Privacy Policy

This policy explains what personal data I collect, why I collect it, how I use it, and what your rights are. I've tried to keep it readable rather than impenetrable — if anything isn't clear, just get in touch.

Last updated: 17 March 2026

Classic Niall Limited is a company registered in England and Wales. I trade under three names — Classic Niall (my general trading identity), ByDesign (web development, systems administration, hosting, digital care, and IoT), and Distraction Tactics (games and interactive media). All three operate under Classic Niall Limited, and this policy applies across all of them.

For data protection purposes, Classic Niall Limited is the data controller. My ICO registration number is ZC100739. You can contact me at hello@classicniall.co.uk.

1. Who this policy applies to

This policy applies to anyone who interacts with me professionally — prospective clients, current clients, and past clients, as well as anyone who contacts me about my services. It covers data collected through this website at www.classicniall.co.uk, directly by email, phone, or messaging, and in the course of delivering work.

I only work with adults and businesses. I do not offer services to, and do not knowingly collect or process data relating to, anyone under the age of 18.

2. What data I collect

I only collect data that is relevant to working with you. This includes:

  • Contact details — your name, email address, phone number, and business name.
  • Billing and financial information — your billing address, company registration number (if applicable), and VAT number (if applicable). Payment processing is handled by third-party providers; I don't store card details myself.
  • Project-related data — files, credentials, access details, content, or other materials you share with me so I can carry out the work. The nature of this varies by service — for example, server credentials for systems administration work, or game assets for development projects.
  • Communication history — emails, messages, and notes from conversations relating to projects or enquiries, including messages sent via WhatsApp Business.
  • Contact form submissions — if you use the contact form on this site, I collect your name, email address, and the content of your message. This data is transmitted via my API and an email service provider and lands in my inbox. It is used solely to respond to your enquiry.
  • Managed asset registration details — where I register or create third-party accounts on your behalf (domains, email hosting, app store accounts), I collect and submit your legal name and company details to the relevant registrar or platform as required.
  • Calls and SMS — calls and text messages are received on my business device. These are not formally logged or stored anywhere beyond the device itself.

I don't collect sensitive personal data (such as health information, ethnicity, or political views) and have no reason to.

3. How I use your data

I use the data I collect to:

  • Deliver the services you have engaged me for — development, hosting, systems administration, IoT, domain management, digital care, app publishing, or agency support.
  • Communicate with you about projects, deadlines, and deliverables.
  • Send invoices and manage billing via my accounting software.
  • Register and manage third-party accounts and assets on your behalf.
  • Maintain records as required for legal and tax purposes.
  • Respond to enquiries from prospective clients.

My legal basis for processing your data is primarily contract performance — I need your data to do the work you have hired me for. Where we are not yet in a contract (for example, during an initial enquiry), my basis is legitimate interests. Some data is processed to comply with legal obligations, such as keeping financial records for HMRC.

4. Where data is stored

Your data may be stored in the following places:

  • Accounting and invoicing software — I use dedicated accounting software for invoicing, time tracking, and project notes. Client billing and contact information is processed through this platform.
  • Email service provider — email correspondence is stored on my email provider's servers. This includes enquiries, project communications, and any attachments exchanged by email.
  • WhatsApp Business (Meta) — if we communicate via WhatsApp, messages are stored on Meta's infrastructure and are subject to Meta's own privacy policy in addition to this one. I'd recommend avoiding sending sensitive information — such as passwords or confidential documents — via WhatsApp.
  • My own infrastructure — project files, tickets, and technical data may be stored on my self-hosted systems, including a self-hosted Git and issue tracking platform. These are managed directly by me.
  • Business devices — data may be stored locally on my business devices (laptops, desktop, and phone) as part of day-to-day work.
  • Hosting infrastructure — where I provide hosting services, your data and website files reside on infrastructure provided by my hosting partners under my reseller agreement. You do not have a direct account relationship with the underlying provider.
  • Domain registrars and DNS providers — where I manage domain registration or DNS on your behalf, your legal name and company details are submitted to the relevant registrar as registrant. You are the legal owner of the domain.
  • App store platforms — where I create and manage app store accounts on your behalf (including Apple App Store and Google Play), your legal entity name and company details are registered with the platform. You are the account holder and legal owner of all listings and associated assets. These platforms are subject to their own privacy policies.
  • Productivity and collaboration platforms — depending on the engagement, data may be shared or stored via productivity or collaboration platforms, either at your request or as part of the project setup.

