A Firefly Labs company.

This is the plain English version of how {{companyName}} handles your data. The short version: we collect only what we need to run the business and deliver your project, we don’t sell or share your data, and you can ask us to delete it at any time.

Last updated: {{date}}

Who we are

{{companyName}} is operated by {{CompanyName}}, a company registered in England and Wales (company number {{companyNumber}}) with its registered office at {{contactAddress}}.

For privacy questions, contact us at {{email}}.

We are the data controller for personal data we collect about you under UK GDPR and the Data Protection Act 2018.

What we collect, and why

We only collect personal data when we have a clear reason to, and we tell you what we’re doing with it.

When you visit the website

Our website uses Plausible Analytics, a privacy-focused analytics service that doesn’t use cookies and doesn’t identify individual visitors. Plausible records anonymous, aggregated information about visits — pages viewed, the country a visit came from, the type of device used, and where the visit came from (referring website or search). None of this can be used to identify you personally.

Our hosting provider (Vercel) keeps standard server logs (IP address, timestamp, page requested) for short periods for security and reliability purposes. These logs aren’t used to track individuals and are deleted after a short retention period.

We self-host the fonts used on the website. We don’t use Google Fonts, Google Analytics, Facebook Pixel, HubSpot tracking, or any other third-party tracking technology that follows you across the internet.

When you contact us

If you fill in our contact form, email us, or book a call, we collect:

• Your name
• Your email address
• Any other information you choose to send us

Contact form submissions are sent to our customer relationship management system (HubSpot) so we can keep track of our conversations with you and respond properly. HubSpot only receives the form data you submit — it doesn’t track your visit to our website.

Why: to reply to you and, if it’s relevant, to talk about working together.

Legal basis: legitimate interest (responding to enquiries) and, if it becomes a project, contract performance.

When you book a call

We use Calendly to schedule introductory calls. When you click our “book a call” link, you’re sent to Calendly’s own website, where you choose a time and submit your details directly to Calendly. We do not embed Calendly on our website — Calendly only receives your information once you’ve actively chosen to use it.

Calendly collects: your name, email address, the time slot you book, and any information you add to your booking. They share that information back with us so we know who is on the call and when.

Calendly operates under its own privacy policy, which we recommend reading if you have specific concerns:

Calendly’s privacy policy: https://calendly.com/privacy

Legal basis: legitimate interest (arranging meetings) and, if it becomes a project, contract performance.

When you buy from us

If you commission a project with us, we collect:

• Your name and the business name you’re trading under
• Your email address, phone number, and business address
• Your VAT number (if applicable)
• Your project content — copy, images, brand assets, anything you send us to build the site
• Payment information (handled by Stripe — see below)

Why: to deliver your project, invoice you, keep proper business records, and stay in touch about your site.

Legal basis: contract performance (delivering the work you’ve bought), legal obligation (HMRC record-keeping), and legitimate interest (keeping you informed about your project).

Payment data

We don’t see or store your card details. Payments are processed by Stripe, who handle card data under their own privacy policy and PCI-compliant infrastructure. We receive confirmation that payment has succeeded and the basic transaction information needed to invoice you properly.

Stripe’s privacy policy: https://stripe.com/gb/privacy

Project files and content

During the project, we’ll receive content from you (copy, images, brand assets, etc.) that we use to build your site. We store this on secure systems for the duration of the project and for a reasonable period afterward in case you need it again.

Cookies

This website doesn’t set any tracking cookies. Plausible Analytics works without cookies. We don’t use Google Analytics, Facebook Pixel, HubSpot tracking, or any other technology that follows you across the internet.

Calendly is not embedded on our website — when you click to book a call, you’re sent to Calendly’s own site, where their own cookie policy applies.

If we ever add a tool that does set non-essential cookies, we’ll show you a cookie banner first and ask for your consent.

