Privacy Policy
Version 4.1 · Effective 6 May 2026
The short version
- We collect only what's needed to deliver your website and run our business.
- We never sell, rent, or trade your data.
- We use trusted providers (Stripe, Vercel, Notion, Google Workspace, GitHub, Fathom Analytics) to operate.
- You can ask us to delete your data at any time — we respond within 14 days.
- If you ever feel we've mishandled your data, you can complain directly to the UK ICO without contacting us first.
1. Introduction
This Privacy Policy explains how Octar Studio collects, uses, stores, and protects personal data. It applies to everyone we interact with: prospects we cold call, leads who complete forms on our website, clients who pay for a build, and anyone who visits octarstudio.uk.
Controller: David Down, trading as Octar Studio, Sittingbourne, ME9 8AA, Kent, United Kingdom.
Contact: david@octarstudio.uk
ICO registration: C1925036
2. What personal data we collect
We collect only what's needed to run Octar Studio. We do not sell, rent, or trade personal data under any circumstances.
2.1 Data from prospects and leads
When you submit our quote form or we contact you directly:
- Your name
- Your mobile phone number
- Your email address
- Your business name and trade
- Your town, service area, or business address
- Your existing website URL (if you share it)
- The services you're interested in
- Any notes from our phone or email conversations
2.2 Data from paying clients
Once you've paid your build invoice, we collect additional data via our build intake form:
- Full business address and postcode
- Domain name and registrar access details
- Logo, brand colours, and design preferences
- Photos of your work, your team, your vehicles
- Your services list, business hours, and pricing
- Customer testimonials you provide (text only)
- Accreditations, certificates, and registration numbers
- Google Business Profile URL and review platform links
2.3 Payment data
Payments are processed by Stripe Payments UK Ltd. We do not store full card details. We see in our Stripe dashboard: card type and last four digits, billing name and address, invoice amount and status. Stripe handles all card data under PCI-DSS compliance.
2.4 Communications data
When you contact us by email, WhatsApp, phone, or via a website form, we retain a record of the conversation. Retention periods are set out in Section 5.
2.5 Website analytics data (all build clients)
We install Fathom Analytics on every Octar Studio build at go-live. Fathom records aggregate page views, traffic source, approximate geographic region, device type, browser, and anonymous click-to-call events. No cookies are set, no personal identifiers are captured, and no caller phone numbers are recorded.
2.6 Website visitor data (octarstudio.uk)
Our own website uses two cookieless analytics tools running side by side: Vercel Analytics + Speed Insights (performance monitoring) and Fathom Analytics (visitor and conversion analytics). Neither tool sets cookies or captures personal identifiers.
2.7 No automated decision-making
We do not use your personal data for any automated decision-making or profiling that would produce legal or similarly significant effects on you. All decisions are made by a human (David Down).
3. How we use your data
3.1 To deliver our services (lawful basis: contract) — Responding to your quote request, preparing and issuing Stripe invoices, building and maintaining your website, communicating during the build, providing ongoing retainer services.
3.2 To run our business (lawful basis: legitimate interests) — Logging sales calls and pipeline activity in our CRM, improving our service quality and processes, responding to general enquiries, protecting against fraud and abuse.
3.3 To comply with legal obligations (lawful basis: legal obligation) — Keeping financial records for HMRC (6 years), responding to lawful requests from authorities, enforcing or defending our legal rights.
3.4 With your specific consent (lawful basis: consent) — Featuring your business as a case study, using your testimonials or project photos publicly, referring to your business by name in our marketing. Consent is captured in writing at project handoff. You can withdraw at any time by emailing david@octarstudio.uk — case study material will be removed within 30 days.
