Privacy Policy
Image Concepts (Yorkshire) Ltd
| Version 2.1 | 16 April 2026 Replaces all previous versions | Data controller: Image Concepts (Yorkshire) Ltd ICO registration: ZA525313 Contact: info@imageconcepts.co.uk |
1. Who we are
Image Concepts (Yorkshire) Ltd (Company No. 08161985) provides managed WordPress website hosting and related digital services. We are registered in England and Wales. Our registered office is at Flexspace, Hartwith Way, Harrogate, HG3 2XA.
We are the data controller for the personal data we collect in connection with our own business — that is, when you visit our website, make an enquiry, or become a customer. We are registered with the Information Commissioner’s Office (ICO) under registration number ZA525313.
When we host your website as part of our hosting services, we also act as a data processor on your behalf in respect of personal data contained in that website. That relationship is governed separately by our Data Processing Agreement, which is incorporated into your hosting contract.
This privacy policy applies to our website (www.imageconcepts.co.uk) and to our business operations as a data controller. It explains what personal data we collect, why we collect it, how we use it, and your rights.
2. What personal data we collect
The personal data we collect depends on how you interact with us. The main categories are set out below.
2.1 Enquiries and contact forms
When you submit an enquiry through our website or contact us by email or telephone, we collect your name, email address, telephone number, and the content of your message. If you represent a business, we may also collect your company name and job title.
2.2 Customer account and billing data
When you become a hosting customer, we collect the information necessary to set up and manage your account and to invoice you. This includes your name, company name, registered address, email address, telephone number, and billing information.
2.3 Payment data
We use third-party payment processors to handle payments. The processor used depends on your chosen payment method:
- Stripe, Inc. processes card payments on our behalf. We do not see or store your full card number — Stripe handles all card data directly.
- GoCardless Ltd processes direct debit payments. Your bank account details are held by GoCardless, not by us.
- PayPal (Europe) S.à r.l. et Cie, S.C.A. processes PayPal payments. Your PayPal account and payment details are held by PayPal.
- Where you pay by BACS bank transfer in response to an invoice, we hold your payment reference on our billing records but do not collect your bank account details.
In each case, your payment data is subject to the relevant processor’s own privacy policy. We receive only a transaction confirmation and the last four digits of a card or a masked account reference where necessary for our records.
2.4 Website analytics
We use Google Analytics to understand how visitors use our website. This collects information about the pages you visit, how long you spend on them, your approximate location (derived from your IP address), your browser type, and your device type. This data is collected via cookies and is only placed if you have consented through our cookie banner.
Google Analytics data is aggregated and anonymised for our purposes. We do not use it to identify individual visitors.
2.5 Email marketing
If you subscribe to our newsletter or marketing emails, we collect your name and email address and use Mailchimp (operated by The Rocket Science Group LLC d/b/a Mailchimp, a subsidiary of Intuit Inc.) to manage our mailing list and send communications. We only send marketing emails to people who have opted in. You can unsubscribe at any time using the link in any email we send.
2.6 Technical data
Our web server automatically records standard technical information when you visit our website, including your IP address, browser type, operating system, referring URL, and the date and time of your visit. This information is held in server access logs and is used for security monitoring and diagnosing technical issues.
3. How and why we use your personal data
UK GDPR requires us to have a lawful basis each time we process personal data. The table below sets out the purposes for which we process personal data and the legal basis we rely on in each case.
