Privacy Policy

How we collect, use, and protect personal data, for clients of Arcane Web and visitors to client sites we host.

Effective: To be finalised before first paying client

Draft, pending legal review. This document is a working draft. Final wording will be reviewed by a UK solicitor before the first paying client. If you spot anything that affects your decision, email hello@arcaneweb.co.uk.

1. Who is the data controller

For data we collect about Arcane Web clients (your account, billing, support correspondence): Arcane Analytics Limited is the controller. We process this data to deliver and maintain your service.

For data collected by your customers via the website we host for you (contact-form submissions, analytics): you are the controller and we are the processor. We process the data under your instruction.

2. What we collect

About you (the client): name, email, phone, business address, billing details (processed by Stripe, so we never see card numbers), intake responses, support correspondence, dashboard activity.

About your customers (visitors to your site): contact-form submissions (name, email, phone, message), basic analytics (page views, referrer, country, device type, with no individual tracking across sites).

3. What we don't collect

We do not use cross-site tracking, advertising cookies, or third-party analytics that profile individuals. We do not sell data. We do not use your customers' data for our own marketing.

4. Legal basis (UK GDPR)

Contract: processing client account data is necessary to deliver the service you signed up for.

Legitimate interest: basic analytics (no individual profiling) to operate and improve the service.

Consent: any optional marketing emails to clients are sent only with explicit opt-in.

5. Where data is stored

Client account data and lead submissions are stored in Google Firebase (Firestore) hosted in EU data centres. Static site content is delivered via Cloudflare's global CDN. Card data is processed by Stripe (PCI-DSS compliant). We do not transfer personal data outside the UK/EEA without an adequate transfer mechanism in place.

6. How long we keep data

Client account data: for the duration of the service plus 7 years (UK tax retention requirement on invoices).

Lead submissions: for as long as you maintain your account. Downloadable as CSV at any time. Deleted within 30 days of account closure unless you ask for an earlier deletion.

Support correspondence: 2 years after the conversation, or longer where required by law.

7. Your rights

Under UK GDPR you have the right to access your data, correct inaccuracies, ask for deletion (subject to our legal obligations), object to processing, and port your data to another provider. To exercise any of these, email hello@arcaneweb.co.uk. We respond within 30 days.

8. Sub-processors

We use the following sub-processors to deliver the service:

  • Google Cloud / Firebase: primary data storage (EU region)
  • Cloudflare: CDN, DNS, edge security
  • Stripe: payment processing (when live)
  • Pingram: transactional email delivery
  • Google Vertex AI: site-generation assistance (text only, no personal data persisted)

9. Breach notification

If we discover a personal-data breach that risks affecting you or your customers, we will notify you within 72 hours of becoming aware of it. Where the breach affects rights and freedoms of data subjects, we will report to the ICO as required by law.

10. Contact and complaints

For privacy questions or to exercise your rights, email hello@arcaneweb.co.uk. If you're not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO): ico.org.uk, 0303 123 1113.