Privacy Policy

How Code & Canvas collects, uses and protects your personal data, and your rights under UK GDPR.

Last updated: April 2026

We keep things simple. We do not sell your data, use advertising trackers, or share your information with anyone except the service providers needed to run this website. All of those providers are listed below.

Who we are

Code & Canvas is a web services business registered in England and Wales, based in Shropshire. We provide managed web hosting, bespoke website builds and managed WordPress care to UK businesses.

For the purposes of UK data protection law, Code & Canvas is the data controller for personal data collected through this website and our client services.

You can contact us about any data protection matter at: [email protected]

Data we collect

Contact enquiries

When you submit the contact form on our website, we collect your name, email address, phone number (if provided), the service you are enquiring about, and your message. This information is used solely to respond to your enquiry.

Client portal accounts

Clients with a portal account have the following information stored: full name, company name, email address, phone number (if provided), password (stored as a one-way cryptographic hash — we cannot read it), hosting plan, and any notes relevant to your account.

Support tickets and messages

The content of support tickets, replies and live chat messages sent through the client portal is stored so we can provide ongoing support and maintain an accurate service history.

Documents

Files you upload to the client portal (such as reports or reference documents) are stored securely and accessible only to you and us.

Website usage

We do not use Google Analytics or any third-party analytics service. We do not track you across the web. Our server may log standard access information (IP address, browser type, pages visited, time of visit) for security and diagnostic purposes only. These logs are not shared and are routinely deleted.

How we use your data

  • To respond to your enquiry or provide the services you have requested
  • To manage your hosting account and provide technical support
  • To send you service-related communications (such as invoice notifications or scheduled maintenance notices)
  • To maintain security and monitor for abuse or unauthorised access
  • To comply with our legal obligations

We do not use your data for marketing purposes, profiling, or automated decision-making. We will never sell your data to any third party.

We rely on the following legal bases under UK GDPR:

  • Contract — processing necessary to deliver the services you have engaged us for (client accounts, hosting, support)
  • Legitimate interests — responding to contact enquiries and maintaining server security logs, where our interest in running a safe and responsive business does not override your rights
  • Legal obligation — where we are required to retain records to comply with UK law

Third parties

We share data with the following service providers only, and only to the extent necessary to deliver our services:

  • IONOS SE — UK datacentre server infrastructure. Your website and associated data are stored on servers physically located in the United Kingdom.
  • Zoho Corporation Europe — email delivery (Zoho Mail EU). Emails sent from our systems (such as enquiry confirmations and support notifications) are processed via Zoho's EU infrastructure.
  • Cloudflare, Inc. — CDN and DDoS protection. Traffic to hosted websites passes through Cloudflare. Cloudflare's privacy policy applies to this processing.

All providers are bound by data processing agreements. We do not transfer your personal data outside the United Kingdom or European Economic Area.

Retention periods

  • Contact enquiries — retained for 12 months, then deleted unless they have resulted in a client relationship
  • Client account data — retained for the duration of the client relationship and for 6 years after it ends, in line with UK financial record-keeping requirements
  • Support tickets and messages — retained for the duration of the client relationship and 12 months thereafter
  • Server access logs — retained for 30 days, then automatically deleted

Your rights

Under UK GDPR you have the following rights in relation to your personal data:

  • Right of access — you may request a copy of the personal data we hold about you
  • Right to rectification — you may ask us to correct inaccurate or incomplete data
  • Right to erasure — you may ask us to delete your data where there is no legitimate reason for us to keep it
  • Right to restriction — you may ask us to restrict processing while a dispute is resolved
  • Right to data portability — where processing is based on consent or contract, you may request your data in a structured, machine-readable format
  • Right to object — you may object to processing based on legitimate interests

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days. There is no charge for reasonable requests.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

Cookies

This website uses one strictly necessary session cookie to maintain your login state when you are signed in to the client portal. It is set only when you log in and expires when your session ends or after 7 days. No consent is required for strictly necessary cookies.

We do not use analytics cookies, advertising cookies or any third-party tracking cookies. For full details, see our Cookie Policy.

Contact us

For any questions about this policy or to exercise your data rights, please contact us:

This policy was last reviewed in April 2026. We will update it if our practices change and note the revision date above.