Privacy policy.

The short version: I collect the minimum, I don't track you, and I never sell your details. Last updated 2 July 2026.

1. Who's responsible for your data

Me: David, trading as Towpath Studio, based in Staines-upon-Thames, Surrey. For anything in this policy, or any question about your data, email hello@towpathstudio.com or message me on 0333 335 6832.

2. What I collect, and why

Enquiries. If you fill in the contact form I receive your name, email address, message, and your phone number and business name if you choose to give them. If you WhatsApp, call or email me, I receive whatever you send. I use this to reply to you, quote for your project and carry out the work. The legal basis is taking steps to enter into a contract with you, or my legitimate interest in responding to people who contact me.

Clients. If you become a client I also hold what's needed to do the job and keep proper records: your contact details, correspondence, invoices and payment history. The legal bases are performing our contract and my legal obligation to keep business records.

Server logs. Like almost every website, my server keeps standard access logs (IP address, pages requested, browser type) for security and to keep the site working. That's a legitimate interest, and logs are routinely rotated out after a short period.

That's it. There is no analytics software on this site, no advertising, no social media pixels and no profiling.

3. Where your data lives

On my own servers in the UK, including my own mail server, which is where contact-form messages and emails are delivered. Data is backed up as part of keeping everything safe. If you message me on WhatsApp, that conversation also passes through WhatsApp itself, which is run by Meta under its own privacy policy.

4. Who I share it with

Nobody, as a rule. I never sell or rent your details, and I don't hand them to marketers. The only exceptions are the everyday services needed to run a business (for example, card payments are processed by the payment provider, who see what they need to take the payment) and situations where the law requires disclosure.

5. How long I keep it

Enquiries that don't go anywhere are deleted within a couple of years. Client records are kept for the life of our work together, and invoices and accounting records for six years after the tax year they relate to, because HMRC requires it. Server logs are kept for a matter of weeks.

6. Cookies

This site sets no tracking or advertising cookies. The only thing stored in your browser is a single small note remembering that you've dismissed the cookie notice, so it doesn't keep popping up. That's stored on your device, tells me nothing about you, and you can clear it in your browser settings whenever you like.

7. Sites I host for clients

If I host your business's website, you stay in charge of your customers' data and I act on your instructions as a processor: I keep the server secure, backed up and updated, and I don't use your customers' data for anything of my own.

8. Your rights

You can ask me for a copy of the personal data I hold about you, ask me to correct it, delete it, or stop using it, and ask me to pass it to someone else. Just email me and I'll sort it, normally within a month. If you're unhappy with how I've handled your data you can complain to the Information Commissioner's Office at ico.org.uk, though I'd appreciate the chance to put it right first.

9. Changes to this policy

If anything here changes, the current version will always live at this address with the date at the top updated. If a change materially affects how I use your data, I'll tell you directly.