Privacy Policy

EMPEX DIGITAL LTD is established in the United Kingdom. Company number: 16489057. VAT number: 511230750.

EMPEX DIGITAL is the data controller for personal data collected for its own website, enquiries, bookings, marketing, sales and business administration.

Current EMPEX services include website design and development, web and application development, e-commerce, AI integration and automation, Smart Alerts and digital workflows, SEO and digital strategy, email infrastructure, Website Audits and Website Aftercare for EMPEX-built projects.

Privacy questions can be sent to support@empexdigital.io or through the contact form. EMPEX has not identified a dedicated Data Protection Officer in this website codebase.

This policy applies when you visit the EMPEX website, submit a contact or quotation form, book a consultation, subscribe to updates, purchase a Website Audit or another online service, communicate by email, telephone, social media or live chat, become a client, interact with EMPEX as a business prospect, or use a website or service where EMPEX is itself the controller.

Separate notices or agreements may apply to recruitment, employee information, client-owned applications, Website Aftercare and data processed on behalf of clients. The Cookie Policy supplements this Privacy Policy, and the Terms & Conditions explain general service terms.

EMPEX as controller

EMPEX acts as controller when it decides why and how personal data is used for operating its own website, handling enquiries, consultations, sales, client administration, payments and invoices, marketing, website analytics, security and legal compliance.

EMPEX as processor

EMPEX may act as processor when it hosts a client-owned website or application, accesses customer records to provide support, processes contact-form or booking information for a client, maintains a client database, operates an automation on the client’s documented instructions, or backs up or monitors a client system.

The client is normally the controller for its own customer or user data. Processing is governed by the project agreement and, where required, a Data Processing Agreement. Client end users should read the client’s own privacy notice. This public Privacy Policy does not replace an Article 28 processor agreement. Website Aftercare terms are available at Website Aftercare and support-maintenance terms.

The categories depend on the particular service and how you interact with EMPEX.

For Website Audit checkout, complete payment-card details are handled by Stripe Checkout rather than stored directly by EMPEX. EMPEX may receive transaction IDs, payment status, billing details and limited payment metadata.

EMPEX may obtain personal data directly from forms, during calls and meetings, by email or telephone, from contracts and project communications, through payments and online orders, automatically through website technologies, from referrals, from clients where EMPEX acts as processor, and from publicly available business sources for relevant B2B prospecting.

Public sources may include business websites, professional social profiles, business directories, public company registers and public social-media business pages. Publicly available does not mean personal information can be used without limits; EMPEX assesses whether use is fair, relevant and reasonably expected.

Contact and quote forms may collect name, email, selected topic or service, message content, a hidden anti-spam field, reCAPTCHA data and the IP address used for rate limiting and reCAPTCHA verification. EMPEX uses this information to respond, assess requested services, prepare next steps and maintain enquiry records.

Submissions may be stored in the EMPEX database, emailed to authorised EMPEX staff through Amazon SES and included in administrator SMS alerts through Amazon SNS where enabled. Forms may be checked for spam or security threats using Google reCAPTCHA and internal rate limiting. Please do not submit unnecessary sensitive information. An enquiry does not automatically create a contract.

Booking data may include name, email, phone, selected service, date/time, notes, terms acceptance and a reference number. It is used for appointment scheduling, confirmations, reminders, calendar administration and follow-up.

Bookings are stored in the EMPEX database. The booking flow integrates with Microsoft Calendar through Microsoft Graph to check busy events and create calendar events, and uses Amazon SES for booking emails. Cancellation and no-show records may be retained for administration and dispute handling.

EMPEX maintains records needed to plan and deliver projects, including authorised contacts, technical access, project messages, supplied content, approvals and project documentation. Credentials should be transferred securely where possible, and clients should avoid sending passwords through insecure channels or public forms.

Relevant information may be shared with authorised team members and subcontractors where needed to deliver the service. Project records may be retained after completion for support, legal, accounting and continuity reasons.

Website Audit orders may collect contact, business, website and payment-related information including full name, business name, email, phone, website URL, website type, platform, website size, goals, concerns, known bugs, access availability and extra notes.

This information is used to process the order, create a Stripe Checkout session, deliver the report and send service communications. Website Audit records may be retained for contract, financial and dispute purposes. Website Audit terms are available at Website Audit Terms.

Stripe processes Website Audit payment information under its own privacy terms. EMPEX may receive transaction IDs, Stripe Checkout session IDs, payment intent IDs, payment status, billing name, billing email and limited payment metadata. EMPEX does not sell payment information.

Invoices, transaction records and tax records are kept as required for accounting and legal compliance. Failed, refunded and disputed transactions may also be recorded.

Website Aftercare is available only for EMPEX-built projects. It may involve hosting, monitoring, backups, maintenance and support. EMPEX may process technical logs and client end-user data as processor when maintaining a client-owned project.

The client remains responsible for its own privacy notice and lawful basis. Processing responsibilities should be defined in a Data Processing Agreement. Infrastructure and subprocessors depend on the project. Data may remain in backups according to rolling backup cycles, and termination and deletion are governed by the Aftercare agreement and applicable law. See support-maintenance terms.

EMPEX may identify relevant businesses using publicly available professional information to introduce relevant website design and digital services, notify businesses about publicly visible website issues, follow up on prior business communication and maintain a reasonable suppression list.

