WebDev Wales
Legal: The small print
Last updated 18 April 2026

Privacy Policy

Introduction

Your privacy and data protection are our top priorities. This comprehensive policy outlines how we collect, use, protect, and manage your personal information in full compliance with UK GDPR and data protection laws.

WebDev Wales is committed to being transparent about the data we hold and how we use it. This policy applies to all personal data collected through our website, contact forms, email communications, and during the course of our professional services.

Data Collection and Information We Gather

We collect information to provide better services, improve user experience, and fulfil our contractual obligations. All data collection is lawful, fair, and transparent under UK GDPR regulations.

Personal information we collect includes: Full Name (for communication and project identification, legal basis: contract performance); Email Address (for project communication and updates, legal basis: contract performance and legitimate interest); Phone Number (for direct communication and support, legal basis: contract performance); Business Name and Role (for professional context and project planning, legal basis: contract performance); Postal Address (for invoicing and legal documentation, legal basis: contract performance and legal obligation).

Technical and usage data we automatically collect includes: IP Address and Location (for security, analytics, and geo-targeting, legal basis: legitimate interest); Browser and Device Info (for website optimisation and compatibility, legal basis: legitimate interest); Page Views and Navigation (for user experience improvement, legal basis: legitimate interest); Referral Sources (for marketing effectiveness analysis, legal basis: legitimate interest); Session Duration (for website performance optimisation, legal basis: legitimate interest).

We follow the GDPR principle of data minimisation, collecting only the information necessary for specific, legitimate purposes. We regularly review and purge unnecessary data.

Project and Business Information Collection

During our business relationship, we collect project-specific information necessary for service delivery, invoicing, and ongoing client support.

Project Requirements (legal basis: Contract Performance): Website goals and objectives; target audience information; branding guidelines and preferences; content and media files; functional requirements specification; timeline and budget constraints; third-party service requirements; domain and hosting preferences.

Financial Information (legal basis: Legal Obligation): Billing address and details; VAT number (if applicable); payment method preferences; invoice delivery preferences; purchase order numbers; credit application details; payment history records; refund and dispute information.

Communication Records (legal basis: Legitimate Interest): Email conversations and attachments; meeting notes and call recordings; project feedback and revisions; support ticket history; video conference recordings; file sharing activity logs; change request documentation; project completion sign-offs.

How We Collect Your Information

We collect information through various touchpoints and methods, always with transparency and appropriate legal basis under GDPR regulations.

Direct collection methods include: Contact Forms (website contact forms, quote requests, and consultation bookings, data collected: name, email, phone, project details); Email Communication (direct email exchanges during project discussions and support, data collected: email content, attachments, contact preferences); Phone and Video Calls (consultation calls, project meetings, and support conversations, data collected: contact details, meeting notes, recordings with consent); Contract Signing (project agreements and legal documentation, data collected: signature, business details, project specifications).

Automatic collection methods include: Website Analytics (Google Analytics tracking for website performance and user behaviour, data collected: page views, session duration, bounce rate, referral sources); Cookies and Tracking (essential and analytical cookies for website functionality, data collected: user preferences, session data, performance metrics); Server Logs (technical logs for security, performance, and error monitoring, data collected: IP addresses, browser info, timestamps, error reports); Third-Party Tools (CRM systems, email marketing platforms, and project management tools, data collected: interaction history, engagement metrics, project progress).

How We Use Your Personal Data

We process your personal data for specific, lawful purposes that are necessary for our business operations and service delivery. All processing activities comply with UK GDPR requirements.

Service Delivery (legal basis: Contract Performance): Project planning and consultation; website development and design; technical support and maintenance; training and handover sessions; quality assurance and testing; performance monitoring and optimisation.

Business Operations (legal basis: Legitimate Interest): Customer relationship management; marketing and communication; website analytics and improvement; security monitoring and fraud prevention; business development and growth; staff training and development.

Legal Compliance (legal basis: Legal Obligation): Financial record keeping; VAT and tax reporting; regulatory compliance monitoring; data breach notification; court order compliance; professional indemnity requirements.

Data Retention and Deletion Policies

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, and protect our legitimate interests.

