporated into the GCP terms; ISO 27001, SOC 2 Type II certified |
| Postmark (operated by ActiveCampaign LLC) | Delivery of one-time login passcodes and operational platform emails (e.g. account notices) | United States, with EU/UK delivery routing where available | Data Processing Agreement in place; EU Standard Contractual Clauses + UK International Data Transfer Addendum for transfers |
| LearnDash (Phase 2 — AI Academy) | Self-hosted learning management system plugin used to deliver AI Academy training | Runs entirely within Candide’s GCP infrastructure (London) — no data is transmitted to the vendor | Self-hosted; vendor has no access to user data. Licence/security review completed before deployment |

We do not sell personal data, and we do not share it with any third party for marketing.

8. International data transfers

The Beehive is hosted in the United Kingdom (Google Cloud Platform, europe-west2 — London). For users at our UK estate (The Newt in Somerset), data stays in the UK. For users at our EU estates (Vignamaggio in Italy, Over-Amstel Boerderij in the Netherlands, Plataeon in Greece), personal data is transferred from the EU to the UK on the basis of the European Commission’s adequacy decision for the United Kingdom (adopted 28 June 2021, renewed 17 December 2024).

For users at Babylonstoren in South Africa, personal data is transferred from South Africa to the United Kingdom. This transfer is made in accordance with section 72 of the Protection of Personal Information Act 2013 (POPIA): the United Kingdom is subject to data protection law (the UK GDPR and Data Protection Act 2018) that provides an adequate level of protection broadly corresponding to POPIA, and contractual safeguards are in place between Candide and its sub-processors. Where it is required, we will obtain the data subject’s consent before transferring their personal information outside South Africa.

9. How long we keep your data

We keep personal data only for as long as we need it for the purposes set out in this Policy. The table below is our retention schedule for each category of data.

| Data category | Retention period | Why this period |
| --- | --- | --- |
| User account data (email address, name, role, estate, login records) | Retained while the account is active. Deleted within 12 months of the user leaving the relevant estate or otherwise becoming ineligible for the platform. | Storage limitation principle (UK GDPR / EU GDPR Article 5(1)(e)). The 12-month tail allows for handover, security review, and any post-departure data subject requests. |
| AI Champion profiles (name, work email, estate, team) | Retained while the champion is published in the directory. On archive, the profile is removed from public view and fully deleted within 90 days. | No statutory retention period applies. The 90-day window allows a final accountability check before deletion (e.g. confirming the archive was intended). |
| AI Toolkit usage records, ratings and notes | Retained indefinitely as an estate-level resource. On deletion of the submitting user’s account, the record is pseudonymised: the link to the individual is severed; the estate and team attribution are preserved. | Once pseudonymised, the record is no longer personal data (UK GDPR Recital 26). Retaining the underlying group knowledge supports the legitimate purpose of the Toolkit. |
| AI Academy training records (modules completed, quiz scores, completion dates, overall percentage) | 6 years from the end of the calendar year in which the training was completed (or longer if a specific regulatory requirement applies to that course). | Aligns with the 6-year limitation period under the Limitation Act 1980 for contractual claims, and provides evidence of compliance with Article 4 of the EU AI Act once enforcement begins on 2 August 2026. |
| Audit logs (admin actions, approval events, login events, IP at login) | 24 months from the date of the event. | Supports security incident investigation and accountability under UK GDPR / EU GDPR Article 5(2); aligns with the ICO Accountability Framework and standard internal-platform cyber-security practice. |
| Activity feed entries (estate-attributed, no individual names) | 12 months on a rolling basis, after which entries are removed from the feed. | Activity feed entries do not contain personal data once attributed at estate level only. A 12-month window keeps the feed useful without unnecessary accumulation. |
| Analytics data (aggregated, IP-anonymised) | 12 months from the date of collection, after which the underlying events are deleted; aggregated counts retained indefinitely. | Once IP-anonymised and aggregated to estate level, the data is no longer personal data (UK GDPR Recital 26). A 12-month window allows for year-on-year usage comparison. |
| Database backups (encrypted, point-in-time recovery) | Minimum 30 days, then automatically deleted. | Operational minimum to support disaster recovery. Erasure requests are honoured in the live system immediately; backups age out within 30 days. |
| Erasure audit record (chain-of-custody entry created when a user account is deleted) | 6 years from the date of erasure. | Accountability obligation under UK GDPR / EU GDPR Article 5(2); aligned with the Limitation Act 1980. The audit row contains no identifiable content. |

At the end of the relevant retention period we delete the data, or in the case of certain content (such as Toolkit ratings) we pseudonymise it so the content is preserved without identifying any individual.

