Data Protection

Privacy Policy

How TsvWeb collects, uses, stores, shares, and protects your personal information, and the rights you have under UK data protection law.

Last updated: 30 April 2026

In plain English

  • We only collect the information we need to reply to enquiries, deliver services, run the website, and meet our legal obligations.
  • We never sell your personal data and we never use it for advertising.
  • Payment card details are handled exclusively by Stripe — we never see or store them.
  • You can email hello@tsvweb.com at any time to access, correct, or delete the data we hold about you.

1. Introduction & Scope

This Privacy Policy ("Policy") explains how TsvWeb ("TsvWeb", "we", "us", or "our") collects, uses, discloses, retains, and protects personal data when you visit tsvweb.com and any subdomains we operate (collectively, the "Site"), when you contact us, when you become a client, and when you otherwise interact with our products and services (collectively, the "Services").

This Policy is issued under, and should be read together with, the United Kingdom General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 ("DPA 2018"), and the Privacy and Electronic Communications Regulations 2003 ("PECR"). It applies to all visitors to the Site, prospective clients, current clients, former clients, and individuals whose personal data we receive in the course of providing the Services.

Where we provide development, hosting, or platform services on behalf of a client and process personal data of that client's end users, we generally act as a processor on the client's instructions. In those cases, the client's own privacy notice governs the processing and this Policy applies only to the limited extent we act as a controller (for example, to manage the client relationship itself).

By using the Site or engaging us for Services, you confirm that you have read and understood this Policy. If you do not agree with any part of it, you must stop using the Site and the Services.

2. Who We Are (Data Controller)

TsvWeb is a sole-trader web design and development service operating from the United Kingdom. We are the "data controller" of personal data we collect about you through the Site and through our direct dealings with you, which means we are responsible for deciding how and why your personal data is processed.

Trading from

United Kingdom

We have not formally appointed a Data Protection Officer because we are not required to under UK GDPR. The owner of TsvWeb is personally responsible for data protection matters and is the point of contact for any privacy-related enquiry, request, or complaint.

3. Definitions

The following terms are used throughout this Policy. Where a term is defined in UK GDPR or DPA 2018, those statutory definitions apply.

  • "Personal data" means any information relating to an identified or identifiable natural person.
  • "Special category data" means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health data, or data concerning a person's sex life or sexual orientation.
  • "Processing" means any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
  • "Controller" means the entity that determines the purposes and means of processing personal data.
  • "Processor" means an entity that processes personal data on behalf of a controller.
  • "Data subject" means the identified or identifiable individual to whom the personal data relates.
  • "ICO" means the Information Commissioner's Office, the UK's data protection regulator.

4. Personal Data We Collect

4.1 Information you provide directly

When you contact us, request a quote, sign up for Services, or correspond with us, we may collect:

  • Identity data — full name, business name, job title, and any other identifier you choose to share.
  • Contact data — email address, phone number, postal address, and preferred method of contact.
  • Project data — your website requirements, brief, brand assets, copy, images, logos, and any other content you supply for use in the Services.
  • Account data — login credentials for any client portal we provide (passwords are stored as one-way hashes; we cannot read them).
  • Communication data — the content of emails, messages, calls, meeting notes, and feedback you send to us.
  • Marketing preferences — your consent or opt-out status for any direct marketing.

4.2 Information collected automatically

When you visit the Site, we and our service providers may automatically collect:

  • Technical data — IP address (truncated where possible), browser type and version, operating system, device type, screen resolution, and time-zone setting.
  • Usage data — pages visited, time on page, referrer, exit pages, and clickstream data, processed in an aggregated and pseudonymised form.
  • Cookie data — small text files stored on your device. See our Cookie Policy for the full list.
  • Server log data — request URL, HTTP status, response time, and user-agent string, retained for security and diagnostic purposes.

4.3 Information from third parties

We may also receive personal data about you from:

  • Stripe — limited transaction metadata such as payment status, subscription identifiers, and the last four digits of a card. Full card numbers are never disclosed to us.
  • Calendar / scheduling tools — booking details when you reserve a discovery call.
  • Analytics providers — aggregated, pseudonymised behavioural data.
  • Public sources — for example, your business website or Companies House if you ask us to research your business as part of a quote.

4.4 Special category data

We do not knowingly collect special category data. If you voluntarily disclose any such data to us (for example, in the context of an accessibility request), we will process it only to the extent necessary to respond, with your explicit consent or another lawful condition under Article 9 UK GDPR, and we will delete it as soon as it is no longer needed.

Payment card data: All card payments are handled directly by Stripe. We never receive, store, or have access to full card numbers, CVV codes, or authentication credentials.

5. How and Why We Use Your Data

We process your personal data only where we have a lawful basis to do so. The list below explains each purpose, the categories of data involved, and our lawful basis.

