Privacy Policy
Vivid Beginnings ("we", "us", "our") takes your privacy seriously. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have under UK data protection law.
This policy applies to:
- Visitors to our website at vividbeginnings.co.uk
- Customers who order a website through our service
- Users of our customer portal
If you have questions about this policy, please email hello@vividbeginnings.co.uk.
Data controller: Vivid Beginnings, based in the United Kingdom. We are the data controller for personal data you provide to us directly.
1. What data we collect
When you browse our website
- Your IP address (automatically collected by Cloudflare for security and performance)
- Browser type, device type, and operating system
- Pages visited and time spent on each page
- Your cookie consent preferences
- Referral source (how you found us)
When you fill in our studio form
- Your name, email address, and phone number
- Your business name, industry, and location
- Your business services, style preferences, and design choices
- Photos or logos you upload (if provided)
When you order a website
- Everything above, plus payment details (handled entirely by Stripe — we never see your card details)
- Your billing address (if provided to Stripe)
- A record of your order, payment amount, and Stripe transaction ID
When you use your customer portal
- Magic link login tokens (expire after 30 minutes)
- Session cookies (expire after 7 days of inactivity)
- Changes you make to your business details
- Blog posts you write and publish
- Messages you send us via the dashboard
Visitor data from your website
If someone fills in the contact form on a website we have built for you, the submission is forwarded immediately via our email service (Postmark) and not stored on our servers. The visitor's name, email, and message pass through us for the time it takes to deliver the email to you.
2. Why we collect this data
| Purpose | Lawful basis (UK GDPR) |
|---|---|
| To generate and deliver the website you ordered | Contract performance |
| To process your payment | Contract performance |
| To provide customer support and respond to enquiries | Contract performance / legitimate interests |
| To send service-related emails (order confirmations, deployment notices) | Contract performance |
| To keep financial records | Legal obligation (HMRC requires 6 years) |
| To detect fraud and prevent abuse | Legitimate interests |
| To improve our service and analytics | Legitimate interests (with your cookie consent) |
| To send marketing emails (where applicable) | Consent — you can withdraw anytime |
3. Who we share your data with
We only share your data with service providers we need to deliver our service. We do not sell your data to anyone, ever.
| Service provider | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | USA / EU (UK transfer adequacy) |
| Cloudflare | CDN, security, DDoS protection | Global (including UK) |
| Postmark | Transactional email delivery | USA |
| Supabase | Customer database | EU (Frankfurt) |
| Vercel | Customer portal hosting | Global |
| Anthropic (Claude) | AI website generation | USA |
| Backblaze B2 | Encrypted backups | EU (Amsterdam) |
| Plesk hosting | Customer website hosting | United Kingdom |
Where data is transferred outside the UK/EU, we rely on appropriate safeguards such as the UK Addendum to the EU Standard Contractual Clauses, or the UK Extension to the EU-US Data Privacy Framework.
4. How long we keep your data
| Data type | Retention period |
|---|---|
| Active customer data | For as long as you are a customer |
| Cancelled customer data (no active care plan) | Retained while your website remains online. Inactivity review after 12 months. |
| Financial records | 6 years (HMRC legal obligation) |
| Website content (your live site files) | While hosting is active |
| Email logs (Postmark) | 45 days |
| Server access logs (Cloudflare) | 30 days |
| Contact form submissions | Not stored — forwarded only |
| Backup data | 90 days rolling (encrypted) |
5. Your rights under UK GDPR
Under UK data protection law, you have the following rights:
- Right to be informed — to know what we collect and why (this policy)
- Right of access — to request a copy of the personal data we hold about you
- Right to rectification — to correct inaccurate data
- Right to erasure — to request we delete your data (subject to our legal obligation to retain financial records)
- Right to restrict processing — to pause processing in certain circumstances
- Right to data portability — to receive your data in a machine-readable format
- Right to object — to object to processing based on legitimate interests
- Rights around automated decision-making — we do not make decisions that produce legal effects solely by automated means
- Right to withdraw consent — where processing is based on consent, you can withdraw it anytime
To exercise any of these rights, email hello@vividbeginnings.co.uk. We will respond within 30 days. There is no charge for reasonable requests.
6. How to complain
If you believe we have mishandled your data, please contact us first — we will take your concerns seriously and try to resolve the issue. If you are not satisfied, you have the right to complain to the UK's data protection authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113
7. Security
We take appropriate technical and organisational measures to protect your data:
- All data in transit is encrypted using TLS/SSL
- Backups are encrypted at rest using AES-256 with Object Lock immutability
- Access to customer data is restricted to authorised personnel only
- Our infrastructure is protected by Cloudflare's enterprise-grade firewall and DDoS protection
- We follow the principle of least privilege and rotate credentials regularly
No system is 100% secure, but we do everything we reasonably can to protect your data. If a data breach occurs that affects your personal data, we will notify you and the ICO within 72 hours as required by UK GDPR.
8. Cookies
We use a minimal number of cookies. See our Cookie Policy for full details.
9. Children's privacy
Our service is not intended for individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided data to us, please contact us and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will show when changes were made. For material changes, we will notify customers by email.
In plain English: We only collect what we need to run our service. We never sell your data. We use trusted providers like Stripe, Cloudflare, and Postmark to deliver the service. You have full control — you can access, correct, or delete your data anytime. If anything's unclear, just email us.
Vivid Beginnings is a trading name based in the United Kingdom. This policy is governed by the laws of England and Wales. The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply.