Webgro
Start a project
Start a project
Home

[ Legal ] Privacy

Privacy Policy

This is the plain-English version of how Webgro handles your personal data. It covers what we collect, why we collect it, how long we keep it, and what you can ask us to do with it.

Last reviewed · April 2026

Who we are

Webgro Ltd is a company registered in England and Wales under company number 10889889, with its registered office at 12 Longshot Lane, Bracknell, Berkshire, RG12 1RL. Webgro is part of the Broadbridge Group.

For anything relating to this policy or your personal data, contact us at hello@webgro.co.uk. We are the data controller responsible for your data as described on this page.

What this policy covers

This policy applies to personal data we collect through webgro.co.uk. It does not cover third-party sites we link to, or the separate systems we use on client engagements (those are governed by the contracts we sign with each client).

What we collect and why

Contact form submissions

When you submit the contact form on our site, we collect your name, email address, optional phone number, the service you’re interested in, your ballpark budget, and whatever you tell us in the message field. We use this information for one thing only: to reply to your enquiry and, if you want to work with us, to scope a project together.

Lawful basis: legitimate interest (Article 6(1)(f) UK GDPR). You contacted us to ask about our services, and we use the data you supplied to respond.

Emails you send us directly

If you email hello@webgro.co.uk or another Webgro address, we collect whatever you chose to send. We use it to reply, and if the conversation turns into a project, to scope and deliver that project.

Server logs

Our hosting provider retains standard server logs (IP address, timestamp, page requested, user agent) for operational and security purposes. These are retained for 30 days and are not tied to named individuals.

Lawful basis: legitimate interest (keeping the site online and secure).

Analytics (only if you opt in)

If you accept analytics cookies on the cookie banner, we load Google Analytics 4 with IP anonymisation. GA4 tells us which pages get visited, which don’t, and roughly where visitors come from. We do not combine this with any other Google product or use it for advertising.

Lawful basis: consent (Article 6(1)(a) UK GDPR). You can withdraw consent at any time from the cookie controls, which removes analytics scripts from future page loads.

Bot protection (Cloudflare Turnstile)

When you submit the contact form, Cloudflare Turnstile runs a short challenge to distinguish humans from bots. Cloudflare receives the minimum needed for the challenge (headers, a short token) and returns a pass/fail. This is necessary to keep the contact form usable without drowning in spam.

Lawful basis: legitimate interest (preventing abuse of the form).

What we don’t collect

We don’t run advertising pixels, remarketing tags, or behavioural-profiling scripts. There is no commercial “profile” of you being built anywhere.

How long we keep your data

  • Unsuccessful enquiries: 12 months after last contact, then deleted.
  • Active clients and prospects: for the duration of our working relationship, plus 7 years after the last invoice (UK tax and accounting requirements).
  • Server logs: 30 days.

Who we share it with

We use a small set of third-party tools to run the business. None of them sell your data or use it for their own marketing. Each is a data processor acting on our instructions.

  • Email provider — to receive and send email (Microsoft 365 or Google Workspace, operated in the UK/EU).
  • Hosting provider (Vercel, US) — to serve the site. Processes request metadata such as IP and user agent for routing and logging. UK International Data Transfer Agreement in place.
  • Resend (US) — transactional email delivery for contact form submissions. Processes only the content of each submission and the recipient address. UK IDTA in place.
  • Cloudflare Turnstile (US) — bot-protection challenge on the contact form. Receives challenge metadata, not the content of your submission. UK IDTA in place.
  • Google Analytics 4 (US, consent-only) — anonymised page analytics. Only processes your data if you accept analytics cookies on the cookie banner.
  • Accounting and invoicing software — for active clients, to issue invoices and meet HMRC obligations.

Where personal data is transferred outside the UK or European Economic Area (typically to US-based providers above), we rely on the UK International Data Transfer Agreement or the EU Standard Contractual Clauses with the UK Addendum as the appropriate safeguard.

Your rights

Under the UK GDPR you have the right to:

  • Ask for a copy of the personal data we hold on you.
  • Ask us to correct anything that’s wrong.
  • Ask us to delete your data (subject to legal retention obligations, like the 7-year HMRC rule above).
  • Ask us to restrict how we use it, or to port it to another provider.
  • Object to us processing it on legitimate-interest grounds.
  • Withdraw any consent you gave (where consent was the basis).

To exercise any of these rights, email hello@webgro.co.uk. We’ll respond within one working day and complete your request within one calendar month.

If you’re unhappy with how we’ve handled your data, you have the right to complain to the UK’s Information Commissioner’s Office at ico.org.uk. We’d appreciate the chance to fix it first.

Children

Our services are aimed at businesses. We do not knowingly collect personal data from anyone under 18. If you believe we have, contact us and we’ll delete it.

Changes to this policy

We review this page at least once a year, and update it any time the site’s data practices change. The “last reviewed” date at the top of the page reflects the most recent review.