Privacy Policy
1. Introduction
Godfrey Engineering Ltd (“we”, “us”, “our”, or “Godfrey Engineering”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website at godfreyengineering.com, use our products (including ChainSolve), or otherwise interact with our services.
Godfrey Engineering Ltd is a company registered in England and Wales. We are the data controller for the personal data described in this policy.
Contact details:
- Email: legal@godfreyengineering.com
- General enquiries: info@godfreyengineering.com
- Website: www.godfreyengineering.com
This policy applies to all personal data processed through our website, applications, email communications, and any other service we operate. By using our services, you acknowledge that you have read and understood this policy.
2. Data We Collect
We collect personal data in the following categories:
2.1 Information You Provide Directly
- Account information: When you create an account for ChainSolve or any other Godfrey Engineering product, we collect your name, email address, and password (hashed — we never store plaintext passwords).
- Contact form submissions: When you submit a contact form, we collect your name, email address, and the content of your message.
- Payment information: When you make a purchase or subscribe to a paid service, we collect billing details (name, address, payment card details). Payment card details are processed directly by Stripe and are never stored on our servers.
- Support requests: When you contact us for support, we collect the information you provide in your request, which may include your name, email, and details about the issue.
- Newsletter subscriptions: If you subscribe to our newsletter, we collect your email address and, optionally, your name and preferences.
2.2 Information Collected Automatically
- Usage data: Pages visited, time spent on pages, links clicked, referral source, and navigation paths. This data is collected by PostHog (see Section 5).
- Device and browser information: Browser type and version, operating system, device type, screen resolution, and language preference.
- IP address: Collected by our hosting provider (Cloudflare) for security and performance purposes. PostHog is configured to discard IP addresses after geolocation.
- Cookies and similar technologies: See our Cookie Policy for detailed information about the cookies we use.
2.3 Information from Third Parties
- Authentication providers: If you sign in using a third-party provider (e.g., Google, GitHub), we receive your name, email address, and profile picture from that provider.
- Payment processor: Stripe provides us with transaction confirmation, the last four digits of your payment card, and billing address to fulfil our contractual obligations.
3. Legal Basis for Processing
We process your personal data under the following legal bases as defined by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018:
| Legal Basis | Examples |
|---|---|
| Contractual necessity (Article 6(1)(b)) | Processing your account data to provide ChainSolve services; processing payment data to fulfil a purchase |
| Legitimate interests (Article 6(1)(f)) | Website analytics to improve our services; error monitoring to maintain service quality; security measures to protect our systems |
| Consent (Article 6(1)(a)) | Newsletter subscriptions; non-essential cookies (analytics, marketing); PostHog product analytics |
| Legal obligation (Article 6(1)(c)) | Retaining transaction records for tax and accounting purposes; responding to lawful requests from authorities |
Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us at legal@godfreyengineering.com.
4. How We Use Your Data
We use your personal data for the following purposes:
- Service delivery: To create and manage your account, provide access to our products (including ChainSolve), process transactions, and deliver customer support.
- Communication: To respond to your enquiries, send transactional emails (order confirmations, password resets, service notifications), and, where you have consented, send marketing communications.
- Analytics and improvement: To understand how visitors use our website, identify popular content, diagnose technical issues, and improve our services. Analytics data is aggregated and pseudonymised wherever possible.
- Security and fraud prevention: To protect our services, detect and prevent fraudulent activity, and enforce our Terms of Service.
- Legal compliance: To comply with applicable laws, regulations, and legal processes, including tax obligations and data protection law.
5. Third-Party Data Processors
We share personal data with the following third-party service providers, each of whom processes data on our behalf under a Data Processing Agreement (DPA):
5.1 Cloudflare (Hosting & CDN)
- Provider: Cloudflare, Inc.
- Purpose: Website hosting via Cloudflare Pages, content delivery network (CDN), DDoS protection, DNS resolution, and web application firewall.
- Data processed: IP addresses, HTTP request headers, page URLs, and performance metrics.
- Data location: Global edge network; primary processing in EU and US data centres. Cloudflare is certified under the EU-US Data Privacy Framework.
- Retention: Web traffic logs are retained for a maximum of 72 hours. Aggregated analytics are retained for up to 6 months.
- Privacy policy: https://www.cloudflare.com/privacypolicy/
5.2 Supabase (Database & Authentication)
- Provider: Supabase, Inc.
- Purpose: User authentication and database storage for user accounts and application data.
- Data processed: Email addresses, hashed passwords, user profile data, and application data stored by users.
- Data location: EU region (Frankfurt, Germany).
- Retention: Data is retained for the lifetime of the user account. Deleted account data is purged within 30 days.
- Privacy policy: https://supabase.com/privacy
5.3 Stripe (Payments)
- Provider: Stripe, Inc.
- Purpose: Payment processing for product purchases and subscriptions.
- Data processed: Name, email address, billing address, payment card details (handled directly by Stripe — card numbers never touch our servers), transaction history.
- Data location: EU processing region. Stripe is certified under the EU-US Data Privacy Framework.
- Retention: Transaction records retained for 7 years to comply with UK tax and accounting obligations. Payment card details are retained by Stripe in accordance with PCI-DSS requirements.
- Privacy policy: https://stripe.com/privacy
5.4 Resend (Transactional Email)
- Provider: Resend, Inc.
- Purpose: Sending transactional emails (account verification, password resets, order confirmations, support responses) and marketing emails (newsletters, product updates — only with consent).
- Data processed: Email addresses, names, email content, and delivery metadata (open/click tracking for marketing emails only, with consent).
- Data location: US-based processing. Data transfer is governed by Standard Contractual Clauses (SCCs).
- Retention: Email delivery logs retained for 30 days. Marketing engagement data retained for the duration of the subscription.
