Privacy Policy

1.0 Our User Privacy and Data Protection Ethos

We have some core beliefs surrounding the data we hold, collect, and process. These are:

  • The privacy and protection of the data we hold is fundamentally important
  • We have a duty of care to the people whose personal data we have
  • We should only collect and process the data we need – nothing more
  • We will not sell, rent, distribute, or make the data we hold public

2.0 Relevant Legislation

This website, and our internal data policies, are intended to comply with the following pieces of legislation:

By complying with the above legislation, we and this website should also comply with the data protection and privacy requirements of many other countries and territories. However, if you are unsure if the site is compliant with your own country’s requirements, please contact our data protection officer, for whom details can be found below.

3.0 Personal Information: What We Collect and Why

This website collects and uses personal information for the following reasons:

3.1 Site Visitation Tracking

Like many other websites, this site uses Google Analytics (GA) to track users’ interactions with it. We use this data to understand how our site is being used, for example:

  • The number of people using it
  • The pages users visit
  • The journey users take through the site
  • Where users enter the site
  • Where users come from
  • Where users exit
  • The demographics of our users

GA records data such as geographical location, device, internet browsers, and operating system. It does not personally identify you to us.

GA also records your device’s IP address which could be used to personally identify you. It does not grant us access to this.

We consider Google to be a third party data processor (see section 6.0 below).

GA uses cookies. Details about these can be found on Google’s developer guides. So you’re aware, our website uses the analytics.js implementation of GA.

Disabling cookies in your browser will stop GA from being able to track your journey and details on this website.

3.2 Contact Forms and Email Links

If you contact us using the contact form on our website, or an email link none of the data that you supply will be stored by this website or passed to/be processed by any of the third party data processors defined in section 6.0.

The data you provide (including your email address if you use an email link) will be collated into an email and sent to us over the Simple Mail Transfer Protocol (SMTP).

We use Gmail as part of GSuite to receive, store and send emails for our domain dontpanicdesign.co.uk. GSuite can accept insecure and secure email messages. We request that you send your emails securely by TLS (sometimes known as SSL) meaning that the email content is encrypted using SHA-2, 256-bit cryptography before being sent across the internet. The email content is then decrypted on Google servers and we access this securely (over SSL) through our desktop browsers and Gmail applications on our mobile devices. Further details about GSuite and how it processes/stores data can be found below.

4.0 About This Website’s Server

This website is hosted on a server provided by VPS.net in London.

The data centre has on-site staff, and 24×7 security and digital video surveillance.

Their privacy policy, which also relates to visitors of their customers’ websites (i.e. this website) is available here.

Our servers retain access logs, error logs, security logs, mail and service logs to allow us to monitor our servers in order to maintain them and keep a level of security. These logs may store personally identifiable information in plain text locally on each server. All logs are deleted after 200 days.

The personally identifiable information the logs may store includes:

  • Time/Date
  • IP address
  • Request URL
  • Browser
  • Protocol
  • Email address
  • Referrer paths

Our website and server are protected by Cloudflare’s services which act as a relay between your browser and our web server.

5.0 Client Information

If you become, or are one of our clients there are likely to be certain details we need from you in order that we can fulfil our contractual obligations to you, or complete certain tasks before entering into a contract with you (e.g. providing a quote).

These details may include:

  • Your name
  • Your email address
  • Your telephone number
  • Your postal/physical address
  • Your business’ registered address
  • Your business’ VAT and registered business numbers
  • Social media details
  • Usernames and passwords for services or systems we need access to (these will vary by project but may include: social media platforms, domain registrar, FTP access details, CMS). More information about this is below.

We only ask for details that we need. For example – if we won’t need access to any of your social media platforms, we won’t ask for any details about it.

Any details you supply us with may be stored in the following locations, or by the following systems:

  • Company owned devices including mobile phones, computers, and external hard drives/storage – all of which are password secured
  • Google (including GSuite: Gmail, Drive, Sheets, Docs, Meet, Calendar, etc)
  • Xero (for accounting)
  • Lloyds Bank (for accounting/banking)
  • Skype (for communication)
  • WhatsApp (for communication)
  • Slack (for communication)
  • Campaign Monitor (for communication)
  • Facebook for Business (for management of Facebook Pages)
  • Git Repositories e.g. Bitbucket (for development of web applications)
  • In the settings, or as user accounts, within web applications that we build/manage for you
  • Keeper (for usernames and passwords)
  • Trello (for project management)

5.1 Usernames and Passwords

If we need access to specific systems or services you use in order to do our job, we may ask for you to either:

  • Create a user account for us
  • Delegate access to an existing account we have with the third party system
  • Provide us with access details (e.g. username, password, access key)

We will only ever ask for details that we need, and will be specific as to what we need as well as why.

We will never ask you to share your username and password as part of the same communication, and will instead ask that you provide your password securely by doing so separately (e.g. by sending your username by email and the password by text message/WhatsApp, or using a service like One Time Secret).

Wherever possible, any usernames and passwords you provide us with are stored securely using Keeper.

If developing an application for you that makes use of external services, tools or endpoints, we may need to store user credentials such as API keys and secrets indefinitely within the application. These may be stored in backup copies, but will not be stored within Git repositories.

6.0 Our Third Party Data Processors

We use some third parties to process personal data on our behalf. We only do this where it would be impractical to do otherwise. We have chosen these third parties carefully, look for them to be compliant with the legislation set out in section 2.0. This includes where they are not based within the EU.

The third parties are as follows:

  • Google (including GSuite [Gmail, Drive, Sheets, Docs, Meet, Calendar, etc], Google Analytics, and Google Webmaster Tools)
  • Xero (for accounting)
  • Lloyds Bank (for accounting/banking)
  • Skype (for communication)
  • WhatsApp (for communication)
  • Slack (for communication)
  • Campaign Monitor (for communication)
  • Facebook for Business (for management of Facebook Pages)
  • Git Repositories e.g. Bitbucket (for development of web applications)
  • Keeper (for usernames and passwords)
  • Trello (for project management)

7.0 Data Breaches

We will report any unlawful data breach of this website’s database or the database(s) of any of our third party data processors to any and all relevant persons and authorities as required by law.

8.0 Data Retention

We pride ourselves on only storing the data we need. With that in mind, we conduct a biannual data review of the information we hold and delete anything we no longer need, or which we have held for at least 12 months without usage. This takes place on or around the following dates:

  • 1st May
  • 1st November

If we encounter data at any other point we believe we no longer need, this is deleted.

We will only hold personal data for a longer period in order to fulfil our contractual or legal obligations.

9.0 Data Erasure Requests & Data Subject Access Requests

In order to make a data erasure request, or data subject access request please contact our Data Protection Officer whose details are listed below.

10.0 Data Controller

Our website’s data controller is:

Don’t Panic Design Ltd. A UK Private Limited company, with the company number: 10253468

The data controller’s registered office and operating office is:

Don’t Panic Design Ltd.
11 Simplemarsh Court
Simplemarsh Road
Addlestone
Surrey
KT15 1QF

11.0 Data Protection Officer

The data protection officer is:

Stuart Lawrence
Technical Director, Don’t Panic Design Ltd.
Telephone: 07725 209 819
Email: stuart@dontpanicdesign.co.uk

Appendix

1.0 Change Log

  • 16/05/2018: Privacy Policy implemented (v2.0)

For a moment, nothing happened.
Then, after a second or so,
nothing continued to happen.

Okay We use cookies to give you the best online experience. By using our website you agree to our use of cookies in accordance with our privacy policy.