Privacy Policy
Last Updated: 2 April 2026
1. Who We Are
Hillmorton Design and Development Ltd ("we", "our", "us") is the data controller responsible for your personal data. We are a web design and development agency registered in England and Wales.
Company Details
Company Number: 16957863
Registered Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Email: [email protected]
Website: hillmortondnd.co.uk
2. What Data We Collect and Why
2.1 Website Visitors
When you browse our website, we use Cloudflare Web Analytics to understand how visitors interact with our site. This service is privacy-preserving: it does not use cookies and does not collect or store personally identifiable information. Cloudflare may process technical metadata (such as anonymised IP data and device type) for security and performance purposes. See the Cloudflare Privacy Policy for details.
2.2 Contact & Enquiries
If you contact us by email or via our contact form, we collect your name, email address, company name, and the content of your message. We use this information solely to respond to your enquiry. Our lawful basis is legitimate interests (responding to business correspondence).
2.3 Clients & Project Data
When we enter a business relationship with you, we collect and process data necessary to deliver our services. This includes contact details, billing information, project files, and communications. Our lawful basis is contract performance and, where applicable, legitimate interests.
2.4 Support Tickets
Our support system ingests emails sent to our support address. These emails and any attachments are stored to facilitate issue resolution. Our lawful basis is contract performance.
2.5 Portal & Authentication Data
Staff and client portal accounts store authentication credentials (hashed passwords, TOTP secrets, passkey data), session tokens, and access logs. This data is collected on the basis of contract performance and our legitimate interests in maintaining secure systems.
3. How We Use Your Information
- To deliver the web design, development, and digital services you have commissioned.
- To communicate with you about your projects and respond to support requests.
- To manage billing and client accounts.
- To maintain and improve the performance and security of our systems.
- To comply with legal obligations (e.g. Companies House requirements, HMRC).
- To analyse aggregated, anonymised usage trends to improve our services.
We do not sell, rent, or trade your personal data. We do not use your data for automated decision-making or profiling.
4. Third-Party Data Processors
We use the following third-party services which may process personal data on our behalf as data processors:
| Processor | Purpose | Location |
|---|---|---|
| Netcup GmbH | Server hosting (VPS/dedicated) | Germany (EU) |
| Cloudflare, Inc. | DNS management, CDN, DDoS protection, Web Analytics | USA / Global (SCCs apply) |
| MinIO / S3-compatible | File and attachment storage | Germany (EU) via Netcup |
Data hosted on our Netcup servers (Germany) benefits from the UK's adequacy decision for transfers to the EU/EEA. For Cloudflare, transfers are governed by Standard Contractual Clauses (SCCs) in accordance with UK GDPR Article 46.
Where we create Cloudflare accounts on behalf of clients (using the client's name and email to grant them ownership), the client becomes the account holder and controller of that Cloudflare relationship. We act as a facilitator in that setup only.
5. Data Retention
We retain personal data only for as long as necessary for the purpose it was collected:
- Client project data: Retained for the duration of the contract plus 7 years (to comply with UK tax and accounting obligations).
- Support tickets and communications: Retained for 3 years from closure, then securely deleted.
- Enquiry emails: Retained for 12 months if no business relationship follows, then deleted.
- Portal authentication data: Retained for the lifetime of the account. Deleted within 30 days of account closure upon request.
- Website analytics: Aggregated only; no personally identifiable data retained by us.
6. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
- Right of access — to request a copy of the personal data we hold about you.
- Right to rectification — to ask us to correct inaccurate data.
- Right to erasure — to request deletion of your data where there is no compelling reason for us to continue processing it.
- Right to restrict processing — to ask us to limit how we use your data.
- Right to data portability — to receive your data in a structured, machine-readable format.
- Right to object — to object to processing based on legitimate interests.
- Rights related to automated decision-making — we do not carry out automated decision-making or profiling.
To exercise any of these rights, please contact us at [email protected]. We will respond within one calendar month.
7. Cookies
Our public-facing website does not use tracking or advertising cookies. Cloudflare Web Analytics is cookie-free. If you use our client portal, session cookies are used solely to maintain your authenticated session and are strictly necessary for the portal to function. We do not serve third-party advertising or analytics cookies.
8. Data Security
We take the security of personal data seriously. Our technical measures include password hashing (bcrypt), multi-factor authentication (TOTP and passkeys), encrypted transmission (TLS), role-based access controls, and secure file storage. All servers are hosted at Netcup, a reputable German provider operating within EU data protection standards. While we take every reasonable precaution, no system is entirely immune to risk, and we cannot guarantee absolute security.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and, where required, notify affected individuals without undue delay.
9. Complaints
If you have concerns about how we handle your personal data, please contact us first at [email protected]. If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Helpline: 0303 123 1113
10. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this page will reflect any changes. We encourage you to review this policy periodically. Continued use of our website or services after changes are posted constitutes your acceptance of the revised policy.
Hillmorton Design and Development Ltd
Company No. 16957863 · ICO Registration: ZC114366 | 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
hillmortondnd.co.uk