Privacy Policy
This Privacy Policy explains what personal information Mat Black Web Design (the website at mbwd.net, referred to below as “we”, “us”, or “our”) collects when you visit our website, how we use it, who we share it with, and the rights you have over it. We are the data controller for the information described here.
If you have any questions about this policy or about how we handle your data, please contact us at info@mbwd.net.
1. Who we are
Mat Black Web Design is a sole-trader business operated by Matthew Blackmore, based in the United Kingdom, offering web design, web development, and SEO consultancy services. The primary contact for data-protection correspondence is the email address given below.
For UK and EU GDPR purposes, Matthew Blackmore, trading as Mat Black Web Design, is the data controller for any personal information you give us or that we collect about you via this website.
2. What information we collect
We collect a deliberately small amount of information. Specifically:
2.1 Information you give us via the contact form
When you fill in the enquiry form on our website, we collect:
- Your name
- Your email address
- Any other information you choose to include in the message field (for example, your company name, website URL, or a description of what you need help with)
We do not collect, and we ask you not to send, special-category data (information about health, race, religion, political opinions, sexual orientation, etc.) or financial details (card numbers, bank details) through the contact form.
2.2 Information collected automatically when you visit the site
Google Analytics 4 (GA4). We use Google Analytics to understand how visitors find and use our site so we can improve it. GA4 sets cookies in your browser and collects:
- Pages you visit on our site and how long you stay on them
- The website or search that referred you to us
- General device and browser information (device type, operating system, browser, screen size)
- Approximate geographic location (typically city- or region-level, derived from your IP address — Google does not store the IP address itself in GA4)
- A randomised identifier so that GA4 can recognise the same browser across pages within a session
GA4 is provided by Google Ireland Limited (for visitors in the UK/EU) and Google LLC (elsewhere). Google may transfer this data to servers in the United States. See section 6 below for how this transfer is safeguarded.
Server logs. Our web host automatically records standard request logs (your IP address, the page requested, the timestamp, the response status, and your browser’s User-Agent string). These are used only for security monitoring and to diagnose technical problems, and are typically deleted on a rolling basis by the hosting provider.
2.3 What we do not collect
We do not run any advertising pixels (no Meta/Facebook Pixel, no LinkedIn Insight Tag, no TikTok Pixel). We do not track you across other websites. We do not buy or rent marketing lists, and we do not enrich your contact details from third-party data brokers.
3. Why we use this information, and our lawful basis
Under the UK GDPR and EU GDPR, we must have a “lawful basis” for processing your personal information. Here’s how that breaks down:
| What we do | Why | Lawful basis (UK/EU GDPR) |
|---|---|---|
| Reply to your enquiry, send you a quote, discuss working together | To respond to a request you have made | Legitimate interests (responding to people who contact us about our services), or Steps prior to entering a contract if you’ve asked for a proposal |
| Keep a record of past enquiries so we can recognise repeat senders and pick up old conversations | To run our consultancy in an organised way | Legitimate interests (keeping reasonable business records) |
| Run Google Analytics on the site | To understand how visitors find and use our site so we can improve it | Consent (where required by UK PECR / EU ePrivacy rules — see the cookie banner) |
| Keep web-server logs | To protect the site against attack and diagnose technical issues | Legitimate interests (keeping the site secure and working) |
If you’d like more detail on the “legitimate interests” assessment for any of the above, please email us and we’ll explain.
4. Who we share your information with
We keep your data inside a very short list of providers:
- Our email provider (Zen Hosting) — your contact-form message is delivered to our inbox and stored there until we no longer need it. The email provider acts as our processor.
- Our web host (Zen Hosting) — operates the server that this website runs on and keeps standard server logs.
- Google (Google Analytics 4) — receives the analytics events described in section 2.2.
We do not sell your personal information. We do not share it with advertisers or data brokers. We do not disclose it to third parties for their own marketing purposes.
We may disclose information if we are legally required to (for example, a valid court order or a request from a regulator with proper authority), or if we genuinely believe disclosure is necessary to protect someone’s safety, prevent fraud, or defend our legal rights.
5. Cookies
This site uses cookies in two ways:
- Strictly-necessary cookies — set by the website itself (for example, to remember your cookie-consent choice). These do not need consent and cannot be switched off.
- Analytics cookies — set by Google Analytics. These only load if you accept the analytics option in our cookie banner. If you decline, GA4 is not loaded and no analytics cookies are set.
