Privacy Policy

Data Controller

This Privacy Policy explains how ilumi Technologies Ltd (trading as ilumi SEO, or ilumi) collects, uses, protects, and processes your personal data in connection with our digital marketing services:

Legal Entity: ilumi Technologies Ltd

Registered in: England & Wales

Company Number: 16883192

Registered Office: 82A James Carter Road, Mildenhall IP28 7DE

As the Data Controller under UK GDPR and EU GDPR, we are responsible for how your personal data is processed. For any questions, requests, or concerns, contact us at:
[email protected]

1. What Data We Collect & Why

We only collect personal data that is necessary to deliver our services. Below is a full breakdown by activity.

Website browsing
We do not collect any personal data when you browse our website. Anonymous, aggregated behavioural and traffic data is collected via Google Analytics 4 (GA4) and Google Search Console only if you accept cookies via our consent banner. No IP addresses or personal identifiers are stored by us. See Section 2 for full details.

Optimal Website Audit. Product-specific notice:
Our Optimal Website Audit is a paid product. When you purchase an audit online:

• Payment: Your transaction is processed entirely and securely by Stripe. ilumi Technologies Ltd does not receive, store, or handle your card details at any point. For details on how Stripe handles your payment data, please review the Stripe Privacy Policy.

• Email address: The email address you provide during checkout is passed to our email automation platform, Brevo, solely to send you your audit access link. It is not used for any other purpose unless you separately opt in to marketing communications. For details on how Brevo processes your data, see the Brevo Privacy Policy.

• Domain submitted: The domain you submit for audit is scanned using publicly accessible performance and SEO data only. By submitting a domain, you confirm you are the owner or authorised representative of that domain.

• Audit data retention: Your email address and associated audit data are retained for 180 days from the date of your audit, unless you are in an active conversation, project, or retainer with us, in which case it is retained for the duration of that engagement plus 90 days after conclusion. You will receive an email notification before your data is permanently deleted, giving you time to export your results. Your unique audit access link expires at the same time.

Webinars & online events
When you register for an ilumi webinar, we collect your name and email address to send you access details, reminders, and a post-event follow-up. We will only add you to our ongoing marketing list if you explicitly opt in on the registration form registration alone does not constitute marketing consent. Webinar registrant data is retained for 90 days from the event date unless you have opted in to further communications. We will never share your registration data with co-hosts, sponsors, or partners without a separate, explicit opt-in.

Email marketing & newsletters
We only send marketing communications where you have given given consent. Every marketing email contains a clear unsubscribe link. We honour all opt-out requests promptly and within 72 hours at most. Upon unsubscribing, your data is suppressed to prevent accidental re-addition; you may request full deletion at any time.

Retainer clients & ongoing engagements
For clients on a retainer or active project, we collect contact details, access credentials (e.g. analytics platforms, CMS, ad accounts), and business performance data necessary to deliver the agreed scope. This data is processed under our contractual obligations and retained for the duration of the engagement, then for 6 years post-engagement for legal and financial compliance, after which it is securely deleted.

Web development projects
During website development work, we may handle data relating to your business, your customers, or third-party integrations, solely for delivery of the agreed project scope. Data is deleted or returned to you upon project completion unless ongoing maintenance is contracted.

Consulting & strategy sessions
We collect your email and any details you voluntarily share to schedule and run sessions. No recordings are made without explicit prior written consent. Any temporary access you grant to analytics tools, ad platforms, or accounts is revoked and removed immediately after the session. Consulting data is deleted after the session unless legal retention is required.

Contact & enquiry forms
Name, email, and message content collected via contact forms or direct email are used solely to respond to your enquiry and retained for 12 months from last contact. This data is not used for marketing unless you separately opt in.

Lawful bases for processing:
• Article 6(1)(a) GDPR — Consent: webinar sign-ups, email marketing, analytics cookies.
• Article 6(1)(b) GDPR — Performance of a contract: delivering the Optimal Audit, client projects, and retainers.
• Article 6(1)(c) GDPR — Legal obligation: invoicing and financial record-keeping.
• Article 6(1)(f) GDPR — Legitimate interests: transactional service delivery (e.g. sending your audit link), fraud prevention, and business administration — balanced against your privacy rights.

2. Cookies & Analytics

We use cookies to understand how visitors interact with our website and to improve our services. No tracking or analytics scripts are loaded until you actively accept via the cookie consent banner shown on your first visit.

When you accept our cookie policy, the following tools become active:

• Google Analytics 4 (GA4) — Collects anonymous, aggregated behavioural and traffic data (e.g. pages visited, session duration, traffic sources). IP anonymisation is enabled. No personal identifiers are stored by us.
• Google Search Console — Used to monitor search performance data (e.g. impressions, clicks, keyword data). This is aggregated and does not identify individual users.

We use the following cookie categories:
• Strictly necessary — Required for the website to function. Always active; consent not required.
• Analytics — GA4 and Search Console data collection. Active only on your consent.
• Marketing / advertising — May be used for conversion tracking or retargeting if enabled. Active only on your consent.

You may withdraw cookie consent at any time by clearing your browser cookies or adjusting your browser settings. For more on Google's data practices: Google Privacy Policy.

3. Third-Party Processors & International Transfers

We engage the following data processors. Each is bound by a Data Processing Agreement and may only process your data on our instructions. International transfers are covered by Standard Contractual Clauses (SCCs) or an equivalent adequacy mechanism.