5. International data transfers

Some of the platforms I use may store or process data outside the United Kingdom. Where this is the case, I select platforms that comply with UK GDPR and operate under appropriate safeguards, such as adequacy decisions or standard contractual clauses. If you have questions about a specific platform's data residency, I'm happy to point you to their documentation.

6. Third parties and sub-contractors

I never sell your data or share it with third parties for marketing purposes.

Occasionally I engage freelancers or sub-contractors to assist with specific parts of a project. Where this requires them to access client data, I will let you know — either in the project agreement or at the relevant point during the work. Data processing agreements are in place with sub-contractors who handle client data, setting out their responsibilities and obligations.

I may also use remote access software during support and development work. The specific tool used depends on the engagement or your existing setup. Access is limited to what is necessary for the task and is conducted under the terms of our client agreement.

7. Hosting services and client data

Where I provide hosting services, you are the data controller for your website and any data your users submit to it. I act as a data processor — I provide and maintain the infrastructure, but I don't determine how your users' data is collected or used. You are responsible for your own privacy policy, cookie compliance, and GDPR obligations towards your end users.

My responsibility is to maintain appropriate security on the infrastructure I manage and to notify you promptly if there is a breach affecting your hosted data.

8. IoT hardware and deployment

Where I supply, configure, or deploy IoT hardware as part of a project, any data collected by those devices — such as sensor readings, usage logs, or telemetry — is transmitted to systems you control, not to me. Once deployed, you are the data controller for that device data. I don't retain ongoing access to device data after a project is complete unless specifically agreed as part of a support arrangement.

9. Managed accounts and asset ownership

Where I register domains, manage DNS, create email hosting accounts, or set up app store accounts on your behalf, your legal name and company details are used as the registrant or account holder. You are the legal owner of these assets. I act as your operational manager, holding credentials and managing the accounts on your behalf.

On termination of our engagement, I will facilitate transfer or handover of all assets within 28 days, subject to outstanding balances being settled. For app store accounts, this means credential and administrative access handover — listings, apps, reviews, and associated data remain with the account and transfer with it.

You remain responsible for your own compliance with the terms and policies of any platform associated with your managed accounts, including app store guidelines and domain registrar policies.

10. Cookies

This website does not use cookies. There is no analytics, no ad tracking, and no third-party scripts that set cookies. You can use this site without any cookie consent interaction because there is nothing to consent to.

11. Data retention

I retain personal data for 7 years from the end of our client relationship or last contact, after which it is securely deleted or anonymised. This covers the 6-year HMRC requirement for financial records, with an additional year as a buffer.

Project files are archived when a project ends or a client's retainer lapses, and deleted at the 7-year mark. Calls and SMS messages exist only on my business device and are not subject to a formal retention schedule beyond the device's own lifecycle.

12. Security

I take reasonable steps to protect your data. My business devices are secured with appropriate access controls and encryption. My business phone has remote wipe capability in case of loss or theft. Self-hosted infrastructure is maintained and updated by me directly.

No system is completely immune to risk. In the event of a data breach that is likely to pose a risk to your rights and freedoms, I will notify you promptly and report to the Information Commissioner's Office (ICO) within 72 hours as required by UK GDPR.

13. Your rights under UK GDPR

Under the UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal data:

  • Right of access — you can ask me what personal data I hold about you.
  • Right to rectification — you can ask me to correct data that is inaccurate or incomplete.
  • Right to erasure — you can ask me to delete your data, subject to any legal obligations that require me to keep it.
  • Right to restriction — you can ask me to limit how I use your data in certain circumstances.
  • Right to data portability — where your data was provided by you and processed by automated means, you can ask for it in a structured, machine-readable format.
  • Right to object — you can object to me processing your data where I am relying on legitimate interests as my legal basis.

To exercise any of these rights, get in touch using the contact details in section 16. I will respond within one month as required by law and will not charge you for reasonable requests.

14. The right to complain

If you are unhappy with how I have handled your data, please contact me first and I will do my best to resolve it. If you are still not satisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

15. Changes to this policy

I may update this policy from time to time — for example, if I start using new platforms, or if the law changes. The "last updated" date at the top of the page will always reflect the most recent version. I will notify active clients of any significant changes.

16. Contact

For any questions about this policy, or to make a data rights request:

For information about my terms of engagement, see my Terms of Service.