Privacy Policy
Last revised: June 2026
Who we are
Cactus Co is a web design and development agency based in the United Kingdom. We are the data controller for personal data you share with us through our website or during our business relationship.
Privacy contact: [email protected]
Website: wearecactus.co
What data we collect and why
1. Contact form enquiries
When you use our contact form, we collect your name and email address, and the content of your message. We use this solely to respond to your enquiry.
Lawful basis: Legitimate interest: you have voluntarily contacted us about our services, and we have a clear interest in responding.
2. Instant estimate enquiries
When you use our public instant estimate tool, we collect your name, email address, and the project details you enter (page count and selected features). We also store the computed estimate result shown to you so the figure is preserved even if our pricing changes later. This data is used to follow up on your enquiry.
Lawful basis: Legitimate interest: you have voluntarily requested a pricing estimate, and we have a clear interest in following up.
3. Discovery call and meeting bookings
When you book a call or meeting via our scheduling tool (Cal.com), we collect your name, email address, the type of call booked, and the scheduled time. This data is used only to confirm, manage, and follow up on your booking.
Lawful basis: Legitimate interest: pre-contractual communication with prospective clients.
4. Client accounts
When you become a client, we store your name, email address, phone number, and company name to manage your project and our business relationship. We also store an internal role (admin or client) and external reference IDs that link your account to our authentication provider (Supabase Auth) and payment processor (Stripe). Authentication credentials are held by Supabase, not by us directly. No card or payment data is stored by us.
If you upload a profile photo, we store it in Supabase Storage. If you save accessibility preferences in the portal (such as contrast, font size, or reading mode), we store those to your account so your choices persist across devices. These preferences may include disability-related information (such as a dyslexia reading mode); they are stored solely to improve your portal experience and are not shared with any third party.
Lawful basis: Contract performance: processing is necessary to deliver the agreed services.
5. Quotes
When we prepare a quote for you, we store the itemised services, amounts, applicable discounts, and any free-text notes associated with your quote. Quotes are linked to your client account.
Lawful basis: Contract performance: necessary for pre-contractual negotiations and to formalise the scope of work.
6. Project briefs
When we prepare a project brief for you, we record your name, email address, and company name alongside the agreed project scope: an overview, goals, pages and structure, features, design direction, client responsibilities, timeline, and out-of-scope items. Briefs are used to define and document the scope of work before or alongside a quote.
Lawful basis: Contract performance: necessary for pre-contractual negotiations and to formalise the scope of work.
7. Contracts
When you sign a contract with us, we store the signed contract document (as a PDF) and record your email address and the date and time of signing. Contracts are prepared and signed via SignWell, our e-signature provider, and then stored by us in Supabase Storage.
Lawful basis: Contract performance and legal obligation: the signed contract is a legally binding record of the agreed services.
8. Invoicing and payments
We collect your name, email address, and company name for invoicing purposes. Invoice records include itemised descriptions and amounts, payment dates, and reference IDs linking to Stripe. Card payments are processed entirely by Stripe: we never see or store your card details. Invoicing covers both one-off build projects and recurring maintenance plan subscriptions.
Lawful basis: Contract performance and legal obligation: HMRC requires retention of accounting records for six years.
9. Maintenance plan subscriptions
If you subscribe to a Cactus Co maintenance plan, we store your plan name, subscription status, current billing period, and cancellation information, alongside reference IDs from Stripe. No card data is stored by us.
Lawful basis: Contract performance: necessary to manage and deliver your ongoing maintenance plan.
10. Project messages and feedback
Within the client portal, we store messages exchanged between you and our team on individual projects, as well as general company-level communications. We also send periodic feedback requests at project milestones; any feedback you submit is stored against your project record. These records are used to manage your project and maintain a clear communication history.
Lawful basis: Contract performance: necessary to deliver and document the agreed services.
11. Website analytics
We use Umami to understand how visitors use our site. Umami is a privacy-first analytics tool that does not use cookies, does not collect personal data, and does not track individuals across sites or devices. No IP addresses are stored. Because no personal data is processed, Umami falls outside the scope of GDPR and requires no consent.
Cookies
Our website uses essential cookies only. These are required for the site to function correctly and do not require your consent. We do not use any advertising, tracking, or analytics cookies.
Who we share your data with
| Provider | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing and subscription billing | Name, email, invoice/subscription amounts and reference IDs |
| Supabase | User authentication, session management, and data storage | Name, email, password hash, session tokens, login timestamps and IP addresses (authentication); all client account, project, booking, brief, quote, contract, invoice, and subscription data (storage) |
| Cal.com | Meeting and call scheduling | Name, email, booking details |
| Resend | Transactional email delivery | Name, email address (included in each email sent) |
| FreeAgent | Accounting and invoice management | Name, email, company name, invoice amounts and reference IDs |
| SignWell | Contract e-signature | Name, email address, contract PDF document |
| Umami | Website analytics (no personal data collected) | Aggregate, cookieless usage statistics only |
All providers are contractually required to protect your data and comply with applicable data protection law.
Note on Supabase Auth: Authentication data (password hashes, session tokens, login timestamps, IP addresses, and audit log entries) is stored and processed by Supabase within the EU (AWS eu-west-2) under their own privacy policy, available at supabase.com/privacy. This data does not leave the EU region.
How long we keep your data
| Data type | Retention period |
|---|---|
| Contact form enquiries | 12 months from last contact |
| Instant estimate enquiries | 12 months from date of submission |
| Booking records | 12 months from the date of the booking |
| Client account data | Duration of contract plus 6 years |
| Project briefs | Duration of contract plus 6 years (or 12 months if no contract resulted) |
| Quotes | Duration of contract plus 6 years (or 12 months if no contract resulted) |
| Contracts | Duration of contract plus 6 years |
| Invoice and payment records | 6 years from invoice date (HMRC requirement) |
| Subscription records | Duration of subscription plus 6 years |
| Project messages and feedback | Duration of contract plus 6 years |
| Umami analytics | No personal data collected; no retention limit applies |
Your rights under UK GDPR
You have the right to:
- Access your data
- Correct inaccurate data
- Request erasure
- Restrict processing
- Data portability
- Object to processing based on legitimate interest
- Withdraw consent at any time where processing is consent-based
To exercise any right, email [email protected]. We will respond within 30 days.
Complaints
You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113.
Changes to this policy
We may update this policy periodically. The date at the top of this page shows when it was last revised. Material changes will be communicated to active clients by email at least 14 days before they take effect.