Privacy Policy
Last updated: 30 January 2026
1. Data Controller Information
This privacy notice explains how we process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The data controller is:
NFPstack
71 Shelton Street
Covent Garden
London, United Kingdom
Email: hello@nfpstack.com
2. Types of Personal Data We Process
2.1 Information You Provide Directly
- Contact details (name, email address, telephone number, organisation name and role)
- Communications with us (including emails, contact form submissions, and meeting notes)
- Project requirements and technical specifications
- Professional background and organisational information
- Billing and payment information (when engaging our services)
2.2 Information Collected Through Server-Side Analytics
We use privacy-focused server-side analytics which collect aggregated, non-personally-identifiable data directly from server logs, without using cookies or client-side tracking:
- Aggregated page view counts and popular content
- Referring websites
- General geographic region (country/city level, derived from IP address which is not stored)
- Browser and device type (aggregated)
This data is processed in aggregate form and cannot be used to identify individual visitors. We do not track users across sessions or websites.
3. Lawful Basis for Processing
We process your personal data on the following legal bases under Article 6 of the UK GDPR:
- Legitimate interests (Article 6(1)(f)) - for aggregated website analytics and business development
- Contract performance (Article 6(1)(b)) - to deliver consulting services and fulfil contractual obligations
- Consent (Article 6(1)(a)) - for marketing communications where you have opted in
- Legal obligation (Article 6(1)(c)) - to comply with regulatory requirements and legal requests
4. How We Use Your Personal Data
- Responding to enquiries and providing information about our services
- Delivering consulting services and project management
- Processing payments and maintaining financial records
- Communicating about projects, services, and relevant industry developments
- Understanding website usage patterns in aggregate to improve our services
- Compliance with legal and regulatory obligations
- Protecting against fraud, security threats, and legal liability
- Business development and relationship management
5. Data Sharing and Disclosure
5.1 Third Party Service Providers
We may share personal data with trusted service providers who assist us in:
- Website hosting and technical infrastructure
- Email communications and customer relationship management
- Payment processing and financial services
- Professional services (legal, accounting, insurance)
5.2 Legal Requirements
We may disclose personal data when required to:
- Comply with legal obligations or court orders
- Respond to requests from regulatory authorities
- Protect our legal rights and interests
- Prevent fraud or other criminal activity
5.3 Business Transfers
In the event of a merger, acquisition, or business sale, personal data may be transferred to the acquiring entity, subject to equivalent data protection safeguards.
5.4 International Transfers
Some of our service providers may be located outside the UK/EEA. Where personal data is transferred internationally, we ensure adequate protection through:
- European Commission adequacy decisions
- Standard Contractual Clauses (SCCs)
- Other appropriate safeguards recognised under UK GDPR
6. Data Retention
We retain personal data only for as long as necessary for the purposes outlined in this policy:
- Client data: 7 years after contract completion (for tax and legal compliance)
- Marketing communications: Until consent is withdrawn or legitimate interest no longer applies
- Server-side analytics: Data is aggregated and anonymised; no individual user data is retained
- Email communications: 3 years from last contact
- Financial records: 7 years (HMRC requirements)
We regularly review retention periods and securely delete data that is no longer required.
7. Your Data Protection Rights
Under UK GDPR, you have the following rights regarding your personal data:
7.1 Right of Access (Article 15)
Request confirmation of processing and a copy of your personal data.
7.2 Right to Rectification (Article 16)
Request correction of inaccurate or incomplete personal data.
7.3 Right to Erasure (Article 17)
Request deletion of personal data in certain circumstances.
7.4 Right to Restrict Processing (Article 18)
Request limitation of processing in specific situations.
7.5 Right to Data Portability (Article 20)
Receive personal data in a structured, machine-readable format.
7.6 Right to Object (Article 21)
Object to processing based on legitimate interests or for marketing purposes.
7.7 Right to Withdraw Consent
Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact us at: hello@nfpstack.com
We will respond within one calendar month of receiving your request.
8. Cookies and Tracking Technologies
Our website does not use cookies or client-side tracking technologies for analytics purposes. We use privacy-focused server-side analytics that process aggregated data from server logs without tracking individual users across sessions or websites.
If you use any interactive features on our website (such as contact forms), your browser may store strictly necessary session data to enable functionality. This is not used for tracking purposes and expires when you close your browser.
We do not use marketing cookies, advertising trackers, or any third-party tracking scripts.
9. Data Security
We implement appropriate technical and organisational measures to protect personal data:
- Encryption of data in transit and at rest
- Access controls and authentication mechanisms
- Regular security assessments and penetration testing
- Staff training on data protection and security
- Incident response and breach notification procedures
- Regular backups and disaster recovery planning
Despite these measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but will notify relevant authorities and affected individuals of any data breach where required by law.
10. Children's Privacy
Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided personal data, please contact us immediately.
11. Changes to This Privacy Policy
We may update this privacy policy to reflect changes in our practices or applicable law. Material changes will be notified through:
- Email notification to registered users
- Prominent website notice
- Updated "last revised" date
Continued use of our services after changes constitutes acceptance of the revised policy.
12. Contact Information and Complaints
12.1 Data Protection Enquiries
For questions about this privacy policy or our data practices:
Email: hello@nfpstack.com
Address: 71 Shelton Street, Covent Garden, London, United Kingdom
12.2 Supervisory Authority
You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk