top of page

Privacy Policy

Last updated: 30 June 2025

Introduction (Yes, This is One of Those Documents)

Welcome to the privacy policy of Design + Automate. We know – privacy policies are about as thrilling as watching paint dry. We’re slightly exasperated that we have to write a novella on this, but hey, the law (UK GDPR and PECR) requires it and your privacy matters to us. So brew a coffee (or something stronger) and read on for the what, why, and how of the personal data we collect on our website. We promise to keep it as clear and jargon-free as possible (with just a dash of sardonic wit), without skimping on the legal essentials.

In plain English, this policy explains who we are, what personal information we collect from you, what we do (and don’t do) with it, what rights you have, and how you can get in touch with us about any privacy questions. We’re not here to sell or misuse your data – we’re here to help UK small businesses automate things, not to automate the betrayal of trust. Now, let’s get into the details.

Who We Are & How to Contact Us

Data Controller: The organisation responsible for your personal data on this site is Design + Automate, which is a trading name of LF Capital Management Limited, a UK company (company no. 13261514). Our registered office is 127 Lucas Avenue, Chelmsford, England, CM2 9JP. (Basically, that’s our official alter ego in the eyes of the law.)

If you need to contact us about anything in this policy or about your personal data, please don’t hesitate to reach out. You can email us at hello@designautomate.co.uk. You can also send mail to our registered address (if you’re feeling old-school and enjoy stamps) – we’ll respond as helpfully (and swiftly) as we can.

What Personal Data We Collect (and How We Collect It)

To do our job (and run a functional website), we collect a few kinds of information:

  • Information You Provide Directly: When you interact with us, you may give us personal details. For example:

    • If you fill out our contact form, we ask for your first name, last name, email address, phone number, and your message/query. (Yes, we do want to know your name – calling you “Hey you” in emails felt too impersonal.)

    • If you book a free discovery call (via our linked calendar), you’ll provide scheduling details and contact info so we can talk.

    • If you choose to subscribe to our newsletter (the one you’ll only get if you explicitly say “Yes, subscribe me”), we collect your email address for that purpose.

    • Any other time you voluntarily give us info – whether by email, phone, WhatsApp, carrier pigeon, etc. – we’ll collect whatever data you choose to share (and use it to respond or assist, as you’d expect).

  • Information We Collect Automatically: Like most websites, we gather some data automatically when you visit designautomate.co.uk. This includes:

    • Technical details – e.g. your IP address, browser type, device type, operating system, and other nerdy computer stuff that gets logged by our website host (Wix) or analytics tools when you access our site. This is basically a digital “hello” your device gives our site, and it might be recorded in server logs.

    • Usage data – e.g. which pages you visit, how you got here (referring link or search query), the dates/times of visits, how long you stay on pages, buttons you click, how far you scroll, and so on. We collect this via cookies and similar tracking technologies (more on those annoying cookies later, we promise). This helps us understand what content is popular, whether our navigation makes sense, and if anyone actually reads our blog posts.

    • Session recordings and heatmaps – We use a Microsoft tool called Clarity that, with your permission, records anonymised videos of how you interact with our site (where you click or scroll, etc.) and generates “heatmaps” of aggregated user activity. It’s like a usability study, showing us which parts of a page attract attention or confusion. Don’t worry – this doesn’t record your personal details or any keystrokes in form fields; it’s behavioural data to help us improve the site’s design and user experience.

    • Cookies – small data files stored on your browser – are the main way we (and our third-party tools) automatically collect the info above. We’ll detail our cookie usage in the dedicated Cookies and Tracking section below (including those from Google, Microsoft, Facebook, and LinkedIn).

 

We do not collect any special categories of personal data (like sensitive info about health, religion, etc.) – frankly, we have zero interest in that, and our site isn’t built to handle it. We also don’t knowingly collect data from children; our services are aimed at adult business owners, not kids.

How We Use Your Data (Purposes & Lawful Bases)

Alright, here’s the crucial part: what we actually do with the personal data we collect, and why we’re allowed to do so under the law. Under the UK GDPR, we have to have a valid “lawful basis” for each use of personal data. In simpler terms, we need a good reason – like your consent or our legitimate need to do something – to use your info. Below we explain the purposes for which we process your data, and the corresponding lawful basis:

  • Responding to Your Inquiries or Requests: If you contact us via our form, email, phone, or book a call, we use your provided info to communicate with you and answer your questions or discuss our services. It might seem obvious – you asked us, so we reply – but legally our basis here is “legitimate interests.” It’s in our legitimate interest to assist potential or existing clients, and we believe it’s in your interest too to get a response (you did contact us, after all). If your inquiry is about potentially doing business with us (e.g. discussing a project proposal), then it’s also “necessary for steps prior to entering a contract” (UK GDPR Article 6(1)(b)) – in other words, we need to process your info to possibly provide our services to you. Rest assured, we’ll use your details only to handle your inquiry and not for any unrelated marketing unless you specifically opt in.

  • Providing Our Services to You: If you become a client or engage our automation/AI services, we will process whatever personal data is necessary to deliver those services and manage our business relationship. This includes corresponding with you, planning and implementing your projects, and handling billing or administration. The lawful basis is “contract” – processing is necessary for us to fulfill our contract with you (or to take steps you request before entering a contract). For example, if we automate a workflow that involves your data, obviously we have to use that data as part of the service you asked for.

  • Sending Our Newsletter or Marketing Communications: We hate spam, so we’ll only send you marketing emails if: a) you have explicitly subscribed to our newsletter or requested such updates, or b) you’re an existing customer who’d reasonably expect occasional product/service updates (and even then, we’ll ensure you have a clear opt-out). The point is, consent is our primary basis for email marketing – you’ll have ticked a box or otherwise clearly agreed to hear from us. If you sign up for our newsletter (when it’s available), we’ll use your email to send you AI and automation tips, company news, and similar content. No email marketing platform is currently in use (we’re not blasting out Mailchimp campaigns or anything), so for now it’s fairly low-volume and manual. And of course, you can withdraw your consent any time – every marketing email will include an “unsubscribe” link, or you can just contact us and say “stop sending me stuff” (no hurt feelings). We will promptly remove you from the list.

