Privacy Policy

Last updated: 1 March 2026

1. Who We Are

Exmoorweb Website Design ("we", "us", "our") is a sole trader web design business operated by Marcus Knapman, based in Williton, Somerset, TA4 4QS, United Kingdom.

Data Controller: Marcus Knapman
Email: marcus@exmoorweb.co.uk
Phone: 07528 579215

2. What Data We Collect

We collect different types of personal data depending on how you interact with our website and services:

2.1 Contact & Enquiry Forms

When you fill in our contact form, get started form, or request a free proposal:

Name, email address, phone number
Business name and message/enquiry details
Referral code (if applicable)

2.2 Free Website Funnel

When you claim a free website through our offer:

Name, email address, phone number, business name
Marketing attribution data (UTM parameters, Google Click ID)
Website brief details including: business description, services, address, social media links, opening hours, colour preferences, competitor websites, content, and any uploaded files (logo, images)

2.3 Free Proposal / Questionnaire

When you complete our AI-powered proposal questionnaire:

Name, email address, company name, phone number
Questionnaire answers about your business and website requirements
IP address and browser user agent (for verification and security)
Digital signature (if you proceed to contract stage)

2.4 Customer Portal

When you become a customer and use our portal:

Full name, email, phone number, company name
Business address (street, city, region, postcode, country)
Website URL, profile photo
Payment information (processed securely by GoCardless or Stripe — we never see or store your bank or card details)
Support tickets, uploaded documents, and AI assistant chat messages
Referral activity

2.5 Blog & Lead Magnets

When you download a resource from our blog:

Email address

2.6 Automatic Data Collection

When you visit any page on our website, we automatically collect:

IP address, browser type, device type, operating system
Pages visited, time on page, referral source
UTM parameters and campaign data

This is collected through Google Analytics 4 and our own analytics system. See our Cookie Policy for details.

3. How We Use Your Data

Purpose	Data Used	Lawful Basis (UK GDPR)
Respond to your enquiry	Name, email, phone, message	Legitimate interest
Provide a free website proposal	Contact details, questionnaire answers, business info	Contract (pre-contractual steps)
Build and host your website	All customer data, brief details, uploaded files	Contract performance
Process payments	Name, email (shared with GoCardless/Stripe)	Contract performance
Send invoices and receipts	Name, email, payment amounts	Contract / Legal obligation
Provide customer support	Name, email, ticket content, attachments	Contract performance
Send follow-up emails (funnel)	Name, email	Legitimate interest (with opt-out)
AI-powered features	Business info, questionnaire answers, chat messages	Consent / Contract
Prevent spam and abuse	IP address, reCAPTCHA data	Legitimate interest
Analyse website performance	Anonymised/pseudonymised analytics data	Legitimate interest
Marketing attribution	UTM parameters, Google Click ID	Legitimate interest
Deliver blog resources	Email address	Consent

4. Third-Party Services (Data Processors)

We share personal data with the following third-party services, each acting as a data processor:

Service	Purpose	Data Shared	Privacy Policy
GoCardless	Direct Debit payments	Name, email, bank details (entered directly on GoCardless)	gocardless.com/privacy
Stripe	Card payments	Name, email, card details (entered directly on Stripe)	stripe.com/privacy
Google Analytics	Website analytics	IP address (anonymised), browsing behaviour	policies.google.com/privacy
Google reCAPTCHA	Spam prevention	IP address, browser behaviour	policies.google.com/privacy
Anthropic (Claude AI)	AI website generation, proposals, assistant	Business information, questionnaire answers	anthropic.com/privacy
Pexels	Stock imagery	Search queries only (no personal data)	pexels.com/privacy-policy
Google Fonts	Typography	IP address (font loading requests)	policies.google.com/privacy

Payment card and bank details are entered directly on GoCardless or Stripe's secure pages — we never see, handle, or store these details on our servers.

5. AI-Powered Features

We use Anthropic's Claude AI to power several features including website generation, proposal creation, and the customer AI assistant. When you use these features:

Your business information and questionnaire answers are sent to Anthropic's API for processing
AI chat messages are stored securely in our database
Anthropic processes data per their privacy policy and does not use API data for model training
You can request deletion of AI chat history at any time

6. Data Retention

Data Type	Retention Period
Contact form enquiries	Emailed only — not stored in database
Funnel leads (not converted)	12 months, then deleted
Customer account data	Duration of service + 6 years (legal/tax requirement)
Invoices and payment records	6 years (HMRC requirement)
Support tickets	Duration of service + 2 years
Analytics data	26 months (Google Analytics default) / 12 months (custom analytics)
Email verification tokens	15 minutes (auto-expire)
Session data	2 hours (auto-expire)
Uploaded documents	Duration of service, deleted on request

7. Your Rights (UK GDPR)

Under UK data protection law, you have the right to:

Access — Request a copy of all personal data we hold about you
Rectification — Ask us to correct inaccurate data
Erasure — Ask us to delete your data (subject to legal retention requirements)
Restriction — Ask us to limit how we process your data
Portability — Receive your data in a machine-readable format
Objection — Object to processing based on legitimate interest
Withdraw consent — Where processing is based on consent, withdraw at any time

To exercise any of these rights, email us at marcus@exmoorweb.co.uk. We will respond within 30 days.

8. Data Security

We take the security of your data seriously and implement appropriate measures including:

SSL/TLS encryption on all pages (HTTPS)
Secure session management with automatic timeout
CSRF protection on all forms
Passwordless authentication (magic links) — no passwords stored
Payment data handled entirely by PCI-DSS compliant processors (GoCardless, Stripe)
Regular security sweeps and monitoring
Server-level firewalls and access controls
Daily encrypted backups

9. International Data Transfers

Some of our third-party processors (Google, Stripe, Anthropic) are based in the United States. Where data is transferred outside the UK, it is protected by:

UK adequacy regulations
Standard Contractual Clauses (SCCs)
The processor's own data protection frameworks

10. Children's Data

Our services are not directed at individuals under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

11. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be notified via email to active customers. The "last updated" date at the top indicates when the policy was last revised.

12. Complaints

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Phone: 0303 123 1113

13. Contact Us

For any privacy-related questions or requests:

Marcus Knapman — Exmoorweb Website Design
Email: marcus@exmoorweb.co.uk
Phone: 07528 579215
Address: Williton, Somerset, TA4 4QS