Privacy Policy

How Creative Spark Digital Ltd handles your personal information under UK GDPR and the Data Protection Act 2018. This policy explains what we collect, why we use it, who we share it with, and your rights.

This Privacy Policy explains how Creative Spark Digital Ltd collects, uses, stores, and protects your personal information when you use our website, tools, and services. We aim to be clear and straightforward. If anything is unclear, please contact us.

Last updated: 2 July 2026

Who we are

Creative Spark Digital Ltd is a UK limited company that designs and builds websites for businesses. We provide services including website design and development, the Website Health Check tool, discovery calls, project delivery, hosting setup support, and ongoing website care.

  • Company name: Creative Spark Digital Ltd
  • Company number: 17059945
  • Registered in: England & Wales
  • Registered office: 128 City Road, London, EC1V 2NX, United Kingdom

Data controller

For the purposes of UK data protection law, Creative Spark Digital Ltd is the data controller for personal information collected through this website and in connection with our services.

This means we decide why and how your personal information is processed. Where we use service providers to help us run our business, they process information on our instructions as data processors, as explained below.

Contact details

If you have questions about this policy or how we handle your information, or if you want to exercise your data protection rights, contact us at:

Email: cssdesignstudiouk@gmail.com

Postal address: 128 City Road, London, EC1V 2NX, United Kingdom

What information we collect

The information we collect depends on how you use our website and services.

Information you provide

You may give us personal information when you:

  • Contact us — name, email address, business name (if provided), service interest, and your message
  • Book a discovery call — name, email address, phone number, business name (if provided), website address (if provided), what you need help with, budget range, and your chosen appointment time
  • Run a Website Health Check — name, email address, business name (if provided), website address, business type, and answers to optional questions about your website
  • Start or pay for a project — name, email address, package choice, payment details entered into Stripe (we do not receive your full card number), and information you provide in project questionnaires or during delivery
  • Use project tracking — email address, job number, and/or secure tracking link to access your project updates
  • Communicate with us — any information you choose to send by email or during calls, including feedback, content, branding assets, and project materials

Information collected automatically

When you visit our website, we may automatically collect limited technical information, such as:

  • IP address (used for security and rate limiting on some tools)
  • Browser type and version
  • Device type and operating system
  • Pages visited and general interaction with the site
  • Referring website or link (where available)
  • Date and time of access

For the Website Health Check, we also analyse the publicly available content of the website address you submit. This can include page text, headings, metadata, and a screenshot of the homepage. We use this only to produce your report and related service communications.

Website analytics

We use Vercel Analytics and Vercel Speed Insights to understand how visitors use our website and to monitor performance. These tools may collect anonymised or pseudonymised usage data, such as pages viewed and load times. They are not used to identify you personally for marketing purposes.

We also keep first-party conversion analytics to understand how visitors move from browsing to enquiry, booking, and project delivery. This includes anonymised page views, CTA clicks, and milestone events (for example, a Health Check completed or Project Starter submitted). We do not store form answers, message contents, or keystrokes in analytics events. Optional Microsoft Clarity may be used for heatmaps and session replays when configured — only with analytics consent and with form fields masked.

Cookies

We use cookies and similar technologies as explained in our Cookie Policy. Non-essential analytics and performance tools load only if you consent through our cookie banner. You can change your choices at any time using Cookie settings in the footer.

How we use your information

We use personal information to:

  • Respond to enquiries and communicate with you
  • Book and manage discovery calls
  • Provide Website Health Check reports and related follow-up emails
  • Deliver website design and development projects
  • Process payments and send invoices or receipts
  • Provide project updates through our tracking portal
  • Support domain, launch, and care plan services where agreed
  • Maintain internal records in our client management systems
  • Improve our website, tools, and services
  • Protect our website and services from misuse, spam, or abuse
  • Meet legal, tax, and accounting obligations

We do not sell your personal information. We do not use your information for automated decision-making that produces legal or similarly significant effects about you. Website Health Check reports use AI to generate suggestions, but these are advisory only and are reviewed as part of our service process.

Lawful basis for processing

Under UK GDPR, we must have a lawful basis for each way we use your personal information. The main bases we rely on are set out below.

Contract

Where you ask us to provide a service — for example, booking a discovery call, paying a deposit, or delivering a website project — we process your information because it is necessary to perform our contract with you or to take steps at your request before entering into a contract.

Legitimate interests

We process some information because it is necessary for our legitimate business interests, provided those interests are not outweighed by your rights. This includes:

  • Responding to enquiries and following up on service requests
  • Providing the free Website Health Check you request
  • Sending relevant service follow-up emails after a health check
  • Managing projects and client relationships
  • Understanding website usage to improve performance and content
  • Preventing fraud, abuse, and security incidents
  • Keeping appropriate business records

You have the right to object to processing based on legitimate interests. See Your rights below.

Consent

Where we rely on consent — for example, if you agree to optional marketing communications in future — you may withdraw that consent at any time. Withdrawal does not affect processing that was lawful before withdrawal.