  • Website Functionality & User Experience: We process some data to run and improve our website. This includes using certain cookies that are necessary for the site to function (for example, Wix may set cookies to enable page loading or to remember your cookie preferences). For strictly necessary data (like ensuring the website displays correctly or preventing fraud), our lawful basis is our legitimate interests in operating a secure, efficient website (or sometimes “performance of a contract” if you consider just using the website a sort of contract for us to deliver content). We balance this against your rights and ensure this type of data use isn’t intrusive. For example, our site may log technical info (IP address, etc.) in server logs for security and debugging – we do that to keep things running smoothly and safely. We also may use your data in aggregate to improve design – e.g. if Clarity shows most users never scroll to the bottom of a page, we might rearrange content (that’s a legitimate interest in improving our service, without impacting your privacy negatively).

  • Analytics and Insight (with Consent): To sharpen our website and marketing, we use analytics tools – specifically Google Analytics and Microsoft Clarity – which collect data about how visitors use our site. However, because these tools use non-essential cookies, we only activate them if you give consent via our cookie banner (in compliance with PECR’s strict consent rules for tracking). When permitted, Google Analytics helps us see overall website metrics (like number of visitors, popular pages, referring sites, etc.), and Microsoft Clarity provides session replays and heatmaps, as mentioned. We use this information to understand our audience and make data-driven improvements – e.g. refining content, fixing navigation issues, or gauging interest in our services. The lawful basis here is consent (UK GDPR Article 6(1)(a)), since you have the choice to allow or decline these analytics cookies. If you do consent, you can always change your mind later (see “Cookies” below on how to adjust settings). And if you choose not to consent, don’t worry – our site will still work just fine; we just won’t have the benefit of your particular visit’s data (no hard feelings!).

  • Advertising and Retargeting (with Consent): Like many small businesses, we occasionally run online advertising campaigns. To help measure and tailor those campaigns, we use the Facebook Pixel (by Meta) and LinkedIn Insight Tag on our site. These are little pieces of code that, again, rely on cookies/tracking to do things like: track conversions (e.g. if you came to our site from a Facebook ad and filled out the contact form, the pixel tells us that our ad was successful), build a “custom audience” for ad targeting (e.g. so we could show follow-up ads on Facebook or LinkedIn to people who visited our site), and otherwise optimize our ads to be more relevant. We only deploy these tracking pixels if you give consent via the cookie banner, since they are non-essential and used for marketing. The lawful basis is consent (not “legitimate interest” – we’re not going to argue that showing you ads is in your vital interest, promise). If you do opt in, these pixels will allow Meta (Facebook/Instagram) and LinkedIn to know that you visited our site and to link that information with your user profile on their platforms (if you have one), in order to, for example, show you an ad for our services later. Essentially, the social media sites track visitors to our website to help tailor advertising messages you see on their platforms. (We know, the idea of being “followed” by ads can be irritating – that’s why we seek your explicit permission first.) You can always decline or revoke consent for these, and you’ll still get ads in the world – they just won’t be our specifically targeted ads.

  • Compliance with Legal Obligations: If we’re ever required by law to process or disclose your personal data, we will do so as necessary to comply. For example, if tax law requires us to keep invoicing records that include your name or business contact info, we’ll retain those records as mandated. This processing is based on legal obligation (UK GDPR Article 6(1)(c)). Another example is responding to lawful requests by authorities or court orders – we’d have to provide data if legally compelled, but we’d only hand over what’s required and only to the proper authorities.

  • Protecting Our Rights, Security, or Property: We may process and possibly share data if needed to enforce our terms of service, prevent abuse of our services, investigate potential security issues or fraud, or defend ourselves in legal disputes. This would fall under legitimate interests as well – our legitimate interest in safeguarding our business, preventing wrongdoing, and asserting legal rights. For instance, we keep server logs (including IP addresses) to monitor for malicious activity and may analyse or share those logs if we detect an attack or need to investigate a security incident. We hope this never becomes relevant, but we have to mention it.

Let’s be crystal clear on one thing: We do NOT sell your personal data to anyone. We don’t trade it for magic beans, we don’t lease it, and we haven’t suddenly changed careers into data brokering. Any personal information you entrust us with is used for the purposes above and shared only with the categories of partners described below.

Also, if we ever want to use your data for some new purpose that isn’t covered here, we’ll update this policy and/or ask for your consent as required. We’re not into surprises when it comes to privacy.

Cookies and Tracking Technologies (AKA “Why Is There a Cookie Banner?”)

Like virtually every modern website, we use cookies and similar tracking technologies to make our site work properly and to help us understand and improve it. Unfortunately, these aren’t the tasty chocolate chip kind of cookies, but small text files stored on your browser. Since UK law (PECR) treats non-essential cookies like a big deal, we have that little banner asking for your preferences. Here we explain what we use and why:

  • Essential Cookies (Strictly Necessary): These cookies are needed for our website to function and cannot be switched off (without breaking things). They include, for example:

    • Wix platform cookies: Our site is built on the Wix platform, which uses certain necessary cookies to enable core functionality – like page loading, routing you to the nearest server for speed, preventing cross-site request forgery (security), and remembering cookie consent choices. These cookies do not gather your personal info for marketing – they’re just doing the behind-the-scenes housekeeping of the site. Because they are essential for service, we use them under legitimate interests (no consent required for these, as per PECR’s exemptions).

    • Form and spam protection cookies: When you submit a contact form, there may be a session cookie to keep track of the form submission. Also, to protect against spam bots, our site might use an anti-forgery or captcha cookie/token. Again, these are purely functional and security-related.

