Fixed Price Software

Legal

Privacy policy

What we collect, why, where it goes, and your rights — written in plain English.

Last updated .

Who we are

Fixed Price Software is the trading name of the business operating this website. We're the "data controller" for the personal information described on this page. If you want to contact us about anything privacy-related, hello@fixedpricesoftware.co.uk reaches a real person.

What this policy covers

This page describes how we handle personal data collected via this website — the marketing pages, the enquiry form, and (once it launches) the logged-in client portal. It is written in plain English; we'd rather be clear than thorough-but-impenetrable. Where a UK GDPR or PECR term has a specific legal meaning, we use it; otherwise we use ordinary words.

If your engagement with us moves beyond a website enquiry into a paid project, the contract for that engagement will include its own data-handling terms tailored to the work. This policy keeps applying to the website itself either way.

What we collect, and when

When you visit the marketing pages (Home, Services, Process, Pricing, FAQ, etc.):

  • Anonymous page-view counts via Cloudflare Web Analytics. The beacon doesn't set cookies and Cloudflare doesn't store raw IP addresses — they're hashed at the edge and discarded.
  • Standard server logs (URL, timestamp, user-agent, referrer) held by our hosting provider Vercel for operational purposes. Vercel retains these for up to 30 days.

That's everything for unauthenticated visitors. We do not run behavioural advertising, do not embed third-party trackers, do not fingerprint your browser, and do not share any of the above with ad networks.

When you submit the enquiry form we collect:

  • Your name
  • Your email address
  • Your company (optional)
  • A rough project budget you selected
  • The description of the project you wrote

We use this to reply to your enquiry and assess fit. Once the enquiry becomes either a project or a "not for us" decision, we keep the original message for our records — see Retention below.

When you sign in to the client portal (planned, not yet live) we'll additionally hold:

  • Authentication metadata (email, password hash, sign-in timestamps, optional MFA secrets) — handled by our backend provider Supabase
  • Files and documents you choose to upload as part of your project
  • Comments, signatures, and timeline activity you produce

Specific retention and access controls for portal data will be documented here when the portal launches.

What we don't collect

  • We don't set tracking cookies. The site sets a single localStorage entry (theme) recording your light/dark mode preference — strictly necessary for the UI, never sent over the network.
  • We don't collect special-category data (race, religion, health, etc.). Don't put it in the project description either, please.
  • We don't capture form input until you press Submit.
  • We don't run session replay or screen-recording.

Where the data goes

| Data | Processor | Where | Purpose |
| --- | --- | --- | --- |
| Page-view counts | Cloudflare | Global edge, no row-level personal data | Aggregate site analytics |
| Server logs | Vercel | EU / global | Hosting + operational debugging |
| Enquiry submissions | Resend (email delivery) + our inbox | EU | Reaching you with a reply |
| Future portal data | Supabase | EU region | Project workspace + auth |
| Error reports (when on) | Sentry | EU (when configured) | Diagnosing crashes |

All processors above sign data-processing agreements with us and either operate inside the UK / EEA or use the UK government's approved transfer mechanisms.

Your rights under UK GDPR

You can, free of charge, ask us to:

  • Tell you what we hold about you (subject access request)
  • Correct anything wrong
  • Delete your data ("right to be forgotten") — subject to a small set of legal-hold exemptions (e.g. tax records)
  • Restrict how we use it
  • Export it in a portable format
  • Object to particular uses
  • Withdraw consent for any processing that relies on it

Email hello@fixedpricesoftware.co.uk with your request. We aim to respond within one working week and will always respond within one calendar month.

If you're not happy with our response you can complain to the UK Information Commissioner's Office at ico.org.uk.

Retention

| Data | How long we keep it |
| --- | --- |
| Page-view analytics | 6 months (Cloudflare default) |
| Server logs | 30 days (Vercel default) |
| Enquiry submissions that didn't become a project | 12 months |
| Enquiry submissions that did become a project | duration of project + 7 years (tax / dispute records) |
| Portal account + project data | duration of account + 90 days after deletion request |
| Error reports | 90 days |

You can shorten any of these for your own data by asking — see Your rights above.

Security

We follow current best practice on the technical side: TLS in transit, encryption at rest where the provider supports it, role-based access control, no shared accounts, MFA on every administrative surface. Our infrastructure providers (Vercel, Supabase, Cloudflare) hold SOC 2 / ISO 27001 certifications and run global edge networks with DDoS protection.

No system is unbreakable, so if a personal-data breach affecting you ever does occur we'll tell you and the ICO within 72 hours, per UK law.

International transfers

The processors listed above may move data within Vercel / Supabase / Cloudflare / Sentry / Resend global infrastructure. In practice client portal data is held in EU regions; analytics and server logs may transit through US infrastructure. Where this is the case, we rely on UK government-approved transfer mechanisms (UK Addendum to the EU Standard Contractual Clauses).

Changes to this policy

We'll update this page when our practice changes — the Last updated date at the top of the page reflects the most recent revision. We don't track which version of this page you saw on which visit, so we recommend bookmarking and re-reading if data handling matters to you.

Final note

This policy is written to be clear and accurate. It is not legal advice; if you need that we're not the right people to provide it. For anything material we recommend taking your own legal view before submitting personal data via the enquiry form or signing up to the portal.