Privacy Policy

This policy explains what personal information Swale Software collects, why I collect it, how I keep it safe, and what rights you have over it. I aim to handle data the way I'd want my own handled: collect only what's needed, keep it no longer than necessary, and never sell or trade it.

Who I am

Swale Software is a sole-trader business based in North Yorkshire. I am the data controller for any personal information you provide through this website or in the course of working with me.

For questions about this policy or how I handle your data, contact andrew@swalesoftware.co.uk.

What information I collect

From visitors to this website:

• Contact form submissions: your name, email address, optional phone number, optional business name, and the content of your message.
• Email and phone enquiries: whatever contact details and information you choose to share.
• Technical request data: limited information such as IP address, browser type, and pages requested, handled by Cloudflare for site security and abuse prevention.

From clients during a project:

• Contact and billing details: names, business names, addresses, and contact information for invoicing and correspondence.
• Project information: anything you provide for the work, which may include data about your own customers, staff, suppliers, or business operations.
• Financial records: the details required for issuing invoices and processing payment.

I don't ask for, collect, or store more personal information than I need for the service I'm providing.

Why I collect it

Under UK GDPR, I collect and use your personal information for the following purposes on the lawful bases shown:

• Responding to enquiries received through the contact form, email, or phone (lawful basis: legitimate interest).
• Providing the services I've agreed with clients during a project (lawful basis: contract).
• Meeting my legal obligations, including keeping financial records for HMRC (lawful basis: legal obligation).
• Keeping the site and my systems secure and preventing abuse (lawful basis: legitimate interest).

Where I act as a data processor on behalf of a client (for example, when handling personal data that flows through a system I've built for them), the lawful basis for that processing is set by the client as data controller, and I handle the data under a written agreement with them.

How long I keep it

I keep personal information only as long as I need it:

• Enquiries that don't lead to work: deleted within 12 months unless you ask me to delete them sooner.
• Active client information: kept for the duration of the working relationship.
• Financial and contractual records: kept for at least 6 years after the end of the engagement, as required by HMRC and UK tax law.
• Project data I hold on a client's behalf: retained according to the agreement with that client, then returned or securely deleted when the engagement ends.
• Backups: rotated regularly. Information may persist in backups for a short period after deletion from live systems.
• Cloudflare server logs: retained according to Cloudflare's own retention policy, generally days to weeks.

Who I share it with

I don't sell, rent, or trade your personal information. I share it only where necessary to provide the service:

• Service providers acting as data processors on my behalf, including my email provider, cloud storage, accounting software, code hosting, project management tools, and Resend (which delivers contact-form submissions from this website to my inbox). Each is chosen for its security practices and is contractually bound to protect your data.
• Cloudflare, which provides hosting, security, and content delivery for this website, as well as the Turnstile spam-protection check on the contact form.
• HMRC and other UK authorities where required by law.
• Professional advisers (such as an accountant) where necessary for running the business, under appropriate confidentiality obligations.
• Other parties, only with your explicit consent or where I am legally required to do so.

Some of the services I use may store data outside the UK. Where this is the case, those providers are either covered by a UK adequacy decision or use appropriate safeguards such as standard contractual clauses to ensure your data remains protected to UK standards.

How I store and protect it

Information I hold is stored within reputable third-party services chosen for their security practices. I apply current standards throughout:

• Two-factor authentication on every service that supports it.
• Access controls so only those working on a given project can see its information.
• Encryption in transit (HTTPS) and at rest where the provider supports it.
• Regular review of permissions and removal of access when no longer needed.
• Prompt application of security updates to systems I operate.
• Strong, unique passwords stored in a password manager rather than reused.

No system can be made completely secure, but I treat security as a core part of how I work rather than an afterthought, and I'll always notify affected parties promptly in the unlikely event of a data breach involving their information.

Your rights

Under UK GDPR you have the right to:

• Be informed about how I collect and use your data (this policy is part of meeting that obligation).
• Access the personal information I hold about you.
• Have inaccurate or incomplete information corrected.
• Have your information deleted ("right to be forgotten"), where this is appropriate and not overridden by other legal requirements such as HMRC retention duties.
• Restrict how I process your information.
• Object to processing where it's based on legitimate interest.
• Receive your information in a portable format.
• Withdraw consent at any time, where I am relying on your consent for processing.

To exercise any of these rights, email andrew@swalesoftware.co.uk. I aim to respond within one month, as required by UK GDPR.

If you're unhappy with how I've handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113. I'd appreciate the chance to put things right first, so please consider contacting me before going to the ICO.

Children

My services aren't aimed at children, and I don't knowingly collect personal information about anyone under 16. If you believe I hold information about a child, please get in touch and I'll remove it.

Cookies

This site uses a small number of functional cookies set by Cloudflare, my hosting and security provider. They help keep the site available, secure, and protected from automated abuse. None of them track you across other sites or build a profile of your activity.

• __cf_bm (Cloudflare Bot Management): used to identify and mitigate malicious bots to protect the website.
• cf_clearance (Challenge Platform): set when a visitor solves a challenge (such as a CAPTCHA or Turnstile) to prevent them from seeing it again on future requests.
• __cflb (Load Balancer Affinity): used for session affinity, routing users to the same origin server for a seamless experience.
• _cfuvid (Rate Limiting Rules): used by the Web Application Firewall (WAF) to distinguish individual users who share the same IP address, helping to prevent blocking legitimate users.
• cf_ob_info / cf_use_ob (Always Online): used when the “Always Online” feature is enabled to serve pages from the Cloudflare cache if my origin server is down.
• __cfwaitingroom (Waiting Room): used to manage user traffic when the site is under high load and a virtual waiting room is activated.

Because these cookies are strictly necessary for the site to function safely, no cookie consent banner is shown. I don't use analytics, advertising, or any other tracking cookies.

Changes to this policy

I may update this policy from time to time, for example when my processes change or to reflect new regulatory guidance. The date below shows when it was last revised. If I make significant changes, I'll let active clients know by email.

Last updated: 12 May 2026