Privacy Notice

Last updated: 15 March 2026

This notice explains how Studio Prosper ("we", "us") collects, uses, stores, and protects personal data. It covers two categories of people: prospective clients (businesses we contact) and paying clients (businesses that purchase our services).

        In plain English: We find UK trade businesses on Google Maps that don't have a website. We build them a sample site and email them once to show it. If they're not interested, we delete everything. If they buy, we keep what's needed to run their site and meet our tax obligations. We never sell your data.
    

1. Who We Are

Studio Prosper is a sole trader business operated by David Prosper, based in Manchester, United Kingdom. Our data protection contact is:

team@studioprosper.co.uk

2. What Data We Collect and Where From

2a. Prospective clients (outbound contact)

We collect the following data from publicly available Google Maps business listings:

Business trading name
Business address (as listed on Google Maps)
Business phone number (as listed on Google Maps)
Google star rating
Business category / industry
Business email address (from public website or listing, where available)
Business photos (from Google Maps listing)

We do not collect personal home addresses, personal phone numbers, or any data about individuals — only data about businesses that is already publicly visible on Google.

2b. Paying clients

When you purchase our services, we additionally collect:

Email address (for Stripe payment and project communications)
Any text, images, or logo files you send us for your website
Email correspondence about your project

Payment card details are processed entirely by Stripe. We never see or store your card number, expiry date, or CVV.

3. How We Use Your Data

Purpose	Data used	Legal basis
Sending you a one-time email showing a sample website we built for your business	Business name, email, industry, location	Legitimate interest (PECR Regulation 22 — B2B communication based on public listing)
Building and hosting your website	Business name, industry, location, logo, content you provide	Contract performance
Processing your payment	Email, business name, amount	Contract performance
Sending invoices and project updates	Email, business name	Contract performance
Keeping tax records	Payment amount, date, invoice	Legal obligation (HMRC — 6-year retention)
Improving our service (learning which approaches work per industry)	Industry, location, anonymised outcomes	Legitimate interest

4. Automated Processing

We use AI tools (Google Gemini) to generate website copy and to classify inbound email responses. No automated decision with legal or significant effect is made about you — all payment, contract, and service decisions involve human oversight. You can contact us at any time to query any automated output.

5. Who We Share Data With

Third party	Purpose	Data shared
Stripe	Payment processing	Email, business name, payment amount
Google Maps Platform	Finding businesses without websites	Search queries (industry + location) — no personal data sent
Google Gemini AI	Generating website copy	Industry and location only — no personal contact details
Hosting provider (Vercel / Render)	Serving your live website	Website content files only

We do not sell, rent, or trade your personal data with any other party.

6. Data Retention

Data category	Retention period	Reason
Prospect data (non-converted leads)	12 months from collection, then deleted	No ongoing business relationship
Client contact details	Duration of contract + 12 months	Service delivery and follow-up
Payment and invoice records	6 years from transaction date	HMRC legal obligation
Website content files	Duration of hosting contract + 30 days	Service delivery
Email correspondence	Duration of contract + 6 months	Dispute resolution

7. Your Rights

Under UK GDPR, you have the right to:

Access — request a copy of all data we hold about you (Article 15). We will respond within 30 days.
Rectification — request correction of inaccurate data (Article 16). If you change your phone number or email, we will update your records and your website.
Erasure — request permanent deletion of your data (Article 17). We will complete erasure within 72 hours and send you confirmation. Financial records required by HMRC are the only exception.
Data portability — receive your data in a structured, machine-readable format (Article 20).
Object — object to processing based on legitimate interest (Article 21).
Restrict — request that we limit how we use your data (Article 18).
Complain — lodge a complaint with the Information Commissioner's Office (ICO).

How to exercise your rights: Email team@studioprosper.co.uk with your request. If you received an outreach email from us, simply reply with "Remove" and we will permanently delete all data we hold about your business within 72 hours.

8. Outbound Email (PECR Compliance)

If we email you without prior contact, it is because we found your business listed on Google Maps without a website. Under the Privacy and Electronic Communications Regulations (PECR) Regulation 22, this is a one-time business-to-business communication sent on the basis of legitimate interest.

We contact each business once only.
We state our identity and data source in every email.
Every email contains a clear opt-out mechanism.
We do not contact businesses that have opted out or bounced.
We maintain a suppression list to prevent re-contact.

9. Data Security

We protect your data with the following measures:

All payment processing via Stripe over HTTPS (PCI DSS Level 1 certified).
API endpoints secured with authentication tokens.
Input sanitisation to prevent injection attacks.
Email phishing detection on inbound messages.
Secrets stored in environment variables, never in code repositories.
CORS restrictions limiting API access to authorised domains only.

10. Cookies

Our website (studioprosper.co.uk) does not use tracking cookies or analytics. Stripe's payment pages may set cookies for fraud prevention — see Stripe's cookie policy.

11. Children

Our services are for businesses only. We do not knowingly collect data from anyone under 18.

12. Changes to This Notice

We may update this notice from time to time. The current version is always available at studioprosper.co.uk/privacy. Material changes will be communicated to active clients by email.