  • Analytics Cookies: These are the optional cookies that collect information about how visitors use our site. We utilise:

    • Google Analytics (GA): GA sets first-party cookies (like _ga) to gather data on site usage – e.g. number of visitors, pages visited, time spent, and interactions. The data collected typically includes online identifiers (like a cookie ID and truncated IP address), device and browser info, and site engagement metrics. We have configured Google Analytics with IP anonymisation turned on, meaning your IP address is shortened so it cannot directly identify you. Google Analytics cookies allow us to “analyse how users use the site” and compile reports for us. For instance, we can see that “50 people visited the Automation page this week” or “Most users come from Google search.” This info is aggregated and helps us improve content and usability. Important: Google Analytics data may be processed by Google outside the UK (e.g., in the US or elsewhere), but Google is bound by contractual clauses to protect your data (see “International Data Transfers” below for more on that). We only deploy GA cookies with your consent – if you decline analytics, GA will not run.

    • Microsoft Clarity: Clarity sets cookies (like _clsk and _clck) to enable session recording and heatmap functionality. These cookies help tie together user actions in a single session for analysis (e.g. so the recording knows it’s you moving from page A to page B on one visit). Through Clarity, we capture behavioural metrics, session replays, and heatmaps of how visitors interact with our site. This data lets us improve our website design and user experience (for example, if Clarity shows nobody clicks a certain button, we might reposition it or label it better). Clarity’s cookies and scripts do not collect sensitive personal data – they mostly track usage patterns. However, they do transmit usage data to Microsoft. Microsoft may combine Clarity data with its advertising and analytics services; in fact, we “partner with Microsoft Clarity (and possibly Microsoft Advertising) to capture how you use and interact with our website… through cookies and other tracking technologies”. We use Clarity’s insights for site optimization, detecting usability issues, and sometimes for advertising analysis (e.g. seeing if users from a campaign behave differently). Clarity data is stored by Microsoft, potentially on servers in the United States, and Microsoft may process it further for its own analytics. Again, we only use Clarity with your consent. If you opt out of tracking, Clarity won’t record your session. (On the bright side, Clarity automatically deletes raw session recordings after 30 days, so your on-site antics aren’t preserved forever – even we can’t replay your mouse wiggles after a month.)

  • Advertising/Marketing Cookies (Facebook and LinkedIn Pixels): These are also only set if you give consent via the banner. They include:

    • Meta (Facebook) Pixel: This cookie (and associated code) allows Meta to recognize you visiting our site and possibly connect that info with your Facebook/Instagram profile. It basically tells us and Meta if certain actions occurred (like “User visited the pricing page” or “User submitted the contact form after coming from an ad”). We use this to measure ad conversions and to build audiences for future ads. For example, we might target an ad to people who visited our site but didn’t fill the form, or exclude those who already became leads – the Pixel makes that feasible. What data does it collect? Things like your device information, the pages you visit on our site, and a Facebook cookie identifier. This can result in you seeing our ads on Facebook or Instagram if you fit our target criteria. Facebook’s use of this data is governed by Facebook’s own privacy policy, and they may also use it to improve their advertising systems. We do not get personal details about you from Facebook – we just see aggregated ad campaign stats. If you opt out of marketing cookies, the Facebook Pixel is not activated.

    • LinkedIn Insight Tag: Similar to the FB Pixel, the LinkedIn Insight Tag drops a cookie that allows LinkedIn to know you visited our site. It helps us measure LinkedIn ad performance and do retargeting. For instance, if you clicked one of our LinkedIn ads, the Insight Tag reports conversion events (like contacting us) so we know the ad worked. It also enables building of a “Matched Audience” on LinkedIn (e.g. to show follow-up content to site visitors). Data collected includes your LinkedIn user ID (if you’re logged in), IP address, device info, and timestamps. LinkedIn hashes (scrambles) this data and uses it to provide us with anonymised reports about our audience and ad effectiveness, and to fuel their ad targeting algorithm. Again, no LinkedIn tracking happens unless you consent. If you do consent but later have second thoughts, you can clear cookies or use LinkedIn’s Ad Preferences settings to opt out of ads.

  • Other Tracking Technologies: We avoid any creepy or unnecessary trackers. We do not use any key-logging, nor do we use third-party ad networks beyond the ones mentioned. We might have social media share buttons or links on our site – clicking those may lead to the third-party platform (e.g. our LinkedIn or Facebook page), which has its own cookies, but we’re not directly embedding their trackers aside from the pixels described. We also do not use any email tracking pixels at this time (since we’re not sending mass emails yet).

Your Choices: When you first visit our site, you’ll see a cookie banner asking you to consent to Analytics and Marketing cookies. You can accept all, reject all, or pick and choose. Whatever you decide, we’ll honor it – no cookies will be set for purposes you disallowed (except the strictly necessary ones which don’t require consent). If you simply ignore the banner and continue using the site without making a choice, we will treat that as a “no” for anything optional (we won’t assume you love cookies by default – that would not be cool).

If you change your mind later, you can usually find a “cookie settings” link on our site (often in the footer) to update your preferences. You can also control cookies through your browser settings: all major browsers let you block or delete cookies. Feel free to clear our cookies any time – at worst, you’ll just be treated as a new visitor and see the cookie banner again.

Keep in mind, if you disable all cookies (especially via browser settings), some parts of the site might not function perfectly. For example, videos might not load, or we might not remember that you already dismissed a pop-up, etc.. But for the most part, you’ll still be able to read content and contact us.

For more detailed info on how each third-party uses cookies and data: you can check out Wix’s privacy policy, Google’s Privacy Policy (for Analytics), Microsoft’s Privacy Statement (for Clarity), Facebook’s Data Policy, and LinkedIn’s Privacy Policy. (We’ve linked some of these in context above.) We know that’s a lot of reading – the summary is that these providers are not supposed to use your data for anything other than providing services to us (or for their own legitimate purposes like improving their services), and they shouldn’t share it further. We contractually require them to protect your info and not use it for their own marketing or other purposes without permission.

