1. Who we are
SteadyWeb ("we", "us", "our") is a UK-based managed website service. We provide website design, hosting, domain registration, business email and ongoing website management for tradespeople and local service businesses across the United Kingdom.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025), SteadyWeb is the data controller responsible for your personal data.
How our team is structured. SteadyWeb is operated from the UK. To deliver web design, development and SEO work efficiently, we work with a dedicated production team based in Pakistan. They handle the design and build, content drafting, technical SEO and ongoing optimisation work. Your personal identity data — your name, email address, phone number, postal/billing address and payment details — is held only by the UK side of SteadyWeb and is not shared with our overseas team. The production team only accesses what is strictly needed to build and maintain your public-facing website (for example, your business name and trade, the content you provide for the site, and account credentials on a need-to-use basis), strictly under our instruction. This is a deliberate data-minimisation choice to reduce UK GDPR transfer risk. Full details, safeguards and exactly what is and isn't shared are set out in Section 8 (International data transfers).
Contact:
Email: [email protected]
Address: 192A Stapleton Road, Bristol, BS5 0NY, United Kingdom
2. What personal data we collect
We collect and process the following categories of personal data:
| Category | Examples | Source |
| --- | --- | --- |
| Identity data | Full name, business name, trade/profession | Application form |
| Contact data | Email address, phone number, postcode, business address | Application form, correspondence |
| Website data | Current website URL, content preferences, design requirements, business descriptions, uploaded images | Application form, onboarding |
| Credential data | Hosting login details, domain registrar credentials, email account credentials, WordPress admin credentials, third-party service logins (provided by you or created on your behalf) | Provided by client or created during setup |
| Payment data | Billing information, payment method details | Payment processor (we do not store full card numbers) |
| Technical data | IP address, browser type, device type, pages visited on steadyweb.co.uk | Automatically collected via cookies/analytics |
| Communication data | Emails, support requests, phone call notes, form submissions | Correspondence with us |
| Performance data | Website analytics for sites we manage (traffic, page views, form submissions) | Website analytics tools |
We do not knowingly collect any special category data (e.g. health information, religious beliefs, political opinions, biometric data). If you inadvertently provide such data in correspondence, we will delete it unless required to retain it for a specific lawful purpose.
3. How we use your data
We use your personal data for the following purposes:
- To provide our service: designing, building, hosting and managing your website; registering your domain name; setting up your business email; performing content updates and maintenance.
- To communicate with you: responding to enquiries, sending onboarding information, providing monthly performance reports, notifying you of issues with your website.
- To process payments: collecting subscription fees and managing your billing account through our payment processor.
- To maintain security: monitoring your website for malware, managing backups, applying security patches, and managing hosting credentials on your behalf.
- To improve our service: understanding how our website (steadyweb.co.uk) is used, identifying areas for improvement, and resolving technical issues.
- To comply with legal obligations: fulfilling our obligations under UK law, including tax, accounting and regulatory requirements.
We will never sell, rent, lease or trade your personal data to any third party for marketing purposes.
4. Lawful basis for processing
Under Article 6 of the UK GDPR, we rely on the following lawful bases:
| Purpose | Lawful Basis |
| --- | --- |
| Providing the managed website service | Contract: processing is necessary for the performance of our contract with you (Article 6(1)(b)) |
| Storing and managing your credentials | Contract: necessary to deliver the service, with Consent for any optional retention beyond service delivery |
| Sending service-related communications | Contract: necessary to fulfil our obligations |
| Processing payments | Contract: necessary to collect agreed fees |
| Website analytics on steadyweb.co.uk | Legitimate interests: to understand usage and improve our service (Article 6(1)(f)) |
| Complying with legal/tax obligations | Legal obligation: required by UK law (Article 6(1)(c)) |
| Marketing communications (e.g. newsletter) | Consent: only with your explicit opt-in (Article 6(1)(a)) |
Where we rely on legitimate interests, we have conducted a legitimate interests assessment and are satisfied that your rights and freedoms are not overridden. You may request details of this assessment at any time by contacting us.
5. Credential storage & website access
Why we store credentials: As part of managing your website, we require access to your hosting account, domain registrar, WordPress admin panel, business email accounts, and any related third-party services. We store these credentials securely so we can perform updates, backups, security patches, and content changes on your behalf, and so we can assist you if you forget or lose access to your own accounts.
