Legal

Privacy Policy

Effective Date: 4 June 2026

This Privacy Policy explains how CMX Web Design ("CMX", "we", "us" or "our") collects, uses, stores and protects personal data when you visit cmxwd.com (the "Site"), submit an enquiry or client brief, or otherwise engage our services. We are committed to protecting your privacy and handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

1. Who We Are and How to Contact Us

CMX Web Design is a web design business operating from Tamarisk, 13 Grenville Road, Padstow, Cornwall, PL28 8EX, United Kingdom. For any privacy matter, including exercising your rights under data protection law, you can contact us at:

CMX Web Design
Tamarisk, 13 Grenville Road
Padstow, Cornwall, PL28 8EX
United Kingdom
Email: charlie@cmxwd.com
Phone: (+44) 7891975239

CMX is the data controller for personal data collected through this Site and through our own enquiry and client intake process. Where we build and maintain websites for clients and process personal data on their behalf, CMX acts as a data processor for that client data, consistent with clause 9 of our Terms and Conditions. This policy concerns the data for which CMX is the controller.

2. The Personal Data We Collect

2.1 Enquiry and intake form data. When you complete a form on our Site (for example the Get Started client brief), we collect the information you provide, which may include your name, business name, email address, telephone number, business location, details about your business and its goals, your existing website and social media links, your Google Business Profile, brand preferences, and any files you upload such as a logo or brand assets.

2.2 Communications. If you contact us by email, telephone or through the Site, we keep a record of that correspondence.

2.3 Payment data. When you purchase our services, payment is processed by our payment providers (Stripe and GoCardless). We do not collect or store your full card details or bank details on our own systems. We receive limited confirmation data such as the fact and amount of a payment.

2.4 Analytics data. We use Google Analytics 4 to understand how visitors use the Site. This may include your approximate location, device and browser type, pages visited, and interactions, collected through cookies and similar technologies.

2.5 Hosting and server logs. Our hosting provider automatically records technical data such as your IP address, request times, and pages requested, for security, diagnostics and the reliable operation of the Site.

2.6 Cookies. We use cookies and similar technologies as described in section 9.

3. Lawful Bases for Processing

We only process personal data where we have a lawful basis to do so under Article 6 of the UK GDPR:

3.1 Steps to enter into a contract. We process enquiry and intake data to respond to your request and to take steps, at your request, towards entering into a contract for our services.

3.2 Performance of a contract. Where you become a client, we process your data to deliver, host and support your website and to administer payments.

3.3 Legitimate interests. We process certain data to run and improve our business, to respond to enquiries, to maintain records, and to keep our Site secure. Where we rely on legitimate interests, we balance those interests against your rights.

3.4 Legal obligation. We process and retain certain data, such as transaction records, to comply with our legal and tax obligations.

3.5 Consent. We rely on your consent for non-essential cookies and analytics, and for any optional marketing communications. You may withdraw consent at any time.

4. How We Use Your Data

We use personal data to: respond to your enquiry and prepare a proposal or client brief; design, build, host and maintain your website; process payments and manage your subscription; provide customer support and communicate with you about your project; maintain business and financial records; improve our Site and services; and protect the security and integrity of our systems.

5. Third Parties and Processors

We share personal data only where necessary, and only with trusted providers who process it on our behalf under appropriate safeguards. Our key processors and providers are:

5.1 Krystal Hosting Ltd (UK based web hosting), which hosts the Site and stores submitted data and server logs.

5.2 Microsoft 365 and GoDaddy (business email), used to receive and manage correspondence including enquiry and intake submissions.

5.3 Stripe (card payments for the setup fee) and GoCardless (Direct Debit for the monthly subscription), which process payment data as independent controllers in respect of payment processing.

5.4 Google (Google Analytics 4), which provides Site analytics.

5.5 Trustpilot, which we use to collect and display genuine customer reviews. If you choose to leave a review, your data is processed by Trustpilot under its own privacy policy.

We do not sell your personal data to anyone. We may disclose data where required by law or to protect our legal rights.

6. International Data Transfers

We aim to keep personal data within the United Kingdom or the European Economic Area. Some of our providers (for example Google, Stripe and Microsoft) may process data outside the UK. Where this happens, we rely on appropriate safeguards recognised under UK data protection law, such as UK adequacy regulations or the International Data Transfer Agreement (including the UK Addendum to the EU Standard Contractual Clauses), to ensure your data receives an equivalent level of protection.

7. Data Retention

7.1 Enquiry and intake data (non-clients). Where an enquiry does not result in an engagement, we retain the submission and any uploaded files for up to twelve (12) months from our last contact, after which it is securely deleted, unless you ask us to delete it sooner.

7.2 Client data. Where you become a client, we retain your data for the duration of our engagement and for up to six (6) years afterwards, to meet contractual, accounting and legal obligations.

7.3 Transaction records. Financial and transaction records are retained for at least six (6) years in line with UK tax law.

7.4 Analytics and server logs. Analytics data is retained in line with our Google Analytics configuration (by default up to fourteen (14) months), and server logs are retained for a limited period for security and diagnostics.

8. Your Rights

Under the UK GDPR you have the following rights in relation to your personal data:

8.1 Access. The right to request a copy of the personal data we hold about you.

8.2 Rectification. The right to ask us to correct inaccurate or incomplete data.

8.3 Erasure. The right to ask us to delete your data in certain circumstances.

8.4 Restriction. The right to ask us to restrict processing in certain circumstances.

8.5 Portability. The right to receive certain data in a structured, commonly used and machine readable format.

8.6 Objection. The right to object to processing based on our legitimate interests, and to object to direct marketing at any time.

8.7 Withdraw consent. Where we rely on consent, the right to withdraw it at any time, without affecting processing carried out before withdrawal.

To exercise any of these rights, please contact us using the details in section 1. We will respond within one (1) month. You also have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority, at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, by telephone on 0303 123 1113, or at ico.org.uk. We would, however, appreciate the chance to address your concerns before you approach the ICO.

9. Cookies and Consent

9.1 The Site uses essential cookies that are necessary for it to function, and, with your consent, non-essential cookies for analytics. Essential cookies do not require consent under PECR.

9.2 When you first visit the Site, you are presented with a cookie consent mechanism that lets you accept or decline non-essential cookies. Non-essential and analytics cookies are only set after you give consent.

9.3 You can change or withdraw your cookie choices at any time through the consent mechanism, and you can manage or delete cookies through your browser settings. Blocking some cookies may affect how the Site works.

10. Data Security

We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse or alteration. These include encryption in transit using SSL, access controls, reputable hosting and email providers, and limiting access to personal data to those who need it. No transmission over the internet can be guaranteed to be completely secure, but we work to protect your data and to respond promptly to any suspected breach.

11. Children's Data

Our Site and services are intended for businesses and adults. We do not knowingly collect personal data from children under the age of sixteen (16). If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Any changes will be posted on this page with an updated effective date. We encourage you to review this page periodically.

13. Contact

If you have any questions about this Privacy Policy or how we handle your personal data, please contact:

CMX Web Design
Tamarisk, 13 Grenville Road
Padstow, Cornwall, PL28 8EX
United Kingdom
Email: charlie@cmxwd.com
Phone: (+44) 7891975239

By using our Site and services, you acknowledge that you have read and understood this Privacy Policy.