Privacy policy | Heritage Gardens

01

Who we are

This privacy policy applies to Heritage Gardens Ltd, a company registered in England (company number 03847291) with its registered office at The Old Barn, Brailsford, Derbyshire DE6 3BU.

For the purposes of UK data protection law, we are the data controller for any personal information you share with us through this website, by phone, email, or in person. If you'd like to discuss how we handle your data, please email [email protected].

02

What information we collect

We only collect what we genuinely need to do our work. Specifically:

Information you give us directly

Your name and contact details (phone, email, postcode) when you submit an enquiry form or call us
Information about your project — garden size, location, photographs you choose to share, budget if you tell us
Any correspondence you send us by email or post
Payment information if you become a client (handled by our accountants — see Section 6)

Information collected automatically

IP address (truncated for privacy), browser type, device type, and approximate location (country/region only)
Pages you visit, time spent on each, the page you arrived from
Referral source (search engine, social media, direct visit)

We collect this automatic information only when you've consented to analytics cookies. You can decline that consent at any time.

03

How we use your information

We use your personal data for these specific purposes:

Replying to your enquiries. When you contact us about a project, we use your contact details to respond.
Arranging site visits and quotes. Your address, postcode, and project details help us prepare for an initial site visit.
Delivering work we've been commissioned to do. Once you become a client, we use your information to plan, deliver, and follow up on the work.
Improving our website. Anonymised analytics data helps us understand which content visitors find useful, so we can improve over time.
Meeting our legal obligations. We're required to retain certain records for tax, accounting, and HMRC purposes.

We do not use your information for marketing emails, sell it to third parties, or share it with companies you haven't directly engaged with.

04

Legal basis for processing

UK GDPR requires us to have a lawful basis for processing personal data. The bases we rely on are:

Legitimate interest — for replying to enquiries and conducting normal business operations
Contract — for fulfilling work we've been commissioned to deliver
Consent — for analytics cookies and any future marketing communications (always opt-in, never pre-ticked)
Legal obligation — for retaining records that HMRC, Companies House, or other authorities require

05

Cookies & tracking

Cookies are small text files stored on your device when you visit a website. We use them sparingly and never without your consent (except for those strictly necessary to operate the site).

Categories we use

Category	Purpose	Consent required
Strictly necessary	Session management, form submission protection, storing your cookie preferences themselves.	No (legal exemption)
Analytics	Google Analytics 4 — anonymised page-view tracking. Cookie names: `_ga`, `_ga_*`.	Yes
Marketing	Currently not in use. Reserved for any future advertising or remarketing tools.	Yes

Changing your mind. Use the "Cookie settings" link in the site footer to update your preferences at any time. We respect your choice immediately.

We do not use Facebook Pixel, TikTok Pixel, LinkedIn Insight, or similar third-party advertising trackers. If we add any in the future, this policy will be updated and your consent will be requested.

06

Who we share data with

We work with a small number of carefully chosen suppliers who process data on our behalf. Each is contractually bound to handle your information securely and only for the purposes we specify:

Cloudflare (US/global) — website hosting and DNS. Acts as our data processor for traffic.
Resend (US/EU) — sends transactional emails (e.g. enquiry confirmations) on our behalf.
Google (US/EU) — provides Google Analytics 4 if you've consented to analytics cookies. Data is anonymised and IP-truncated.
Our accountants (UK) — Lawson & Co., Derbyshire — handle invoicing and tax records for clients we work with.
Specialist suppliers (UK) — for clients only, we may share your project location and timing with subcontractors or material suppliers strictly to deliver your project.

Some of these processors are based outside the UK. Where personal data is transferred internationally, we rely on Standard Contractual Clauses or UK adequacy decisions to ensure equivalent protection.

We will never sell or rent your personal information to anyone, and we don't share it with companies for their own marketing purposes.

07

How long we keep data

Data type	How long	Why
Enquiries that don't become projects	2 years	For follow-up if you contact us again
Client project records	10 years	Aftercare guarantee period
Financial records (invoices, receipts)	7 years	HMRC requirement
Website analytics data	14 months	Google Analytics default; anonymised
Email correspondence	5 years	Client reference and dispute resolution

You can request deletion of your data at any time, subject to our legal retention obligations. See your rights below.

08

Your rights

Under UK GDPR you have the following rights regarding your personal data:

Right of access — request a copy of the personal data we hold about you
Right to rectification — ask us to correct any inaccurate information
Right to erasure ("right to be forgotten") — request deletion, subject to legal retention requirements
Right to restrict processing — ask us to limit how we use your data
Right to data portability — receive your data in a structured, machine-readable format
Right to object — to processing based on legitimate interests
Right to withdraw consent — for any processing based on consent (e.g. cookies)
Right to complain — to the Information Commissioner's Office (ico.org.uk) if you're unhappy with how we've handled your data

To exercise any of these rights, email [email protected] with details of your request. We aim to respond within one calendar month.

09

How we protect your data

We take reasonable technical and organisational steps to protect your information:

Our website uses HTTPS encryption for all communications
Data is stored on secure, professionally managed cloud infrastructure (Cloudflare)
Only authorised members of our team have access to client data, and only when needed for their work
Passwords and access credentials are managed via a password manager with two-factor authentication
We review our security practices annually and after any significant operational change

No system is perfectly secure. If we ever become aware of a data breach affecting your information, we'll notify you and the Information Commissioner's Office within the legally required timeframes.

10

How to contact us

For any questions, requests, or complaints about how we handle your personal data:

Email: [email protected]
Phone: 01629 555 0123
Post: Data Protection, Heritage Gardens Ltd, The Old Barn, Brailsford, Derbyshire DE6 3BU

If you're not satisfied with our response, you have the right to complain to the Information Commissioner's Office:

Website: ico.org.uk
Phone: 0303 123 1113

This policy may be updated from time to time. The "Last updated" date at the top of the page will reflect any changes. Material changes will be communicated to existing clients by email.