Responding to enquiries

When you contact us, we use your identity, contact, and communication data to reply, prepare quotes, and arrange calls. Lawful basis: legitimate interests (running our business) and, where applicable, steps taken at your request prior to entering a contract.

Service delivery

Identity, contact, project, and account data is used to design, build, host, and maintain your website as agreed. Lawful basis: performance of a contract.

Billing and subscriptions

Identity, contact, and limited transaction data is used to issue invoices, take payment, and manage recurring subscriptions. Lawful basis: performance of a contract and legal obligation (tax records).

Client support

Identity, contact, and communication data is used to provide ongoing support, respond to issues, and improve the Services. Lawful basis: performance of a contract and legitimate interests.

Analytics and improvement

Aggregated, pseudonymised technical and usage data is used to understand how the Site is used and improve it. Lawful basis: legitimate interests and, for non-essential analytics cookies, your consent under PECR.

Direct marketing

If you opt in, we may send occasional emails about our Services, case studies, or offers. Lawful basis: consent (PECR) and legitimate interests in respect of existing clients in line with the soft opt-in.

Security and fraud prevention

Technical and usage data is used to detect, prevent, and investigate abuse, fraud, and security incidents. Lawful basis: legitimate interests and legal obligation.

Legal and regulatory compliance

We retain records to comply with tax, accounting, anti-money-laundering, and other legal obligations. Lawful basis: legal obligation.

Establishing or defending legal claims

We may retain and use personal data to enforce our rights, recover sums owed, or defend ourselves. Lawful basis: legitimate interests.

We will not use your personal data for any new purpose that is materially incompatible with the purposes set out above without first informing you and, where required, obtaining your consent.

6. Lawful Bases for Processing (UK GDPR Article 6)

Under UK GDPR, we must have a lawful basis for every processing activity. The bases we rely on are:

Art. 6(1)(a)

Consent

You have given clear, specific, freely given, informed consent — for example, by ticking a marketing opt-in box. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Art. 6(1)(b)

Contract

Processing is necessary for the performance of a contract with you, or to take steps at your request before entering a contract — for example, to deliver the Services or prepare a quote.

Art. 6(1)(c)

Legal obligation

Processing is necessary for compliance with a legal obligation to which we are subject, such as keeping VAT and accounting records.

Art. 6(1)(f)

Legitimate interests

Processing is necessary for our legitimate interests (such as running, securing, and improving our business) where these are not overridden by your fundamental rights and freedoms. We have considered and balanced any potential impact on you.

You can ask us at any time to provide further detail about the legitimate interests we rely on, the balancing assessment we have performed, or the lawful basis applied to a specific processing activity.

7. Marketing Communications

We will only send you direct marketing where we are lawfully entitled to do so. In practice this means:

  • Where you have given us your specific consent, you will receive marketing messages we have described to you (for example, an occasional newsletter).
  • Where you are an existing client and have not opted out, we may, in reliance on the PECR soft opt-in, send you information about similar Services to those you have already engaged.
  • Every marketing email we send contains a clear, free unsubscribe mechanism. Clicking it stops further marketing within a reasonable period (in practice, within 5 working days).
  • We do not engage in cold telephone marketing or send unsolicited SMS messages.

Operational and transactional messages — such as renewal reminders, invoices, support replies, and important service notices — are not marketing and will be sent regardless of your marketing preferences.

8. Sharing Your Data with Third Parties

We share personal data only where it is necessary, lawful, and proportionate. The categories of recipients are:

  • Stripe: Card payment processing and recurring subscription billing.
  • Hosting and infrastructure providers: Cloud hosting, container orchestration, CDN, and DNS for the Site and your website.
  • Email and transactional email providers: Sending quotes, invoices, support replies, and account notifications (e.g. Resend).
  • Analytics providers: Aggregated, pseudonymised analytics about how the Site is used (e.g. Google Analytics, where consented).
  • Scheduling tools: Booking discovery calls (e.g. Google Calendar).
  • Backup and storage providers: Encrypted off-site backups of websites and project files.
  • Professional advisers: Accountants, auditors, and lawyers, where strictly required for the running of our business.
  • Government, regulators, and law enforcement: Where we are required to disclose data by law, court order, or to protect our rights.
  • Successors in business: If we restructure, sell, or transfer all or part of our business, personal data may be transferred to a successor under equivalent confidentiality and data protection obligations.

All processors we use are bound by written contracts containing the data protection terms required by Article 28 UK GDPR. We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.

9. International Data Transfers

Some of our processors are located outside the United Kingdom and the European Economic Area ("EEA"). Where personal data is transferred to a country that has not been granted UK adequacy status, we put appropriate safeguards in place under Chapter V of UK GDPR. These typically include:

  • The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, signed with each relevant processor.
  • A documented Transfer Risk Assessment (TRA) considering the laws and practices of the destination country.
  • Supplementary technical measures where relevant — for example, encryption in transit and at rest, pseudonymisation, and access controls.

