This privacy policy applies to data we handle about and on behalf of our customers. Our website privacy policy (including our website’s GDPR compliance) also applies and can be found here.

In this document ‘we’ or ‘us’ refers to Lucid Rhino Web Design and ‘you’ or ‘your’ refers to the customer/client.


We collect and processes personal information, or personal data, relating to our customers relevant to the services we provide them. We may hold this personal information on paper or in electronic format.

We are committed to protecting your privacy and we will only use the information that we collect about you lawfully, in accordance with the Data Protection Act 1998 and EU General Data Protection Regulation 2016.

Who we are

If you have any questions regarding this privacy policy or to request a copy, update or deletion of your data, you may contact us using the information below:

FAO: Aidan Ashby
87 Ashley Rd

01172 39 38 36

Our Responsibilities

Under the GDPR, there are six data protection principles we must comply with. These dictate that the personal information we hold about you must be:

  1. Processed lawfully, fairly and in a transparent manner.
  2. Collected only for legitimate purposes that have been clearly explained to you and not further processed in a way that is incompatible with those purposes.
  3. Adequate, relevant and limited to what is necessary in relation to those purposes.
  4. Accurate and, where necessary, kept up to date.
  5. Kept in a form which permits your identification for no longer than is necessary for those purposes.
  6. Processed in a way that ensures appropriate security of the data.

We are responsible for, and must be able to demonstrate compliance with, these principles. This is called accountability.

What personal data we collect and why we collect it


When you initiate an enquiry we store the contact information you provide in order to respond to leads and provide a consistent and professional service. This includes your:

  • Contact name
  • Email address
  • Business or residential address
  • Phone number
  • Preferred contact method


We use Wave for our accounting, and you can read their privacy policy here. The one-time and recurring initiation of card payments for our services is handled by Wave, with payments then processed by Stripe, who have their own robust privacy policy which you can read here.

We recommend paying non-recurring bills by direct bank transfer as this involves the fewest parties (details provided in invoices or on request).

We recommend communicating bank account details in person or over the phone rather than by email or messaging app.

Any bank account details you send us will be promptly transferred to Wave’s secure recurring payment system and any stored methods of transmission (e.g email) immediately deleted. We will never continue to store your bank account details outside of Wave.

Wave may transfer (or otherwise make available) your personal information to third parties who provide services on their behalf. Wave uses Plaid Inc. (“Plaid”) to gather your data from financial institutions for, for instance, preventing fraud. Wave only shares the information these service providers need to do their job and doesn’t authorize them for any other use or disclosure of personal information.

All the services we use in the transfer of customer accounting data are made through encrypted connections.

We will keep information on transactions as long as reasonable for filing and future custom unless deletion of personal data is requested, whereupon we will delete any data we don’t anonymise.

How we handle access to third party customer data

An example of when this may apply would be when we host and provide support for an ecommerce website that stores data on that website’s customers. The exact data this may include wholly depends on the setup of that website, but would typically include the following customer data:

  • Name
  • Email address
  • Shipping and billing addresses
  • Purchase history

Ecommerce websites that we build always use external payment gateways so don’t store bank or card details in their database or files, however, again, the exact data stored in a site depends on that individual site setup.

Where we have access to third-party data through services we provide it will only ever be accessed where strictly necessary, with the most upright confidentiality and in parity with our handling of direct customer data as outlined in this document.

Who we share your data with

We do not and never will sell your data to any other company. We will not email you in the future unless:

  1. You have given us your consent through initiating an enquiry, and only then in line with reasonable correspondence to offer or update you on our available services.
  2. You have given us your consent through becoming our customer, and only then in line with reasonable correspondence to carry out requested services.

We will only share your personal data with external collaborative parties (e.g SEO consultants or artists) with your permission, and only to the extent required by the task. This will never include bank account or bank card details.

We may also share your personal information with other third parties in the context of a potential sale or restructuring of some or all of our business. In those circumstances, your personal information will be subject to confidentiality undertakings.

We may also need to share your personal information with a regulator or to otherwise comply with the law.

Where we send your data

Customer enquiries are logged in a private password protected Google Docs Spreadsheet, which is covered by Google’s GDPR policy.

How we protect your data

We do not store any data offline, and all devices used to access data are password protected. Any data that gets printed (e.g the printing of emails for discussion in a client meeting) will not be stored long-term and will be securely destroyed as soon as it is no longer immediately useful. All online data processing services we use are protected by a 256bit http-01 SSL security certificate, making data transferred between our router and the servers we interact with unintelligible to unintended recipients.

Our handling of email is also encrypted by a similar security certificate, but the security of any external email accounts we interact with is dependent on the security of those respective email services.

How long we retain your data

We will only retain your personal information for as long as is necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, tax, health and safety, reporting or accounting requirements.

If you ask us to delete your personal data held by us this will be securely and effectively destroyed or permanently erased from our IT systems, subject to legal limitations (see below under ‘what rights you have over your data’). We will also require third parties to destroy or erase such personal information where applicable.

We will maintain anonymised data for accounting purposes for a longer period.

What rights you have over your data

We comply with GDPR, giving you the following rights:

  • If we have access to your personal data you can request to receive a file of the personal data we hold about you, including any data you have provided to us.
  • You can request rectification of your personal information.
  • You can request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes, or anonymised data.
  • You can ask us to transfer your personal data to another party so you can reuse it across different services for your own purposes

If you wish to exercise any of these rights, please contact ngise1721854049d.oni1721854049hrdic1721854049ul@ol1721854049leh1721854049 requesting a ‘SAR’ (subject access request) form, or alternatively contact us using the details provided at the top of this page. We may need to request specific information from you in order to verify your identity and check your right to access the personal information or to exercise any of your other rights. This is a security measure to ensure that your personal information is not disclosed to any person who has no right to receive it.