Rule 4 — UK GDPR / Data Protection Act 2018

Privacy

Last updated · 22 June 2026

This is a plain-English privacy policy. It tells you what data this website collects, why, how long I keep it, who I share it with, and what you can do about it. If anything below isn’t clear, email me — hi@jaycosten.co.uk — and I’ll explain.

Who I am

I’m Jay Costen, a sole trader based in Beverley, East Yorkshire. I build websites for small businesses. For the purposes of UK GDPR I am the data controller for any personal data this website collects about you.

Trading name: Jay Costen
Address area: Beverley, East Yorkshire HU17
Contact: hi@jaycosten.co.uk

What data I collect

I collect data in two ways: when you fill in a form, and when you visit a page.

If you fill in a form

  • Your name
  • Your email address
  • Your phone number (optional)
  • Your business name + type (so I can write back sensibly)
  • Whatever you write in the brief / message box
  • The page you came from (referrer / `ref` tag for attribution)

When you visit a page

  • A short anonymised hash of your IP address (so I can spot abuse, never to identify you)
  • Your browser’s user-agent string (so I can debug issues)
  • The pages you visit on this site, if you’ve consented to analytics cookies (see the Cookies page)

Why I collect it

Lawful basis under UK GDPR Article 6:

  • Form data — Article 6(1)(b), to take steps at your request before entering a contract (i.e. so I can reply to your enquiry).
  • Anonymised access logs — Article 6(1)(f), legitimate interest in keeping the site running and secure.
  • Analytics cookies — Article 6(1)(a), your explicit consent via the cookie banner. Off by default.

How long I keep it

  • Form submissions: 24 months from receipt. After that I delete them unless we’ve agreed otherwise (e.g. you’ve become a client).
  • Anonymised access logs: 30 days, then deleted.
  • Invoice / accounting records (if we work together): 7 years, because HMRC requires it.

Who I share it with

I share only with the suppliers needed to run the site or deliver the service:

  • Supabase (database, EU-region) — stores form submissions.
  • Vercel (hosting, EU-region) — serves the site.
  • Porkbun (domain registrar, US) — only holds my domain registration, not your data.
  • Stripe (payments, EU/US) — if and only if you pay an invoice.
  • HMRC — only the bits the tax authority can legally require.

I will never sell your data, and I will never share it with marketing platforms, ad networks, or data brokers.

Your rights

Under UK GDPR you have the right to:

  • Ask me what data I hold about you (a Subject Access Request)
  • Ask me to correct anything that’s wrong
  • Ask me to delete your data
  • Ask me to stop processing it
  • Receive a copy in a portable format
  • Object to processing based on legitimate interest
  • Withdraw consent at any time (where consent is the basis)

To exercise any of these, email hi@jaycosten.co.uk. I’ll reply within seven days and complete the request within 30 days, as UK GDPR requires.

If you’re not happy

If you think I’ve handled your data poorly and emailing me hasn’t resolved it, you have the right to complain to the Information Commissioner’s Office: ico.org.uk/make-a-complaint.

Changes to this policy

If I change this policy, I’ll update the “last updated” date at the top of the page. If the change is material I’ll email anyone who’s previously submitted a form.