You can request a list of the countries to which your data may be transferred and copies of the safeguards in place by emailing us at hello@tsvweb.com.

10. How Long We Keep Your Data

We keep personal data only for as long as necessary for the purposes for which it was collected, including to satisfy any legal, tax, accounting, or reporting requirements. Our standard retention periods are:

Enquiry and quote data

Up to 12 months from last contact, after which we delete or anonymise it.

Active client data

For the full duration of our service relationship.

Former client data

Up to 6 years after the end of the relationship, in line with HMRC and limitation periods.

Invoices and tax records

At least 6 years after the end of the relevant accounting period (HMRC requirement).

Backups

Encrypted backups are rotated and overwritten on a rolling 30-90 day cycle.

Server and access logs

Up to 90 days, then deleted unless flagged for security review.

When the applicable retention period expires, data is securely deleted or irreversibly anonymised so it can no longer be linked to you.

11. Security of Your Data

We take the security of your personal data seriously and apply appropriate technical and organisational measures designed to protect it against unauthorised or unlawful processing, accidental loss, destruction, or damage. These include:

  • Encryption in transit using TLS 1.2 or higher for all connections to the Site, our APIs, and our admin tools.
  • Encryption at rest for databases, backups, and file storage where supported by the provider.
  • Strong, unique passwords stored as salted hashes; multi-factor authentication on all administrative accounts.
  • Role-based access controls; the principle of least privilege is applied to all systems.
  • Regular software updates, dependency scanning, and patching for known vulnerabilities.
  • Logging and monitoring of administrative access, with alerts for unusual activity.
  • Written processor agreements with all third parties handling personal data on our behalf.
  • Periodic review of our security posture and a documented incident response process.

No method of transmission or storage on the internet is 100% secure. While we strive to apply commercially reasonable measures, we cannot guarantee absolute security.

12. Personal Data Breach Notification

In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in clear and plain language.
  • Document the facts of the breach, its effects, and the remedial action taken.
  • Take reasonable steps to mitigate the impact and prevent recurrence.

13. Your Rights Under UK GDPR

Subject to certain exemptions, you have the following rights in respect of your personal data. To exercise any of them, email hello@tsvweb.com. We will respond within one calendar month and may extend the period by up to two further months for complex requests, in which case we will explain why.

Right to be informed

To know how we collect and use your personal data — fulfilled by this Policy.

Right of access

To obtain a copy of the personal data we hold about you (a 'subject access request').

Right to rectification

To have inaccurate or incomplete personal data corrected.

Right to erasure

To have your personal data deleted in certain circumstances ('right to be forgotten').

Right to restriction

To ask us to limit how we use your data while a query is investigated.

Right to portability

To receive personal data you have provided in a structured, commonly used, machine-readable format.

Right to object

To object to processing based on legitimate interests, including profiling, and to direct marketing at any time.

Rights re. automated decisions

Not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (we do not carry out such processing).

Right to withdraw consent

Where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.

Right to lodge a complaint

To complain to the ICO if you believe your rights have been infringed.

We may need to verify your identity before responding to a request. We will not charge a fee unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse to act, as permitted by UK GDPR.

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, telephone 0303 123 1113. We would, however, appreciate the opportunity to address your concerns first.

14. Automated Decision-Making and Profiling

We do not use your personal data for automated decision-making (including profiling) that produces legal effects concerning you or similarly significantly affects you. If this changes, we will update this Policy and, where required, obtain your consent.

15. Cookies and Similar Technologies

We use a small number of cookies and similar technologies on the Site for essential functionality, performance analytics, and (where you have consented) optional features. For the full list, the categories used, their duration, and how to control them, please see our Cookie Policy.

16. Children's Data

Our Services are aimed at businesses and adult professionals. We do not knowingly collect personal data from anyone under the age of 18. If you become aware that a child has provided us with personal data, please contact us at hello@tsvweb.com and we will take prompt steps to delete it.

17. Third-Party Links

The Site may contain links to third-party websites, plug-ins, or applications. Clicking on those links may allow third parties to collect or share data about you. We do not control these third-party sites and are not responsible for their privacy statements. When you leave the Site, we encourage you to read the privacy policy of every site you visit.

18. Changes to This Policy

We keep this Policy under regular review. The date at the top of this page shows when it was last updated. Material changes will be communicated by updating that date and, where appropriate, by a prominent notice on the Site or by direct email to clients. Continued use of the Site or Services after the effective date of any change constitutes acceptance of the updated Policy.

Older versions of this Policy are available on request from hello@tsvweb.com.

Contact Us

Questions or concerns about this Privacy Policy or how we handle your data? We aim to respond to every privacy enquiry within 5 working days.

Email

hello@tsvweb.com

Jurisdiction

England & Wales