Privacy Policy
This policy explains what personal data DrWebFix collects, how we use it, and your rights under applicable data protection law including the UK GDPR and EU GDPR.
Who We Are
DrWebFix ("we", "us", "our") is a website maintenance and migration service specialising in WordPress and Shopify platforms. We are the data controller responsible for the personal data we collect through our website at drwebfix.com and through the provision of our services.
For the purposes of applicable data protection legislation — including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018 — DrWebFix is the data controller of your personal information.
You can contact our data controller at: privacy@drwebfix.com
Personal Data We Collect
We collect personal data in the following ways:
| Data Type | What We Collect | How Collected |
|---|---|---|
| Contact Information | Full name, email address, phone number (optional), company or website name | Contact form, email enquiries |
| Website Information | Website URL, hosting provider, platform (WordPress/Shopify), services of interest | Contact form, onboarding process |
| Account Data | Login credentials for website admin access, SFTP/hosting credentials (encrypted) | Provided by client during onboarding — stored in encrypted vault only |
| Payment Information | Billing name and address, payment method details | Payment processor (Stripe) — we do not store card details directly |
| Communications | Email correspondence, support tickets, chat messages | Direct communication with our team |
| Usage Data | IP address, browser type, pages visited, time on site, referral source | Automatically via cookies and analytics (see Section 8) |
| Technical Data | Website audit results, performance reports, security scan findings | Generated by our tools as part of service delivery |
We do not collect sensitive personal data (such as health information, racial or ethnic origin, or financial account details beyond payment processing). We do not purchase or acquire data from third-party data brokers.
How We Use Your Personal Data
We use the personal data we collect for the following purposes:
| Purpose | Data Used |
|---|---|
| Responding to enquiries: Replying to contact form submissions and email enquiries | Name, email, website details, message content |
| Providing our services: Performing maintenance, security, and migration work on your website | Contact info, website credentials, platform details |
| Billing and payments: Processing subscription payments and issuing invoices | Billing name, address, payment details (via Stripe) |
| Service communications: Sending monthly maintenance reports, security alerts, and service updates | Name, email address |
| Legal compliance: Meeting our obligations under applicable law, including tax and accounting requirements | Billing information, contract records |
| Improving our services: Understanding how our website is used to improve content and user experience | Anonymised usage data and analytics |
We do not sell your personal data to any third party. We do not use your data for automated decision-making or profiling. We do not send unsolicited marketing emails — any service communications you receive relate directly to your enquiry or active service with us.
Our Legal Basis for Processing
Under UK GDPR and EU GDPR, we are required to have a lawful basis for processing your personal data. We rely on the following legal bases:
| Legal Basis | When We Rely on It |
|---|---|
| Contract (Article 6(1)(b)) | Processing necessary to perform the services you have contracted with us to provide — onboarding, maintenance work, billing, and reporting. |
| Legitimate Interests (Article 6(1)(f)) | Responding to pre-contractual enquiries, improving our website and services, and maintaining business records. We have assessed that our interests do not override your rights. |
| Legal Obligation (Article 6(1)(c)) | Retaining financial and transaction records to meet our legal obligations under tax and accounting law. |
| Consent (Article 6(1)(a)) | Non-essential cookies and analytics, where you have given explicit consent via our cookie consent tool. You may withdraw consent at any time. |
Who We Share Your Data With
We share personal data only with trusted third-party service providers who assist us in delivering our services. All third parties are bound by data processing agreements and are required to handle your data securely and in accordance with applicable data protection law.
| Third Party | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing and subscription billing | Billing name, address, payment details |
| WPForms / Email Service | Contact form submission handling | Name, email, form responses |
| Google Analytics | Website usage analytics (where consent given) | Anonymised usage and behaviour data |
| Email / Hosting Provider | Email communication and website hosting infrastructure | Email content and contact information |
| Password Manager / Credential Vault | Secure storage of client-provided access credentials | Encrypted website credentials only |
We do not share your personal data with any other third parties without your explicit consent, except where required to do so by law or regulation, or in connection with the enforcement of our legal rights.
