This notice explains what personal data Studio Prosper collects, why we collect it, who we share it with, and the rights you have under UK GDPR. We've kept it short and in plain English.
Plain English
We're a small Essex studio. We collect only what we need to introduce you to a cleaner, build your website, or send you a one-time business email. We don't sell your data, ever. If you want it deleted, email us and we'll do it within 30 days.
1. Who we are
Studio Prosper is a sole trader business operated by David Prosper, based in Essex, United Kingdom. We are the data controller for the personal data described in this notice.
The data we collect depends on which of our services you use. We collect the minimum needed for the purpose, and we tell you straight what each piece is for.
2a. Need a cleaner (Client Business)
What we collect: business name, contact name, email, phone (if you provide it), site postcode, site type (office, gym, etc.), how often it needs cleaning, rough annual spend bracket, and anything else you write in your reply.
Why: to brief the right local cleaner and introduce them to you.
Lawful basis: performance of pre-contractual steps at your request (UK GDPR Article 6(1)(b)).
Who we share with: the cleaning company we introduce you to, once you confirm you'd like an introduction. We do not share your details with anyone else, and never with cleaners you haven't agreed to be introduced to.
2b. Cleaning Provider (Partner cleaners)
What we collect: business name, director or contact name, business email, business phone, service area (postcode/town), and Companies House details for verification.
Why: to offer you matching contracts, take payment for the finder's fee when you claim one, and (if you're on the Partner plan) chase your client reviews and bill your monthly fee.
Lawful basis: performance of contract / pre-contractual steps. Initial outreach is conducted under PECR / legitimate interest (B2B, see section 5).
Who we share with: Stripe (payment processing), SendGrid (email delivery). We do not share your client list, pricing or revenue with anyone.
2c. Website clients
What we collect: business name, trade, area, contact name and email, your business facts (services, opening hours, phone, email โ the things you want on the site), any content you supply, and (during build) hosting/CMS access credentials.
Why: to design, build, host and maintain your website.
Lawful basis: performance of contract (UK GDPR Article 6(1)(b)).
Who we share with: Stripe (payments), our hosting provider (delivery), domain registrar (if you registered through us), SendGrid (email). Credentials you give us are stored encrypted and deleted within 7 days of project close.
3. Cold business outreach
You may receive an initial email from us if your business appeared in our search for Essex businesses likely to need a cleaner (Agency Connect demand outreach) or small UK trade businesses without a current website (website outreach). This is a business-to-business (B2B) communication, sent under the Privacy and Electronic Communications Regulations (PECR) on the basis of legitimate interest.
What we use to find you: public sources only — Companies House, Google Maps / Places, and your own business website if you have one.
To opt out: reply with "Remove" (any case, any wording with the word in it). We delete your details immediately and add you to a permanent suppression list so you are never contacted again.
Consumers: we only contact businesses. If our outreach reaches a personal/sole-trader address by mistake, replying "Remove" will purge you instantly.
Our team inboxes (leads@ / team@ / digital@) and document storage
Any email correspondence with us, and any files you attach
Hosting provider (DigitalOcean / Vercel)
Website hosting and our backend infrastructure
Server logs (IP, request path) for any visit to a site we host
Cleaning company you choose
Agency Connect introduction
Your name, business, contact details and brief, but only after you confirm the introduction
We do not transfer data outside the UK/EEA where it can be avoided. Where transfers occur (Stripe and Twilio operate from the US), they are covered by the UK Extension to the EU–US Data Privacy Framework or Standard Contractual Clauses.
5. How long we keep your data
Cold outreach replies that say "no thanks" or "Remove": we keep your email on the suppression list indefinitely (so we don't contact you again), but nothing else.
Cleaning enquiries (Client Businesses): active engagement + 12 months after last contact.
Cleaning Provider partners: while your partner status is active + 12 months after closure.
Website clients: while your hosting is active + 12 months after cancellation. Site backups deleted within 30 days of cancellation unless you ask us to keep them.
Financial records (invoices, payments, tax records): 6 years from the end of the tax year, as required by HMRC.
Hosting access credentials: deleted within 7 days of project close.
6. Your rights under UK GDPR
You can ask us to:
Access the personal data we hold about you (subject access request).
Correct anything that's wrong.
Delete it (right to erasure), except where we are legally required to keep it (e.g. financial records for HMRC).
Restrict how we use it.
Object to our legitimate-interest processing, including B2B outreach.
Port a copy of your data to another provider, in a machine-readable format.
Email team@studioprosper.co.uk with the subject line "Data request". We respond within 30 days. Requests are free.
You also have the right to complain to the Information Commissioner's Office (ICO) if you think we've handled your data badly. We'd appreciate the chance to put it right first.
7. Cookies and analytics
This website (studioprosper.co.uk) does not set tracking cookies, does not run third-party analytics like Google Analytics, and does not use ad-tracking pixels. We may keep server access logs (IP address, browser, request path) for security and debugging, deleted within 30 days.
Websites we build for clients may set their own cookies (for example, if they include a contact form or analytics). Each client site has its own privacy notice covering that.
8. Automated processing & AI
We use AI tools (locally-hosted models, plus Anthropic Claude and Google Gemini APIs) for limited internal tasks: drafting first versions of cold-email copy, classifying inbound replies (interested / not / remove), and drafting summaries of cleaning briefs. No automated decision with legal or significant effect is made about you — all final decisions (introducing a cleaner, accepting a website project, sending an invoice) involve human review by David.
You can contact us at any time to ask what automated output we produced about your business, and to request human review of any decision.
9. Security
Live payment data is handled by Stripe; we never store card numbers.
Client emails are stored in Google Workspace (UK/EU region) with two-factor authentication on our accounts.
Cleaning-broker database is hosted on a UK-region server with encryption at rest for personally identifiable fields.
Hosting access credentials we receive are deleted within 7 days of project close.
We have not had a personal data breach. If we ever do, we will notify affected people and the ICO within 72 hours where required.
10. Changes to this notice
We may update this notice from time to time. If we make a material change (new sub-processor, new data category, new purpose), we will email active clients and update the "Last updated" date at the top.