Privacy Policy

This Privacy Policy explains how Webdesign Xpress ("we", "us", "our"), a sole trader registered in the United Kingdom, collects, uses, stores, and protects your personal data when you use our website (webdesign-xpress.com) and related services.

We are committed to protecting your privacy and processing your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (GDPR) where applicable.

By using our website and services, you acknowledge that you have read and understood this Privacy Policy.

The data controller responsible for your personal data is:

If you have any questions about this Privacy Policy or our data practices, please contact us at the email address above.

3.1 Account Information: When you create an account or subscribe to our services, we collect your business name, owner name, email address, phone number (optional), and address (optional).

3.2 Payment Information: Payment details (credit/debit card numbers) are processed and stored securely by Stripe, our payment processor. We do not store your full payment card details on our servers. We retain Stripe customer and subscription identifiers to manage your account.

3.3 Usage Data: We collect information about how you interact with our services, including pages visited, features used, and actions taken within your dashboard.

3.4 Analytics Data: With your consent, we use Google Analytics to collect anonymised browsing data including IP address (anonymised), browser type, device type, operating system, referring URLs, and pages visited. IP anonymisation is enabled by default.

3.5 Product Data: When you use our digital products (QR codes, review collectors, loyalty cards, digital menus, etc.), we collect the data you input to create and manage those products, as well as interaction data from end-users who use your products (e.g., QR scan data, review responses).

3.6 Communication Data: When you contact us via email, WhatsApp, or our contact form, we retain the content of those communications to provide support and improve our services.

We process your personal data on the following legal bases:

• Contract Performance: Processing necessary to provide our services to you, manage your account, and fulfil our contractual obligations (Article 6(1)(b) GDPR).
• Consent: Where you have given explicit consent, such as for analytics cookies and marketing communications. You may withdraw consent at any time (Article 6(1)(a) GDPR).
• Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our services, preventing fraud, and ensuring security, where these interests are not overridden by your rights (Article 6(1)(f) GDPR).
• Legal Obligation: Processing necessary to comply with legal requirements, such as tax and accounting obligations (Article 6(1)(c) GDPR).

We use your personal data to:

• Provide, maintain, and improve our services
• Process payments and manage subscriptions
• Send service-related communications (account updates, billing notifications)
• Provide customer support
• Analyse usage patterns to improve our products (with anonymised data)
• Comply with legal obligations
• Prevent fraud and ensure security

We share your personal data only with trusted third-party processors who assist us in providing our services:

• Stripe (Payment processing) - Processes and stores payment information securely. Privacy Policy: stripe.com/privacy
• Resend (Email delivery) - Sends transactional emails on our behalf. Your email address is shared for delivery purposes.
• Google Analytics (Website analytics) - Collects anonymised browsing data with your consent. IP anonymisation is enabled. Privacy Policy: policies.google.com/privacy
• Cloudflare (CDN and security) - Provides content delivery and DDoS protection. May process IP addresses for security purposes.

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

We retain your personal data for as long as necessary to provide our services and comply with legal obligations:

• Account data: Retained for the duration of your subscription and for 30 days after account deletion to allow for account recovery.
• Payment records: Retained for 7 years to comply with UK tax and accounting regulations.
• Analytics data: Retained for 26 months (Google Analytics default retention period).
• Communication records: Retained for 2 years after your last interaction.
• Product data: Deleted when you delete the product or your account, whichever comes first.

When your data is no longer needed, it is securely deleted or anonymised.

Under the UK GDPR and EU GDPR, you have the following rights:

Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you.

Right to Rectification (Article 16): You can request that we correct any inaccurate or incomplete personal data.

Right to Erasure (Article 17): You can request that we delete your personal data. You can exercise this right through your account dashboard using the "Delete Account" feature.

Right to Data Portability (Article 20): You can request a copy of your data in a structured, commonly used, machine-readable format. You can exercise this right through your account dashboard using the "Download My Data" feature.

Right to Restrict Processing (Article 18): You can request that we restrict the processing of your personal data in certain circumstances.

Right to Object (Article 21): You can object to the processing of your personal data based on legitimate interests.

Right to Withdraw Consent: Where processing is based on consent, you can withdraw consent at any time. For cookie preferences, you can update your choices via the cookie settings on our website.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month.

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption of data in transit (HTTPS/TLS) and at rest
• Secure password hashing (PBKDF2 with 100,000 iterations)
• IP address masking in audit and security logs
• CSRF protection on all authenticated endpoints
• Secure session management with IP and User-Agent binding
• Regular security reviews and updates

While we take all reasonable steps to protect your data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

Your data is primarily stored on servers located in the United Kingdom and European Union. Where data is transferred to third-party processors outside the UK/EU (e.g., Stripe, Google), appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions.

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

We may update this Privacy Policy from time to time. Material changes will be notified to you via email or through your account dashboard. The "Last updated" date at the top of this page indicates when this policy was last revised.

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the relevant supervisory authority:

• UK: Information Commissioner's Office (ICO) - ico.org.uk
• EU: Your local data protection authority

We encourage you to contact us first at [email protected] so we can try to resolve your concern.

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us: