Privacy Policy

Last updated: 29 October 2025 • Version: 1.0

UK GDPR / DPA 2018 EU GDPR (where applicable) PECR (Cookies & Marketing)

Summary: We (FullStack Marketing) are a UK sole trader business. We act as data controller for personal data we collect via our website, forms and marketing. This policy explains what we collect, why, the lawful bases we rely on, who we share data with, how long we keep it, international transfers, your rights and how to contact us. It applies to this website and related services.

Legal not advice: This page explains our practices but is not legal advice. If you have questions, contact us at [email protected].

Full Stack Marketing Agency – Growth & Performance Partner

FullStackMarketing.co.uk operates as Full Stack Marketing Agency – Growth & Performance Partner, registered with the Information Commissioner’s Office (ICO Registration: ZB975053).

1) Who we are (Controller)

FullStack Marketing (the “Company”, “we”, “us”, “our”) is the trading name of a UK sole trader operated by Michael Roberts. For data protection law, we are the controller of personal data processed via this site.

ICO Registration (UK): ZB975053
Contact (privacy): [email protected]
General contact: [email protected]
Postal: United Kingdom (correspondence address available upon request for verified inquiries)

If you are in the EEA, you may contact us using the details above. If, in the future, we appoint an EU representative, details will be added here.

2) Data we collect

2.1 Data you provide

Inquiry & booking forms: name, email, phone, company, role, project details, budgets, preferences.
Account/portal access (if offered): login identifiers, support messages, uploaded files.
Marketing sign‑up: email address, consent and preferences.
Billing (if we invoice you online): invoicing details, VAT number, billing address. We do not directly process card data on our servers; payments are handled by third‑party processors.

2.2 Data collected automatically

Device & usage: IP address, device identifiers, browser type, pages viewed, referring URLs, timestamps, approximate location (country/region), events (clicks, scrolls) – via analytics and security tools.
Cookies & similar tech: see Cookies.
Server logs & security: firewall logs, error logs (e.g., Cloudflare, web server), used to protect our services.

2.3 Data from third parties

Advertising & social platforms: aggregated audience insights when we run ads (Google, Meta, LinkedIn, TikTok).
Lead sources & directories: publicly available business contact data or leads you share with us.

3) How we use data (purposes & lawful bases)

We only use personal data when allowed by law. Below are the typical purposes and legal bases under UK/EU GDPR:

Purpose	Lawful basis	Typical data
Provide and operate our website, respond to inquiries, deliver proposals and services.	Legitimate interests (to run our business and respond to requests) and/or Contract (pre‑contractual steps/contract performance).	Contact details, inquiry content, project info.
Security, fraud prevention, troubleshooting, and service integrity (including Cloudflare).	Legitimate interests (security and abuse prevention) and/or Legal obligation.	IP, logs, device information.
Analytics to improve content, UX and performance (e.g., Google Analytics).	Consent (via our cookie banner/CMP), where required by PECR; otherwise Legitimate interests with privacy‑friendly settings.	Usage data, device information, events.
Marketing communications (newsletters, updates) and audience building for ads.	Consent for email/SMS marketing to individuals; Legitimate interests for B2B outreach where permitted; Consent for marketing cookies.	Contact details, preferences, cookie IDs.
Billing, accounting, tax and compliance.	Legal obligation (tax/accounting) and Contract.	Billing details, transaction records.

4) Cookies & similar technologies

We use cookies, pixels and local storage to operate the site, keep it secure, measure performance and, with your consent, personalise marketing. Under UK PECR, non‑essential cookies require prior consent. You can change your preferences anytime via the cookie banner or review your cookie settings.

Typical categories

Strictly necessary – required for core functionality and security (e.g., Cloudflare __cf_bm / cf_clearance).
Analytics – privacy‑centric measurement (e.g., Google Analytics with IP masking; or self‑hosted alternatives).
Marketing – ad pixels and identifiers (e.g., Google Ads, Meta, LinkedIn, TikTok) set only with consent.

We may use a Consent Management Platform (e.g., Cookiebot) to record and honour your choices. Cookie declarations (specific cookie names, lifetimes and providers) are available in the banner details and may change over time.

6) International data transfers

Some providers may process data outside the UK/EEA. Where they do, we rely on appropriate safeguards such as adequacy decisions, Standard Contractual Clauses (SCCs) and UK Addendum/IDTA, plus supplementary measures where necessary.

7) Data retention

We keep personal data only as long as needed for the purposes described or to comply with legal, accounting or reporting requirements. Typical periods:

Inquiry data: 18 months after last interaction (unless we begin a business relationship).
Client records & contracts: 6–7 years after the end of the engagement (for tax/legal obligations).
Marketing consents: until you withdraw consent or we determine the address is inactive.
Security logs: up to 12 months unless needed longer for investigations.

8) Security

We implement technical and organisational measures appropriate to the risk, including encryption in transit (HTTPS), firewalling/CDN protection, access controls, principle of least privilege, regular updates, backups and staff awareness. No online service is 100% secure, but we work to protect your data.

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will assess it promptly and notify the ICO and affected users when required by law.

9) Your rights (UK/EU)

Subject to conditions and exemptions, you have the right to request: access, rectification, erasure, restriction, portability and to object to certain processing (including where based on legitimate interests). Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.

How to exercise your rights

Email us at [email protected] with your request. We may need to verify your identity. We aim to respond within one month.

10) Marketing preferences

You can opt out of marketing emails at any time by using the unsubscribe link or contacting us.
Advertising cookies/pixels are used only with your consent and can be managed via the banner.
For B2B outreach, we balance our legitimate interests with your privacy expectations and provide easy opt‑out.

11) Children

Our services are not directed to children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us data, please contact us to delete it.

12) Questions & complaints

Questions about this policy or our data practices? Contact our Data Protection Lead at [email protected].

If you are not satisfied, you have the right to complain to the UK Information Commissioner’s Office (ICO). See ico.org.uk/make-a-complaint for guidance.

13) Changes to this notice

We may update this policy to reflect changes in law, technology or our services. When we post changes, we will update the “Last updated” date above. Significant changes may be communicated by notice on the site or email where appropriate.