| Purpose | Data used | Lawful basis |
| Responding to your enquiry or quote request | Name, email, phone, message content, company details | Article 6(1)(b) — steps prior to entering a contract; or Article 6(1)(f) — our legitimate interest in responding to business enquiries |
| Setting up and managing your hosting account | Name, company, address, email, phone | Article 6(1)(b) — performance of our contract with you |
| Invoicing and collecting payment | Name, company, address, billing reference, payment transaction confirmation | Article 6(1)(b) — performance of contract; Article 6(1)(c) — legal obligation (HMRC record-keeping requirements) |
| Providing technical support | Account details, communications, server/access logs | Article 6(1)(b) — performance of contract |
| Sending service notices (e.g. maintenance, renewals, service changes) | Name, email address | Article 6(1)(b) — performance of contract; Article 6(1)(f) — legitimate interest in keeping customers informed |
| Sending marketing emails and newsletters | Name, email address | Article 6(1)(a) — your consent (opt-in). You may withdraw consent at any time. |
| Analysing website usage to improve our services (Google Analytics) | IP address, device/browser data, page visit data | Article 6(1)(a) — your consent via our cookie banner |
| Security monitoring and fraud prevention | IP addresses, server access logs | Article 6(1)(f) — our legitimate interest in maintaining the security of our systems and services |
| Complying with legal obligations (e.g. responding to lawful requests from authorities) | Relevant data as required | Article 6(1)(c) — legal obligation |
4. Who we share your personal data with
We do not sell your personal data. We do not share it with third parties for their own marketing purposes. We share personal data only in the following circumstances.
4.1 Data processors acting on our behalf
We use a number of third-party service providers (“data processors”) who process personal data on our behalf as part of delivering our services. Each processor is required by contract to handle personal data only on our instructions and to maintain appropriate security. Our current processors are:
| Processor | Purpose | Location | More information |
| Cloudways Ltd | Hosting management platform — manages server provisioning and hosting infrastructure | EU / EEA — confirmed: no data stored outside the EU | cloudways.com/privacy-policy |
| DigitalOcean LLC | Physical server infrastructure on which hosted websites run | United Kingdom (LON1 data centre) | digitalocean.com/legal/privacy-policy |
| AC PM LLC (Postmark) | Transactional email delivery service used by hosted websites | United States (see section 5) | postmarkapp.com/privacy-policy |
| Stripe, Inc. | Card payment processing | United States / UK (see section 5) | stripe.com/gb/privacy |
| GoCardless Ltd | Direct debit payment processing | United Kingdom | gocardless.com/legal/privacy |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | PayPal payment processing | Luxembourg / European Union | paypal.com/uk/legalhub/privacy-full |
| Google LLC | Website analytics (Google Analytics) | United States (see section 5) | policies.google.com/privacy |
| The Rocket Science Group LLC (Mailchimp / Intuit) | Email marketing list management and sending | United States (see section 5) | mailchimp.com/legal/privacy |
4.2 Legal requirements
We may disclose personal data to law enforcement agencies, courts, regulators, or other authorities if we are required to do so by law, or if we believe disclosure is necessary to comply with a legal obligation, protect our rights or property, or prevent fraud or illegal activity. We will notify you of any such disclosure where we are legally permitted to do so.
4.3 Business transfers
If we sell or transfer all or part of our business, personal data held about customers may be transferred to the buyer as part of that transaction. We will take reasonable steps to ensure that personal data continues to be handled in accordance with this policy.
5. International transfers of personal data
The UK has its own international data transfer regime under UK GDPR. When we transfer personal data to a country outside the UK, we ensure that appropriate safeguards are in place. The relevant transfer basis for each processor that operates outside the UK is set out below.
| Processor | Country | Transfer safeguard |
| AC PM LLC (Postmark) | United States | UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge). AC PM LLC holds active certification. We verify this annually. |
| Stripe, Inc. | United States | UK-US Data Bridge certification (Stripe is certified) and/or Standard Contractual Clauses with UK Addendum where applicable. |
| Google LLC | United States | UK adequacy regulations and/or Standard Contractual Clauses with UK Addendum. Google Analytics data is also subject to IP anonymisation. |
| The Rocket Science Group LLC (Mailchimp) | United States | UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge). Intuit Inc. (Mailchimp’s parent) holds active certification. |
| PayPal | Luxembourg / EU | UK adequacy — no additional safeguard required for transfers within the EEA. |
You can find out more about the UK-US Data Bridge at: ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/adequacy-regulations
6. How long we keep your personal data
We keep personal data only for as long as necessary for the purpose for which it was collected, or as required by law. Our retention schedule is set out below.
