Effective Date: 14th April 2026
We, Civio Digital, take the protection of your personal data seriously. We are committed to processing your data fairly, lawfully, and transparently in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy explains how we collect, use, share, and protect your personal data — and how you can exercise your rights.
Data Controller: Civio Digital Ltd
Address: 337 Wimborne Road, BH15 3ED
Email: [email protected]
Website: www.civiodigital.com
ICO Registration Number: ZC103750
We do not currently have a Data Protection Officer, as we are not legally required to appoint one at this stage.
What Personal Data We Collect
Lawful Basis for Processing
How We Collect Your Data
How We Use Your Data
Data Sharing with Third Parties
International Data Transfers
Our Role as Data Processor
Cookies
Special Category Data
How Long We Keep Your Data
Security
Data Breach Handling
Children
Your Data Protection Rights
Contact Us and Complaints
Changes to This Policy
We only collect the data we actually need. Here is what we collect and the legal basis for each:
When you submit an enquiry through our website or landing page:
Name, email address, phone number, and business name
Any other information you choose to include in your message
Legal basis: Legitimate interests — we need this to respond to your enquiry and assess whether we can help.
When you book a call or meeting:
Name, email address, and phone number
Date, time, and any pre-call notes you provide
Legal basis: Legitimate interests — to manage and deliver the booked call.
When you visit our website:
IP address, browser type, pages visited, and time of visit
Cookie and analytics data (see Section 5)
Legal basis: Legitimate interests — to understand how our site is used and improve it.
When you become a client:
Business details, billing information, and contact details
Information shared during onboarding and the delivery of services
Legal basis: Contract — we need this to deliver our services and manage the client relationship.
Under UK GDPR, we must have a lawful basis for every type of processing we carry out. We rely on the following:
Where processing is necessary to deliver our services to you or to fulfil a contract we have entered into with you.
Where we have a genuine business reason to process your data that does not override your rights. This includes responding to enquiries, managing client relationships, improving our services, and sending relevant communications to existing clients. We carry out a Legitimate Interests Assessment for each activity we rely on this basis for.
Where we are required by law to process your data — for example, retaining financial records in line with HMRC requirements.
Where you have given us your clear, specific agreement to process your data for a particular purpose. You can withdraw consent at any time by contacting us at
We collect personal data in the following ways:
Directly from you — when you fill in a form, submit an enquiry, book a call, or contact us
Automatically — when you visit our website (IP address, browser data, cookies — see Section 8)
From clients — when clients share information needed to deliver our services on their behalf
We use your personal data to:
Respond to enquiries and assess whether we can help
Deliver our marketing automation and CRM services to clients
Manage client accounts, billing, and communications
Send fortnightly performance reports to clients
Improve our website and understand how people find us
Send relevant updates and information to existing clients
Comply with our legal and regulatory obligations
We do not sell your data. We do not use it for any purpose you would not reasonably expect.
We use a small number of trusted third-party platforms to operate and deliver our services. Your data may pass through these tools as part of how we work:
GoHighLevel — CRM, funnels, automations, SMS, email, website hosting (US-based)
Meta — paid advertising (US-based)
Google LLC — Analytics, Ads, Gemini AI features (US-based)
Stripe — payment processing (US-based)
Build My Agent — AI chatbot (US-based)
Calendly — appointment booking (US-based)
We only share the minimum data necessary with each provider. We do not share your data with third parties for their own marketing purposes. We do not sell your data.
Some of our third-party providers are based outside the United Kingdom, including GoHighLevel, Build My Agent, Meta, and Google, which are US-based. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses as approved for use under UK GDPR.
When we deliver services to clients — managing CRM systems, running automated campaigns, handling inbound leads — we process personal data belonging to their customers. In this context:
Our clients are the data controllers — they determine the purpose and means of processing
We act as a data processor — we process the data only on their documented instructions
We ensure appropriate safeguards are in place when processing client customer data
Clients are responsible for ensuring their own customers have been properly informed of how their data is used, including processing carried out by Civio Digital on their behalf.
Our website uses only essential cookies that are required for the site to function — for example, to remember your session or maintain basic functionality. These do not collect personal tracking information and do not require your consent.
Analytics and Advertising Cookies
We do not currently use Google Analytics, the Meta Pixel, or any other analytics or advertising tracking tools on our website. No non-essential cookies are set.
If this changes in future, we will update this policy, implement a cookie consent banner before activating any tracking, and obtain your consent before placing any non-essential cookies on your device.
We do not intentionally collect or process special category personal data (such as health information, ethnicity, religious beliefs, or political opinions). If we inadvertently receive such data, we will delete it promptly. If this changes in future, we will update this policy and seek your explicit consent before any such processing takes place.
Enquiry and contact data: 12 months from first contact, or longer if we enter into a contract
Client account and billing records: 6 years from the end of the contract (HMRC requirement)
Website analytics data: 26 months (standard Google Analytics retention, if used)
Client customer data (processed on behalf of clients): deleted or returned within 30 days of the contract ending
We review our data holdings regularly and do not keep data for longer than we need to.
We take reasonable steps to keep your data secure, including:
Two-factor authentication on all platforms that hold personal data
Strong, unique passwords managed via a password manager
Encryption in transit across all platforms we use
Access to personal data restricted to those who need it
No digital system is 100% secure. If we become aware of a breach that is likely to affect your rights, we will notify you and the ICO as required by law.
If we become aware of a personal data breach, we will:
Assess the nature and impact of the breach immediately
Notify the ICO within 72 hours if the breach is likely to risk people's rights and freedoms
Notify affected individuals without undue delay if the risk is high
Record all breaches in our internal breach log, regardless of severity
Our services are directed at businesses and adult professionals. We do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently received a child's data, please contact us and we will delete it promptly.
Under UK GDPR you have the right to:
Access — request a copy of the personal data we hold about you
Rectification — ask us to correct inaccurate or incomplete data
Erasure — ask us to delete your data in certain circumstances
Restriction — ask us to pause processing of your data
Portability — receive your data in a portable, machine-readable format
Object — object to processing based on legitimate interests or for direct marketing
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days at no charge. We may ask you to verify your identity before processing a request.
For any privacy-related questions, contact us at [email protected] or write to us at 337 Wimborne Road, BH15 3ED.
If you are unhappy with how we have handled your data, you have the right to complain to the Information Commissioner's Office (ICO):
Website: ico.org.uk
Phone: 0303 123 1113
Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would always appreciate the opportunity to address your concern directly before you contact the ICO.
We may update this policy from time to time. When we do, we will update the effective date at the top and publish the latest version at www.civiodigital.com/privacy-policy. We will notify existing clients of any material changes by email.