Your browser may set its own essential cookies to make the site work (for example, remembering you’ve closed a notification). These aren’t used to track you.

Who we share your data with

We share your personal data only with the service providers we need to run the business. We don’t sell your data. We don’t share it for marketing purposes.

Our current service providers (called “data processors” under UK GDPR) are:

• Stripe — for payment processing. Data shared: name, email, billing address, payment information. Based in Ireland (EU) and the United States.
• Plausible Analytics — for anonymous website analytics. Data shared: none that identifies you personally. Based in Estonia (EU).
• Vercel — for hosting the website. Data shared: technical logs only, no personal data deliberately stored there. Based in the United States.
• HubSpot — for storing contact form submissions and managing our conversations with you. Data shared: name, email, phone number, business details, and the content of your enquiries. Based in the United States.
• Calendly — for scheduling introductory calls. Data shared: name, email, and any booking information you provide directly to Calendly when you book. Based in the United States.
• Our email provider ([Google Workspace / Fastmail / Proton / etc.]) — for sending and receiving email. Data shared: anything you send us via email.
• Our accounting software ([Xero / FreeAgent / QuickBooks / etc.]) — for invoicing and bookkeeping. Data shared: name, business name, address, invoice details.
• Our trusted contractors — where a contractor is involved in delivering your project, they may see project information needed to do their work. They are bound by confidentiality and data protection obligations.

International transfers: some of these providers (Stripe, Vercel, HubSpot, Calendly) are based in the United States. Where data is transferred outside the UK, we rely on UK GDPR-approved safeguards — the UK Addendum to the EU Standard Contractual Clauses, or the EU-US Data Privacy Framework where applicable — to protect your data.

How long we keep your data

• Enquiry-only contacts (HubSpot): up to 24 months from your last contact with us, then deleted unless you’ve become a customer.
• Call bookings (Calendly): kept for 12 months from the date of the booking, then deleted from Calendly. Contact details shared with us continue to live in HubSpot under our standard retention rules.
• Customer records: for the duration of the project and for 6 years afterward, which is the period HMRC requires for tax records.
• Project files and content: up to 12 months after project completion, then deleted unless you’ve asked us to retain them.
• Email correspondence: kept while it has business relevance, then archived or deleted.

Your rights

Under UK GDPR, you have the right to:

• Access the personal data we hold about you.
• Correct any inaccurate or incomplete data.
• Delete your personal data, where we don’t have a legal obligation to keep it.
• Restrict how we use your data in certain circumstances.
• Object to us using your data on legitimate-interest grounds.
• Move your data (data portability) where we hold it on the basis of consent or contract.
• Complain to the Information Commissioner’s Office (ICO) if you think we’ve handled your data badly.

To exercise any of these rights, email {{email}}. We’ll respond within one month.

ICO website: https://ico.org.uk

Marketing

We don’t run a marketing mailing list. If we add one in the future, it will be opt-in only and you’ll be able to unsubscribe from every email we send. We’ll update this policy before that happens.

If you’ve been a customer, we may occasionally email you about your project, our services, or things directly relevant to the work we’ve done together. You can ask us to stop at any time.

Security

We take reasonable technical and organisational measures to protect your data — encryption in transit (HTTPS), secure access controls on our systems, two-factor authentication on critical accounts, and limited access among the people working on your project. No system is perfectly secure, but we take it seriously.

If we ever suffer a data breach that puts your rights at risk, we’ll notify you and the ICO as required by law.

Children

Our services aren’t intended for, or marketed to, children under 18. We don’t knowingly collect data from children.

Changes to this policy

We may update this policy from time to time. The current version is always at this page, with the “last updated” date at the top. Material changes will be communicated to active customers by email.

Contact

For any privacy question — questions about this policy, requests to exercise your rights, complaints — email {{email}}.

{{CompanyName}} · {{contactAddress}} · Company number {{companyNumber}}

WebCraft Pro — A Firefly Labs company.