Retention periods by data type: Project Files and Communications - 7 years after project completion (reason: legal obligation and potential disputes); Financial Records and Invoices - 7 years from end of financial year (reason: HMRC requirements and audit purposes); Marketing and Analytics Data - 3 years from last interaction (reason: business development and compliance); Website Activity Logs - 12 months from collection (reason: security monitoring and performance); Support and Maintenance Records - 3 years after service ends (reason: quality assurance and warranty); Personal Identifiers - until erasure request or 7 years (reason: ongoing relationship management).

Our automatic deletion process includes quarterly data audit and review, automated deletion of expired data, manual review of edge cases, and documentation of deletion activities. Secure deletion methods include multi-pass data overwriting, cryptographic key destruction, physical media destruction when needed, and verification of complete removal.

Exceptions to deletion may apply in the case of legal hold for ongoing disputes, regulatory investigation requirements, active contract performance needs, or anonymised data for analytics.

Your Privacy Rights Under UK GDPR

Under the UK General Data Protection Regulation (GDPR), you have comprehensive rights regarding your personal data. We are committed to facilitating the exercise of these rights promptly and transparently.

Right of Access: You can ask us to confirm if we process your data and request a copy of all personal information we hold about you. Response time: 1 month.

Right to Rectification: You can ask us to correct any personal information you think is inaccurate or incomplete. Response time: 1 month.

Right to Erasure: You can ask us to delete your personal data in certain circumstances, such as when it is no longer necessary. Response time: 1 month.

Right to Restrict Processing: You can ask us to suspend processing of your personal data in specific circumstances. Response time: 1 month.

Right to Data Portability: You can ask us to transfer your data to another service provider in a structured, commonly used format. Response time: 1 month.

Right to Object: You can object to processing based on legitimate interests or for direct marketing purposes. Response time: immediate.

Rights for Automated Decision-Making: You have rights regarding automated decision-making, including profiling that affects you legally. Response time: 1 month.

Right to Withdraw Consent: Where we process data based on consent, you can withdraw that consent at any time. Response time: immediate.

How to Exercise Your Privacy Rights

We have made it simple to exercise your privacy rights. To submit a request: email us at info@webdevwales.com with your full name, email, and the specific request type; we will verify your identity for security; we will review and process your request within a maximum of 30 days; we will deliver the requested information or action via secure email or encrypted file transfer.

For all requests, please include your full name and email address, a clear description of your request, your preferred communication method, and any relevant dates or time periods. For data access requests, please specify the data categories you want to access, the time period, and your preferred format for data delivery. For deletion requests, please specify the data to be deleted and the reason for the request.

Important: We may ask for additional information to verify your identity and ensure we are responding to legitimate requests.

Data Protection and Security Measures

We implement comprehensive security measures to protect your personal data from unauthorised access, alteration, disclosure, or destruction.

Technical safeguards include: 256-bit SSL encryption for all data transfers; regular security vulnerability assessments; automated backup systems with encryption; multi-factor authentication for admin access; real-time monitoring and intrusion detection.

Organisational measures include: staff training on data protection principles; regular review of data processing activities; incident response and breach notification procedures; data minimisation and retention policies; third-party security assessments.

Our hosting infrastructure uses ISO 27001 certified data centres in the UK.

Third-Party Sharing and Data Protection

We never sell your personal data. Limited sharing occurs only with trusted service providers under strict contractual obligations for data protection.

We may share data with: Hosting Providers (secure data storage and website hosting services); Payment Processors (secure transaction processing and invoicing); Analytics Services (website performance and user experience insights); Professional Services (legal, accounting, and business consultancy); Legal Authorities (when required by law or to protect rights).

Data protection safeguards for all third parties include: comprehensive Data Processing Agreements (DPAs); priority given to UK and EU service providers; regular assessment of third-party security measures; only necessary data shared for specific purposes; adequate protection for any international transfers.

Data protection enquiries: Jack Warner (WebDev Wales), email info@webdevwales.com, phone +44 07916 214843, response time within 48 hours for urgent matters. Supervisory Authority: Information Commissioner's Office (ICO), website ico.org.uk, phone 0303 123 1113. You have the right to lodge complaints about our data processing with the ICO.