This Privacy Policy explains how Sheriff Brain Digital (“we”, “us”, “our”) collects, uses, and protects personal data in connection with our services. Our services include custom website design, web hosting, server maintenance, lead generation tools, automated review request systems, SMS and email messaging tools, and related automation infrastructure (the “Services”).
We process personal data in accordance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (“PECR”).
By engaging our Services, accessing our systems, or utilizing our hosted infrastructure, you acknowledge that you have read and understood this Privacy Policy.
2. Scope of This Policy
This Policy applies to personal data processed in connection with:
* Our direct business relationship with clients, including website subscribers and trade business owners (“Client Data”).
* Personal data provided to us by clients or captured dynamically via clients' hosted websites, web forms, and communication channels relating to their customers, leads, or contacts (“End Customer Data”).
3. Data We Collect
We may collect and process the following categories of data:
* Client Data: Name, business name, email address, telephone number, billing address, payment details, domain registration configurations, and website design preferences necessary to provision and manage your account and hosted infrastructure.
* End Customer Data: Names, phone numbers, email addresses, job completion statuses, and communication histories submitted manually by the client, integrated via third-party trade software, or captured directly via contact forms, lead forms, and chat widgets deployed on the client's hosted website.
We do not intentionally collect or process special category data (such as health data, criminal records, or trade union memberships).
4. Data Protection Roles
For the purposes of the UK GDPR:
* The Client acts as the Data Controller in respect of all End Customer Data, including all leads captured via their hosted website and contacts imported into the automation infrastructure.
* Sheriff Brain Digital acts strictly as a Data Processor, processing such data solely on the documented, contractual instructions of the client to maintain their website and run their automation nodes.
* We do not determine the purpose or means of processing End Customer Data and accept no responsibility for the underlying legality, consent acquisition, or management of such data.
5. Lawful Basis for Processing
* We process Client Data on the basis of contractual necessity (to build, host, and maintain your website and automations) and legitimate interests (operating, securing, and improving our technical infrastructure).
* We process End Customer Data strictly on behalf of the client. The client is solely responsible for establishing and maintaining a valid lawful basis for such processing, including compliance with PECR regarding automated SMS and email routing.
6. Use of Personal Data
We use personal data to:
* Operate, host, secure, and optimize custom client websites.
* Route automated review requests, missed call text-backs, and client communication workflows.
* Manage client accounts, subscriptions, and process recurring invoice payments.
* Monitor website form submissions and ensure reliable lead delivery to the client.
* Provide technical support and diagnose system or server errors.
We do not sell, rent, or trade personal data to third parties for marketing purposes.
7. Client Responsibility and Website Compliance Warranty
Where a client utilizes our hosted web infrastructure or automation engines, the client warrants that:
* All End Customer Data has been collected and shared in full compliance with applicable data protection laws.
* Any contact form, lead form, or tracking tool deployed on their rented website features a compliant, visible privacy notice informing users how their data is handled.
* Individuals have been appropriately informed that their data may be used for automated communications (such as review requests) and processed via third-party web hosts.
* The client has full authority to instruct us to store and process that data on our servers.
We rely entirely on these representations and accept no liability arising from unlawful, non-compliant, or improper data captured by or provided to our systems by the client.
8. Data Sharing and Sub-Processors
We may share data with trusted third-party service providers (Sub-Processors) strictly for the purpose of delivering our website hosting and automation services. These include:
* Cloud hosting and server infrastructure providers.
* SMS gateways, telecommunication networks, and email delivery platforms.
* Customer Relationship Management (CRM) and database management tools.
* Integrated trade business software systems (upon client instruction).
All such sub-processors are contractually bound to implement stringent security measures and process data in strict accordance with UK data protection laws.
9. International Transfers
Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place, including utilizing UK adequacy decisions or standard contractual clauses (SCCs) to guarantee the data remains fully protected.
10. Data Retention and Account Deactivation
* We retain Client Data for the duration of the active subscription engagement and as required to fulfill statutory legal or tax obligations.
* We retain End Customer Data in accordance with the client's instructions.
* Upon termination of the subscription service or cessation of the website rental contract, the hosted website, attached forms, and localized data stores will be permanently deactivated and purged from our active servers, subject to any legal or regulatory retention overrides.
11. Data Security
We implement appropriate technical and organizational measures to safeguard personal data against unauthorized access, loss, alteration, or disclosure. This includes utilizing secure server hosting, encryption protocols, and controlled access layers. However, no digital system is entirely secure, and we cannot guarantee absolute security.
12. Data Subject Rights
Individuals have specific rights under the UK GDPR, including the right to access, rectify, erase, restrict, or object to the processing of their data.
* Where an individual contacts us regarding data where we act as a Data Processor (End Customer Data), we will redirect that request to the relevant client as the Data Controller.
* Where we act as the Data Controller (Client Data), individuals may exercise their rights by contacting us directly at [email protected].
13. Communications, Website Forms, and Opt-Outs
All automated marketing or review communication loops sent via our systems must include a clear, operational opt-out or unsubscribe mechanism.
* Where an individual opts out via SMS or email, our system is designed to implement suppression instructions automatically.
* The client remains responsible for ensuring that form submissions on their website do not violate local marketing communication regulations.
14. Third-Party Integration Services
Our custom websites and automations frequently connect via APIs to external applications, client booking software, and third-party platforms. We are not responsible for the privacy practices, tracking mechanisms, or data policies governing those external third-party applications.
15. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect infrastructure modifications, server changes, or regulatory updates. Continued maintenance of your website subscription or interaction with our systems constitutes acceptance of the updated Policy terms.
16. Contact and Regulatory Authority
For any privacy-related enquiries, data deletion requests, or infrastructure clarity:
If you are a UK resident and believe your data has been handled incorrectly, you have the right to lodge a formal complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk.
