Privacy Notice
How Digital Spark Ltd handles your personal data on digitalspark.site. Written in plain English, because the alternative is unreadable.
Last updated: 12 June 2026.
Who we are
Digital Spark Ltd is the data controller for personal information collected through digitalspark.site. We're a UK company, registered in England & Wales (Company 12508193, VAT 346 7182 81), registered with the Information Commissioner's Office under ZA924819, and based in Hampshire.
Questions, requests, or complaints about your data: dataprotection@digitalspark.site.
What we collect, and why
We only collect what the site needs to function. Here's the full list:
| When | We collect | Why | Lawful basis (UK GDPR) |
|---|---|---|---|
| You send an enquiry | Name, email, optional phone, your message | So we can respond | Legitimate interest (replying to your enquiry) |
| You submit a data-recovery request | Name, contact details, device + situation description | To forward to our partner Fields Data Recovery, who'll respond with a diagnostic plan | Consent (you submit the form expressly for this purpose) |
| You create an account | Email address, password (stored as a salted hash — we never see your plain-text password) | To give you a portal account and log you back in | Contract (providing the service you signed up for) |
| You buy something | Order details + customer ID from Stripe. Card details never touch our servers — Stripe handles all payment data. | To fulfil and record your order | Contract |
| Every page view | IP address + browser headers in short-lived server logs (used to debug + detect abuse, not analytics) | Security and infrastructure operation | Legitimate interest |
We do not currently run third-party advertising, analytics tracking, social-media pixels, or behavioural profiling on this site. If we add analytics in future, this notice will be updated and the cookies section will reflect what's set.
How long we keep it
- Enquiry messages — kept for up to 24 months in our inbox so we can pick up an old conversation, then archived or deleted.
- Data-recovery submissions — kept by us for 12 months as an audit log; Fields Data Recovery retains and handles them under their own privacy policy thereafter.
- Account records — kept while your account is active; deleted within 30 days of you closing it (excluding records we're legally required to keep, e.g. invoices for tax purposes — up to 7 years).
- Order + invoice records — 7 years, as required by HMRC.
- Server logs — rotated weekly. Older log lines aren't retained.
Who we share it with
We use a small set of trusted sub-processors to run the site. Each handles a specific function and is contractually bound to UK GDPR-aligned terms.
| Provider | What they do for us | Where data sits |
|---|---|---|
| Amazon Web Services (AWS) | Hosts the site + sends transactional email (SES) | eu-west-2 (London) |
| Neon | Managed PostgreSQL — stores account + order records | eu-west-2 (London) on AWS |
| Cloudflare | Turnstile anti-bot challenge on forms | Global edge network |
| Stripe | Payment processing (when you buy something) | UK / EU / US |
| 20i | Domain registration (when you buy a domain through us) and hosting for Ignite- and Kindle-tier customer websites. Your registrant contact details are passed to 20i and to the relevant domain registry (e.g. Nominet for .uk, ICANN-accredited registries for .com etc.). See "Domains and WHOIS" below. | UK |
| Fields Data Recovery | Receives your submission when you use the data-recovery form | UK |
| Anthropic | AI features (see "AI on this site" below) | US, under Commercial Terms (with ZDR on customer-facing AI features) |
| Meta (WhatsApp) | Customer communication channel (when you message us via WhatsApp) | Global / US — see "How we communicate with you" below |
We do not sell or rent your personal data to anyone, ever. We do not share it with advertising networks or data brokers.
Domains and WHOIS
When you register a domain through us, the registrant contact details (your name, address, email, phone) are passed to our domain partner 20i and, by them, to the domain registry that runs the relevant TLD (for example Nominet for .uk domains).
- For .uk domains: individual registrants can opt out of having their address published in the public Nominet WHOIS lookup. Business registrants' details are public by default.
- For .com, .net, .org and most gTLDs: ICANN now redacts personal registrant data from public WHOIS by default, but technical contact data and the registrant organisation can still be visible.
- If you want explicit WHOIS privacy (a privacy-service proxy stands in front of your contact details for the TLDs that support it), ask us when you register — we'll set it up where it's available.
When we host your website on the Ignite or Kindle tier, your site's files, configuration, and any visitor traffic to your site sit on 20i infrastructure under our partner agreement. The data flows on your site are then governed by your site's own privacy notice — we encourage you to have one in place.
How we communicate with you
We use email, phone, and WhatsApp as customer communication channels. WhatsApp is widely used by our customers and is often the most convenient option — but it comes with implications worth being aware of.
- WhatsApp is operated by Meta (Meta Platforms Inc., US). Message content is end-to-end encrypted between your device and ours — Meta cannot read it. Metadata (your phone number, the fact that you messaged us, when, and how often) is visible to Meta and processed under their privacy policy.
- If you back up your WhatsApp messages to iCloud or Google Drive, those backups may not be end-to-end encrypted by default — check your WhatsApp backup settings if this matters to you.
- We use a WhatsApp Business account for customer communication, kept separate from personal accounts.
- We do not send sensitive information via WhatsApp — passwords, payment details, login credentials, or full identity documents go via a more appropriate channel (a secure portal, signed email, or phone call). If you ever receive an unexpected request for that kind of information over WhatsApp, treat it as suspicious and contact us via another channel.
- You can ask us to communicate with you via email or phone only — just let us know and we'll switch channels.
