PRIVACY POLICY
What we collect, why, and what you can ask us to do.
A plain-English account of every piece of personal data we touch, the legal basis for touching it, the third parties involved, and the rights you can exercise.
1. Who is the data controller
The data controller for this site is Horizon Workflow Limited, a private limited company registered in England and Wales (company number 15898019), whose registered office is at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.
You can reach the data controller by emailing hello@mikefraser.me.
2. ICO registration
Horizon Workflow Limited is registered with the UK Information Commissioner's Office under the Data Protection (Charges and Information) Regulations 2018. Registration reference: C1930166. The public register entry is searchable at ico.org.uk/ESDWebPages/Search.
3. What personal data we collect
We collect the minimum personal data needed to run the site and to deliver the services described on it.
- Email address, and where provided, first name. When you submit a form on the site (lead-magnet download, newsletter signup, fit-call enquiry), this information is passed to our email service provider, Kit. The full list of fields on any given form is visible on the form itself.
- Anonymised analytics data. When you visit any page on the site, Google Analytics 4 records the page viewed, the approximate country (derived from your IP, which is anonymised at collection), the device and browser type, and the referring source. IP addresses are not stored.
- Purchase information. When you buy a digital toolkit, Paddle (the merchant of record) collects your name, email address, billing address, and payment method to process the sale. Paddle is a separate data controller for this information. We receive only summary order data (order ID, product, net amount, buyer email) from Paddle.
- Theme preference. If you toggle the site to dark mode, your choice is stored in your browser's localStorage. This is local to your device and never sent to us.
4. Why we collect it (legal basis under UK GDPR)
| Data | Purpose | Legal basis |
|---|---|---|
| Email and name (form submission) | To send you the requested lead magnet, newsletter, or fit-call response | Consent (you opt in by submitting the form; you can withdraw at any time) |
| Email (post-purchase) | To send onboarding, support, and follow-up emails after a toolkit purchase | Legitimate interest in supporting buyers; you can opt out at any time |
| Analytics data | To understand how the site is used and improve it | Legitimate interest in operating the site effectively |
| Purchase data (held by Paddle) | To complete the sale, issue an invoice, and process refunds | Performance of a contract |
5. Third parties who process data for us
We use the following processors. Each is bound by a data-processing agreement and by Standard Contractual Clauses where international transfers are involved.
- Kit (Kit.com Inc.), United States. Email service provider. Hosts the subscriber list, sends transactional and marketing emails, and stores tags reflecting the form you signed up through. Standard Contractual Clauses in place for the international transfer.
- Paddle (Paddle.com Market Limited), United Kingdom. Merchant of record for toolkit purchases. Paddle is a separate data controller, not a processor on our behalf. Its privacy policy is at paddle.com/legal/privacy.
- Google Analytics 4 (Google LLC), United States. Site analytics. Configured with IP anonymisation. Subject to Standard Contractual Clauses and to the EU-US and UK-US Data Privacy Frameworks.
- GitHub Pages (GitHub Inc.), United States. Static hosting for the site itself. GitHub processes server logs (IP, timestamp, user-agent) for security purposes. Standard Contractual Clauses apply.
6. Cookies and local storage
The site uses the following client-side storage. There are no advertising cookies, no third-party tracking pixels, and no cross-site tracking.
- Google Analytics 4 cookies (
_ga,_ga_YMWVQ2X1VC). Used to distinguish unique visitors and sessions. Retention: 14 months. - Theme preference. Stored in
localStorage, never transmitted off-device.
7. How long we keep your data
- Email subscribers. Held in Kit until you unsubscribe. On unsubscribe, removed within 30 days.
- Analytics. 14 months in GA4 (the default user-data retention setting). Aggregated reports are kept indefinitely.
- Purchase records. Paddle retains the full transaction record per its own policy. We receive summary order data which we retain for accounting purposes for 6 years from the end of the financial year, as required by UK statutory record-keeping obligations.
8. Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you
- Have inaccurate data corrected
- Have your data erased ("right to be forgotten"), subject to our legal record-keeping obligations
- Restrict processing of your data
- Receive your data in a portable format
- Object to processing based on legitimate interest
- Withdraw consent at any time, where consent is the legal basis
To exercise any of these rights, email hello@mikefraser.me. We will respond within one month and confirm what action we have taken.
9. Complaints
If you are unhappy with how we have handled your personal data, you have the right to complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint. We would prefer the chance to put things right first, so please contact us before escalating if you can.
10. Changes to this policy
We may update this policy from time to time. The current version is always at this URL. Material changes will be flagged in the next regular newsletter, and the "Last updated" date below will change.