1. Introduction
This Privacy Policy describes how SpiralCorp ("we", "us", "our") collects, uses, stores, and protects your personal information when you use our web development and hosting services, visit our websites (spiralcorp.co.uk and portal.spiralcorp.co.uk), or interact with our client portal. We are committed to safeguarding your data in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and, where applicable, the EU GDPR and other relevant standards.
If you have any questions about this Policy or your data rights, please contact us at support@spiralcorp.co.uk.
2. Data Controller
SpiralCorp is the data controller for all personal data collected via our website and in relation to our services. When clients use our hosting platform to process third-party data, the client is the controller, and SpiralCorp acts as a processor as defined by applicable data law.
3. Scope of Policy
This policy applies to all personal data obtained:
- Directly from users, clients, or contacts
- Automatically via our websites and client portal
- Through client accounts, registrations, and support interactions
- Via third-party integrations (such as Google OAuth, Calendar, and other Google APIs)
4. What Personal Data We Collect
We collect the following types of personal data as necessary to provide our services:
- Contact information: name, company, address, email, phone number
- Account data: usernames, passwords, login activity, audit trails
- Service usage data: hosting plan details, domains registered, usage statistics
- Payment data: billing address, payment method, transaction records (handled through secure third-party processors)
- Support interactions: tickets, requests, client communications
- Technical data: IP address, device, browser info, access times, logs
- Email and web content (where you host or back up this via our services)
- Google API/Cloud/OAuth information (where you opt to connect these integrations)
We do not collect sensitive categories of data unless required to fulfil contractual obligations, and only with explicit user consent.
5. How We Use Your Data
We process your data only as is necessary, lawfully, and in a transparent manner. Typical uses include:
- Service provisioning: account creation, hosting, web development, domain registration
- Client support and communications
- Billing, invoicing, and payment transactions
- Account authentication and security
- Backup and disaster recovery services (incremental backup every 3 hours)
- Third-party integrations (e.g., Google Auth, Calendar) only if you opt in
- Email notifications and renewal reminders
- Service improvement, analytics, and infrastructure monitoring
We never sell, rent, or trade your personal information to third parties.
6. Legal Basis for Processing
We process personal data under the following lawful bases:
- Consent (where you grant permission, e.g., via registration or integrating Google APIs)
- Contract (to provide services you've requested)
- Legal obligation (to comply with laws/regulations)
- Legitimate interest (security, fraud prevention, improvement of our services)
7. Sharing and Transfers of Data
Your personal data is only shared as strictly necessary for:
- Service delivery (e.g., with domain registries, payment providers, or trusted infrastructure partners)
- Legal compliance and security incidents
- Requests from competent authorities, when legally required
All data is hosted on secure infrastructure located in the EU/EEA (Finland, Germany) and the UK. Data is not transferred outside these regions unless such transfer is permitted by UK GDPR/EU GDPR (e.g., through standard contractual clauses or express consent).
8. Google API and OAuth Integration
Where you use Google integrations (Calendar, OAuth, Reviews, etc.):
- We access only the minimum necessary data as authorized by you
- We use Google user data solely to fulfill the services you request, never for unrelated purposes
- Your use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements
- You may revoke SpiralCorp's access to your Google account at any time via your Google account settings
10. Data Security
We apply robust security measures across our services:
- Enterprise firewalls, DDoS protection, and intrusion detection
- SSL/TLS encrypted communication
- Regular vulnerability assessment
- Secure passwords and authentication
- Data backup every 3 hours to geographically distinct locations (email & hosted data)
- Role-based access controls
11. Data Retention
We retain your data only as long as necessary to serve you or comply with legal requirements:
- Account and billing data: as long as your account is active plus no more than 6 years (UK requirements)
- Backups: incremental backups retained for a period consistent with our backup policy or client contract, typically up to 30 days
- Domain registration records: as required by registry contracts
You may request data deletion at any time unless retention is legally required.
12. Your Rights
You have the following rights under UK/EU data law:
- Access your data (right to know what we hold)
- Rectification (fix inaccurate data)
- Erasure ("right to be forgotten" where applicable)
- Restriction of processing
- Data portability (where feasible)
- Object to particular uses of your data
- Withdraw consent at any time
Contact us at support@spiralcorp.co.uk to exercise these rights. We respond to all data subject requests within one calendar month.
13. Children's Privacy
Our services are not intended for children under 13. We do not knowingly collect personal information from children under this age.
14. Data Breaches
In the unlikely event of a data breach affecting your personal data, we will notify you and relevant authorities as required by law and take immediate action to remediate.
15. Third-Party Services & Integrations
Our services may integrate with or link to:
- Domain registries and payment processors
- Google APIs (OAuth, Calendar, Reviews)
- Cloudflare (optional DNS failover)
All such providers have their own privacy policies; we recommend reviewing those policies where relevant.
16. Changes to This Policy
We review and update this Privacy Policy regularly. Material changes will be communicated via website notice or email, and the latest version will always be available at spiralcorp.co.uk/privacy-policy.
17. Contact Us
If you have questions or complaints, or wish to exercise your data rights, please contact:
You may also contact the UK Information Commissioner's Office (ICO) for further information or to raise a concern: https://ico.org.uk/