Last updated: [Date]

1. Introduction This Privacy Policy explains how [Company Name] ("we", "us", "our") collects, uses, and protects personal data. We are committed to protecting your privacy and handling your data in accordance with UK GDPR and the Data Protection Act 2018. This policy applies to visitors to our website [URL], our clients, prospective clients, and suppliers.

2. Who We Are (Data Controller) [Company Name] is the data controller for the personal data described in this policy. Registered address: [address] Company number: [number] (if applicable) Contact: [email] | [phone] Data protection contact / DPO (if applicable): [name/email] You can also contact us about any privacy matter using the details above.

3. Personal Data We Collect Depending on your relationship with us, we may collect: Website visitors Information you submit via contact or quote forms (name, email, phone, company, message). Technical data: IP address, browser type, device information, and usage data via cookies (see our [Cookie Policy]). Clients and prospective clients Contact and billing details (name, business name, address, email, phone). Project information and any materials you share with us. Payment information (processed via our payment provider; we do not store full card details). Login credentials/access you provide for hosting, domains, or third-party accounts (handled securely and only for the duration needed). Suppliers and contractors Contact, payment, and contractual details.

4. How We Use Your Data and Legal Bases Purpose

Legal Basis Responding to enquiries and providing quotes Legitimate interests / steps before a contract Delivering web design and development services Performance of a contract Invoicing and processing payments Performance of a contract / legal obligation Providing support and maintenance Performance of a contract Sending service-related communications Legitimate interests Marketing (newsletters, offers)Consent (you can opt out anytime)Meeting legal/accounting obligations Legal obligation Improving and securing our website Legitimate interests

5. Data We Process on Behalf of Clients (Our Role as Processor)

When we build, host, or maintain a website or e-commerce store for a client, we may process personal data belonging to the client's customers (e.g. order details, account information). In these cases: The client is the data controller and we act as a data processor. We only process such data on the client's documented instructions. This processing is governed by a separate Data Processing Agreement (DPA). The client is responsible for having a lawful basis and their own privacy policy for that data.

6. Sharing Your Data

We do not sell your personal data. We may share it with: Service providers who help us operate (e.g. hosting providers, payment processors, email/CRM tools, accounting software). Sub-processors used to deliver client projects (e.g. hosting platforms, third-party plugins) — under appropriate agreements. Professional advisers (accountants, legal advisers) where necessary. Authorities where required by law. All third parties are required to keep your data secure and use it only for the agreed purposes.

7. International Transfers

Where data is transferred outside the UK (e.g. via cloud services), we ensure appropriate safeguards are in place, such as UK adequacy regulations or the International Data Transfer Agreement (IDTA)/Standard Contractual Clauses.

8. Data Retention

We keep personal data only as long as necessary: Enquiry data: [12] months if no engagement follows. Client/project data: for the duration of the relationship and [6] years afterwards for legal and tax purposes. Financial records: [6] years to comply with HMRC requirements. Account/access credentials: deleted promptly after project completion unless ongoing maintenance is agreed.

9. Data Security

We use appropriate technical and organisational measures to protect your data, including secure storage, access controls, encryption where appropriate, and regular updates. No method of transmission is 100% secure, but we work to protect your data and to notify you and the ICO of any breach where legally required.

10. Your Rights Under UK

GDPR, you have the right to: Access your personal data. Rectify inaccurate data. Erase your data ("right to be forgotten"). Restrict or object to processing. Data portability. Withdraw consent at any time (where processing is based on consent). To exercise any right, contact us at [email]. We will respond within one month. There is usually no charge. If we process data on behalf of a client (as a processor), requests relating to that data should be directed to the client as controller, though we will assist them as required.

11. Cookies

Our website uses cookies and similar technologies. Please see our [Cookie Policy] for full details on how we use them and how you can manage your preferences.

12. Marketing

If you have opted in to receive marketing, you can unsubscribe at any time via the link in our emails or by contacting us. We will not send marketing without a lawful basis.

13. Children's Privacy

Our services are aimed at businesses. We do not knowingly collect data from anyone under 18.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be on this page with a revised "Last updated" date.

15. Complaints

If you have concerns about how we handle your data, please contact us first. You also have the right to complain to the Information Commissioner's Office (ICO): Website: ico.org.uk Helpline: 0303 123 1113

16. Contact info@ecommerce-today.co.uk