- Privacy policy: https://resend.com/legal/privacy-policy
5.5 PostHog (Product Analytics)
- Provider: PostHog, Inc.
- Purpose: Product analytics including pageview tracking, feature usage analysis, and user journey mapping. Used to improve our products and website.
- Data processed: Pseudonymised user identifiers, page URLs, referral sources, browser and device metadata, feature interaction events. IP addresses are discarded after geolocation lookup.
- Data location: EU-hosted instance (eu.posthog.com, Frankfurt, Germany).
- Consent required: Yes — PostHog is only initialised after the visitor grants analytics consent via the cookie banner.
- Configuration: Person profiles disabled for anonymous visitors; session recording disabled; IP collection disabled.
- Retention: Event data retained for 12 months, then automatically deleted.
- Privacy policy: https://posthog.com/privacy
6. International Data Transfers
Some of our third-party processors are based outside the United Kingdom and the European Economic Area (EEA). Where data is transferred internationally, we ensure that appropriate safeguards are in place:
- EU-US Data Privacy Framework: Cloudflare and Stripe are certified under the EU-US Data Privacy Framework, providing an adequacy basis for data transfers.
- Standard Contractual Clauses (SCCs): For processors not covered by an adequacy decision, we rely on the UK-approved International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses, as applicable.
- EU-hosted instances: Where possible, we select EU-hosted instances of services (PostHog EU, Supabase EU) to minimise international data transfers.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required by law.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Lifetime of account + 30 days after deletion | Service delivery |
| Payment transaction records | 7 years from transaction date | UK tax and accounting law (HMRC requirements) |
| Contact form submissions | 24 months from submission | Legitimate interest in responding to enquiries |
| Newsletter subscriptions | Until unsubscribe + 30 days | Consent-based; data purged after unsubscribe |
| Analytics data (PostHog) | 12 months | Legitimate interest in service improvement |
| Server logs (Cloudflare) | 72 hours | Security and performance |
| Cookie consent preferences | 12 months | Regulatory compliance |
When personal data is no longer required, it is securely deleted or anonymised so that it can no longer be associated with you.
8. Your Rights Under the UK GDPR
Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the following rights regarding your personal data:
8.1 Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you. We will respond to your request within one calendar month.
8.2 Right to Rectification (Article 16)
You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
8.3 Right to Erasure (Article 17)
You have the right to request that we delete your personal data where:
- The data is no longer necessary for the purpose for which it was collected
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is required to comply with a legal obligation
Note: We may retain certain data where required by law (e.g., financial transaction records for tax purposes).
8.4 Right to Restriction of Processing (Article 18)
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interests.
8.5 Right to Data Portability (Article 20)
Where processing is based on consent or contractual necessity, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV), and to transmit it to another controller.
8.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your rights.
You also have the right to object to direct marketing at any time. If you object, we will stop processing your data for direct marketing purposes immediately.
8.7 Rights Related to Automated Decision-Making (Article 22)
We do not currently make any decisions based solely on automated processing that produce legal or similarly significant effects on you. If this changes, we will update this policy and provide you with appropriate safeguards.
8.8 Right to Withdraw Consent
Where processing is based on consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
To withdraw cookie consent, use the “Cookie Settings” link in the footer of our website or visit our Cookie Policy.
9. Exercising Your Rights
To exercise any of the rights described above, please contact us:
- Email: legal@godfreyengineering.com
- Subject line: “Data Subject Access Request” (or the specific right you wish to exercise)
We will verify your identity before processing your request. We may ask you to provide additional information to confirm your identity, particularly if the request is made via email.
We will respond to all valid requests within one calendar month. In exceptional circumstances (e.g., complex or numerous requests), we may extend this period by a further two months, in which case we will notify you of the extension and the reasons for it.
There is no fee for exercising your rights. However, we may charge a reasonable fee or refuse to act on a request if it is manifestly unfounded or excessive.
10. Cookies and Tracking Technologies
We use cookies and similar technologies on our website. For detailed information about the cookies we use, their purpose, duration, and how to manage your preferences, please see our Cookie Policy.
You can manage your cookie preferences at any time by clicking the “Cookie Settings” link in the website footer.
11. Children’s Data
Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data as quickly as possible.
If you believe that we may have collected data from a child under 16, please contact us at legal@godfreyengineering.com.
12. Security Measures
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 (HTTPS), enforced by Cloudflare.
- Encryption at rest: User data stored in Supabase is encrypted at rest using AES-256 encryption.
- Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis.
- Password hashing: User passwords are hashed using bcrypt with a work factor of 12. Plaintext passwords are never stored.
- Regular security reviews: We conduct periodic security reviews of our infrastructure and third-party integrations.
- Incident response: We maintain an incident response procedure. In the event of a personal data breach, we will notify the Information Commissioner’s Office (ICO) within 72 hours where required, and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
13. Links to Third-Party Websites
Our website may contain links to third-party websites and services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party websites you visit.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will:
- Update the “Last updated” date at the top of this page
- Post a notice on our website for a reasonable period
- Where legally required, notify you by email
We encourage you to review this policy periodically. Your continued use of our services after any changes constitutes acceptance of the updated policy.
15. Complaints
If you are dissatisfied with our response to a data protection concern, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner’s Office (ICO)
- Website: https://ico.org.uk/make-a-complaint/
- Telephone: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
We would appreciate the opportunity to address your concerns before you contact the ICO. Please contact us first at legal@godfreyengineering.com.
16. Contact Us
If you have any questions about this Privacy Policy or our data protection practices, please contact us:
- Data protection enquiries: legal@godfreyengineering.com
- General enquiries: info@godfreyengineering.com
- Website: www.godfreyengineering.com
Godfrey Engineering Ltd
United Kingdom