Privacy Policy
Last updated: 8 March 2026
This policy explains how Squishy Little Agency Ltd (company number registered in England & Wales), trading as Squishy Little Websites ("we", "us", "our"), collects, uses, stores and protects your personal data when you use our website at squishylittlewebsites.com and our services.
We are the data controller for personal data collected through this website. We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. What data we collect
We may collect and process the following personal data:
1.1 Data you give us directly
- Account data: Name and email address when you create a Client Portal account via Supabase Auth.
- Onboarding data: Business name, website goals, brand details, content, design preferences and other information you provide through our onboarding questionnaires.
- Contact data: Name, email address and message content when you use our contact form.
- Payment data: We do not store your card details. All payments are processed securely by Stripe, which acts as an independent data controller for payment information. See Stripe's Privacy Policy.
1.2 Data collected automatically
- Analytics data: We use Google Analytics (GA4) to collect anonymised usage data such as pages visited, time on site, device type and approximate location (country/city level). Google processes this data under its own terms. See Google's Privacy Policy.
- Cookies: We use cookies as described in our Cookie Policy. You can manage your preferences via our cookie banner.
- Log data: Our hosting provider (Vercel) may collect IP addresses, browser type and access times as part of standard server logs. See Vercel's Privacy Policy.
2. How we use your data
We process your personal data for the following purposes and lawful bases under UK GDPR Article 6:
| Purpose | Lawful basis |
|---|---|
| To create and manage your Client Portal account | Performance of a contract (Art. 6(1)(b)) |
| To deliver website design & development services | Performance of a contract (Art. 6(1)(b)) |
| To process payments via Stripe | Performance of a contract (Art. 6(1)(b)) |
| To respond to enquiries via the contact form | Legitimate interest (Art. 6(1)(f)) |
| To send project updates and build progress notifications | Performance of a contract (Art. 6(1)(b)) |
| To analyse website usage and improve our services | Legitimate interest (Art. 6(1)(f)) |
| To comply with legal obligations (e.g. tax records) | Legal obligation (Art. 6(1)(c)) |
3. Who we share your data with
We do not sell your personal data. We share it only with trusted third-party service providers who process data on our behalf or as independent controllers:
- Vercel (USA) – website hosting. See Vercel's Privacy Policy.
- Supabase (USA) – project data storage and account authentication. See Supabase's Privacy Policy.
- Google Analytics (USA) – anonymised website analytics. See Google's Privacy Policy.
- Metricool / Clarity – website analytics and heatmaps, as configured on the site.
Where data is transferred outside the UK, we ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses, adequacy decisions, or the provider's participation in a recognised data privacy framework).
4. How long we keep your data
- Client Portal account data: Retained for the duration of our business relationship plus 6 years (to comply with HMRC record-keeping requirements).
- Onboarding questionnaire data: Retained for the project duration plus 2 years, unless required longer for legal purposes.
- Contact form enquiries: Retained for up to 2 years from the date of the enquiry.
- Payment records: Retained for 6 years as required by UK tax law.
- Analytics data: Governed by Google Analytics' own retention settings (currently set to 14 months).
- Server logs: Retained by Vercel per their own data retention practices.
5. Your rights
Under UK GDPR, you have the following rights:
- Right of access – request a copy of the personal data we hold about you.
- Right to rectification – ask us to correct inaccurate or incomplete data.
- Right to erasure – ask us to delete your data (subject to legal obligations).
- Right to restrict processing – ask us to limit how we use your data.
- Right to data portability – receive your data in a structured, machine-readable format.
- Right to object – object to processing based on legitimate interests.
- Right to withdraw consent – where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, email us at hello@squishylittleagency.com. We will respond within one month as required by law.
6. Data security
We take appropriate technical and organisational measures to protect your personal data, including:
- All data transmitted between your browser and our site is encrypted via HTTPS/TLS.
- Client Portal authentication is handled by Supabase Auth with secure token-based sessions.
- Access to project data in Supabase is restricted to authenticated and authorised users.
7. Children's data
Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.
8. Changes to this policy
We may update this policy from time to time. Changes will be posted on this page with an updated "Last updated" date. We encourage you to review this page periodically. Material changes will be notified via email where appropriate.
9. Complaints
If you are unhappy with how we handle your personal data, please contact us first at hello@squishylittleagency.com so we can try to resolve the issue.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:
- Website: ico.org.uk
- Helpline: 0303 123 1113
10. Contact us
For any questions about this privacy policy or how we handle your data:
- Email: hello@squishylittleagency.com
- Post: Squishy Little Agency Ltd, Office One, 1 Coldbath Square, London, EC1R 5HL