What credentials we may hold
- Hosting control panel login details
- Domain registrar login details
- WordPress admin username and password
- Business email account credentials (created during setup)
- FTP/SFTP access details
- DNS management credentials
- Any third-party service logins created or provided as part of the website build (e.g. Google Search Console, analytics accounts)
How we protect credentials
- All stored credentials are encrypted at rest using industry-standard encryption.
- Access is restricted to authorised SteadyWeb team members only, on a need-to-access basis.
- We use secure, encrypted credential management tools. Credentials are never stored in plain text, spreadsheets, or email.
- We conduct regular access reviews and immediately revoke internal access when team members leave.
Your right to opt out or revoke access
You are always in control. You can request at any time that we:
- Delete any or all stored credentials from our systems
- Change your passwords and stop storing them
- Provide you with a full export of all credentials we hold for your accounts
- Restrict our access to specific services only
To make any of these requests, email [email protected]. We will action your request within 5 working days. Please note that revoking access to certain services may limit our ability to deliver parts of the managed service (e.g. performing updates or restoring backups).
If you revoke credential access, we will clearly communicate to you which parts of the service may be affected. The responsibility for managing those services would then transfer to you or your chosen provider.
Upon cancellation of your SteadyWeb subscription, we will either securely delete all stored credentials within 30 days, or transfer them to you upon request, whichever you prefer. If we do not hear from you, credentials will be securely deleted automatically.
6. Third-party services & processors
To deliver our service, we rely on the following categories of processors and third-party providers. Each is selected for reliability, security and, where applicable, UK GDPR compliance:
| Service Type | Purpose | Data Shared |
| --- | --- | --- |
| Hosting provider | Hosting your website on UK/EEA servers | Website files, database content, email data |
| Domain registrar | Registering and managing your domain name | Name, address, email (required by ICANN/registrar) |
| Payment processor | Processing subscription payments | Name, email, payment method (we never see/store full card details) |
| Email delivery service | Sending transactional emails (e.g. form notifications, reports) | Email address, name |
| Form processing (Formsubmit.co) | Processing application form submissions on steadyweb.co.uk | All data submitted via the form |
| Analytics (if used) | Understanding traffic to steadyweb.co.uk | Anonymised/pseudonymised usage data, IP address |
| Security & CDN | Firewall, malware protection, performance | IP addresses, request data |
| SteadyWeb production team (Pakistan) | Web design, development, technical SEO, content drafting and ongoing optimisation, under a written processing agreement | Business details intended for public display, public-facing website content, aggregated analytics, credentials on a need-to-use basis. Excludes your name, email, phone, postal address, billing/payment data and customer enquiry submissions (see Section 8) |
We have data processing agreements in place with our key sub-processors where required. We do not use your personal data, or your customers' data, for our own marketing or analytics purposes beyond what is described in this policy.
7. Data sharing
The principle: we share your personal data only with the processors who deliver the service to you, and only what they need. We do not share your data with anyone for marketing, advertising or any unrelated commercial purpose. Your customers' personal data, including anything submitted through enquiry forms on a site we build for you, belongs to you and is not used by us, sold, or shared with anyone.
We will never sell, rent or trade your personal data. We may share your data only in the following limited circumstances:
- Service providers and processors: the parties listed in Section 6, strictly for the purposes of delivering our service to you, and only with the data they need.
- Legal requirements: where we are required to disclose information by law, regulation, court order, or governmental request.
- Business transfer: if SteadyWeb is acquired, merged, or sells substantially all of its assets, your data may be transferred to the successor entity. We will notify you in advance and your rights will be preserved.
- With your explicit consent: in any other circumstance, only with your clear, informed agreement.
8. International data transfers
Your hosting, backups and domain records are stored within the United Kingdom and the European Economic Area (EEA). However, parts of our day-to-day production work (web design, development, technical SEO, content drafting and ongoing optimisation) are carried out by our dedicated team based in Pakistan. Pakistan is not currently the subject of a UK adequacy decision, so where personal data is accessed by team members outside the UK/EEA, we treat it as a restricted international transfer under UK GDPR and apply specific safeguards.