| Category | Retention period | Reason |
| Customer account and contact data | Duration of contract, then 6 years from end of contract | Limitation Act 1980 — standard period for bringing contractual claims |
| Billing and invoice records | 7 years from end of the relevant accounting period | HMRC requirement for financial records |
| Pre-sale enquiries (not converted to customers) | 3 years from last contact | Legitimate interest in maintaining business records; limitation period for misrepresentation claims |
| Support and correspondence | 3 years from resolution of the matter | Legitimate interest in retaining records of service delivery |
| Marketing email list (Mailchimp) | Until you unsubscribe or withdraw consent, then deleted within 30 days | Consent-based processing ends when consent is withdrawn |
| Server access logs | 90 days | Security monitoring purposes; longer retention is unnecessary |
| Google Analytics data | 14 months (default Google Analytics retention setting) | Analytics purposes |
At the end of each retention period, personal data is securely deleted or anonymised so that it can no longer be linked to an individual.
7. Your rights
Under UK GDPR, you have the following rights in relation to your personal data. These rights are not absolute — they apply in certain circumstances and may be subject to exceptions — but we will always respond to any request promptly and honestly.
| Your right | What it means |
| Access | You can ask us to confirm whether we hold personal data about you and, if so, to provide you with a copy. This is known as a subject access request. |
| Rectification | You can ask us to correct personal data about you that is inaccurate or incomplete. |
| Erasure | You can ask us to delete your personal data (“the right to be forgotten”). This right applies in certain circumstances, such as where the data is no longer necessary for the purpose it was collected, or where you withdraw consent. |
| Restriction | You can ask us to restrict our processing of your data in certain circumstances — for example, while we investigate a query about its accuracy. |
| Portability | Where our processing is based on your consent or on a contract, and is carried out by automated means, you can ask us to provide your personal data to you in a structured, commonly used, machine-readable format. |
| Objection | You can object to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests. |
| Withdraw consent | Where we rely on your consent to process your data (such as for marketing emails), you can withdraw that consent at any time. Withdrawal will not affect the lawfulness of any processing carried out before you withdrew consent. |
| Automated decisions | You have the right not to be subject to a decision based solely on automated processing that produces a significant legal effect on you. We do not carry out such processing. |
To exercise any of these rights, please contact us using the details in section 9. We will respond within one calendar month. There is no charge for making a request, although we may charge a reasonable fee or refuse to act if a request is manifestly unfounded or excessive.
8. Cookies
Our website uses cookies — small text files stored on your device. We use strictly necessary cookies to make the website function, and, with your consent, analytics cookies (Google Analytics) and functionality cookies (Vimeo video embeds).
Non-essential cookies are only placed after you have actively consented through our cookie banner. You can withdraw consent or change your preferences at any time by clicking the cookie settings link in the footer of our website.
For full details of the cookies we use and how to manage them, please see our separate Cookie Policy.
9. How to contact us and how to complain
9.1 Contacting us
If you have any questions about this Privacy Policy, or if you wish to exercise any of your rights, please contact us by:
- Email: info@imageconcepts.co.uk
- Post: Image Concepts (Yorkshire) Ltd, Flexspace, Hartwith Way, Harrogate, HG3 2XA
- Telephone: 01423 900590
We aim to respond to all data protection queries within five business days and to all formal rights requests within one calendar month.
9.2 Making a complaint
If you are unhappy with how we have handled your personal data, we encourage you to contact us in the first instance so that we can try to resolve your concern.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s independent data protection regulator:
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Making a complaint to the ICO does not affect your right to seek a remedy through the courts.
10. Changes to this policy
We review this Privacy Policy periodically and will update it when necessary — for example, if we change the data we collect, the processors we use, or the way we use data. The version number and date at the top of this document will always reflect the current version.
Where changes are material, we will notify active customers by email before the new version takes effect. For minor changes (such as clarifications or correcting typographical errors), we will simply update the policy on our website.
Previous versions of this policy are available on request.
Image Concepts (Yorkshire) Ltd | Company No. 08161985 | ICO registration: ZA525313