EMPEX does not assume that all public information can be freely used. Outreach should be relevant to the recipient’s professional role. EMPEX considers legitimate interests and PECR requirements. Every marketing communication should identify EMPEX and provide an easy opt-out. Objections to direct marketing are honoured, and once someone objects, their details may be retained on a suppression list to ensure they are not contacted again. EMPEX does not sell prospect data.

Newsletter subscriptions are optional. Consent is not a condition of buying services. Subscribers can unsubscribe using the email link where provided or by contacting EMPEX through the contact form.

Withdrawing consent does not affect previous lawful processing. Service emails, such as booking confirmations or Website Audit updates, are not marketing emails. EMPEX may retain a minimal suppression record after unsubscribe to honour the opt-out.

Strictly necessary technologies may operate without optional consent where legally permitted. Analytics, advertising and other non-essential technologies should be controlled through the cookie-consent mechanism. Rejecting non-essential cookies should not block basic site use.

The current code loads the Google Analytics tag with default denied consent and grants analytics storage only after the cookie banner is accepted. The preference is stored as the empexConsent cookie. A dedicated in-banner withdrawal button was not identified in the repository; users can remove the cookie through browser settings, but an easier preference-change mechanism should be added. Cookie names, purposes and durations should be kept consistent in the Cookie Policy.

EMPEX provides AI integration and automation services for clients. Internally, EMPEX may use automation for limited administration such as form tracking events, spam detection, workflow notifications, booking administration and service communications where configured.

EMPEX does not rely on solely automated decisions producing legal or similarly significant effects on website visitors or prospects unless specifically disclosed. If such processing is introduced, EMPEX will provide appropriate information and safeguards. AI outputs may be reviewed by humans. Sensitive data should not be entered into AI systems unless an approved process and lawful basis exist. Client AI systems are governed by their own project and data-processing arrangements.

The website footer links to a separate careers domain. If you apply for a role through that careers service, any separate recruitment privacy notice or application terms provided there should apply. Candidate information may include contact details, CV, employment history, skills, references and application answers.

This public website policy does not cover detailed employee monitoring, payroll or HR administration unless EMPEX specifically collects that information through this website.

Based on the repository, EMPEX may share personal data with hosting and cloud infrastructure providers, email delivery and mailbox providers, database and storage providers, Stripe for payments, Microsoft Calendar/Microsoft Graph for booking administration, Google Analytics, Google reCAPTCHA, cookie-consent tooling, Amazon SNS for administrator alerts, live-chat systems, professional advisers, authorised contractors, regulators, courts and public authorities where required, and a buyer or successor in a genuine business transfer.

EMPEX does not sell personal data. Processors are permitted to use data only for agreed services and legal obligations. Some providers, such as payment processors, may also act as independent controllers for parts of their service. Sharing is limited to what is reasonably necessary.

Some providers may process data outside the UK. Where restricted international transfer processing occurs, EMPEX uses an applicable lawful safeguard where required. Safeguards may include UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses or another approved mechanism.

Transfer risk assessments may be required. Individuals may request information about applicable safeguards. This policy does not claim that all data remains in the UK because that has not been confirmed for every provider and backup location.

Retention may be extended for legal claims, fraud, security incidents or statutory obligations. Data should be deleted, anonymised or securely archived when no longer required, and periods should be reviewed regularly.

EMPEX uses appropriate measures which may include access controls, MFA where supported, encryption in transit, restricted administrative access, backups, monitoring, security updates, staff confidentiality and provider due diligence. No system is completely risk-free and EMPEX cannot guarantee absolute security.

Users should not send sensitive credentials through insecure forms. Suspected compromise should be reported promptly. EMPEX may temporarily restrict access where needed to protect systems.

Under UK data-protection law, applicable rights may include the right to be informed, access, rectification, erasure, restriction, portability, objection, withdrawal of consent, rights concerning automated decision-making where applicable and the right to complain to the Information Commissioner’s Office.

Rights are not absolute and depend on the processing and lawful basis. You have an absolute right to object to the use of your personal data for direct marketing.

To exercise your rights, contact support@empexdigital.io or use the contact form. No special wording is required.

EMPEX may request proportionate identification. Requests are normally answered within one month. Complex or multiple requests may take longer where the law permits, and EMPEX will explain any extension or refusal. Rights requests are normally free, subject to lawful exceptions. Do not submit sensitive identification through an ordinary public form unless a secure method is provided.

EMPEX’s general business website and services are not directed at children. EMPEX does not knowingly seek personal data directly from children through general enquiry or marketing forms. A parent or guardian should contact EMPEX if they believe a child has submitted data.

Child-related data inside a client-built project is governed by the client’s controller responsibilities and project-specific arrangements.

Links from the EMPEX website may lead to independent third-party sites. Their privacy practices are outside EMPEX’s control, and people should read the third party’s own privacy notice.

Please contact EMPEX DIGITAL at support@empexdigital.io so we can investigate.

If you remain dissatisfied, you can complain to the Information Commissioner’s Office. You do not have to contact EMPEX before exercising your right to complain. The ICO complaint page is available at ico.org.uk/make-a-complaint.

EMPEX may update this policy when services, technologies or legal requirements change. The current version is published on this page, and material changes may be highlighted or communicated where appropriate.

Changes do not retrospectively change the lawful basis for earlier processing. The last-updated date shows the current version.