You can also block or delete cookies through your browser’s settings at any time. The major browsers’ cookie controls are documented at aboutcookies.org.
6. International data transfers
When you use Google Analytics on our site, your data may be transferred to and processed in the United States by Google LLC. The UK and EU do not currently consider the US to provide an equivalent level of data protection by default, so this transfer relies on:
- The UK Extension to the EU–US Data Privacy Framework (for UK visitors), and the EU–US Data Privacy Framework (for EU/EEA visitors), under which Google LLC is certified, and
- Google’s Standard Contractual Clauses as a backup safeguard.
You can read Google’s transfer documentation at policies.google.com/privacy/frameworks.
We do not transfer your contact-form data outside the UK or EEA unless our email provider’s infrastructure does so under equivalent safeguards.
7. How long we keep your information
- Contact-form enquiries — we keep these in our inbox for as long as needed to respond to you, follow up on a proposal, or maintain a working relationship, and then we delete them when they are no longer needed. You can ask us to delete your enquiry sooner at any time (see section 8).
- Google Analytics data — GA4 is configured with a user-data retention period of 14 months. Aggregated, non-identifying reports may be retained longer.
- Web-server logs — typically rotated and deleted by our host within 30–90 days.
8. Your rights
Under the UK GDPR and EU GDPR, you have the following rights over your personal information:
- Right to be informed — what this policy is for.
- Right of access — you can ask us for a copy of the personal information we hold about you.
- Right to rectification — you can ask us to correct anything that is wrong or incomplete.
- Right to erasure (“right to be forgotten”) — you can ask us to delete your information.
- Right to restrict processing — you can ask us to pause processing while we investigate a query.
- Right to data portability — you can ask us to provide your information in a structured, machine-readable format.
- Right to object — you can object to processing we carry out under “legitimate interests”.
- Right to withdraw consent — where we relied on consent (for example, analytics cookies), you can withdraw it at any time.
To exercise any of these rights, email us at info@mbwd.net. We will respond within one month. There is no charge for a reasonable request.
8.1 If you are a California resident (CCPA / CPRA)
In addition to the rights above, California residents have the following rights under the California Consumer Privacy Act (as amended by the CPRA):
- Right to know what personal information we collect, use, and disclose about you.
- Right to delete personal information we have collected from you, subject to certain exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of “sale” or “sharing” of personal information. We do not sell your personal information and we do not share it for cross-context behavioural advertising.
- Right to limit use of sensitive personal information. We do not collect sensitive personal information as defined by the CPRA.
- Right to non-discrimination — we will not treat you differently for exercising any of these rights.
To make a CCPA/CPRA request, email us at info@mbwd.net with “California privacy request” in the subject line. We may need to verify your identity before responding. You can also designate an authorised agent to make a request on your behalf.
8.2 How to complain
If you are unhappy with how we have handled your personal information, please tell us first so we can try to put it right. If you are still unhappy, you have the right to lodge a complaint with a supervisory authority:
- UK residents — the Information Commissioner’s Office (ICO), ico.org.uk/make-a-complaint, phone 0303 123 1113.
- EU/EEA residents — your national data-protection authority. A list is available at edpb.europa.eu/about-edpb/about-edpb/members_en.
- California residents — the California Privacy Protection Agency, cppa.ca.gov, or the California Attorney General, oag.ca.gov/privacy.
9. Security
We take reasonable technical and organisational measures to protect your personal information against loss, misuse, and unauthorised access. These include HTTPS encryption for everything sent to and from this website, multi-factor authentication on the email accounts that receive contact-form messages, and limiting access to that data to the people who need it to do their job (in practice, that means Matthew Blackmore).
No system can be guaranteed completely secure. If we ever become aware of a personal-data breach that affects you, we will notify you and the relevant supervisory authority as required by law.
10. Children
This website is not directed at children, and we do not knowingly collect information from anyone under the age of 16. If you believe a child has submitted information to us, please contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time — for example, if we add a new tool to the site or if the law changes. When we do, we will update the “Last updated” date at the top of this page. For material changes, we will make the update clearly visible on the website for a reasonable period.
12. Contact us
For any question about this Privacy Policy, or to exercise any of the rights described above, please contact:
Mat Black Web Design
Matthew Blackmore
Email: info@mbwd.net