Who we are
Penby Ltd is a data protection and marketing technology consultancy registered in England and Wales. We operate from the United Kingdom and help businesses build marketing systems that comply with privacy regulation.
Penby Ltd
Email: [email protected]
Website: penby.co.uk
When we refer to "we", "us", or "Penby" in this policy, we mean Penby Ltd.
What data we collect
We collect very little. Here's the complete list:
- Contact form submissions – When you use our contact form, we collect your name, email address, and whatever you write in the message field. We don't collect anything else automatically from that interaction.
- Newsletter signups – If you choose to subscribe to our newsletter, we collect your email address. Nothing more.
- Analytics data – We use Fathom Analytics, which is cookieless and privacy-first. Fathom does not collect personal data. It records aggregate page views and referrer information without identifying individual visitors. No IP addresses are stored. No tracking cookies are set. No visitor profiles are built.
We do not collect:
- Payment or financial information – we don't process payments through this website
- Sensitive personal data – racial or ethnic origin, political opinions, religious beliefs, health data, or similar
- Data from children – this website is not directed at anyone under 18
How we use your data
Each type of data we collect has a specific, limited purpose:
- Contact form submissions – We use these solely to respond to your enquiry. If your message leads to a working relationship, we'll discuss separate data handling arrangements as part of that engagement.
- Newsletter – If you've opted in, we use your email address to send you our newsletter. That's it. We don't profile subscribers, segment by behaviour, or sell access to our mailing list.
- Analytics – We use Fathom's aggregate data to understand which pages are useful and where visitors come from. This helps us improve the site. Since Fathom doesn't collect personal data, there's nothing to misuse.
Legal basis for processing
Under UK GDPR, we need a legal basis for processing personal data. Here's what applies to each activity:
- Analytics (Fathom) – Legitimate interest. Fathom's cookieless, privacy-first approach means we can understand site usage without impacting your privacy. Since no personal data is collected, this is about as unintrusive as web analytics can be.
- Newsletter – Consent. You actively opt in when you subscribe, and you can withdraw that consent at any time by clicking the unsubscribe link in any email.
- Contact form – Depending on context, this falls under either contractual necessity (you're getting in touch about working together) or legitimate interest (you're asking a general question and would reasonably expect a reply).
Data sharing
We don't sell, rent, or trade your data. We do use a small number of service providers to operate this website:
| Service | Purpose | Data involved | Location |
|---|---|---|---|
| Fathom Analytics | Privacy-first web analytics | Aggregate, non-personal data only | EU (Germany) |
| Brevo | Newsletter delivery | Subscriber email addresses | EU |
| Ploi Cloud | Website hosting | Contact form submissions (in transit) | EU (Amsterdam) |
| Cloudflare | CDN, DDoS protection, security | IP addresses (for security processing, not stored long-term) | Global edge network, EU data processing |
| Postmark | Transactional email delivery | Email address, name (from contact form) | US-based* |
*Postmark (operated by ActiveCampaign) processes transactional emails. They act as a data processor under our instructions and are certified under the EU-US Data Privacy Framework. Contact form data passes through Postmark only for the purpose of delivering the email notification to us. They do not retain message content beyond delivery.
We have reviewed each provider's data processing practices. We chose these services specifically because they either operate entirely within the EU or have robust data protection frameworks in place.
International transfers
Our infrastructure is predominantly EU-based:
- Hosting – Ploi Cloud, Amsterdam (EU)
- Analytics – Fathom Analytics, EU-hosted (Germany)
- Newsletter – Brevo (EU)
- CDN/Security – Cloudflare operates a global edge network but processes data under EU data protection standards with appropriate safeguards in place, including Standard Contractual Clauses
- Transactional email – Postmark is US-based and certified under the EU-US Data Privacy Framework
We have deliberately chosen EU-based services wherever possible. Where a service involves data leaving the EU, appropriate transfer mechanisms are in place as required by UK GDPR.
Data retention
We keep data for as long as it's needed and no longer:
- Contact form submissions – Retained for 12 months from the date of the enquiry, then deleted. If an enquiry leads to a client engagement, retention is governed by our client agreement terms.
- Newsletter subscribers – Your email address is retained until you unsubscribe. Once you unsubscribe, your data is removed from our mailing list.
- Analytics data – Fathom Analytics stores aggregated, non-personal data. There is no personal data to retain or delete.
- Server logs – Standard server logs may contain IP addresses and are automatically rotated and deleted within 30 days.
Your rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right of access – You can ask us what personal data we hold about you and request a copy.
- Right to rectification – If any data we hold is inaccurate or incomplete, you can ask us to correct it.
- Right to erasure – You can ask us to delete your personal data. We'll do so unless we have a legal obligation to keep it.
- Right to restrict processing – You can ask us to limit how we use your data in certain circumstances.
- Right to data portability – Where we process your data based on consent or contract, you can ask for it in a machine-readable format.
- Right to object – You can object to processing based on legitimate interest. We'll stop unless we have compelling grounds to continue.
- Right to withdraw consent – Where processing is based on consent (such as the newsletter), you can withdraw that consent at any time. For the newsletter, use the unsubscribe link. For anything else, email us.
- Right to complain – If you're unhappy with how we've handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). You can contact the ICO at ico.org.uk or by phone on 0303 123 1113.
To exercise any of these rights, email us at [email protected]. We'll respond within one month, as required by law.
Cookies
We keep this simple: we don't use tracking cookies.
Fathom Analytics is entirely cookieless. It doesn't set any cookies at all – no first-party, no third-party, nothing. This is one of the reasons we chose it.
Cloudflare Turnstile (our form protection service) may set functional cookies necessary for bot detection. These are strictly functional – they don't track you across sites or build a profile. They exist solely to distinguish humans from automated scripts when you submit a form.
We don't use:
- Marketing or advertising cookies
- Social media tracking pixels
- Third-party analytics cookies
- Any form of cross-site tracking
You don't need to accept a cookie banner on this site because there are no optional cookies to consent to.
Changes to this policy
If we make changes to this policy, we'll update the "last updated" date at the top of this page. For significant changes – such as using a new service provider that handles personal data – we'll make reasonable efforts to notify affected individuals directly.
We won't make changes that reduce your rights or weaken protections without clear notice.
Contact us
If you have questions about this policy, want to exercise your rights, or just want to know more about how we handle data, get in touch:
Email: [email protected]
Website: penby.co.uk/contact
We're a privacy consultancy. We're not going to be evasive about our own practices.