Privacy Policy

1. Introduction

This Privacy Policy describes how SpiralCorp ("we", "us", "our") collects, uses, stores, and protects your personal information when you use our web development and hosting services, visit our websites (spiralcorp.co.uk and portal.spiralcorp.co.uk), or interact with our client portal. We are committed to safeguarding your data in accordance with the UK General Data Protection Regulation ("UK GDPR"), Data Protection Act 2018, and where applicable, the EU GDPR and other relevant standards.

If you have any questions about this Policy or your data rights, please contact us at support@spiralcorp.co.uk.

2. Data Controller

SpiralCorp is the data controller for all personal data collected via our website and in relation to our services. When clients use our hosting platform to process third-party data, the client is the controller, and SpiralCorp acts as a processor as defined by applicable data law.

3. Scope of Policy

This policy applies to all personal data obtained:

• Directly from users, clients, or contacts
• Automatically via our websites and client portal
• Through client accounts, registrations, and support interactions
• Via third-party integrations (such as Google OAuth, Calendar, and other Google APIs)

4. What Personal Data We Collect

We collect the following types of personal data as necessary to provide our services:

• Contact information: name, company, address, email, phone number
• Account data: usernames, passwords, login activity, audit trails
• Service usage data: hosting plan details, domains registered, usage statistics
• Payment data: billing address, payment method, transaction records (handled through secure third-party processors)
• Support interactions: tickets, requests, client communications
• Technical data: IP address, device, browser info, access times, logs
• Email and web content (where you host or back up this via our services)
• Google API/Cloud/OAuth information (where you opt to connect these integrations)

We do not collect sensitive categories of data unless required to fulfil contractual obligations, and only with explicit user consent.

5. How We Use Your Data

We process your data only as is necessary, lawfully, and in a transparent manner. Typical uses include:

• Service provisioning: account creation, hosting, web development, domain registration
• Client support and communications
• Billing, invoicing, and payment transactions
• Account authentication and security
• Backup and disaster recovery services (incremental backup every 3 hours)
• Third-party integrations (e.g., Google Auth, Calendar) only if you opt in
• Email notifications and renewal reminders
• Service improvement, analytics, and infrastructure monitoring

We never sell, rent, or trade your personal information to third parties.

6. Legal Basis for Processing

We process personal data under the following lawful bases:

• Consent (where you grant permission, e.g., via registration or integrating Google APIs)
• Contract (to provide services you've requested)
• Legal obligation (to comply with laws/regulations)
• Legitimate interest (security, fraud prevention, improvement of our services)

7. Sharing and Transfers of Data

Your personal data is only shared as strictly necessary for:

• Service delivery (e.g., with domain registries, payment providers, or trusted infrastructure partners)
• Legal compliance and security incidents
• Requests from competent authorities, when legally required

All data is hosted on secure infrastructure located in the EU/EEA (Finland, Germany) and the UK. Data is not transferred outside these regions unless such transfer is permitted by UK GDPR/EU GDPR (e.g., through standard contractual clauses or express consent).

8. Google API and OAuth Integration

Where you use Google integrations (Calendar, OAuth, Reviews, etc.):

• We access only the minimum necessary data as authorized by you
• We use Google user data solely to fulfill the services you request, never for unrelated purposes
• Your use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements
• You may revoke SpiralCorp's access to your Google account at any time via your Google account settings

9. Cookies and Similar Technologies

We use essential cookies for session management, authentication, and user experience. Our websites may employ analytics and functional cookies; details and options are provided via our cookie banner and consent popup in compliance with PECR and GDPR.

10. Data Security

We apply robust security measures across our services:

• Enterprise firewalls, DDoS protection, and intrusion detection
• SSL/TLS encrypted communication
• Regular vulnerability assessment
• Secure passwords and authentication
• Data backup every 3 hours to geographically distinct locations (email & hosted data)
• Role-based access controls

11. Data Retention

We retain your data only as long as necessary to serve you or comply with legal requirements:

• Account and billing data: as long as your account is active plus no more than 6 years (UK requirements)
• Backups: incremental backups retained for a period consistent with our backup policy or client contract, typically up to 30 days
• Domain registration records: as required by registry contracts

You may request data deletion at any time unless retention is legally required.

12. Your Rights

You have the following rights under UK/EU data law:

• Access your data (right to know what we hold)
• Rectification (fix inaccurate data)
• Erasure ("right to be forgotten" where applicable)
• Restriction of processing
• Data portability (where feasible)
• Object to particular uses of your data
• Withdraw consent at any time

Contact us at support@spiralcorp.co.uk to exercise these rights. We respond to all data subject requests within one calendar month.

13. Children's Privacy

Our services are not intended for children under 13. We do not knowingly collect personal information from children under this age.

14. Data Breaches

In the unlikely event of a data breach affecting your personal data, we will notify you and relevant authorities as required by law and take immediate action to remediate.

15. Third-Party Services & Integrations

Our services may integrate with or link to:

• Domain registries and payment processors
• Google APIs (OAuth, Calendar, Reviews)
• Cloudflare (optional DNS failover)

All such providers have their own privacy policies; we recommend reviewing those policies where relevant.

16. Changes to This Policy

We review and update this Privacy Policy regularly. Material changes will be communicated via website notice or email, and the latest version will always be available at spiralcorp.co.uk/privacy-policy.

17. Contact Us

If you have questions, complaints, or wish to exercise your data rights please contact:

You may also contact the UK Information Commissioner's Office (ICO) for further information or to raise a concern: https://ico.org.uk/