What our overseas team can access
Strictly limited to what is needed to design, build, optimise and maintain your public-facing website. In practice that means:
- Your business details intended for public display (trade, business name, service area, opening hours)
- Content you provide for the site (about-page copy, service descriptions, photos)
- Aggregated website analytics (traffic, page performance, conversion counts)
- Account credentials we hold on your behalf, only when needed to perform a specific task (e.g. publishing an update, applying a security patch), accessed through encrypted password managers — never plain-text
What our overseas team does not access
As a deliberate data-minimisation measure, the following categories are held only by the UK side of SteadyWeb and are not transferred to or accessed by our overseas team:
- Your personal identity data — your full name, email address and phone number
- Your postal address and business billing address
- Your payment and billing information, including any card or bank details on file
- Your customers' enquiry-form submissions, beyond aggregated counts in the monthly performance report
- Any personal data your customers submit through your live website's contact forms
- Direct correspondence between you and SteadyWeb (emails, support tickets, phone-call notes)
Personal data submitted by your customers through your live website is delivered directly to you (and to our UK office for monitoring deliverability). Our overseas team does not handle that data.
Safeguards we have in place
- Written data processing agreement with our overseas team in line with Article 28 of the UK GDPR, including confidentiality and security obligations binding on every individual team member.
- UK International Data Transfer Agreement (IDTA), or where applicable the UK Addendum to the EU Standard Contractual Clauses, covering all restricted transfers as required by UK GDPR Article 46.
- Transfer Risk Assessment (TRA) reviewed periodically to confirm that, taken together, our contractual, technical and organisational measures provide a level of protection essentially equivalent to that under UK law.
- Strict access controls on a need-to-know basis. Credentials are accessed through encrypted password managers; team members never see plain-text passwords or full payment details.
- Encryption of all data in transit (TLS) and at rest, including any working files used by our overseas team.
- Confidentiality obligations in writing for every individual contributor, with immediate revocation of access if their engagement ends.
- No onward transfers. Our overseas team is contractually prohibited from sub-processing your data to anyone else without our prior written authorisation and equivalent safeguards.
Other international transfers
Some of our other technology providers (for example, email delivery, analytics, security/CDN) may also process limited data outside the UK/EEA. Where that happens, we rely on one or more of the following:
- Transfers to countries with a UK adequacy decision (e.g. EEA, the EU–UK Trade and Cooperation Agreement countries)
- The UK Extension to the EU–US Data Privacy Framework (for certified US-based processors)
- Standard Contractual Clauses or the UK IDTA, supported by a Transfer Risk Assessment
You may request a current list of our sub-processors and the specific safeguards in place by emailing [email protected] with the subject line "Sub-processor list".
9. Data retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:
| Data Type | Retention Period |
| --- | --- |
| Active client data (contact, website, credentials) | For the duration of your subscription, plus 30 days after cancellation |
| Application form data (non-clients) | 12 months from submission, then securely deleted |
| Invoices and payment records | 6 years from the transaction date (HMRC requirement) |
| Email correspondence | Duration of subscription plus 12 months, unless longer retention is required by law |
| Website backups (your site) | Rolling 30-day backups; all backups deleted within 30 days of cancellation |
| Analytics data (steadyweb.co.uk) | 26 months (anonymised/aggregated) |
| Stored credentials | Deleted within 30 days of cancellation (or sooner if you request it) |
When personal data is no longer needed, we securely delete or anonymise it. You may request earlier deletion at any time, subject to our legal obligations.
10. Data security
We take the security of your data seriously and implement appropriate technical and organisational measures, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Encrypted credential storage using industry-standard tools
- Regular software and security updates on all systems
- Access controls with the principle of least privilege
- Regular backups with secure off-site storage
- Firewall and malware protection on all managed websites
- Periodic security reviews and vulnerability assessments
No system is 100% secure. While we take every reasonable measure to protect your data, no method of electronic storage or transmission is completely secure. We cannot guarantee absolute security, but we commit to notifying you and the ICO without undue delay (and in any event within 72 hours) in the event of a data breach that poses a risk to your rights and freedoms.
11. Your rights under UK GDPR
Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): request deletion of your personal data where there is no compelling reason for continued processing.
