Last updated: 8 June 2026
1. Introduction
Paul James, trading as Paul James Digital (“I”, “me”, “my”), is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy explains what personal data I collect, why I collect it, how long I keep it, who I share it with, and what your rights are.
2. Data Controller
The data controller for personal data collected through this website and in connection with my services is:
Paul James, trading as Paul James Digital
c/o Penn & Co, 5 Load Street, Bewdley DY12 2AF
Email: [email protected]
I am registered with the Information Commissioner’s Office (ICO) as a data controller. My ICO reference is C1954054.
For my own website, enquiries, invoicing and business administration, I act as data controller and this policy applies in full. Where I access or process personal data inside a client’s website, content management system, hosting account, analytics account or other system solely on the client’s instructions, the client is usually the data controller and I act as their data processor under the terms of our client agreement. In those circumstances, the client’s own privacy policy and data practices govern that processing. The distinction matters because I may handle personal data belonging to a client’s customers, users, subscribers or staff in the course of delivering agreed services.
3. Personal data I collect: purpose, lawful basis and retention
The table below sets out each category of personal data I collect or receive, why I use it, the lawful basis under UK GDPR (or, for cookieless analytics, the position under PECR), and how long I keep it.
| Data | Purpose | Lawful basis / PECR position | Retention |
|---|---|---|---|
| Name, email address, phone number | Responding to enquiries and communicating if you become a client | Legitimate interests | 12 months from last contact if no services are engaged |
| Client project information (branding preferences, website content, business information) | Delivering the services I have agreed to provide | Contract performance | Core contract, correspondence and project records: the engagement plus 6 years. Draft working files and access materials: deleted or returned when no longer required for the agreed purpose. |
| Login credentials and access details | Carrying out agreed work on your website or systems | Contract performance | Duration of the engagement only; deleted or returned on completion |
| Invoicing details (business name, billing address) | Issuing invoices and meeting UK tax and accounting obligations | Legal obligation | 6 years from the end of the relevant tax year |
| Technical data (IP address, browser type, pages visited) | Operating and securing the website | Legitimate interests | Short-term server and security logs held by my hosting and content delivery providers |
| Aggregate website analytics (Matomo, self-hosted) | Measuring how the website is used so I can improve it | No UK GDPR lawful basis is needed because the analytics is configured so that no personal data is collected or stored. Handled under the PECR statistical purposes exception (see Section 7) | Aggregate statistics only; no individual-level personal data is retained |
Some of this information is necessary rather than optional. If you do not provide contact details I cannot respond to your enquiry. If you do not provide the project information or access details a piece of work requires, I may not be able to deliver the service. If you do not provide billing details I cannot issue an invoice or meet my tax and accounting obligations. You are under no statutory obligation to provide any of this data.
Where I collect login credentials or access details on your behalf, I use them only for the agreed purpose, store them securely using password management tools, restrict access to them, and delete or return them when they are no longer needed.
Where I rely on legitimate interests as the lawful basis for processing, those interests are: responding to genuine business enquiries, managing client and prospective client communications, maintaining the security and integrity of this website, preventing abuse, and operating my business efficiently. I have considered whether those interests are overridden by the rights and freedoms of the individuals whose data is processed and am satisfied that they are not, given the limited nature and volume of data involved and the reasonable expectations of people who contact a business.
4. Processors and data sharing
I will not sell your personal data or share it with third parties for marketing purposes. I do not currently send marketing emails. If that changes, I will only do so where permitted by law, and you will be able to opt out at any time by contacting me at [email protected]. I may share data in the circumstances below.
Infrastructure and service providers. The infrastructure I use to operate this website and deliver services involves the following third-party processors. Each processes personal data only as necessary to provide its service and operates under its own published data processing terms.
| Processor | Role | Data processing terms |
|---|---|---|
| Krystal Hosting Ltd (Company No. 07571790), 124 City Road, London, EC1V 2NX | Website hosting infrastructure | krystal.io/legal/data-processing-agreement |
| Cloudflare, Inc. | Content delivery network, DNS and website security. All traffic to this website passes through Cloudflare. | cloudflare.com/cloudflare-customer-dpa |
| Amazon Web Services, Inc. (Amazon Simple Email Service) | Email delivery and routing | aws.amazon.com/compliance/gdpr-center |
My website analytics is provided by Matomo, which I host myself on my own infrastructure at pauljamesanalytics.uk. Analytics data is not shared with any third party. Full details are in Section 7.
