Last updated: 6 March 2026
We respect your privacy and comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable laws. This policy explains what information we collect, how we use it, who we may share it with, how long we keep it, and how we keep it secure.
We collect only the information needed to provide our services. That includes managing client websites, handling business information for publication, communicating with clients, and, where relevant, helping clients gather case studies, testimonials, and reviews based on work they have carried out.
We collect information directly from the businesses we work with. This may include names, email addresses, telephone numbers, business addresses, service details, opening hours, photos, and other information needed for websites and online business listings.
Client businesses may also provide us with information relating to their customers where this is needed for us to help prepare case studies, request reviews, or discuss completed work for marketing purposes.
We may also receive information through emails, phone calls, documents, and login details provided to us so that we can access services connected with a client's website or business listing.
We do not use website analytics, tracking technologies, advertising pixels, or non-essential cookies on this website.
We may hold the following information:
Information may be stored in the systems and services we use to run the business and deliver our services. This includes secure email systems, business devices, password management software, accounts software, website hosting systems, and related administrative tools.
For example, login credentials may be stored in a password manager, billing and invoice information may be stored in accounts software, contact details may be stored in our mailboxes and on business devices, and relevant data may also be stored within website or hosting systems where needed to provide the service.
We use information to:
Where we process customer information provided by a client business, we do so only in connection with the services we are providing to that client. Client businesses are responsible for ensuring they are entitled to share that information with us and that any necessary notices or permissions have been given.
We do not sell personal data and we do not use personal information for unrelated advertising or third-party marketing.
We process personal data where this is necessary for our legitimate interests in running and delivering our services, including building and maintaining websites, managing client relationships, communicating with clients, storing login credentials securely, and preparing invoices.
Where we process information in order to take steps before entering into a contract, or to perform a contract with a client business, we rely on that contractual basis.
Where customer information is provided to us by a client business for case studies, review requests, or related marketing activity, we process that information only for the agreed purpose and on the basis that the client business is entitled to share it with us and to instruct us to use it in that way.
If consent is needed for any particular use of personal data, that consent should be obtained by the relevant client before the information is shared with us or used for that purpose.
Access to personal information is limited to those who need it in order to provide our services and run the business.
Information may also be shared with third-party service providers we use to deliver those services, such as email providers, hosting providers, password management software, accounts software, and similar business systems.
Where customer information is provided to us by a client business for case studies, reviews, or related marketing activity, relevant information may also be shared back with that client business as part of the service being provided.
We may also disclose information where required to do so by law.
We keep personal information only for as long as it is reasonably needed for the purposes set out in this policy, including providing services, keeping business records, dealing with enquiries, and meeting legal, accounting, or tax requirements.
The exact retention period will depend on the type of information and the reason we hold it. When information is no longer needed, we will delete it or stop using it in a way that identifies the individual, where reasonably possible.
We use appropriate technical and organisational measures to protect personal information. These include strong passwords, access controls, encrypted connections where available, secure software and services, and limiting access to information to those who need it.
Devices used to access business information are protected by passcodes, authentication, and other security controls. Login details are stored in a password manager rather than in plain text.
Under UK data protection law, you may have the right to:
To exercise these rights, email support@businesscardy.com.
If you're unhappy with how we handle your data, please contact us at support@businesscardy.com.
You can also complain to the Information Commissioner's Office (ICO), the UK's data protection regulator.
We may update this policy from time to time to reflect legal, technical, or operational changes. Updates take effect when published on this page.