- Right to restrict processing: request that we limit how we use your data in certain circumstances.
- Right to data portability: request a copy of your data in a structured, machine-readable format.
- Right to object: object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
- Rights relating to automated decision-making: we do not make any solely automated decisions that produce legal or similarly significant effects on you.
To exercise any of these rights, please email [email protected] with the subject line "Data Rights Request". We will respond within one calendar month of receiving your request. In complex cases, we may extend this by a further two months, but we will inform you within the first month if this is necessary.
There is no fee to exercise your rights, unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.
12. Cookies & tracking
Our marketing website (steadyweb.co.uk) may use the following types of cookies:
| Type | Purpose | Required? |
| --- | --- | --- |
| Strictly necessary | Essential for the website to function (e.g. form submission, security) | Yes, cannot be disabled |
| Analytics | Help us understand how visitors use the site (e.g. Google Analytics with IP anonymisation, or a privacy-focused alternative) | Optional, only with your consent |
We do not use advertising cookies, retargeting pixels, or social media tracking scripts on steadyweb.co.uk.
For client websites we build and manage: any cookies used will be specific to the functionality of that site (e.g. WordPress session cookies). We do not add tracking scripts to your website without your knowledge and consent.
You can control cookies through your browser settings. Disabling strictly necessary cookies may impair the functionality of our website.
13. Website transfer & cancellation
Your relationship with SteadyWeb is on a rolling monthly basis with no long-term contract. You may cancel at any time.
If you cancel
- Your website will remain live until the end of your current paid billing period.
- After that, the site will be taken offline and all associated data (website files, database, backups, stored credentials) will be securely deleted within 30 days.
- Your domain name remains your property. We will provide you with the information needed to manage it independently or transfer it to another registrar.
If you want to transfer the website
- Within the first 6 months: If you wish to take the website we designed and move it to another hosting provider or developer, a one-off transfer fee of £250 applies. This covers the initial design, development and setup work.
- After 6 months: The website is yours to transfer free of charge. We will provide all files, databases, and credentials needed to move the site.
- If you cancel without requesting a transfer, you simply stop paying and the site comes down. No transfer fee applies.
Upon transfer or cancellation, we will delete all stored credentials and personal data in accordance with our retention policy (Section 9), unless you request an export or are required by law to retain certain records.
14. Limitation of liability
To the fullest extent permitted by applicable law:
- SteadyWeb provides the managed website service on an "as is" and "as available" basis. While we make every reasonable effort to ensure uptime, performance, and security, we do not guarantee uninterrupted or error-free operation of any website.
- We are not liable for any indirect, incidental, special, consequential or punitive damages, including loss of profits, revenue, data, business opportunities, or goodwill, arising from your use of our service, even if we have been advised of the possibility of such damages.
- Our total aggregate liability to you for any claims arising from or relating to our service shall not exceed the total fees paid by you in the 12 months preceding the claim.
- We are not liable for any loss, damage, or unauthorised access arising from credential storage where we have implemented the security measures described in this policy. If you choose to revoke our credential access (Section 5), the responsibility for securing and managing those accounts transfers to you.
- We are not responsible for the content, accuracy, or legality of the information you provide for inclusion on your website. You warrant that you have the right to use any content, images, or trademarks you supply to us.
- We are not responsible for the actions of third-party service providers (hosting companies, domain registrars, payment processors), although we select these providers with due care.
- We do not guarantee specific search engine rankings, traffic volumes, or business results. Any statistics referenced on our marketing materials are based on industry data and third-party sources, and individual results will vary.
Nothing in this policy excludes or limits our liability for death or personal injury caused by our negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited under applicable law.
15. Children's privacy
Our service is intended for adults operating businesses and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will delete that information promptly.
16. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify active clients by email where the changes materially affect how we process their data
- Publish the updated policy on this page
Your continued use of our service after any update constitutes acceptance of the revised policy. We encourage you to review this page periodically.
17. Contact us & complaints
If you have any questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how we handle your personal data, please contact us:
Email: [email protected]
Subject line: "Privacy Enquiry" or "Data Rights Request"
We aim to resolve all concerns directly. However, if you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113
We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first.