Sharing Your Data: Third Parties and Service Providers

We do not play fast and loose with who gets to see your data. In general, we’ll only share your personal information with third parties in the following contexts:

  • Companies that Help Us Run Our Website and Business (Processors): We use a few key service providers to operate Design + Automate. These third parties process data on our behalf and are bound by contracts to safeguard it and use it only under our instructions. The main ones are:

    • Wix.com Ltd.: Our website is hosted and built on Wix. So when you enter information on our site (like submitting a contact form or subscribing to the newsletter), that data passes through and is stored on Wix’s servers. Wix might incidentally process things like your IP address, device info, and form submissions to provide their hosting service to us. They also give us an interface to view and manage the data. Wix is a processor for us, meaning they shouldn’t use your data for their own purposes. You can read more in [Wix’s privacy documentation]. We chose Wix for its robust platform – part of that includes security measures to protect your data (e.g. HTTPS, DDoS protection).

    • Airtable (Formagrid, Inc.): We use Airtable as a simple customer relationship management (CRM) database. This means when you fill out our contact form, your submitted information (name, contact details, message) may be automatically logged in our private Airtable database. Airtable is basically a cloud spreadsheet/database where we track leads and client info. Airtable acts as our data processor – they store the data on their secure servers so we can organize and reference it. They do not access or use that data except as needed to keep it hosted and backed up for us. (Fun fact: Airtable is US-based, but we ensure appropriate safeguards for data transfers, as discussed later.) We like Airtable because it helps us not lose track of who contacted us and when – it’s our memory bank, and it’s permission-based so only our small internal team can access it.

    • Email and IT Providers: If you email us at hello@designautomate.co.uk, your email will route through our email service provider (which might be e.g. Google Workspace or Microsoft 365 – whichever we use for company email). Those providers will store your email and our responses. They are also bound to keep data secure. Additionally, our IT systems (computers, cloud storage for documents, etc.) may temporarily hold your information if it’s part of our business records (for example, if we draft a proposal that includes your name or requirements, that document might be stored on a cloud drive accessible only to our team). All such providers are selected carefully for security and privacy compliance.

    • Analytics and Tracking Providers: As detailed, we use Google Analytics and Microsoft Clarity – these involve sending usage data to Google and Microsoft. In those cases, those companies are somewhat acting as our service providers (they give us analytics results), but they also may use the data for their own purposes (e.g. improving their analytics services). We have agreements/Addendums in place (like Google’s Data Processing Addendum) to ensure they handle data lawfully. We also use Meta (Facebook) and LinkedIn via their pixel integrations, which means those companies receive some data when you allow those cookies. Technically, when you permit marketing cookies, we and the pixel providers are considered “joint controllers” for that data – we decide to collect it for ads, and they deliver the ad technology and further processing. We’ll each have responsibilities: we decide the targeting, and they display the ads and secure the data. In any case, we do not get personal identifiers from them – we only see aggregated campaign performance. But we want you to know that when you opt in to those trackers, your data is also in the hands of those big companies (Google, Microsoft, Meta, LinkedIn), under their privacy policies.

  • Professional Advisors: On occasion, we might have to share information with our professional advisors (lawyers, accountants, etc.) for legitimate reasons – for instance, sharing a contract with our lawyer that contains your name and address, or showing an invoice with your company name to our accountant. We limit such sharing to what’s necessary for the advisor to provide their service to us and expect them to keep it confidential (they have their own professional ethics and privacy obligations).

  • Legal Compliance and Protection: If compelled by law or regulators, we may disclose certain data. For example, if the tax authority or a court subpoena demands to see our business records, which might include client contact details or transaction histories, we have to comply. Similarly, if disclosing data will help prevent a crime, fraud, or protect someone’s safety, we may do so. We will only share what is necessary and permitted. In all such cases, we’d carefully verify the request’s legitimacy.

  • Business Transfers: We’re a small business, but if in the future Design + Automate (or LF Capital Management Ltd.) goes through a business transition – such as a merger, acquisition by another company, or sale of assets – personal data we hold might be transferred to the new owner as part of that deal (so they can continue the service). If that happens, we’ll ensure your data remains subject to the same protections and this privacy policy (unless you’re notified otherwise and given a chance to opt out). We’re not planning to sell out to Big Tech just yet, but we have to mention this possibility.

What we don’t do: We don’t share your information with third-party advertisers or unknown parties for their own marketing. You won’t find us suddenly sending your data to some random partner without your knowledge. If we ever want to spotlight your success story or something in our marketing, we’d ask for your permission first – that’s more of a case-by-case courtesy than a systemic data sharing anyway.

In summary, when we share data it’s either because we have to (to run our operations or by law) or because you’ve allowed us to (like with pixels). All third parties we work with are expected to handle your data with care, keep it secure, and use it only for the specific services they provide to us. We’ve done our due diligence to pick reputable providers with strong privacy practices. If you want more details on any specific third party or have concerns, feel free to contact us.

Data Retention: How Long We Keep Your Info

We don’t want to keep your personal data indefinitely, nor do we want to delete it too soon and forget who you are. We aim to keep data only for as long as necessary to fulfill the purposes we collected it for (remember those purposes above?), including for satisfying any legal, accounting, or reporting requirements. Here’s how that plays out for different categories:

  • Inquiry Data (Contact Form, Emails, Calls): If you reach out to us and we have a back-and-forth, we will retain that correspondence and your contact details as long as it’s needed to assist you and follow up. If it looks like you’re interested in our services, we’ll keep your info while we continue that conversation or engage in a project. If ultimately you don’t become a client and the conversation peters out, we will likely keep the inquiry information for a reasonable period (up to 12 months, for example) in case you come back or have follow-up questions, and for our own reference (so we remember what we discussed). We periodically review old inquiry records, and if we’re quite sure the conversation is over and there’s no further legitimate interest in retaining the data, we’ll delete it from our CRM and inbox. That said, if your inquiry leads to a contract, then we’ll keep the data as part of our business records (see next point).

