Privacy Policy
Last updated: 9 July 2026
This notice explains how Velocity Web — Martin Shelton, trading as Velocity Web — handles personal data collected through velocityweb.co.uk. It is written to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
Velocity Web is a web design, ecommerce and digital marketing agency based in the South West of England, founded in 1998 by Martin Shelton. We build and manage 65 client websites across public sector, ecommerce, academic and business sectors.
The business is operated by Martin Shelton as a sole trader, trading as Velocity Web.
Business address: 1 Queen Square, Bath, BA1 2HA
Data protection contact: [email protected]
For the purposes of UK data protection law, Martin Shelton (trading as Velocity Web) is the data controller for personal data collected through this website.
For client work, Velocity Web is a data processor acting on behalf of clients whose sites we host or support. Those clients’ data-handling is governed by separate contracts and their own privacy policies.
2. What personal data we collect
When you contact us through the enquiry form, by email or by phone, we collect:
- your name
- your email address
- your phone number (if provided)
- the content of your message
- the date and time of your enquiry
When you use the on-site chat widget (Momentum Concierge), we collect:
- the content of your chat messages
- basic session data (browser, timestamp)
- your name, email or phone if you provide them
Chat responses are generated by AI (currently via the Anthropic Claude API). Chat transcripts may be reviewed by Velocity Web to improve responses and — where you request it — to follow up personally. Complex enquiries can be escalated to Martin Shelton via WhatsApp.
When you visit any page, our web server automatically logs:
- your IP address (masked where possible)
- your browser type and version
- the pages you visit and how long you spend on them
- the referring page
These logs are used for security, performance monitoring and abuse prevention. They are not linked to your identity unless you also submit a form or chat message.
Analytics and marketing tracking. With your consent, we use:
- Google Analytics 4 (via Google Tag Manager) to understand how visitors use the site, which pages they read, and where they came from. GA4 uses cookies (
_ga,_ga_*) and collects a pseudonymised client ID, referring URL, device and browser type, and IP address (masked by Google before storage). - Meta Pixel to measure the effectiveness of any advertising we run on Facebook or Instagram, and to build audiences of past visitors to show relevant ads. The Pixel uses cookies (
_fbp,_fbc) and reports page views, button clicks and form submissions back to Meta.
These trackers only load if you accept them via the cookie consent banner. You can change your consent at any time by clicking the “Cookie settings” link in the footer.
Cookies. We set essential cookies to operate the site, plus optional analytics and marketing cookies only with your consent. See section 8.
3. Legal basis under UK GDPR
We process personal data on these legal bases:
| Data | Basis |
|---|---|
| Contact form and email enquiries | Consent (you chose to contact us) and legitimate interests (responding to enquiries about our services) |
| Chat widget messages | Consent (you chose to send the message) |
| Server logs and security data | Legitimate interests (keeping the site secure and available) |
| Google Analytics 4 and Meta Pixel tracking | Consent (given via the cookie banner; withdraw at any time) |
| Client-project data (during a working engagement) | Contract (the agreement between us and you as a client) |
4. How we use your data
We use the personal data described above to:
- respond to your enquiry
- provide a quote or scope a project
- send you occasional project or business updates during an active engagement
- keep the website operating securely
- comply with legal obligations (for example, retaining invoices and tax records)
We do not sell your data. We do not send marketing emails to enquirers unless you explicitly opt in.
5. How long we keep it
- Enquiry data (form submissions, email correspondence): kept for up to 3 years after our last contact, then deleted unless you become a client.
- Client-project data: kept for the duration of the engagement plus 7 years after (to meet HMRC record-keeping requirements for invoices and contracts).
- Chat transcripts: kept for up to 12 months, then deleted.
- Server logs: rotated within 30 days.
- Cookies: expiry varies by cookie (see section 8).
6. Who we share your data with
We use the following third-party processors to run this website and our business. Each is contractually bound to protect your data:
| Processor | Purpose | Location |
|---|---|---|
| Cloudways (managed WordPress hosting) | Website hosting and server-level backups | United Kingdom / EU |
| Cloudflare | CDN, DDoS protection, WAF | Global (with UK-region routing where possible) |
| Momentum Technology Solutions Ltd | Powers the Momentum Concierge chat widget | United Kingdom |
| Anthropic PBC | AI responses in the chat widget (via Claude API) | United States (see international transfers below) |
| Google (Analytics 4 + Tag Manager) | Site analytics — only with your consent | United States (masked-IP mode) |
| Meta Platforms Ireland | Meta Pixel — advertising measurement, only with your consent | Ireland / United States |
| Google Workspace | Email correspondence with us | European Union / United States |
| Xero | Invoicing and accounting (if you become a client) | United Kingdom / Australia |
We may disclose personal data if required to do so by law, court order or a valid request from a UK regulator.
7. International transfers
Some of our processors — most notably Anthropic (chat AI), Google (Analytics, Tag Manager, Workspace) and Meta (Pixel) — process data outside the UK, typically in the United States or European Union. Where this happens we rely on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision to ensure your data remains protected to UK GDPR standards.
8. Cookies
Cookies on this site are managed by Complianz, which shows you a consent banner on your first visit and remembers your choices.
Essential cookies are always on — they’re required to run the site (WordPress session cookies for login, Cloudflare security cookies, the Momentum Concierge session cookie, and Complianz’s own cookie-consent record).
Analytics cookies (Google Analytics 4 via Google Tag Manager — _ga, _ga_*, _gid) load only if you accept them via the cookie banner. They record which pages you visit and where you came from, so we can improve the site.
Marketing cookies (Meta Pixel — _fbp, _fbc) load only if you accept them. They measure ad performance on Facebook and Instagram and let us show relevant follow-up ads.
A full, always-current list of every cookie on this site — including exact names, purposes and durations — is available on our Cookie Policy page, generated by Complianz from a live scan of the site.
You can review, accept, reject or change your cookie choices at any time by clicking “Manage cookie settings” in the footer. Rejecting analytics and marketing cookies will not stop you using the site.
Most browsers also let you refuse or delete cookies at the browser level; instructions vary by browser. Blocking essential cookies may break parts of the site.
9. Your rights under UK GDPR
You have the right to:
- access the personal data we hold about you
- correct inaccurate or incomplete data
- erase your data (“right to be forgotten”) where the legal basis no longer applies
- restrict or object to certain kinds of processing
- data portability — receive your data in a portable format
- withdraw consent at any time (where consent was the legal basis)
- complain to the Information Commissioner’s Office (ICO) — ico.org.uk — if you’re unhappy with how we’ve handled your data
To exercise any of these rights, email [email protected]. We’ll respond within one month.
10. Security
We host on Cloudways with our own Velocity Bolt performance and security stack — Cloudflare CDN and WAF, LiteSpeed server, daily off-site backups, and up-to-date WordPress + plugin patching. All access to the admin area is over HTTPS and requires strong passwords plus two-factor authentication.
No system is perfectly secure. If you believe your data has been affected by a breach on our systems, contact us immediately at [email protected]. We will notify the ICO within 72 hours where required by law.
11. Children
This website is not directed at children under 13. We do not knowingly collect personal data from children. If you believe we have, please contact us and we will delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes will be flagged at the top of the page with a revised “last updated” date. Continued use of the site after a change means you accept the updated policy.
