Privacy.
We don't share your information, and we collect as little as possible. This page exists to tell you exactly what that means in practice.
Who runs this site
Goliath Web Services LTD, company number 11873385, registered at [Registered address — to be confirmed before public launch], operating under the trade name Goliathus. Contact: hello@goliathus.co.uk.
For the purposes of UK GDPR and the UK Data Protection Act 2018, we are the data controller for any personal information processed through this website and in the course of any engagement.
What we collect, why, and how long we keep it
Site visits. We use Plausible Analytics, which is hosted in the EU and does not use cookies. Plausible records the URL you visited, your country, your device type, your browser, and your referrer (which site sent you to us). It does not record your IP address or identify you personally. This information is retained for 24 months.
Brief submissions. When you submit a brief through /begin, we collect your name, email, company, role, and the answers you provide. This is held in our secure database for 24 months, after which it is permanently deleted unless you have become a client (see below).
Intake submissions. If we invite you to complete the deeper intake at /intake, the answers you provide are held for the duration of any engagement plus 24 months for case study and reference purposes.
Client correspondence. Email exchanges are retained for the duration of any engagement plus 7 years (for tax and legal record-keeping). Email is stored on Fastmail's servers (located in the United States, with EU-equivalent safeguards in place).
Client project data. Any data we process on your behalf as part of an engagement (your existing content, your customer data if relevant, etc.) is governed by a separate Data Processing Agreement that we sign at engagement start.
What we don't collect
We don't use:
- Tracking cookies of any kind
- Third-party advertising trackers
- Heatmap or session replay tools (Hotjar, FullStory, etc.)
- Social media tracking pixels
- Email open or click tracking
If you visit this site without submitting a form, we have no record of you beyond an anonymous, country-level visit count.
Who we share data with
We don't sell data, ever. We share data with the following service providers, each of whom is contracted to handle it on our behalf:
| Service | Purpose | Location | Safeguards |
|---|---|---|---|
| Cloudflare | Site hosting, DNS, CDN | Global, EU edge servers | UK ICO approved DPA |
| Supabase | Database for briefs and project data | EU (Frankfurt) | EU GDPR compliant |
| Sanity | Content management (when applicable to your project) | EU (Amsterdam) | EU GDPR compliant |
| Fastmail | Email hosting | US, with EU-equivalent safeguards | UK-US Data Bridge framework |
| Resend | Transactional emails (confirmations) | US | Standard Contractual Clauses |
| Stripe | Payment processing (clients only) | Global | UK ICO approved |
| Plausible Analytics | Site analytics (no cookies, no PII) | EU (Germany) | EU GDPR compliant |
| Clerk | Client portal authentication (clients only) | US, EU regional | Standard Contractual Clauses |
| 1Password Business | Secrets storage (clients only) | Global | Encrypted, zero-knowledge |
Any change to this list is a material change to this policy and will be communicated to current clients by email.
Your rights under UK GDPR
You have the right to:
- Request a copy of any personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (subject to legal retention requirements)
- Request restriction of processing
- Object to processing
- Request data portability (we'll provide your data in a structured, commonly used format)
- Withdraw consent at any time
- Complain to the UK Information Commissioner's Office (ico.org.uk)
To exercise any of these rights, email hello@goliathus.co.uk. We respond within 30 days, usually much sooner.
International transfers
Some of our service providers are located outside the UK and EU (primarily the United States). We rely on the UK-US Data Bridge, the EU-US Data Privacy Framework, or Standard Contractual Clauses where applicable, to ensure that any international transfer of your personal data is protected by appropriate safeguards.
Children
This site is not intended for, and does not knowingly collect data from, children under 16. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.
Security
We take reasonable, industry-standard measures to protect your data: encryption in transit (TLS 1.3), encryption at rest, principle of least privilege for access, regular backups, and a documented incident response procedure. No system is perfectly secure, but we treat your data with the care we would expect for our own.
Changes to this policy
If we make material changes to this policy, we will update the "Last updated" date at the top of this page, and we will notify any current clients by email. Non-material changes (clarifying language, fixing typos) may be made without notice.
Contact
For any privacy question, complaint, or request, email hello@goliathus.co.uk. We respond within one business day, usually within hours.
If you are unsatisfied with our response, you have the right to complain to the UK Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
0303 123 1113
ico.org.uk
See also: Terms of Engagement · Data Processing Agreement