01 The short version

If you'd rather not read all 12 sections, here's the gist:

  • We collect the minimum data we need to deliver our services.
  • We don't sell your data. Ever. To anyone.
  • We use trusted processors (Stripe for payments, SureCart for subscriptions, FluentCRM for email) — listed in detail below.
  • You can request a copy, correction, or deletion of your data at any time.
  • We're UK-based and follow UK GDPR.

The rest is detail.

02 Who we are

Alchemist Ltd is the data controller for personal data collected through this website and our services. We're registered in England and Wales (company number: [INSERT COMPANY NUMBER]), with our registered office at [INSERT REGISTERED ADDRESS], Leeds, United Kingdom.

You can reach our data protection contact at [email protected].

03 What we collect

Information you give us directly

  • Account data: name, email, business name, business address, phone number
  • Payment data: billing address, partial card details (Stripe holds the actual card data — we never see your full card number)
  • Communications: content of emails, support tickets, or chats you send us
  • Onboarding data: any business assets, brand materials, account access, or context you share to enable us to deliver services
  • Form submissions: anything you submit through the contact form or other site forms

Information collected automatically

  • Site analytics: pages visited, time on site, referrer, anonymised IP, browser type, device type (via privacy-respecting analytics — see "Cookies" below)
  • Server logs: request URLs, timestamps, IP addresses (kept for 30 days for security/diagnostics)
  • Cookies: only those strictly necessary for the site to function, plus optional analytics with consent — see Cookies section

What we do NOT collect

  • Special category data (health, race, religion, political opinions, etc.) — never needed for our service
  • Children's data — our service is for businesses, not individuals under 18
  • Card numbers directly — Stripe handles payment data; we only see a payment status and last 4 digits

04 Why we collect it

We process personal data under the following lawful bases:

Contract performance

To deliver the services you've subscribed to. Without account data, payment info, and business onboarding details, we can't run your subscription. (Lawful basis: contract performance)

Legitimate interests

To improve the service, prevent fraud, secure our infrastructure, and communicate operationally about your account. (Lawful basis: legitimate interests — yours and ours, balanced)

Consent

For optional things like marketing newsletter sign-ups, optional analytics cookies, and case-study features. You can withdraw consent at any time. (Lawful basis: consent)

Legal obligation

To comply with tax law, anti-money-laundering checks, and other legal requirements (e.g., keeping invoices for 6 years per HMRC rules). (Lawful basis: legal obligation)

05 Cookies

We use a small number of cookies, in three categories:

Strictly necessary (always on)

Required for the site to function. These remember your cookie preferences, your login state, and your cart/calculator state during a session. You can't disable these without breaking the site.

Analytics (opt-in)

If you consent, we use privacy-respecting analytics to understand which pages people use and how the site performs. We use a tool that anonymises IPs and doesn't track you across other sites.

Marketing (opt-in, only on specific pages)

If you reach our site via a paid ad and consent to it, we use cookies from Google Ads and Meta to measure ad effectiveness. You can opt out at any time via your cookie banner preferences.

Manage your cookie preferences at any time via the "Cookie preferences" link in the footer.

06 Third-party processors

To deliver our services, we share specific data with the following processors. Each processor handles only what it needs and is bound by data processing agreements with us.

| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Name, email, billing address, payment method | Ireland / US (SCC-protected) |
| SureCart | Subscription management | Name, email, subscription state, invoice history | US (SCC-protected) |
| FluentCRM | Email communications | Name, email, communication history | Self-hosted (UK) |
| DreamHost | Web hosting | All site data (encrypted at rest) | US (SCC-protected) |
| Cloudflare | CDN and security | IP addresses, request metadata | Global (UK PoP-served) |
| Google (GBP/GA4/Ads) | Analytics and ad management (per-client) | Anonymised usage data, ad performance data | Ireland / US (SCC-protected) |

Where data leaves the UK, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards per UK GDPR Article 46.

07 How long we keep it

  • Active account data: for as long as you're a customer, plus 6 years after cancellation (HMRC accounting requirement).
  • Marketing lists: until you unsubscribe, or after 2 years of inactivity.
  • Server logs: 30 days, then deleted.
  • Email communications: 3 years from last contact.
  • Cookies: session cookies expire when you close the browser; persistent cookies last from 30 days (analytics) to 12 months (preferences).

After retention periods expire, data is securely deleted or anonymised.

08 Your rights

Under UK GDPR, you have the right to:

  • Access: request a copy of your personal data we hold
  • Rectification: correct inaccurate data
  • Erasure: request deletion (where lawful — note we may have to retain some data for tax/legal reasons)
  • Restriction: ask us to pause processing while we resolve a query
  • Portability: get your data in a portable, machine-readable format
  • Object: to certain processing, particularly direct marketing
  • Withdraw consent: for any processing based on consent
  • Complain: to the UK ICO (ico.org.uk) if you think we've mishandled your data

To exercise any of these, email [email protected] with "Data request" in the subject. We respond within 30 days — usually much faster.

09 How we secure it

We take security seriously. Specifically:

  • TLS 1.3 encryption for all data in transit
  • Encryption at rest for sensitive data
  • 2FA required on all team admin accounts
  • Regular software updates and security patches
  • Principle of least privilege — team members only access what they need
  • Annual review of processors and security practices

If we ever experience a data breach affecting your personal data, we'll notify you and the ICO within 72 hours as required by UK GDPR.

10 International transfers

Some of our processors (Stripe, SureCart, Cloudflare, Google) are based outside the UK. Where data leaves the UK, we rely on:

  • Adequacy decisions (e.g., for transfers to the EEA)
  • UK International Data Transfer Agreement or Standard Contractual Clauses
  • Supplementary technical measures (encryption, pseudonymisation) where appropriate

11 Changes to this policy

We may update this policy occasionally. For material changes, we'll notify you by email at least 30 days before the new policy takes effect. The "Last updated" date at the top will always reflect the current version.

12 How to contact us

For data protection enquiries, complaints, or to exercise any of your rights:

Alchemist Ltd

[INSERT REGISTERED ADDRESS]

Leeds, England

Email: [email protected]

For complaints, you can also contact the UK ICO at ico.org.uk or call 0303 123 1113.