Legal

Privacy Policy

Last updated: 17 April 2026

Short version. We collect the minimum personal data needed to build your website and run our business. We do not sell your data. Stripe, Klarna and Revolut Pay handle payments. We use Google Analytics and the Meta Pixel to measure our own advertising, only if you consent. You can ask us to show, correct, export or delete your data at any time — details in section 7.

Contents

Who we are
What data we collect & why
Legal bases for processing
Cookies & tracking
Third-party processors
How long we keep data
Your rights under UK GDPR
Data security
International transfers
Changes to this policy
Contact & complaints

1. Who we are

Exist Online Ltd (company number 17085581) is a limited company registered in England and Wales. Our registered office is at 122 Burleigh Avenue, Wigston, LE18 1FL.

For the purposes of UK GDPR and the Data Protection Act 2018, we are the data controller for the personal data described in this policy. That means we decide what data is collected, why, and how it is used.

Because we are a small business and do not carry out large-scale systematic processing of personal data, we are not required to appoint a Data Protection Officer. Data-protection queries are handled directly by the company directors at hello@existonline.co.uk.

2. What data we collect & why

When	What we collect	Why
You submit the Free Revenue Check form	Your name, email, business name, business website URL (optional), postcode and industry	To run the Revenue Check against your business, email you the report you requested, and respond if you reply. We do not add you to a marketing list without your separate, explicit opt-in.
You order a website or add-on	Name, email, phone, business details, billing address; project content you provide through onboarding	To deliver the service, handle payment, and meet UK tax and accounting law
You pay at checkout	Payment identifiers only — card and bank details go directly to Stripe, Klarna or Revolut Pay. We never see or store your full card number.	To process payments and issue receipts
You contact us	Email, WhatsApp number or phone number, and the content of your message	To respond and keep a record of the conversation
You visit the website	IP address (truncated for analytics), device and browser info, pages viewed, referrer — via cookies you have accepted	To measure site performance and the effectiveness of our own advertising
You become a Care Plan or Basic Hosting subscriber	Continuation of the data above, plus hosting usage logs (access logs, error logs) for as long as the subscription is active	To operate hosting, detect abuse, and respond to support requests

We do not buy personal data from third parties and we do not enrich your profile with data from data brokers.

3. Legal bases for processing

Under UK GDPR we need a lawful basis for every type of processing. Specifically:

Processing activity	Lawful basis
Delivering the website, add-ons or Care Plan you ordered and communicating about them	Contract (Art. 6(1)(b))
Running the Free Revenue Check and emailing the report you asked for	Legitimate interests — providing the service you requested (Art. 6(1)(f))
Responding to email / WhatsApp enquiries	Legitimate interests — replying to people who contact us (Art. 6(1)(f))
Keeping invoicing and accounting records	Legal obligation — UK tax and company law (Art. 6(1)(c))
Analytics cookies (Google Analytics 4)	Consent (Art. 6(1)(a) + PECR reg. 6)
Advertising cookies / Meta Pixel	Consent (Art. 6(1)(a) + PECR reg. 6)
Optional marketing emails	Consent (Art. 6(1)(a)) — you can unsubscribe at any time

You can withdraw consent at any time where the basis is consent, without affecting the lawfulness of processing carried out before withdrawal.

4. Cookies & tracking

We use a small number of cookies and similar technologies. Non-essential cookies are only loaded after you have given active consent through our cookie banner, as required by the Privacy and Electronic Communications Regulations (PECR) and the UK GDPR. Essential cookies load automatically because the site and checkout cannot function without them.

Essential cookies — session state, checkout and cookie-preference storage. Always on. No consent required under PECR.
Analytics (Google Analytics 4) — with IP anonymisation enabled. Loaded only if you accept analytics cookies.
Meta (Facebook) Pixel — used to measure the performance of our own paid advertising. Loaded only if you accept advertising cookies.

You can change your cookie choices at any time by clicking in the footer, or through your browser settings. Refusing non-essential cookies does not affect your ability to browse, order or pay.

5. Third-party processors

We use a short list of trusted providers to run the business. Each is bound by a data-processing agreement and their own security and privacy commitments:

Stripe — card payments and subscription billing. PCI DSS Level 1. Card numbers never touch our servers.
Klarna — Pay in 3 buy-now-pay-later at checkout. Klarna is a separate data controller for any instalment plan you take out with them.
Revolut Pay — alternative card / wallet payment method at checkout.
Hostinger — our VPS and hosting infrastructure provider (UK/EU region).
Google — Google Analytics 4 (site measurement), Google Search Console, and Google Business Profile where you use that add-on.
Meta (Facebook) — Facebook Pixel for measuring our own advertising. We do not run ads that target individuals by name or email.
Make.com — internal workflow automation between our own systems. Processes minimal PII (name, email, order identifiers) to route notifications.
Notion — internal project and revenue records.
Telegram / WhatsApp — internal operational notifications and client communication.

6. How long we keep data

Data	Retention period
Free Revenue Check submissions (no purchase)	12 months, then deleted
Client project files and onboarding content	Duration of the engagement, plus 6 years (UK tax and contract-dispute window)
Invoicing and accounting records	6 years minimum, as required by UK tax law
Payment records	Retained by Stripe, Klarna and Revolut Pay under their own policies
Website hosting logs	30 days rolling, then deleted
Email correspondence	2 years after the last contact, then deleted unless part of an active project

7. Your rights under UK GDPR

You have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate or incomplete data.
Erasure — ask us to delete data that is no longer needed, subject to our legal obligation to keep accounting records.
Portability — receive your data in a machine-readable format.
Restriction — ask us to limit the processing of your data.
Objection — object to processing we carry out on legitimate-interest grounds.
Withdraw consent — at any time, for any processing based on consent (e.g. non-essential cookies, marketing emails).

To exercise any of these rights, email hello@existonline.co.uk. We will respond within 30 days. We may ask for proof of identity before releasing data.

8. Data security

We take reasonable technical and organisational measures to protect your data:

TLS (HTTPS) encryption for all traffic between you and our servers.
Encrypted storage on our VPS and in third-party systems.
Access to client data restricted to the company directors and named contractors bound by confidentiality obligations.
Multi-factor authentication on all administrative accounts (Stripe, Notion, domain registrar, VPS, Make.com).
Regular offsite backups of client project data.

No online service is 100% secure. If a breach occurs that is likely to result in a risk to your rights and freedoms, we will notify you and the Information Commissioner’s Office (ICO) within 72 hours as required by UK GDPR.

9. International transfers

Some of the processors we use (notably Google, Meta and Make.com) are headquartered outside the UK and may process data in the United States or the European Economic Area. Where that happens, the transfer is covered by:

The UK Extension to the EU–US Data Privacy Framework, for providers that have certified under it; or
Standard Contractual Clauses (SCCs) with the UK International Data Transfer Addendum, for providers that have not.

In plain English: your data is protected by the same legal standards abroad as it would be in the UK.

10. Changes to this policy

We may update this policy when our practices or the law change. The “last updated” date at the top reflects the most recent change. Material changes that affect existing customers will be notified by email at least 14 days before taking effect.

11. Contact & complaints

For any privacy-related question, request or complaint, contact us first:

Exist Online Ltd
Company No. 17085581 — registered in England and Wales
122 Burleigh Avenue, Wigston, LE18 1FL
Email: hello@existonline.co.uk
WhatsApp: 0116 444 0025

Still unhappy? You have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s independent data-protection authority. We’d always rather you came to us first so we can try to put things right.