  • Client Data (Project and Contract Information): For customers who use our services, we will keep your data for the duration of our working relationship and thereafter as required by law or our legitimate interests. For example, we generally need to retain records of services provided, contracts, and invoices for 6 years for tax and financial record-keeping (a common requirement) – these records may include your name, business details, and transaction information. We may also retain project-related communications or work product for our reference (unless you request otherwise), at least until it’s no longer relevant. After the mandatory retention period, we’ll delete or anonymize client personal data that’s no longer needed. Anything that is just useful for historical reference (but not legally required) we’ll keep under review and securely archive or dispose of when appropriate. In summary, if you become a client, expect us to hold onto the basics of our interactions for several years, but not forever.

  • Newsletter Subscription Data: If you’ve subscribed to our newsletter, we’ll keep your email on our mailing list until you unsubscribe or until we decide to discontinue our newsletter service. If you unsubscribe, we will promptly remove you from the active list (though we might keep a suppression list of unsubscribed addresses to make sure we don’t accidentally re-add you, as is standard practice). If we notice that emails to you bounce or you never engage, we might also remove your email after some time to clean our list. Since we currently aren’t using an external email marketing platform, this is a pretty manual process and we won’t be spamming you regardless.

  • Analytics Data: Google Analytics and Microsoft Clarity each have their own data retention settings. We have configured Google Analytics to retain user-level and event-level data for a default period (often 14 months) after which it gets automatically deleted from Analytics’ servers (we only see aggregated statistics anyway). Clarity deletes unimportant session records after 30 days, and any “favorite” recordings or heatmaps we save can last up to 13 months. We don’t personally store analytics data outside those platforms. We might download aggregated reports (which don’t identify individuals) and those could be kept indefinitely for trend analysis. But any identifiable analytics data is subject to the third-party retention limits and our account settings with them. In short, your website usage data isn’t kept forever – it either gets anonymized or auto-purged in time.

  • Pixel Data (Facebook/LinkedIn): We do not directly hold any personal data from the Facebook or LinkedIn pixels – all that info is with Meta and LinkedIn. They have their own retention policies (for instance, LinkedIn Insight data is typically deleted after 90 days in a usable form). If we use the data for building an ad audience, those audiences on the ad platforms update dynamically and individuals can remove themselves via their privacy settings on those platforms. We won’t have anything in our systems to delete, because we never see individual identities from pixel tracking. So the retention here is more on Facebook/LinkedIn’s side (refer to their policies for specifics).

  • General: In all cases, when we say we delete data, we strive to truly remove it from our active systems. However, note that backups or archives may linger for a bit. Our providers (like Wix or Airtable) may have routine backups that could contain your data even after we “delete” it. These backups are typically kept secure and eventually overwritten per their schedules. We will not restore or use backed-up data except if needed for disaster recovery (i.e. if we had to restore the whole system). We also might retain anonymized data (with personal identifiers removed) for statistical purposes indefinitely, because anonymous data isn’t personal data anymore.

In determining exact retention periods, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from retention, the purposes of processing, and legal requirements. For instance, if holding onto some information longer could pose a risk to your privacy and we have no strong reason to keep it, we’ll dispose of it. Conversely, if we think a piece of data is crucial for defending a legal claim or for tax records, we’ll hold it for the legally recommended time.

To summarize: we keep your data no longer than necessary. If you ever want us to delete something sooner (and we have no legal obligation to retain it), you have the right to ask – see “Your Rights” below – and we’ll gladly comply.

Data Security: How We Protect Your Information

We take security seriously – partly because we’re obligated to, and partly because we’re tech nerds who just find data breaches to be so uncool. We have implemented a variety of measures to safeguard your personal data from loss, misuse, unauthorized access, alteration, or disclosure. Here’s an overview (in human language):

  • Website Encryption: Our website is only accessible over HTTPS – the “lock” in your browser bar. This means any data you submit (like form inputs) is encrypted in transit using SSL/TLS. It’s like sealing a letter in an envelope – it prevents eavesdroppers from reading the content as it travels across the internet. So, when you type in that contact form, your info is scrambled while it goes from your browser to our server.

  • Secure Hosting (Wix): We rely on Wix’s security infrastructure to keep the site and its data safe. Wix is a well-established platform, and they employ measures like firewalls, intrusion prevention, and security monitoring. They also isolate our environment so that other Wix users can’t access our data. They regularly update their systems to patch vulnerabilities. In short, our site benefits from Wix’s enterprise-grade security team (which is great, because our own team is just a handful of folks with a million other tasks).

  • Access Controls: Internally, we operate on a need-to-know basis. Only the founder and a few authorized team members (if any) have access to personal data you provide, such as our Airtable CRM or the Wix dashboard. Each of these accounts is protected with strong passwords and (where possible) two-factor authentication. We don’t share login credentials loosely, and we train ourselves (and any staff) to follow good security practices. There’s no big company here with hundreds of employees snooping – it’s a small, tight ship.

  • Airtable & Cloud Security: Data stored in Airtable or any cloud service we use is subject to those services’ security measures. Airtable, for example, encrypts data at rest and in transit, and they have certifications like SOC2. We treat external cloud tools like an extension of our infrastructure, and we choose reputable ones with solid security track records. We also organize data in such a way that personal info is contained and not spread everywhere. For instance, if we export a list of contacts for some reason, we handle that file carefully and delete it when done.

  • Device and Network Security: Our computers and devices that may access personal data are secured with passwords/PINs, and they’re kept up-to-date with security patches and antivirus software. We avoid using public Wi-Fi for accessing sensitive data, or if we must, we use a VPN. It’s all pretty standard stuff, but it reduces the risk of someone intercepting data. We also lock our devices when not in use – no opportunistic shoulder surfing allowed!