Stripe Inc. (USA) — Payment processing for the Optimal Website Audit and other products.
Transfers covered by EU/UK SCCs.  Stripe Privacy Policy

Brevo (France / USA) — Transactional email delivery (e.g. audit access links) and marketing email campaigns.
Transfers covered by EU/UK SCCs.  Brevo Privacy Policy

Google Ireland Ltd. (EU) — Google Analytics 4 (anonymous usage data), Google Search Console (aggregated search performance data), and where applicable, Google Ads.
Google Privacy Policy

Video conferencing platforms (Zoom / Google Meet / Microsoft Teams) — Used for consulting sessions and webinars. Transfers covered by EU/UK SCCs. Please review the relevant platform's privacy policy before joining a session.

Calendly LLC (USA) — Scheduling tool used to book free consultation sessions and manage appointment availability.
Transfers covered by EU/UK SCCs.   Calendly Privacy Policy

We do not sell, rent, or share your personal data with third parties for their own marketing purposes. Webinar attendee lists are never shared with co-hosts, sponsors, or partners without your separate, explicit consent.

4. Data Retention Schedule

Optimal Website Audit data — 180 days from audit date, extended for active clients (see Section 1). Pre-deletion email notification sent.

Webinar registrant data — 12 months from event date, unless opted in to ongoing communications.

Email marketing — Retained while subscribed; Deleted on unsubscribe.

Client / retainer data — Duration of engagement, then 6 years for legal and contractual compliance.

Billing & invoicing records — 7 years in accordance with UK tax legislation (HMRC requirements).

Enquiry & contact form data — 12 months from last contact, unless a commercial relationship has commenced.

Consulting session data — Deleted after session unless legal retention is required.

All data is stored on secure, GDPR-compliant cloud infrastructure and erased using industry-standard secure deletion methods at the end of the applicable retention period.

5. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encrypted data transmission via TLS/HTTPS across all our platforms.
• Role-based access controls — staff only access data relevant to their role.
• Secure, GDPR-compliant cloud infrastructure.
• Immediate revocation of any client-granted platform access credentials after sessions or project completion.
• Regular review of our data handling practices and third-party processor compliance.

6. Your Rights

Under UK GDPR and EU GDPR you have the following rights, exercisable free of charge. We will respond within one calendar month:

• Right of access — Request a copy of the personal data we hold about you.
• Right to rectification — Request correction of inaccurate or incomplete data.
• Right to erasure — Request deletion where there is no lawful reason to continue processing.
• Right to restriction — Request that we limit processing in certain circumstances.
• Right to object — Object to processing based on legitimate interests or for direct marketing. We will stop direct marketing processing immediately upon objection.
• Right to data portability — Receive your data in a structured, machine-readable format.
• Right to withdraw consent — Withdraw consent at any time without affecting prior processing.
• Right to lodge a complaint — Contact the Information Commissioner's Office (ICO) at ico.org.uk (UK), or your relevant EU supervisory authority.

To exercise any right, email [email protected] with the subject line "Data Rights Request".

7. Client Engagements — Data Processor Role

When delivering services such as SEO, paid media, or web development, we may access data belonging to our clients' customers or users (e.g. via Google Analytics, Google Ads, a CMS, or CRM platform). In these situations:

• Our client is the Data Controller for that data.
• ilumi Technologies Ltd acts as the Data Processor and processes that data only on the client's documented instructions.
• Where we handle end-user personal data as part of a client engagement, we will enter into a Data Processing Agreement (DPA) with that client, as required by Article 28 UK/EU GDPR.
• Any temporary access credentials are revoked immediately upon project completion or session end.

Clients are responsible for ensuring their own data collection practices comply with applicable law. We will promptly notify clients of any breach or issue affecting their data during our engagement.

8. Audit Results & Exported Data

By requesting an Optimal Website Audit, you confirm you are the owner or authorised representative of the domain submitted. Audit results reflect only publicly accessible performance and SEO information and are provided for informational purposes only.

Once you export or share your audit results, that data leaves our infrastructure. You are solely responsible for its security and handling once shared. We do not track, control, or accept liability for how third parties handle exported audit data.

9. Children's Privacy

Our services are directed at business professionals. We do not knowingly collect personal data from individuals under 16 in the EEA or under 13 in the UK. If you believe we have inadvertently done so, contact us at [email protected] and we will delete it immediately.

10. Links to Other Websites

Our website may contain links to third-party sites (including Stripe and Brevo as referenced in this policy). This Privacy Policy applies only to ilumi Technologies Ltd. We encourage you to review the privacy policies of any external sites you visit.

11. Changes to This Policy

We review this policy regularly and update it whenever our services or processing activities change materially. Significant changes will be reflected in an updated effective date and version number at the top of this page. Where changes materially affect how we use your data, active clients and subscribers will be notified directly by email. Continued use of our services after any update constitutes acceptance of the revised policy.

12. Protecting Our Team's Privacy

We respect the privacy of our staff and contractors. No personal information relating to our team is shared externally without their knowledge and consent.

Contact

For questions about this policy, your personal data, or to exercise your rights:
Email: [email protected]
Post: ilumi Technologies Ltd, 82A James Carter Road, Mildenhall IP28 7DE