Legal obligation

We process and retain certain information where required by law, including tax, accounting, and financial record-keeping rules.

Activity | Lawful basis
Contact form enquiries | Legitimate interests / steps before contract
Discovery call bookings | Contract / steps before contract
Website Health Check | Legitimate interests / steps before contract
Health check follow-up emails | Legitimate interests
Project delivery and tracking | Contract
Payments via Stripe | Contract / legal obligation
Website analytics | Legitimate interests
Security and anti-spam measures | Legitimate interests
Tax and accounting records | Legal obligation

How long we keep your information

We keep personal information only for as long as we need it for the purposes described in this policy, unless a longer period is required by law.

  • General enquiries — up to 24 months if you do not become a client, unless you ask us to delete it sooner
  • Website Health Check records — up to 24 months from your last interaction, unless you ask us to delete them sooner or a longer period is needed for an active enquiry
  • Discovery call bookings — up to 24 months after the appointment, unless you become a client
  • Client and project records — for the duration of the project and up to 6 years afterwards for contractual, tax, and accounting purposes
  • Payment and invoice records — up to 6 years, in line with UK tax and accounting requirements
  • Analytics data — according to the retention settings of our analytics providers (typically aggregated and not kept indefinitely in identifiable form)

When information is no longer needed, we delete it securely or anonymise it where appropriate.

Who we share your information with

We share personal information only where necessary, with trusted service providers who help us operate our business. They may only use your information on our instructions and for the purposes described in this policy.

  • Hosting provider (Vercel) — website hosting and infrastructure
  • Database provider (Neon) — secure storage of client, project, booking, and health check records
  • Email provider (Resend) — sending transactional emails such as health check reports, booking confirmations, project updates, and invoices
  • Payment provider (Stripe) — processing deposits and payments. Stripe handles card details directly; we do not store your full card number on our systems
  • Analytics providers (Vercel Analytics and Speed Insights) — website usage and performance measurement
  • AI provider (OpenAI) — generating Website Health Check analysis from website content you submit. Content is sent for processing only to deliver the report

We may also share information:

  • With professional advisers (for example, accountants) where necessary
  • Where required by law, court order, or regulatory authority
  • To protect our rights, users, or the security of our services

International transfers

Some of our service providers are based outside the UK. Where personal information is transferred internationally, we ensure appropriate safeguards are in place as required by UK data protection law. This may include:

  • Transfers to countries approved as providing adequate protection
  • Standard contractual clauses or equivalent safeguards approved under UK GDPR for transfers to countries such as the United States

Our database is hosted in the UK/EU region. Providers such as Stripe, Resend, Vercel, and OpenAI may process data in the United States or other countries. You can contact us for more information about safeguards used for specific transfers.

How we protect your information

We take reasonable steps to protect personal information, including:

  • Using HTTPS encryption for data sent between your browser and our website
  • Restricting access to personal information to those who need it
  • Using reputable hosting, database, email, and payment providers
  • Protecting admin and internal systems with access controls
  • Rate limiting and anti-spam measures on public forms and tools

No method of transmission or storage is completely secure. While we work to protect your information, we cannot guarantee absolute security.

Your rights under UK GDPR

Under UK data protection law, you have the following rights in relation to your personal information. These rights are not absolute and may not apply in every situation.

Right of access

You can ask for a copy of the personal information we hold about you.

Right to rectification

You can ask us to correct inaccurate information or complete incomplete information.

Right to erasure

You can ask us to delete your personal information in certain circumstances, for example where it is no longer needed for the purpose it was collected.

Right to restriction

You can ask us to restrict processing in certain circumstances, for example while a complaint is being resolved.

Right to object

You can object to processing based on legitimate interests, and to direct marketing at any time.

Right to data portability

Where processing is based on consent or contract and is carried out by automated means, you may ask for your data in a structured, commonly used, machine-readable format.

Right to withdraw consent

Where we rely on consent, you may withdraw it at any time. This does not affect earlier lawful processing.

Right to complain to the Information Commissioner's Office (ICO)

If you are unhappy with how we have handled your personal information, you have the right to lodge a complaint with the ICO, the UK supervisory authority for data protection:

Website: ico.org.uk
Telephone: 0303 123 1113

We would appreciate the chance to resolve your concern first, so please contact us at cssdesignstudiouk@gmail.com before contacting the ICO.

To exercise any of your rights, email us at cssdesignstudiouk@gmail.com. We will respond within one month, as required by law. We may need to verify your identity before completing your request.

Children's privacy

Our website and services are aimed at businesses and adults. We do not knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, please contact us and we will take steps to delete it.

Changes to this policy

We may update this Privacy Policy from time to time, for example when our services, tools, or legal requirements change. The latest version will always be published on this page with an updated "Last updated" date. We encourage you to review this page periodically.

If we make significant changes to how we use your personal information, we will take appropriate steps to inform you where required by law.

This policy applies to personal information collected through the Creative Spark Digital website and related services operated by Creative Spark Digital Ltd.
