Privacy policy

1. Introduction

Wanstone Ltd (“Wanstone”, “we”, “us”, “our”) takes your privacy seriously. This privacy policy explains what personal data we collect through wanstoneltd.com (the “Site”), why we collect it, how we use it, who we share it with, and the rights you have over it. It applies to all visitors, prospective clients and existing clients who interact with the Site.

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). Where you are based in the European Economic Area, we also have regard to the EU General Data Protection Regulation (EU GDPR).

If you have any questions about this policy or about how we handle your personal data, please get in touch via our contact form.

2. Who we are (the data controller)

Wanstone Ltd is the “data controller” for the personal data we collect through the Site. We are a private limited company registered in England and Wales, with our registered office in Greater London, United Kingdom. As we are not currently required to register with the Information Commissioner's Office as a fee-paying controller for the limited processing we carry out through this Site, this policy explains how we behave as though we were — because we believe that's the right thing to do.

3. The personal data we collect

The categories of personal data we may collect when you use the Site are:

• Contact and enquiry data: when you submit our contact form we collect your name, email address, optional company name, and the message you choose to send us.
• Communications: any subsequent emails, messages or call notes that arise from your enquiry.
• Technical and security data: our hosting provider records server logs containing your IP address, user-agent string, referrer and the URLs you request. These logs are used for security, abuse detection, and operational diagnostics.
• Analytics data (only with consent): if you accept analytics cookies, our analytics provider records anonymised information such as page views, referrer, approximate country, browser and device type. We never see your full IP address.
• Client engagement data: if you go on to engage us for paid services, we collect contact details, billing details and the information you share with us during the course of that engagement.

We do not collect special category data through the Site (such as data revealing racial or ethnic origin, religious beliefs, health data, or biometric data) and we ask that you do not include such data in any message you send us. We do not knowingly collect personal data from children under 13.

4. How and why we use your data

We use personal data for the following purposes:

• To respond to enquiries and provide information you have asked for
• To discuss a potential engagement and provide quotations or proposals
• To perform any contract we enter into with you
• To send you operational communications relating to a live project
• To operate, secure and improve the Site
• To understand, in aggregate form, how the Site is used (only if you have consented to analytics)
• To comply with our legal, regulatory, accounting and tax obligations
• To establish, exercise or defend legal claims where necessary

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

5. Lawful bases for processing

Under Article 6 of the UK GDPR we rely on the following lawful bases:

• Legitimate interests — responding to enquiries you have initiated, operating and securing the Site, protecting it from abuse and improving our service. We have carried out a legitimate interests assessment and concluded that our interests are not overridden by your rights and freedoms.
• Consent — for setting optional analytics cookies and for any direct marketing communications. You can withdraw consent at any time, as described in section 9.
• Performance of a contract — where you have engaged Wanstone for paid services, processing your data is necessary to perform that contract.
• Legal obligation — to keep adequate financial records and to respond to lawful regulatory or law-enforcement requests.

6. Sharing your data

We do not sell your personal data. We share data only with a small number of trusted processors who help us operate the Site and our business, each of whom is bound by a written data-processing agreement. These currently include:

• Vercel Inc. — hosting and edge content delivery
• Resend — transactional email delivery for the contact form
• Umami Software, Inc. — privacy-respecting web analytics (only loaded with consent)
• Google LLC — for fonts only; no cookies are set
• Our professional advisers — accountants, auditors and legal advisers, where strictly necessary and under duties of confidentiality

We may also disclose data where we are legally required to (for example to comply with a court order, regulator or tax authority), or where doing so is necessary to protect our rights, property or safety, or those of others.

In the event of a corporate transaction such as a merger, acquisition, reorganisation or sale of assets, personal data may be transferred to the acquiring entity as part of the transferred business. We will notify you of any such change.

7. International transfers

Some of our processors are based outside the United Kingdom. Where personal data is transferred to a country that has not been deemed to provide an adequate level of protection under UK data protection law, we ensure appropriate safeguards are in place — typically the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum, supplemented by a transfer risk assessment where required. You can request a copy of the safeguards in place by contacting us.

8. Retention

We keep personal data only for as long as we need it:

• Contact-form enquiries: up to 24 months from last interaction, then deleted or anonymised
• Server logs: up to 30 days
• Aggregated analytics data: up to 24 months
• Client engagement records, contracts and correspondence: for the duration of the relationship plus 7 years to meet our legal, accounting and tax obligations
• Records required for the establishment, exercise or defence of legal claims: for as long as is necessary for that purpose

9. Cookies and similar technologies

We use a small number of cookies and similar technologies. Strictly necessary cookies are always active; optional analytics cookies are only set if you give consent through our cookie banner. You can withdraw or change your consent at any time. Full details are in our cookie policy.

10. Your rights

Under UK GDPR you have the following rights in relation to your personal data:

• Right of access — to obtain confirmation that we are processing your data and a copy of that data
• Right to rectification — to have inaccurate or incomplete data corrected
• Right to erasure — the “right to be forgotten” in certain circumstances
• Right to restrict processing — to ask us to limit how we use your data
• Right to object — to processing based on legitimate interests, including profiling, and to direct marketing at any time
• Right to data portability — to receive your data in a structured, commonly used, machine-readable format
• Right to withdraw consent — where consent is the lawful basis, without affecting the lawfulness of processing before withdrawal
• Right to lodge a complaint — with the Information Commissioner's Office (see section 12)

To exercise any of these rights, please get in touch via our contact form. We will respond within one calendar month, although for complex or numerous requests we may extend this by up to two further months and will let you know if we need to. There is normally no charge.

11. Security

We have put in place appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include TLS encryption in transit, access controls and the principle of least privilege on internal systems, regular review of our processors, secure software development practices, and staff training. No system is perfectly secure, but we treat our obligation to safeguard your data seriously and will notify the ICO and (where required) you in the event of a personal data breach likely to result in a risk to your rights and freedoms.

12. Complaints to the ICO

If you are unhappy with how we have handled your personal data you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues, at ico.org.uk or by calling 0303 123 1113. We would, however, appreciate the chance to put things right first.

13. Marketing

We do not run mass marketing campaigns through this Site. If you opt in to receive occasional updates from us, you can unsubscribe at any time using the link in the email or by emailing us directly. We will never share your contact details with third-party marketers.

14. Third-party sites

The Site may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control those third-party sites and are not responsible for their privacy statements. When you leave the Site we encourage you to read the privacy policy of every site you visit.

15. Changes to this policy

We may update this policy from time to time to reflect changes in our practices, technology, legal requirements or for other operational reasons. The “last updated” date at the top shows when the current version took effect. Material changes will be highlighted on the Site and, where appropriate, we will notify you directly.

16. Contact us

If you have any questions about this privacy policy or want to exercise any of your rights, please get in touch via our contact form.