At your request or where necessary to provide services. In certain circumstances, such as registering a domain name or setting up a third-party service on your behalf, I may share information with additional providers in order to deliver what you have asked for. I will tell you before doing so.
Legal requirements. If required by UK law, a court order or a regulatory authority, I may be obliged to disclose personal data. I will notify you of any such request where I am legally permitted to do so.
5. International transfers
My analytics is self-hosted in the United Kingdom, so it does not involve an international transfer. Some of the infrastructure providers listed above may process or allow access to personal data outside the United Kingdom. Cloudflare and Amazon Web Services are US-headquartered organisations and may process data in countries outside the UK.
Where personal data is transferred outside the UK, that transfer is protected by appropriate safeguards under UK GDPR. For Cloudflare and Amazon Web Services this is the EU Standard Contractual Clauses as amended by the UK Addendum (the International Data Transfer Addendum issued by the Information Commissioner’s Office). Each provider sets out its transfer safeguards in the data processing terms linked in the table above.
6. Data retention
Retention periods are set out in the table in Section 3. Where no specific period is stated, for example for short-term technical and log data held by infrastructure providers, retention is governed by the minimum period necessary for the purpose for which the data was collected, or by the terms of the relevant provider’s data processing agreement.
7. Cookies and analytics
I use a small number of strictly necessary cookies and similar technologies that are essential to operate this website, keep it secure, and remember choices you make, such as your analytics objection. These do not require consent.
For analytics, I use Matomo, which I host myself on my own infrastructure at pauljamesanalytics.uk. It is configured to run without cookies and to collect only aggregate statistics about how this website is used, such as page views, referring sites, device type and approximate country. No personal data is collected or stored, and no analytics data is shared with any third party.
Because this analytics does not store or read information on your device and is used only to produce aggregate statistics to improve the website, it falls within the ICO’s statistical purposes exception. For that reason I do not ask for your consent to analytics. As that exception requires, I give you clear information about it here and a simple, free way to object at any time using the opt-out below.
Opt out of analytics
You can also block or delete cookies through your browser settings. For full details of the specific cookies used on this website, please read my Cookie Policy.
8. Your rights
Under UK GDPR, you have the following rights in relation to your personal data.
- Right of access. You may request a copy of the personal data I hold about you.
- Right to rectification. You may ask me to correct inaccurate or incomplete data.
- Right to erasure. You may ask me to delete your data where it is no longer necessary for the purpose it was collected, or where you withdraw consent and no other lawful basis applies.
- Right to restriction. You may ask me to pause processing of your data in certain circumstances.
- Right to object. You may object to processing based on legitimate interests.
- Right to data portability. Where processing is carried out by automated means and based on consent or contract, you may request your data in a structured, machine-readable format.
- Right to withdraw consent. Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact me at [email protected]. I will respond without undue delay and within one month of receiving your request. Before acting, I may need to verify your identity, or your authority to act for someone else, and I may ask you to clarify a request where it is unclear or covers a large amount of information. Where a request is complex or you have made a number of requests, I may extend this period by up to two further months, and I will tell you within the first month if that is the case. Requests are normally free, but where the law allows I may charge a reasonable fee, or decline to act, where a request is manifestly unfounded or excessive. I would welcome the chance to address any concern directly, but you also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at any time. The ICO’s contact details are at ico.org.uk.
9. Security
I implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or disclosure. These include encrypted website connections (HTTPS/SSL), secure password management practices, access controls on systems holding client data, and hosting infrastructure that is ISO 27001 certified.
No method of transmission over the internet is entirely secure. If you have concerns about the security of information you have shared with me, please contact me directly.
10. Changes to this policy
I may update this policy from time to time to reflect changes in my services, infrastructure or legal obligations. The date at the top of this page shows when it was last reviewed. Where changes are significant, I will notify active clients by email.
11. Contact
For any questions about this policy or about how I handle your personal data, please contact me:
Paul James, trading as Paul James Digital
c/o Penn & Co, 5 Load Street, Bewdley DY12 2AF
Email: [email protected]