  • Preventative Measures: We employ common-sense measures to prevent breaches. For example, we won’t click suspicious links in emails (phishing is real, folks), and we’re wary of unsolicited downloads. We also back up important data (encrypted) so that a ransomware attack or hardware failure won’t result in permanent data loss. Our site forms have anti-bot protections to prevent spam that could clog our systems or attempt injection attacks. We monitor for any suspicious activity, and Wix does as well.

  • Third-Party Standards: When we share data with service providers, we ensure via contracts or terms that they will protect it adequately. For instance, our data processing agreements with providers like Wix, Google, etc., include commitments to security. These providers often have internationally recognized security certifications. While we can’t physically go and guard Google’s data centers (we wish!), we do trust but verify – meaning we review their security statements and ensure they align with UK GDPR requirements.

  • Breach Response: Despite all these efforts, no system is 100% foolproof. If a security incident (data breach) were to occur that affects your personal data, we have a procedure in place to deal with it. We would promptly contain the issue, assess the scope of impact, and take steps to mitigate any harm. If the breach is significant in risk, we will notify the UK Information Commissioner’s Office (ICO) within 72 hours as required by law, and also inform you if your data is involved and there’s potential risk to you. We hope we never have to do this, but we’re ready to act responsibly if it happens.

In summary, we apply industry-standard security measures and a dose of practical paranoia to keep your data safe. We treat your personal information with at least the same care as we treat our own sensitive information. However, please remember that the internet is not an impregnable fortress – if you send us information, especially over email or other non-encrypted channels, there’s always some inherent risk. We encourage you to use the secure forms on our site or encrypted email if you have particularly sensitive info to share.

If you have any specific questions about our security practices, feel free to ask. (Just note we might not give out too many details, since describing all our security tricks might itself be a security risk!)

International Data Transfers

We’re a UK-based business and we primarily aim to store and process data within the UK or the European Economic Area (EEA). That said, some of the third-party services we use are global companies, and your data might be transferred to or accessed from outside the UK/EEA in certain cases. We want to be transparent about this:

  • Wix: Wix is headquartered in Israel (which is deemed to have adequate data protection by the UK) and also has servers in Europe and possibly the USA. When you use our site, your data could be stored in data centers outside the UK, but Wix guarantees that transfers of European/UK user data are covered by proper safeguards (Israel’s adequacy decision, or Standard Contractual Clauses for any other locations). So, if your data leaves the UK via Wix, it’s protected.

  • Airtable: Airtable’s infrastructure is in the United States. That means the contact details you submit, which we store in Airtable, will likely reside on U.S. servers. The UK has not (as of the date above) declared the US as having adequate protection by default, so we rely on standard contractual clauses (SCCs) and Airtable’s adherence to them to safeguard that data. In essence, Airtable contractually commits to handling your data with GDPR-level care even on U.S. soil. We also only store what’s necessary in Airtable to minimize exposure.

  • Google (Analytics): Google may process analytics data on servers outside the UK (often in the US). However, in our case, Google Analytics is configured to anonymize IP addresses within Europe, and Google is subject to SCCs for EU/UK data transfers. Additionally, as of mid-2025, there’s a new EU-US Data Privacy Framework in play (and the UK is working on a similar “Data Bridge” with the US). Google has certified to relevant frameworks to allow continued data flow. We understand this area is evolving (thanks to legal challenges like Schrems II), but we keep an eye on it. If Google couldn’t lawfully transfer data, we’d adjust our analytics approach. For now, though, analytics data might go to the US, but with safeguards.

  • Microsoft (Clarity): Clarity data is stored in the United States by Microsoft. When you consent to Clarity, you’re acknowledging that this usage data will be processed in the US. Microsoft, for its part, is a signatory of the appropriate data transfer agreements (using SCCs, etc.) to allow that. We also note that Clarity masks certain sensitive info and we don’t intentionally record any personal identifiers in session replays. Regardless, the transfer is happening, so we ensure it’s legally covered.

  • Meta/Facebook and LinkedIn: The pixel data going to Meta and LinkedIn could end up on servers around the world (including the US). Both Meta and LinkedIn have SCCs in place for European data. Meta also has the new Data Privacy Framework certification as of 2023 (for EU-US transfers, expected to extend to UK via the “data bridge”). So if you consent to our marketing pixels, your data may travel to the US, but under those companies’ compliance measures. Additionally, these companies store EU/UK user data partially on EU servers – but there’s some cross-border access for centralized processing. We obviously can’t control exactly where their servers are, but we trust the legal mechanisms in place. If any of this makes you uncomfortable, you are free not to opt in to those cookies.

  • Email/Other Services: If you email us, note that our email service might route data outside the UK (for example, if we use Gmail, Google’s servers could be in various countries). However, these are protected by SCCs as well. Any other software or IT service we use, we ensure it’s either UK/EU based or has a proper data transfer mechanism.

Our stance is: we do not intentionally transfer your personal data to countries without adequate protection unless it’s necessary and we have a lawful basis to do so, and even then we implement safeguards. Those safeguards typically include the European Commission’s Standard Contractual Clauses (SCCs) extended to UK via the ICO’s International Data Transfer Addendum, which contractually oblige the recipient to protect your data to GDPR standards. In some cases, as noted, the country (like Israel) is recognized as having adequate laws, which simplifies things.

If for some reason we needed to transfer data somewhere else (say, we onboard a new provider in a country not covered by an adequacy decision), we would either seek your consent or ensure another valid transfer mechanism (like binding corporate rules, etc.) and update this policy accordingly. We might also perform risk assessments as needed to make sure your data, when abroad, isn’t at undue risk of prying by foreign authorities.

The bottom line: None of our routine operations involve you, the user, having to send your data to some far-flung land. It mostly happens behind the scenes via the tools we use. And when it does, we’ve got the legal and security layers in place to protect it. If you have questions about cross-border data, let us know – international data flow can be complex, but we’ll try to explain further if needed.

