Privacy Policy

How we collect, use and protect your personal data, written in plain English.

Last updated: 27 May 2026

1. Who we are

Sandbanks Digital Ltd (“we”, “us”, “our”) is a web design and software studio based in Poole, Dorset, registered in England and Wales. We are the data controller of the personal data described in this policy.

Contact: contact@sandbanksdigital.com · +44 7703 718828

2. Data we collect from you directly

We collect what we need to run our business and serve our clients:

  • Contact form submissions — name, email, phone number, business name and the message you send us. Submissions are forwarded from this website to our internal CRM system (dashboard.sandbanksdigital.com) operated by Sandbanks Digital, where they are stored for lead management and follow-up.
  • Client project data — anything you share with us as part of a project, including brand assets, copy, customer-facing content and access credentials for third-party platforms.
  • Billing details — name, address, company details and VAT number where applicable, processed through our accounting software.
  • Email correspondence — emails you send us are stored for as long as needed to deliver the project and meet our legal obligations.
  • Website analytics — where you consent, aggregated usage data via Google Analytics 4 (page views, referrers, broad device and location data). We do not enable Google Signals, Google Ads linking or advertising personalisation.

We do not use third-party marketing tracking pixels (no Facebook Pixel, no Google Ads remarketing) on this website. Analytics cookies are only set after you accept them — see our Cookie Policy.

3. Business contact data we collect for B2B marketing

As part of our business development we maintain a database of UK businesses that may benefit from our services. Some of this information is personal data (for example a named contact, a company officer's name, or a business email address that includes a person's name), and we collect it from sources other than you directly. UK GDPR requires us to tell you about this.

What we collect: business name and trading address, business phone number and email address, website address, business category, publicly filed company information, and the names and roles of company officers.

Where we get it: publicly accessible sources, including public registers (such as Companies House), online business directories, and businesses' own public websites. We do not purchase marketing lists.

Why and on what basis: we process this data on the basis of our legitimate interests (UK GDPR Article 6(1)(f)) in carrying out business-to-business marketing to organisations we believe are relevant prospects. We have weighed this against the rights and reasonable expectations of the individuals concerned and limit the data to business-context contact details.

Your choice: you can object to this processing or ask us to stop contacting you and erase your details at any time, with no need to give a reason — email contact@sandbanksdigital.com and we will action it promptly. Every marketing message we send also identifies us and offers an opt-out.

4. Automated processing and AI tools

We use third-party AI services (currently Google's Gemini API, provided by Google) to help us assess and prioritise prospective business leads, remove duplicate records, categorise businesses, and draft outreach messages for our team to review. Business contact details described in section 3 may be processed by these tools.

When we send data to the Gemini API, Google acts as a data processor under its Gemini API / Vertex AI terms (not its consumer-product terms). Under those terms, inputs and outputs are not used to train Google's general-purpose models. Processing primarily takes place in Google data centres in the EU and United States; international transfers rely on the safeguards described in section 7.

This processing supports human decision-making; it does not produce legal or similarly significant effects on individuals through solely automated means. You can ask us about, or object to, this processing by emailing contact@sandbanksdigital.com.

5. Why we collect data

We use personal data for the following purposes only:

  • Responding to your enquiry and providing a quote.
  • Delivering the services agreed under contract.
  • Business-to-business marketing to relevant prospects (see section 3).
  • Invoicing, accounting and statutory record-keeping (HMRC requires us to keep records for six years).
  • Hosting, maintaining and supporting websites we have built for you.
  • Improving our website (aggregated analytics only — never linked to you as an individual).

6. Our lawful basis

Under UK GDPR we rely on one or more of the following lawful bases:

  • Contract — to deliver work you have engaged us to do.
  • Legitimate interest — to respond to enquiries, to maintain ongoing client relationships, and to carry out business-to-business marketing to relevant prospects.
  • Legal obligation — to keep financial records for HMRC and Companies House.
  • Consent — for analytics cookies and for any optional marketing communications, which you can withdraw at any time.

7. Sharing your data

We do not sell your data. We share it only with trusted providers who help us run the business, including:

  • Our internal CRM / contact management system (dashboard.sandbanksdigital.com), hosted on our managed cloud database provider (Supabase) — for storing and managing enquiries and prospect records.
  • Cloud hosting providers — this website is served via Railway.app. Client websites are hosted on cloud infrastructure appropriate to each project (e.g. Vercel, Railway.app or similar platforms).
  • AI service providers (Google, for the Gemini API) — for the automated processing described in section 4.
  • Public-data and directory APIs (e.g. Companies House, Google Places) — used to compile and verify business records.
  • Source-code and automation infrastructure (e.g. GitHub) — used to build and deploy client projects.
  • Email and productivity providers (e.g. Google Workspace) — for correspondence and internal operations.
  • Analytics providers (Google Analytics 4, provided by Google LLC / Google Ireland Limited) — for aggregated website usage measurement, where you consent.
  • Accounting software (e.g. Xero, FreeAgent) — for invoicing and financial record-keeping, where used.
  • Payment processors (e.g. Stripe, GoCardless) — used to process invoices and payments for client engagements, where used. No payment processing takes place through this website.

Some of these providers (including Google and GitHub) are based outside the UK. Where personal data is transferred outside the UK, we rely on appropriate safeguards such as UK adequacy regulations, the UK Addendum to the EU Standard Contractual Clauses, or the providers' certification under the UK extension to the EU–US Data Privacy Framework.

8. How long we keep your data

  • Enquiry data from people who do not become clients: deleted within 12 months.
  • Website analytics (Google Analytics 4): event-level data is retained by Google for 14 months, after which it is automatically deleted. Aggregated reports may be retained longer.
  • Prospect / business contact data: reviewed periodically and removed when no longer relevant, or sooner if you object or ask us to erase it.
  • Client project data: kept for the duration of the engagement plus 12 months, unless we are still hosting the site.
  • Hosting and ongoing-retainer client data: kept for the duration of the contract.
  • Financial records: kept for six years to meet HMRC requirements.

9. Your rights

Under UK GDPR you have the right to:

  • Request a copy of the personal data we hold about you.
  • Ask us to correct inaccurate data.
  • Ask us to delete your data (subject to our legal obligation to retain financial records).
  • Object to processing based on legitimate interest, including our B2B marketing.
  • Withdraw consent for any optional processing.
  • Complain to the Information Commissioner's Office (ICO) — ico.org.uk.

To exercise any of these rights, email contact@sandbanksdigital.com. We will respond within one month.

10. Cookies

See our Cookie Policy for full details of what we use and why.

11. Security

We take security seriously. All websites and applications we host run on TLS (HTTPS). Account passwords are stored only in hashed form, never in plain text. Credentials and access details for third-party platforms are held in encrypted form.

Operationally, we apply multi-factor authentication on administrative accounts where the provider supports it, follow the principle of least privilege when granting access to client systems, keep encrypted off-site backups of critical data, and patch dependencies on a routine basis. Access to our internal CRM is restricted to named staff. No system is perfectly secure, but we apply appropriate technical and organisational measures to protect personal data and review them regularly.

12. Changes to this policy

We may update this policy from time to time. We will publish the “Last updated” date at the top. Material changes affecting existing clients will be communicated by email.

Questions about your data?

Email us directly — Elliot or Dan will reply.