Privacy Policy

Last updated: June 25, 2026

1. Information We Collect

  • Contact Information: Email addresses, names, and messages submitted through our contact forms.
  • Technical Data: IP addresses, browser type, device information, and website usage analytics.
  • Project Data: Information shared during consultations, project requirements, and business objectives.
  • Communication Records: Email correspondence, meeting notes, and project documentation.

2. How We Use Your Information

  • Service Delivery: To provide consulting, design, and development services as agreed.
  • Communication: To respond to inquiries, provide project updates, and maintain client relationships.
  • Improvement: To analyse website usage and improve our services and user experience.
  • Legal Compliance: To meet legal obligations and protect our legitimate business interests.

3. Data Sharing & Third Parties

  • Service Providers: We use Supabase for data storage, and tools such as analytics and scheduling providers to run the site and our service. These providers have their own privacy policies.
  • AI Tools: Where AI helps deliver your project, we may use third-party AI services, which can process data outside the UK. We agree with you what data is included and exclude confidential information unless specifically agreed.
  • No Sale of Data: We never sell, rent, or trade your personal information to third parties.
  • Legal Requirements: We may disclose information if required by law or to protect our rights.
  • Business Transfers: In the event of a merger or acquisition, data may be transferred to the new entity.

4. Data Security & Retention

  • Security Measures: We implement appropriate technical and organisational measures to protect your data.
  • Data Location: We keep client and project data in UK or EU-based storage where practical. Some third-party tools (such as AI services) may process data outside the UK and EU; see International Transfers below.
  • Retention Period: Contact form data is retained for 2 years. Project data is retained for 7 years for legal and business purposes.
  • Data Deletion: You can request deletion of your personal data, subject to legal retention requirements.
  • Breach Notification: We will notify affected users and authorities of any data breaches as required by law.

5. Your Rights (GDPR & UK GDPR)

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data in certain circumstances.
  • Portability: Request transfer of your data to another service provider.
  • Objection: Object to processing of your data for direct marketing or legitimate interests.
  • Restriction: Request restriction of processing in certain circumstances.

6. Cookies & Analytics

  • Essential Cookies: We use necessary cookies for website functionality.
  • Analytics: We may use analytics tools to understand website usage patterns.
  • No Tracking: We do not use invasive tracking or advertising cookies.
  • Browser Settings: You can control cookie preferences through your browser settings.

7. International Transfers

We keep data in UK or EU-based storage where practical. Some service providers and AI tools may process data in countries outside the UK and EU. Where they do, we ensure appropriate safeguards are in place, and we agree with clients what data is included, excluding confidential information unless specifically agreed.

8. Updates to This Policy

We may update this privacy policy from time to time. Significant changes will be communicated via email or website notice. Continued use of our services constitutes acceptance of updated terms.

9. Contact & Complaints

For privacy-related questions or to exercise your rights, contact us at privacy@productofexperience.com.

Under the Data (Use and Access) Act 2025, you have a legal right to raise a data protection complaint directly with us. This applies to any concern about how your personal data has been collected, used, stored or shared; a suspected breach of UK GDPR or the Data Protection Act 2018; how a Subject Access Request or other data subject right has been handled; or marketing sent without valid consent.

How to submit a complaint

Email privacy@productofexperience.com with your name and contact details, a clear description of your concern, and any relevant dates or reference information. There is no formal form required — a plain email is enough.

Our complaints process

  1. Receive. We log the complaint with the date received, your name and contact details, and the nature of the concern.
  2. Acknowledge — within 30 days. We send a written acknowledgement confirming receipt and that your complaint is under review. This is a legal requirement under the DUA Act 2025.
  3. Investigate. We review the relevant data, processes, and records, and assess whether UK GDPR or the DPA 2018 has been breached, seeking specialist advice where needed.
  4. Respond. We provide a full written response explaining our findings and any corrective action taken or planned, without undue delay following acknowledgement.
  5. Escalation info. We inform you of your right to escalate to the Information Commissioner's Office (ICO) if you are unsatisfied with our response.
  6. Record & close. We update the complaints log with the outcome and closure date, and retain records for a minimum of three years.

Timescales

  • Acknowledgement: within 30 days of receipt (legal requirement).
  • Full response: without undue delay (target: within 30 days of acknowledgement).
  • Record retention: minimum 3 years from closure.

Escalation to the ICO

If you are not satisfied with our response, or if we fail to respond within a reasonable timeframe, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

The ICO generally expects individuals to raise a complaint with the relevant controller first before contacting the ICO directly.

Records

We maintain a complaints log which records the date a complaint is received, the complainant's name and contact details, a summary of the complaint, the date acknowledgement was sent, the outcome and date of the full response, and any corrective action taken.

Complaint records are held securely and accessed only by Scott Byrne-Fraser. They are not used for any purpose other than managing and learning from complaints.