Privacy policy
The plain-English version of how we handle your data. Short, because we don't collect much.
// last updated June 2026 · draft for review
Who we are
LRWeb ("we", "us") is a small UK business run by Luke and Ralph, operating as sole traders trading as LRWeb. We provide website design, hosting and maintenance services. For the personal data described in this policy, we are the data controller. You can contact us about anything here at [email protected].
What we collect, why, and our lawful basis
- Enquiry details — your name, email, organisation and message when you contact us. Used solely to reply and discuss your project. Lawful basis: legitimate interests (responding to people who contact us).
- Client account information — contact details, billing address and payment records needed to invoice you and manage your services. Lawful basis: performance of a contract, and legal obligation for tax records.
- Correspondence — emails between us, kept so we have an accurate record of what was agreed and requested. Lawful basis: legitimate interests.
- Technical logs — standard server logs (including IP addresses) generated when you visit this site or a site we host, used for security and troubleshooting. Lawful basis: legitimate interests (keeping things secure). Logs rotate automatically, typically within 30 days.
We don't sell data, we don't run advertising trackers, we don't profile anyone, and we don't collect anything we don't need.
Your website's data — who's responsible for what
If we host your website, two roles apply. For our own records about you (billing, correspondence), we're the controller. For the content and visitor data of your website — your customers' enquiries, orders, comments — you are the controller and we act as your processor: we store and process that data on your instructions, keep it secure, and don't use it for anything else. Your website should have its own privacy policy covering your visitors; we're happy to help you draft one.
Who we share data with
Only the suppliers needed to run the service, each bound by UK GDPR-compatible terms:
- Netcup GmbH (Germany) — server infrastructure where hosted websites live, in EU data centres powered by 100% renewable energy.
- Backblaze (EU region) — encrypted off-site backup storage.
- Cloudflare — DNS, content delivery and security protection.
- Our payment and banking providers — to process invoices and payments. We never see or store full card details.
We never share, rent or sell your data to anyone else, and we'll only disclose data where the law requires it.
Where data lives and international transfers
Websites we host run on servers in Germany. Backups are encrypted and stored in the EU. The EU benefits from UK adequacy regulations, so transfers there don't need additional safeguards. Where any provider processes data outside the UK/EU (for example parts of Cloudflare's global network), they do so under recognised UK GDPR transfer mechanisms.
How we keep it secure
- Encryption in transit (HTTPS/SSL everywhere) and encrypted backups at rest.
- Access limited to the two of us, protected by strong unique credentials and two-factor authentication.
- Firewalls, malware scanning and continuous monitoring on every server we run.
- Daily off-site backups so data can be recovered if something goes wrong.
Cookies
This website doesn't use advertising or tracking cookies. If we ever need a strictly necessary cookie for something to function, that's all it will be. No consent banners pretending a hundred trackers are "essential".
How long we keep things
- Enquiries that don't become work — deleted within 12 months.
- Client records and invoices — kept for the duration of our relationship plus 6 years, as required by UK tax law.
- Server logs — rotate automatically, typically within 30 days.
- Backups — rotate automatically on a fixed schedule; old copies are overwritten.
- When you leave us — we hand your website data over to you, then delete our copies once the migration is confirmed (except invoice records we must keep).
Your rights
Under UK GDPR you can ask us: what we hold about you (access), to correct it (rectification), to delete it (erasure), to limit how we use it (restriction), for a copy in a portable format (portability), or to stop processing based on legitimate interests (objection). Email [email protected] and we'll respond within 30 days, usually much faster. There's no charge.
If you think we've got something wrong and we haven't fixed it, you can complain to the Information Commissioner's Office at ico.org.uk or on 0303 123 1113.
If something goes wrong
If a data breach ever affects your personal data, we'll tell you promptly and without drama: what happened, what was affected, and what we're doing about it. Where the breach is likely to risk people's rights, we'll also report it to the ICO within 72 hours as the law requires.
Changes to this policy
If we change this policy in any meaningful way, we'll update the date at the top and tell active clients by email. We won't quietly slip anything in.