Your Rights Under UK Data Protection Law

Even though legalese can be a pain, this part is actually about your power over your data. Under the UK GDPR (and the Data Protection Act 2018), you have a suite of rights regarding the personal data we hold about you. We’re here to respect and facilitate those rights. Here’s an overview of what you can do:

  • Right to Be Informed: First off, you have the right to know what we do with your data, who we are, and all that – basically the purpose of this very policy. We hope we’ve informed you clearly, but that’s an ongoing right – if anything remains unclear, you can ask us and we’ll provide further info.

  • Right of Access: You can ask us to confirm if we’re processing your personal data, and if so, request a copy of that data and additional details about how we use it. This is often called a “Data Subject Access Request” (DSAR). In plain terms, you can see the data we have about you. We’ll provide it, usually free of charge, within one month of your request. If you need it in a particular format, let us know – we’ll try to accommodate (and by law, if feasible, we should give it in a commonly used electronic form). We might ask you to verify your identity first (we don’t want to hand your data to an impostor).

  • Right to Rectification: If you believe any personal data we hold about you is inaccurate or incomplete, you have the right to get it corrected. Just tell us what’s wrong and what it should be, and we’ll fix it. For example, if we spelled your name incorrectly or an old phone number is on file, we’ll update it. We want our data about you to be correct (if only our personal photo ID could be as easily updated as our CRM entries!).

  • Right to Erasure: Commonly known as the “right to be forgotten,” this allows you to request that we delete your personal data. This isn’t absolute (you can’t make us erase every trace if there’s a strong reason for us to keep it), but you can ask for deletion in certain circumstances – for instance, if the data is no longer needed for the purpose it was collected, or if you withdraw consent and we have no other legal basis to keep it, or if you object to processing and we have no overriding interest, or if we handled your data unlawfully in some way. If you ask for erasure, we’ll either comply fully or explain why we can’t (for example, if it’s something we must keep for legal compliance, we’d let you know that). If the data has been shared with a third party, we’ll inform them of the need to erase it too, where feasible.

  • Right to Restrict Processing: You can ask us to pause or limit the processing of your data in certain scenarios. Essentially, you might not want it erased, but just frozen. For example, if you contest the accuracy of data, you can request we not use it until it’s verified. Or if we no longer need the data but you need us to keep it for a legal claim, we’d mark it as restricted. During restriction, we can still store it but not actively use it (except to, say, enforce rights or if you consent or for important public interests). We’ll let you know when a restriction is lifted.

  • Right to Data Portability: This allows you to obtain and reuse the personal data you’ve given us, for your own purposes across different services. It only applies to data you provided to us, that we process by automated means, and based on your consent or a contract. In practice, this is more relevant for, say, transferring your social media photos or your contacts list to another provider. For us, it might apply if you, for instance, wanted all the data you submitted in a machine-readable format. If it’s applicable, we will provide your data in a structured, commonly used, and machine-readable form (likely a CSV or JSON file) and you can ask us to transmit it to another controller if technically feasible. To be honest, we don’t hold a lot of data that would be useful elsewhere, but the right is yours nonetheless.

  • Right to Object: You have the right to object to certain processing activities. The big one is direct marketing – if we ever send you marketing emails or targeted ads, you can object at any time and we must stop. This is typically handled by the unsubscribe mechanism for emails or not consenting to cookies for targeted ads. If you object to marketing, we will cease ASAP (no convincing attempts, just action). You can also object to processing based on legitimate interests (or tasks in public interest/exercise of official authority, which we don’t do). If you object on these grounds, you need to give us a reason related to your situation, and we’ll consider it. If we can show compelling legitimate grounds for the processing that override your interests, we may continue; otherwise, we’ll stop. For example, if you object to us processing your data for website improvement via legitimate interest, we’d weigh our need to improve service against your privacy concern. If your interest prevails, we’d stop or find an alternative.

  • Right to Withdraw Consent: In cases where we rely on your consent (like for analytics cookies, marketing emails, etc.), you have the right to withdraw that consent at any time. Withdrawal is easy – click “unsubscribe” in an email, toggle off the cookie, or contact us with your request. Once consent is withdrawn, we will stop the processing that was based on it. (Note: withdrawing consent doesn’t retroactively make prior processing illegal – e.g. if you consented to cookies last week, we were allowed to use them last week, but we’ll stop going forward.)

  • Right Not to Be Subject to Automated Decision-Making: This mouthful of a right is about not being subject to decisions made solely by algorithms that have significant effects on you (like something that affects your legal status or finances) without human involvement. We can assure you we do not do any such automated decision-making or profiling with your data. There’s no AI here deciding whether you’re a worthy client or setting prices just for you – any decision-making (like who we take on as a client) has human brains and hearts involved. So this right is more theoretical in our context – you won’t be subject to robo-judgment by Design + Automate.

  • Right to Complain: While not a “data right” per se, you absolutely have the right to lodge a complaint with the supervisory authority if you believe we’re not handling your data lawfully or your rights properly. In the UK, that’s the Information Commissioner’s Office (ICO). We include more on this below in “Complaints” – just know that you’re empowered to escalate concerns if needed.

We want to emphasize: Your rights are important to us. We won’t ever punish or refuse service just because you exercise your privacy rights. Our goal is to be transparent and fair. If you exercise a right, we’ll honor it to the fullest extent applicable. There are, as noted, exceptions and nuances (GDPR has some fine print), but we’ll guide you through that if it comes up.

If you want to exercise any of these rights, just contact us (see below). We might need to verify your identity, especially for access, deletion, or any serious changes – we don’t want to hand out or alter data at the request of an impostor. We may ask you to specify your request so we can address it effectively (e.g. tell us what data you want access to, or what you want corrected).

We will respond as soon as possible, generally within one month of receiving your request. If your request is complex or you’ve made multiple requests, we’re allowed to extend this by up to two further months, but we’d inform you and explain why if that happens. Our response will typically be in writing (usually via email). If we for some reason cannot fulfill your request, we will explain our refusal and the reasons (and you would have the right to challenge that via the ICO or a court).