10. How we protect your data

Security is a primary design consideration of the Beehive. The main controls in place are:

  • Self-hosting on Candide’s own Google Cloud Platform infrastructure, with no third-party SaaS platform holding the database.
  • Database encryption at rest and encryption in transit (HTTPS / TLS) for all traffic to and from the platform.
  • Email-based one-time passcode login for general users, with password and multi-factor authentication available to administrative roles.
  • Strict domain whitelist — only email addresses from approved estate domains can register.
  • Permission boundaries are enforced at the application’s capability layer rather than only in the user interface, so a user cannot reach content outside their permission level even by constructing a direct URL.
  • Infrastructure defined entirely in code (Terraform), reproducible deployments, immutable container images, and automated rollback on production deployments.
  • Automatic security-advisory pipeline that blocks deployment of any plugin or library with an open advisory.
  • Automated daily database backups with a minimum 30-day retention window, and point-in-time recovery for the most recent 7 days.
  • The application and database are deployed within a private virtual network (VPN) with strict access controls, ensuring that only authorised personnel and services can reach them, with all traffic routed through secured, monitored channels.

11. Your rights

You have the following rights under UK GDPR and EU GDPR:

| Right | What it means in the context of the Beehive |
| --- | --- |
| Right to be informed | This Privacy Policy, together with the notice we present at registration and any specific notice provided to AI Champions, fulfils this right. |
| Right of access | You can ask for a copy of the personal data the Beehive holds about you. We will respond within one month. |
| Right to rectification | You can ask us to correct inaccurate or incomplete information. Most profile fields can also be corrected directly in the platform. |
| Right to erasure (“right to be forgotten”) | You can ask us to delete your account and the personal data linked to it. The platform has a built-in erasure handler: your authored content is reassigned to a pseudonymous system user so the content is preserved without identifying you, and an audit row is written for accountability. Training records may be retained where we have a legal obligation to keep them (see retention table). |
| Right to restrict processing | In limited circumstances you can ask us to pause our use of your data while a question (e.g. accuracy) is resolved. |
| Right to data portability | Where we rely on your consent or on a contract, you can ask for the data you provided in a structured, commonly used, machine-readable format. |
| Right to object | Where we rely on legitimate interests, you can object to that processing. We will stop unless we have compelling legitimate grounds that override your rights. |
| Rights related to automated decision-making | The Beehive does not make automated decisions that produce legal or similarly significant effects on you. |

If you work for our South African estate (Babylonstoren), equivalent rights apply to you under the Protection of Personal Information Act 2013 (POPIA), including the right of access, correction, deletion and objection, and the right to lodge a complaint with the Information Regulator of South Africa.

To exercise any of these rights, contact us using the details in section 13. We will respond within one month. If your request is particularly complex, we may extend that period by up to two further months and will let you know if so.

12. Cookies and similar technologies

12.1 Strictly necessary cookies

The Beehive sets strictly necessary cookies that are required to keep you logged in and to keep the platform secure. Because these cookies are essential to providing a service you have asked for, they do not require your consent under the UK Privacy and Electronic Communications Regulations (PECR) or the EU ePrivacy Directive. You can block them in your browser, but the platform will not work if you do.

12.2 Audit logging

The platform records the actions taken by administrators (for example, approving a Champion record or publishing a new tool). This logging is for security and accountability and is described under audit logs in sections 3.5 and 9.

13. How to contact us

Most questions, requests and complaints about how your personal data is handled on the Beehive can be resolved quickly. We provide two routes.

13.1 Routine queries and data subject rights requests

Email: hilde.venter@candide.com.

Please tell us your name, your estate, what right you would like to exercise, and any details that will help us identify the relevant data. We may need to verify your identity before we can respond.

13.2 Escalation

If you are not satisfied with the response to a routine query, or if your concern is particularly serious or sensitive, you can escalate to:

Senior contact: Hilde Venter, Head of AI & CX
Email: hilde.venter@candide.com

14. Right to complain to a regulator

If you believe we are not handling your personal data lawfully and we have not resolved your concern, you have the right to complain to a data protection regulator. We would always appreciate the chance to address your concern first, but you do not have to contact us before complaining.

  • United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk
  • Italy: Garante per la protezione dei dati personali — garanteprivacy.it
  • Netherlands: Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl
  • Greece: Hellenic Data Protection Authority — dpa.gr
  • South Africa: Information Regulator — inforegulator.org.za

15. Changes to this Privacy Policy

We will update this Policy from time to time — for example, when we add a new section to the platform, change a service provider, or refine our retention schedule. The current version is always available within the Beehive. If we make a material change, we will let you know through the platform before the change takes effect.

Revision History

| Version | Date | Description of Change |
| --- | --- | --- |
| 1.0 | 29 May 2026 | Initial draft of the Privacy Policy. |
| 2.0 | 5 June 2026 | Updated name from “AI Hub” to “Beehive” |