How Long We Keep Your Data
We retain personal data only for as long as necessary for the purposes set out in this policy, or as required by applicable law.
| Data Type | Retention Period | Reason |
|---|---|---|
| Client contact and service records | Duration of contract + 3 years | Ongoing service delivery and dispute resolution |
| Financial and billing records | 7 years from date of transaction | Legal obligation under UK tax law (HMRC) |
| Enquiry and contact form data | 12 months from last contact | Legitimate interest — potential future service relationship |
| Website credentials (access data) | Deleted within 30 days of contract termination | Security — credentials are revoked and purged on offboarding |
| Website analytics data | 14 months (Google Analytics default) | Service improvement — anonymised usage patterns |
When data is no longer required, it is securely deleted or anonymised in accordance with our data disposal procedures.
How We Protect Your Data
We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include:
Technical measures: SSL/TLS encryption for all data in transit, encrypted storage for credentials and sensitive data, two-factor authentication on all internal systems, regular security audits of our own infrastructure, and access controls that limit data access to authorised personnel only.
Organisational measures: Confidentiality obligations for all team members, formal data handling procedures, regular staff awareness of data protection responsibilities, and a defined process for responding to data security incidents.
Client website credentials are stored exclusively in an encrypted credential vault. No team member accesses your credentials outside of active service delivery tasks. Credentials are revoked and permanently deleted within 30 days of contract termination.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and will notify affected individuals without undue delay where required.
Cookies & Tracking Technologies
Our website uses cookies — small text files stored on your device — to enable certain functionality and to help us understand how the site is used. You can control non-essential cookies through our cookie consent banner when you first visit the site.
These cookies are necessary for the website to function and cannot be switched off. They are typically set in response to actions you take — such as logging in, filling in a form, or setting privacy preferences. They do not store any personally identifiable information.
We use Google Analytics to understand how visitors use our website — which pages are visited, how long visitors stay, and where they arrive from. This data is aggregated and anonymised. These cookies are only set with your explicit consent.
Functional cookies enable enhanced features and personalisation, such as remembering your preferences across visits. They may be set by us or by third-party providers whose services we have added to our pages. These are only set with your explicit consent.
You can withdraw or change your cookie consent at any time by clicking the cookie settings link in the footer of our website. You can also control cookies through your browser settings — please note that disabling all cookies may affect website functionality.
For more detail on the specific cookies we use, please see our Cookie Policy.
Your Data Protection Rights
Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain conditions and exemptions.
You have the right to request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one calendar month.
You have the right to ask us to correct personal data that is inaccurate or incomplete. We will act on reasonable rectification requests promptly.
You may ask us to delete your personal data where there is no compelling reason for us to continue processing it. This right is subject to legal retention obligations.
You have the right to ask us to restrict processing of your personal data in certain circumstances — for example, while accuracy is contested.
Where processing is based on consent or contract, you have the right to receive your personal data in a structured, machine-readable format for transfer to another controller.
You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
You have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.
To exercise any of these rights, please contact us at privacy@drwebfix.com. We will respond within one calendar month. We may need to verify your identity before processing your request.
International Data Transfers
Some of our third-party service providers (including Stripe and Google Analytics) may transfer or store your data outside of the UK or European Economic Area (EEA). Where this occurs, we ensure that appropriate safeguards are in place to protect your personal data in accordance with applicable data protection law.
These safeguards include reliance on adequacy decisions (where the destination country has been determined to provide adequate data protection), Standard Contractual Clauses approved by the European Commission or the UK ICO, and certification schemes such as the EU-US Data Privacy Framework.
You may request further information about the specific safeguards in place for any such transfers by contacting us at privacy@drwebfix.com.
Children's Privacy
Our services are intended for use by businesses and individuals aged 18 and over. We do not knowingly collect personal data from children under the age of 18. If you believe we have inadvertently collected data from a child under 18, please contact us immediately at privacy@drwebfix.com and we will delete the information promptly.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify active clients by email.
We encourage you to review this policy periodically to stay informed about how we protect your personal data. Your continued use of our services after any changes constitutes your acknowledgement of the updated policy.
Previous versions of this policy are available on request by contacting privacy@drwebfix.com.
Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us using any of the following methods:
| privacy@drwebfix.com | |
| General enquiries | hello@drwebfix.com |
| Website | drwebfix.com/free-health-check |
We aim to respond to all data protection enquiries within 5 business days and to all Subject Access Requests within one calendar month of receipt.
If you are not satisfied with our response, or believe we are processing your personal data in a manner that does not comply with data protection law, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO): ico.org.uk — or with the relevant supervisory authority in your country of residence within the EU.