Email exchanges are kept under our standard enquiry-retention policy above. WhatsApp message histories are retained on our device until deleted; if you'd like a record removed from our side, ask and we'll delete the thread.
Cookies
We use the minimum cookies needed to make the site work. We don't use cookies for advertising, cross-site tracking, or behavioural profiling.
| Cookie | Purpose | Set by | Lifespan |
|---|---|---|---|
| better-auth.session_token | Keeps you signed in | digitalspark.site (essential) | 7 days, refreshed on activity |
| __cf_bm, cf_clearance | Cloudflare anti-bot — only set when you complete a Turnstile challenge | Cloudflare (essential security) | Up to 30 minutes |
| __stripe_mid, __stripe_sid | Fraud prevention during checkout — only set on Stripe-managed checkout pages | Stripe (essential to checkout) | Session / 1 year |
All of the cookies above are strictly necessary — they're either required for the page you've requested or for security. Under UK PECR and GDPR, strictly-necessary cookies don't require a consent banner, so we don't show one. If we ever add non-essential cookies (e.g. analytics), we'll add a consent banner at the same time.
AI on this site
We use large-language-model AI — currently Anthropic's Claude API. We use it in three distinct ways, and we want to be clear about how each is protected. We'd rather be transparent than overclaim.
1. Customer-facing AI features on this site
None currently ship to visitors. When they do (e.g. an on-site assistant), they will be wired to Anthropic's API under a Zero Data Retention (ZDR) agreement: Anthropic will not retain prompts or responses after the API call completes, and will not use that data to train their models.
2. AI used in our customer-engagement work
When delivering consulting projects, we use Claude to accelerate code, documentation, analysis, and similar work. Across all of this use, Anthropic does not train on commercial data — that's a contractual default of their commercial terms. Operational prompts may be retained by Anthropic for up to 30 days for safety and abuse monitoring, then deleted. Where a customer engagement requires stronger guarantees (e.g. full ZDR for sensitive workloads), we arrange that as part of the engagement contract and Data Processing Agreement.
3. Internal company use
For internal work (planning, drafting, research), we use Claude under Anthropic's standard commercial terms — the same protections as above apply (no training on commercial data, ≤30-day operational retention). We avoid including identifiable customer data in internal prompts wherever practical.
What we never send to any AI service
Card details, hashed passwords, session tokens, or other authentication secrets. Ever.
Where we're heading
Our trajectory is to expand ZDR coverage across all customer-data workflows. This is a contractual upgrade with Anthropic that we extend in proportion to how much customer data flows through each surface. We'll update this notice as it changes.
All AI processing happens in the US under the EU/UK Standard Contractual Clauses for international transfers.
If a future feature uses a different AI provider, we'll update this section before turning it on.
International transfers
The core of our infrastructure (AWS, Neon) is in the UK / London. Some sub-processors are global (Cloudflare, Stripe, Anthropic). Where data leaves the UK, the transfer is covered by either the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or an adequacy decision — all of which provide an equivalent level of protection to UK law.
Security
Connections to the site are encrypted with TLS. Passwords are stored as salted hashes — we never store the plain text. Production secrets are kept on the server only, never in source code. Access to production data is restricted to named individuals and logged.
No system is invulnerable. If a breach affecting your data ever occurs, we'll notify you and the ICO without undue delay, in line with the UK GDPR.
Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Correct data that's inaccurate
- Delete data (where we're not required to keep it for legal reasons) — see how to request deletion for the specific process
- Restrict or object to certain processing
- Receive a portable copy of data you've given us
- Withdraw consent at any time, where consent was the lawful basis
To exercise any of these, email dataprotection@digitalspark.site. We'll respond within one month.
Requesting deletion of your data
You can ask us to delete the personal data we hold about you at any time. This includes:
- Records of you in our enquiry inbox
- Your portal account
- Message history on any channel — email, phone, WhatsApp
- Any other personal data covered by this notice
How to make a request
Email dataprotection@digitalspark.site with the subject line "Data deletion request". Please include:
- The full name(s) or email address(es) you've used with us, so we can find your records
- Which channel(s) you've reached us on (account email, WhatsApp number, phone number) — helps us be thorough
- Whether you want full deletion or only a specific subset (e.g. only your WhatsApp thread)
What happens next
- We acknowledge your request within 5 working days
- We may ask you to confirm something only you'd know, to verify the request is actually from you (this is a UK GDPR safeguard, not a hurdle)
- We complete the deletion within one month, or tell you why we can't (see below)
- Where you've asked, we also request deletion from our sub-processors where they support it
What we can't delete
- Records we're legally required to keep — e.g. invoices for tax purposes (HMRC requires 7 years from the financial year-end)
- Records subject to active legal claims or regulatory holds
- Anonymised or aggregated data that no longer identifies you
WhatsApp specifically
If you've messaged us on WhatsApp and want the thread deleted from our side, just ask — we'll remove our copy. WhatsApp's end-to-end encryption means you can also delete your own copy at any time from your own device's WhatsApp app, independently of any request to us.
We don't make you wait or jump through hoops. Requests go to a named individual internally and get actioned promptly.
Complaints
If you're unhappy with how we've handled your data, please contact us first — we'd rather sort it out directly. You also have the right to complain to the UK's data protection regulator, the Information Commissioner's Office.
Changes to this notice
When we make material changes, we'll update the date at the top and — for changes that affect existing account holders — notify you by email. Minor wording fixes are made silently.