Client Privacy Policy
Effective date: 19 March 2026
ICO registration: C1930046
Contact: team@masser.uk
This privacy policy explains how Penovex Limited ("Masser", "we", "us") collects, uses, stores, and protects your personal data when you use our services as a client. This policy applies to business owners and individuals who subscribe to Masser's web design and hosting service.
This policy is separate from the privacy policy displayed on your Masser-hosted website, which covers your website visitors' data (see Visitor Privacy Policy).
1. Who We Are
Penovex Limited trades as Masser and is the data controller for the personal data described in this policy. We are registered with the Information Commissioner's Office (ICO) under registration number C1930046.
2. What Data We Collect
2.1 Data You Provide Directly
- Contact details — full name, email address, phone number
- Business information — business name, industry, services offered, business address, opening hours
- Website content — text, images, logos, testimonials, and any other content you provide for your website
- Design preferences — colour choices, style preferences, site goals, brand inspiration
- Account credentials — email address used for portal login (passwords are managed by our authentication provider, Supabase)
- Payment information — processed and stored by Stripe; we do not store card numbers or bank details
- Communications — emails, support requests, change requests, and feedback you send us
2.2 Data We Collect Automatically
- Existing website data — if you have an existing website, we crawl it to extract business information (services, contact details, testimonials) to inform your new site build. This is limited to publicly available content.
- Portal usage — pages visited within the client portal, features used, change requests submitted
- Technical data — IP address, browser type, and device information when you access the portal
2.3 Data We Generate
- Website builds — the HTML, CSS, and JavaScript code we create for your site
- Analytics summaries — aggregated performance data about your website's visitors (page views, traffic sources, session duration)
- Deliverable tracking — status of setup tasks (hosting, domain, SEO, analytics configuration)
- Generated assets — AI-generated images, videos, and logos created for your website using your business information and preferences
3. How We Use Your Data
We use your data for the following purposes:
| Purpose | Legal basis |
|---|---|
| Building and hosting your website | Performance of contract |
| Processing payments and managing your subscription | Performance of contract |
| Sending transactional emails (confirmations, updates, deliverable progress) | Performance of contract |
| Providing customer support and processing change requests | Performance of contract |
| Managing your domain registration (if purchased through us) | Performance of contract |
| Sending marketing emails (upsells, feature announcements) | Legitimate interest (with opt-out) |
| Improving our service, AI build quality, and design templates | Legitimate interest |
| Producing aggregated, anonymised performance benchmarks | Legitimate interest |
| Displaying your site in our portfolio | Legitimate interest (with opt-out — see Client Terms Section 10) |
| Complying with legal obligations (tax, fraud prevention) | Legal obligation |
4. Aggregated and Anonymised Data
We collect anonymised, aggregated performance data from visitor activity across all Masser-hosted websites. This includes metrics such as page views, session durations, conversion rates, device types, geographic regions, and traffic sources.
This aggregated data:
- Cannot identify you, your business, or your website visitors
- Is used internally to improve our products, AI build quality, and service delivery
- May be used to produce industry benchmark reports and performance insights
- May be shared with or licensed to third parties (including market research firms, trade bodies, and commercial partners), provided no individual business or visitor is identifiable
- Is retained indefinitely, including after your subscription ends
For clarity: We will never sell, share, or disclose your individual business data, your visitors' personally identifiable information, or any data that could identify you or your visitors to any third party. All third-party use is strictly limited to aggregate, anonymised data from which no individual business or person can be identified.
5. Who We Share Your Data With
We share your personal data only with the following categories of recipients, and only to the extent necessary:
| Recipient | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Email, name, payment method |
| Supabase | Database and authentication | Email, name, business data, website content |
| Resend | Transactional email delivery | Email, name |
| Anthropic (Claude AI) | Website generation and content changes | Business info, content, design preferences |
| Netlify | Website hosting and deployment | Website HTML/CSS/JS code |
| Namecheap | Domain registration (if applicable) | Name, email, business address |
| Analytics, Tag Manager (if configured by you) | Visitor analytics data | |
| Crisp | Live chat support | Name, email, chat messages |
| fal.ai | Image and video generation | Business info, industry, design preferences |
| Sentry | Error monitoring and service reliability | Technical error data (no personal content) |
We do not sell your personal data to any third party. We may disclose your data if required by law, regulation, or legal process.
6. Data Retention
| Data type | Retention period |
|---|---|
| Active subscription data | Duration of subscription |
| Website files after cancellation | 90 days (then permanently deleted) |
| Payment records | 7 years (legal requirement) |
| Communications and support history | 2 years after subscription ends |
| Aggregated, anonymised data | Indefinite |
| Portal account data | Deleted on request or 90 days after cancellation |
| Sol conversation history | Duration of subscription plus 90 days |
7. Your Rights
Under the UK General Data Protection Regulation (UK GDPR), you have the following rights:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data (subject to legal retention requirements)
- Right to restrict processing — request that we limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interest (including marketing)
- Right to withdraw consent — where processing is based on consent, withdraw at any time
To exercise any of these rights, contact us at team@masser.uk. We will respond within 30 days.
8. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- All data transmitted over HTTPS/TLS encryption
- Database access restricted by role-based permissions
- Payment data handled entirely by PCI DSS-compliant Stripe
- Authentication managed by Supabase with secure token handling
- Access to production systems limited to authorised personnel
9. International Transfers
Some of our service providers (Stripe, Supabase, Anthropic, Netlify) process data in the United States. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms approved by the ICO.
10. Cookies
The client portal uses essential cookies for authentication and session management. We do not use tracking cookies on the portal. For cookies on your Masser-hosted website, see the separate Cookie Policy.
11. Children's Data
Our services are designed for businesses and are not directed at individuals under 18. We do not knowingly collect data from children.
12. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email at least 14 days before they take effect. The latest version is always available on this page.
13. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: https://ico.org.uk
- Helpline: 0303 123 1113
14. Contact
For any questions about this privacy policy or your data:
- Email: team@masser.uk
- Company: Penovex Limited