4. Who we share your data with
We share personal data only with the following trusted providers:
- Stripe Payments UK Ltd — Payment processing (UK primary, US transfer under standard contractual clauses)
- Vercel Inc. — Website hosting and cookieless performance analytics on octarstudio.uk (US, under UK-approved transfer mechanisms)
- Notion Labs Inc. — Internal CRM and project management (US, under UK-approved transfer mechanisms)
- Google Workspace (Gmail) — Business email (US and EU, under UK-approved transfer mechanisms)
- GitHub Inc. — Code repository for your site; site code only, no personal data (US, under UK-approved transfer mechanisms)
- Fathom Analytics — Cookieless visitor analytics on all client builds and octarstudio.uk (EU isolation mode; Canada recognised as adequate by the UK government)
We never share your data with advertising networks, data brokers, or marketing services. If we add a new data processor, we will update this Privacy Policy before onboarding them and notify active clients by email.
5. How long we keep your data
5.1 Prospect and lead data (non-converting) — 12 months from last contact, then deleted.
5.2 Quote form submissions (non-converting) — 12 months from submission, then deleted.
5.3 Client data (during project + retainer) — Duration of working relationship.
5.4 Raw build files (logos, photos, brand assets) — Retainer clients: duration of retainer plus 30 days after cancellation. Non-retainer clients: 60 days post-launch, then deleted.
5.5 Live website code — Retained as long as the site is hosted on Octar Studio's infrastructure. On migration (£250), the codebase is transferred and we retain no copy.
5.6 Fathom Analytics data — Retainer clients: duration of retainer plus 30 days. Non-retainer: 60 days post-launch.
5.7 Financial records — 6 years after the end of the working relationship (HMRC requirement).
5.8 Case study and portfolio material — Until consent is withdrawn. Removed within 30 days of withdrawal.
You can request earlier deletion by emailing david@octarstudio.uk.
6. Your rights
Under UK GDPR, you have the following rights:
- Right of access — Request a copy of the personal data we hold about you
- Right of rectification — Ask us to correct inaccurate or incomplete data
- Right of erasure — Ask us to delete your data, subject to legal retention requirements
- Right to restrict processing — Ask us to pause processing while you dispute accuracy or object to use
- Right to data portability — Receive your data in a structured, machine-readable format
- Right to object — Object to processing based on legitimate interests
- Right to withdraw consent — Where we rely on consent, withdraw it at any time
To exercise any right, email david@octarstudio.uk. We aim to respond within 14 days and no later than one calendar month.
If you are unhappy with how we handle your data, you can complain directly to the UK ICO — you are not required to contact us first: ico.org.uk · 0303 123 1113.
7. How we protect your data
- All data is transmitted over encrypted connections (HTTPS/TLS)
- Stripe handles all card data under PCI-DSS compliance
- Access to our internal systems is protected by strong unique passwords and two-factor authentication
- We do not store client data on personal devices except during active project work
- Raw build files are deleted per the retention schedule in Section 5
7.1 Data breach notification. In the unlikely event of a data breach that risks your rights and freedoms, we will notify the UK ICO within 72 hours and notify affected individuals without undue delay.
8. Cookies
See our Cookie Policy at octarstudio.uk/legal/cookies for full detail on the cookies used on our website.
9. Children's data
Octar Studio serves business-to-business clients. We do not knowingly collect personal data from children.
10. Data about your customers
When we build a website for you, visitors to your site may submit personal data via forms or contact buttons. This data belongs to you, the client, as data controller. It is routed directly to your email inbox or your chosen form provider — Octar Studio does not access, store, or use it. You are responsible for your own Privacy Policy, cookie compliance, and data protection practices toward your website's visitors.
11. AI assistance disclosure
Octar Studio uses AI-assisted tools to help draft copy, generate ideas, and streamline operations. No personal client data is processed by these tools for decision-making purposes. Human review is applied to all output before it affects any client or becomes part of a deliverable.
12. Changes to this Privacy Policy
We may update this policy from time to time. The current version is always published at octarstudio.uk/legal/privacy.
Material changes will be notified to active clients by email at least 14 days before they take effect. Minor changes will be made without notification.
13. Contact us
David Down, trading as Octar Studio
Sittingbourne, ME9 8AA, Kent, United Kingdom
david@octarstudio.uk