And good news: we do not charge a fee for handling your rights requests. It’s all free. The only time we could charge is if a request is manifestly unfounded or excessive/repetitive, but that’s very rare – and we’re not looking to make money off this anyway. So don’t hesitate to ask.

Exercising Your Rights & Contacting Us

To exercise any of your rights outlined above or to ask a question about your personal data, the easiest way is to email us at hello@designautomate.co.uk. You can also write to our postal address provided in the “Who We Are” section, but email will likely get you a faster response.

When you reach out, please clearly state what you’re asking for. For example, “I’d like a copy of all data you have on me,” or “Please correct my phone number to XXXXX,” or “I withdraw consent for analytics cookies,” etc. If you are making an access request, it would help (but it’s not required) to specify the context – e.g. “I filled out your contact form last year” – so we can pinpoint data more quickly. We might reply asking for clarification if needed.

As noted, we may need to verify your identity to ensure we’re dealing with the right person. We might ask you to confirm some details we have on file or provide an ID in some cases (particularly for access or deletion of significant data). This is purely a security measure. We’ll handle any ID info you provide with utmost confidentiality and delete it once your identity is confirmed.

Once verified, we’ll proceed with the action requested. We’ll keep you updated on the progress and completion of your request within the legal timeframe (usually within one month).

If you have any general privacy questions – maybe something in this policy confused you, or you want to know more about how a certain tool handles your data – feel free to ask. We admit we might be a tad nerdy about this stuff (comes with the automation territory), so we’re happy to clarify. There’s no such thing as a stupid question when it comes to understanding your privacy rights.

Also, if you have any complaints or feel that we could do better in protecting your data, we’d deeply appreciate the chance to address that directly. We take feedback seriously. Which brings us to…

Complaints and Dispute Resolution

We certainly hope you never have cause to complain about our privacy practices – we do our best to be the good guys here. But if you do have concerns or feel we’ve not lived up to our obligations, you have every right to speak up.

1. Talk to Us First (Optional but Encouraged): If something’s bothering you, please consider reaching out to us at hello@designautomate.co.uk or via mail/phone. We will listen and try to resolve the issue amicably. Maybe there was a misunderstanding we can clear up, or an error on our part we can fix. We’re a small business, so you’ll be communicating with a real human (likely our founder) who genuinely wants to sort things out. We won’t take it personally – privacy is complex, and mistakes can happen, but we aim to make it right.

2. Right to Complain to the ICO: You have an absolute right to lodge a complaint with the UK’s Information Commissioner’s Office (ICO), which is the independent authority overseeing data protection. You can go to them directly without coming to us (though we’d appreciate a chance to address it first). The ICO can investigate and take action if needed.

  • ICO Contact Details:
    Website: The easiest way is through the ICO’s online complaint form, which you can find at ico.org.uk/make-a-complaint/. There you’ll get guidance on the process.
    Helpline: You can also call the ICO’s helpline at 0303 123 1113. They’re quite friendly and can offer advice.
    Mail: If you prefer writing, you can send a letter to:
    Information Commissioner’s Office
    Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK.

The ICO is essentially the privacy police (with a much nicer community outreach). They can provide independent advice or pursue your complaint. We’ll cooperate fully with them if it gets to that point.

3. Legal Action: In addition to or instead of the ICO, you have the right to seek a judicial remedy through the courts if you believe your rights have been infringed. We sincerely hope it never comes to that – nobody wants a court saga – but the right exists.

We want to state clearly: No retaliation, no hard feelings. If you complain or exercise any rights, we will not refuse you services or treat you differently because of it. The law forbids retaliation and frankly it’d be a jerk move, which isn’t our style. Our focus will be on resolving the issue.

At the end of the day, your trust is crucial to us. We operate in an industry (automation and AI) where trust can be fragile – so we value privacy and transparency as part of earning and keeping that trust. If we screw up, we want to know, so we can fix it and do better.

Updates to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices, services, or legal obligations. Let’s be honest: as our business grows or as regulations evolve, some parts of this policy might need tweaking (we’re looking at you, ever-changing cookie laws). We promise not to overhaul things in a sneaky way. If changes are significant, we’ll take steps to inform you – for example, by posting a prominent notice on our website or emailing you if appropriate.

Each version of this policy will have an “Last updated” date at the top (see above), so you can easily tell if there’s a newer version since your last read. We encourage you to check this page once in a while – not that we expect you to make a habit of reading privacy policies for fun, but just as a good practice.

If we were to change the purposes of processing your personal data, or any other key aspect, we’d ensure those changes are lawful and that we notify or obtain consent from you where required. We’re not going to secretly start doing something wildly different with your data – that’s a recipe for losing trust and getting in trouble, which we have no interest in.

By continuing to use our website or services after an updated policy is in effect, it will be deemed that you have read and understood the latest version. (We’ll try to make our updates clear enough that understanding comes easily.)

Final Words

We appreciate you taking the time (wow, you made it this far!) to read our Privacy Policy. It’s ironic that a company all about automation has to manually write a lengthy policy about how we handle data, but such is the world we live in. We’ve tried to infuse a bit of our personality – straightforward, a touch wry – while still covering all the necessary bases to keep things legally clear.

Your privacy is important. We might be a bit tongue-in-cheek about legalese, but we do not take lightly the fact that you entrust us with information. We will continue to respect that trust at every step. If there’s anything here you find confusing or concerning, please let us know. Open communication is part of our brand too (we automate tasks, not relationships).

Thank you for reading, and thank you for considering or choosing Design + Automate. Now, with all this privacy business squared away, we’ll get back to the fun stuff – saving you time and money with clever systems (all while keeping your data safe in the process).

Your Data, Your Rules – we’re just here to follow them and hopefully make your life easier. Cheers!

bottom of page