Privacy Policy

Last revised: June 2026

Who we are

Cactus Co is a web design and development agency based in the United Kingdom. We are the data controller for personal data you share with us through our website or during our business relationship.

Privacy contact: [email protected]
Website: wearecactus.co

What data we collect and why

1. Contact form enquiries

When you use our contact form, we collect your name and email address, and the content of your message. We use this solely to respond to your enquiry.

Lawful basis: Legitimate interest: you have voluntarily contacted us about our services, and we have a clear interest in responding.

2. Instant estimate enquiries

When you use our public instant estimate tool, we collect your name, email address, and the project details you enter (page count and selected features). We also store the computed estimate result shown to you so the figure is preserved even if our pricing changes later. This data is used to follow up on your enquiry.

Lawful basis: Legitimate interest: you have voluntarily requested a pricing estimate, and we have a clear interest in following up.

3. Discovery call and meeting bookings

When you book a call or meeting via our scheduling tool (Cal.com), we collect your name, email address, the type of call booked, and the scheduled time. This data is used only to confirm, manage, and follow up on your booking.

Lawful basis: Legitimate interest: pre-contractual communication with prospective clients.

4. Client accounts

When you become a client we store your name, email address, phone number, and company name to manage your project and our business relationship. We also store an internal role (admin or client) and external reference IDs that link your account to our authentication provider (Supabase Auth) and payment processor (Stripe). Authentication credentials are held by Supabase, not by us directly. No card or payment data is stored by us.

If you upload a profile photo, we store it in Supabase Storage. If you save accessibility preferences in the portal (such as contrast, font size, or reading mode), we store those to your account so your choices persist across devices. These preferences may include disability-related information (such as a dyslexia reading mode); they are stored solely to improve your portal experience and are not shared with any third party.

Lawful basis: Contract performance: processing is necessary to deliver the agreed services.

5. Quotes

When we prepare a quote for you, we store the itemised services, amounts, applicable discounts, and any free-text notes associated with your quote. Quotes are linked to your client account.

Lawful basis: Contract performance: necessary for pre-contractual negotiations and to formalise the scope of work.

6. Project briefs

When we prepare a project brief for you, we record your name, email address, and company name alongside the agreed project scope: an overview, goals, pages and structure, features, design direction, client responsibilities, timeline, and out-of-scope items. Briefs are used to define and document the scope of work before or alongside a quote.

Lawful basis: Contract performance: necessary for pre-contractual negotiations and to formalise the scope of work.

7. Contracts

When you sign a contract with us, we store the signed contract document (as a PDF) and record your email address and the date and time of signing. Contracts are prepared and signed via SignWell, our e-signature provider, and then stored by us in Supabase Storage.

Lawful basis: Contract performance and legal obligation: the signed contract is a legally binding record of the agreed services.

8. Invoicing and payments

We collect your name, email address, and company name for invoicing purposes. Invoice records include itemised descriptions and amounts, payment dates, and reference IDs linking to Stripe. Card payments are processed entirely by Stripe: we never see or store your card details. Invoicing covers both one-off build projects and recurring maintenance plan subscriptions.

Lawful basis: Contract performance and legal obligation: HMRC requires retention of accounting records for six years.

9. Maintenance plan subscriptions

If you subscribe to a Cactus Co maintenance plan, we store your plan name, subscription status, current billing period, and cancellation information, alongside reference IDs from Stripe. No card data is stored by us.

Lawful basis: Contract performance: necessary to manage and deliver your ongoing maintenance plan.

10. Project messages and feedback

Within the client portal, we store messages exchanged between you and our team on individual projects, as well as general company-level communications. We also send periodic feedback requests at project milestones; any feedback you submit is stored against your project record. These records are used to manage your project and maintain a clear communication history.

Lawful basis: Contract performance: necessary to deliver and document the agreed services.

11. Website analytics

We use Umami to understand how visitors use our site. Umami is a privacy-first analytics tool that does not use cookies, does not collect personal data, and does not track individuals across sites or devices. No IP addresses are stored. Because no personal data is processed, Umami falls outside the scope of GDPR and requires no consent.

Cookies

Our website uses essential cookies only. These are required for the site to function correctly and do not require your consent. We do not use any advertising, tracking, or analytics cookies.

Who we share your data with

Provider | Purpose | Data shared
Stripe | Payment processing and subscription billing | Name, email, invoice/subscription amounts and reference IDs
Supabase | User authentication, session management, and data storage | Name, email, password hash, session tokens, login timestamps and IP addresses (authentication); all client account, project, booking, brief, quote, contract, invoice, and subscription data (storage)
Cal.com | Meeting and call scheduling | Name, email, booking details
Resend | Transactional email delivery | Name, email address (included in each email sent)
FreeAgent | Accounting and invoice management | Name, email, company name, invoice amounts and reference IDs
SignWell | Contract e-signature | Name, email address, contract PDF document
Umami | Website analytics (no personal data collected) | Aggregate, cookieless usage statistics only

All providers are contractually required to protect your data and comply with applicable data protection law.

Note on Supabase Auth: Authentication data (password hashes, session tokens, login timestamps, IP addresses, and audit log entries) is stored and processed by Supabase within the EU (AWS eu-west-2) under their own privacy policy, available at supabase.com/privacy. This data does not leave the EU region.

How long we keep your data

Data type | Retention period
Contact form enquiries | 12 months from last contact
Instant estimate enquiries | 12 months from date of submission
Booking records | 12 months from the date of the booking
Client account data | Duration of contract plus 6 years
Project briefs | Duration of contract plus 6 years (or 12 months if no contract resulted)
Quotes | Duration of contract plus 6 years (or 12 months if no contract resulted)
Contracts | Duration of contract plus 6 years
Invoice and payment records | 6 years from invoice date (HMRC requirement)
Subscription records | Duration of subscription plus 6 years
Project messages and feedback | Duration of contract plus 6 years
Umami analytics | No personal data collected; no retention limit applies

Your rights under UK GDPR

You have the right to:

  • Access your data
  • Correct inaccurate data
  • Request erasure
  • Restrict processing
  • Data portability
  • Object to processing based on legitimate interest
  • Withdraw consent at any time where processing is consent-based

To exercise any right, email [email protected]. We will respond within 30 days.

Complaints

You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113.

Changes to this policy

We may update this policy periodically. The date at the top of this page shows when it was last revised. Material changes will be communicated to active clients by email at least 14 days before they take effect.
