How Drew collects, uses and protects personal data. Plain English. UK GDPR-compliant.
1. About this policy
This policy explains what personal data Drew collects when you visit our website, get in touch with us, or become a client — and what we do with it. We've written it in plain English. If anything's unclear, email us at hello@drewautomations.co.uk and we'll explain.
This policy is governed by UK law. The Information Commissioner's Office (ICO) is the regulator and you can complain to them if you're unhappy with how we handle your data — see section 11.
2. Who we are
Drew is a UK-based service that builds and looks after websites for trade businesses. For the purposes of UK GDPR:
We are the data controller for personal data you give us directly — for example, when you fill in our contact form, book a call, or become a paying client.
We are a data processor for personal data submitted by your customers through a Drew-built website — your customers are giving that data to you, not to Drew. We just route it to your inbox and your phone on your behalf.
Contact details — name, business name, email, phone number — if you submit our forms or email us.
Trade and location — what trade you do and roughly where, so we can audit relevant Google searches.
Website URL — if you give us your existing site for the free audit.
Billing details — handled by our payment provider (we don't store full card numbers ourselves).
Conversation history — emails you send us, call notes from any meetings.
3b. From your customers (via a Drew-built website)
When someone fills in a quote form or hits a click-to-email link on a website Drew has built for you, the data they submit (typically name, email, phone, and details of the job they're enquiring about) is processed by Drew on your behalf and routed to your business email and phone. You are the data controller for that data — Drew is the processor.
3c. Technical data
Visit logs — anonymous logs from our hosting provider (IP address, browser type, pages visited) for security and uptime monitoring.
Cookies — see section 9.
4. How we use your data
To respond to your enquiries and deliver the audit, call or service you've asked for.
To run your subscription — invoicing, payments, account admin.
To deliver the website, monthly SEO updates, business email and lead routing you've signed up for.
To improve our service — anonymised analysis of what works and what doesn't.
To send occasional follow-ups about your audit or service updates (you can opt out anytime).
To meet legal and tax obligations.
We do not sell your data, share it with advertisers, or use it to train AI models.
5. Lawful basis
UK GDPR requires us to have a lawful basis for handling personal data. Ours are:
Contract — to deliver the service you've signed up for.
Consent — for marketing follow-ups (you can withdraw at any time).
Legitimate interests — for security logging, fraud prevention, and improving our service.
Legal obligation — for accounting and tax records.
6. Who we share data with
We use a small number of trusted third-party providers to actually run Drew. We share only what they need to do their job, and we have data-processing agreements with each:
Hosting provider — to host your website and our own.
Email provider — for business email and transactional notifications.
Form / SMS notification provider — to deliver leads from your site to your inbox and phone.
Payment processor — to take subscription payments.
Domain registrar — if Drew registers a domain on your behalf.
We will share your data with anyone else only if you've asked us to, or if we're legally required to (e.g. by a court order).
7. International transfers
Where reasonably possible, our hosting and processing happens within the UK or EEA. Where a provider is based outside the UK/EEA (for example, certain US-based SaaS tools), transfers are protected by Standard Contractual Clauses or equivalent UK-approved safeguards.
8. How long we keep data
Prospect / audit enquiry data — up to 24 months from your last contact, then deleted.
Active client data — for the lifetime of your subscription, plus 7 years after cancellation for accounting and legal purposes.
Lead data routed through your Drew site — handled per your retention rules; Drew does not retain copies beyond delivery, except for service logs needed to prove delivery (typically 90 days).
9. Cookies
Drew's marketing site (drewautomations.co.uk) uses only essential cookies needed to make the site work. We don't use third-party advertising or tracking cookies. If we ever add analytics, we'll update this section and ask for your consent first.
Websites Drew builds for you may use additional cookies depending on what features you've asked us to add (e.g. analytics, chat widgets). Those are documented in your individual site's cookie notice.
10. Your rights
Under UK GDPR, you have the right to:
Access — ask us for a copy of the personal data we hold about you.
Rectification — correct anything inaccurate.
Erasure — ask us to delete your data (subject to legal retention requirements).
Restriction — pause our processing while a complaint is investigated.
Portability — receive your data in a machine-readable format.
Object — to processing based on legitimate interests, including marketing.
Withdraw consent — at any time, where consent is the lawful basis.
If you're unhappy with how we've handled your data, please tell us first — we'd much rather fix it directly. If you'd prefer to take it further, you can complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint.
12. Changes to this policy
We update this policy when our service changes or when the law requires it. The "last updated" date at the top tells you when. Material changes will be flagged on the homepage or by email if you're a client.
13. Contact
Questions, requests, complaints — anything privacy-related comes to: