Who we are
Verithora is a sole-trader firm based in Reigate, Surrey, United Kingdom. We act as the data controller for the personal data described on this page.
If you want to talk to us about your data, email [email protected].
ICO registration: Verithora (Ethan Carlton, sole trader) is registered with the Information Commissioner's Office; registration is currently in progress (application reference C1963248).
What we collect, why, and for how long
We try to collect as little as we can. Specifically:
- If you contact us via the form or email: your name, your email address, and whatever you choose to write to us. We use this to reply, scope work, and (if we end up working together) deliver the service. We keep it for as long as we are corresponding plus 24 months. Legal basis: legitimate interests (you wrote to us) and, once a contract exists, contract.
- If you become a client: the data we need to invoice you and run the service — company name, billing address, VAT registration if relevant, ownership of any content you send us for the site. Kept for the life of the engagement plus seven years (HMRC retention). Legal basis: contract and legal obligation.
- Visitors to the public marketing pages: we do not run any analytics or tracking on the public marketing pages of this site - no cookies, no pixel, no fingerprinting. Our host (Cloudflare) keeps standard, short-lived server logs to protect the site from abuse and to serve it reliably; those logs are Cloudflare's, retained briefly, and not used by us to profile you. Legal basis for the security logging: legitimate interests (running and protecting the site).
- Visitors to a personalised proposal preview page: when we send a business a proposal, the preview page (a separate, unlisted page, not part of the public marketing site) uses PostHog product analytics, including a session recording (replay) of the visit (with any text you type masked), so we can see whether the proposal was opened and read. PostHog is hosted in the EU (no transfer outside the UK or EEA). We use it only to understand engagement with the proposal we sent you - not to advertise to you and not to follow you around the web. The cookie notice describes exactly what this does on your device. Legal basis: legitimate interests (understanding whether the business we contacted has engaged with our proposal).
If we contact you with a proposal (prospective clients)
Part of how we find work is to look for local businesses whose website we think we could genuinely improve, and to send them a single, personalised proposal. If you received an unsolicited proposal from us, this section explains exactly what we did and what your rights are. We think it is fair to be completely open about it.
Where we got your details. We only use business contact information that is already public. Specifically, we take the business name, the email address or phone number a business publishes on its own website, the website address itself, and public registration information, from sources such as:
- the business's own website;
- Google, including a Google Business Profile listing; and
- Companies House.
We do not buy marketing lists, scrape personal social-media accounts, or guess personal email addresses. We use the contact route the business has chosen to publish.
What we do with it, and why. We use these details once: to send a single, personalised website proposal to a local business we think could benefit from the service. The proposal lives on an unlisted preview page that search engines are told not to index.
Our lawful basis. We rely on legitimate interests (UK GDPR Article 6(1)(f)): our interest in offering a relevant service to a local business that publishes its contact details, balanced against your interest in not being bothered. We have written down that balancing assessment and we keep the outreach low-volume, relevant, and easy to stop.
What we hold, and for how long. The personalised preview page is unlisted and marked no-index, and we take it down after about two weeks. We delete a prospect's contact details on request. If you ask us not to contact you again, we keep only the minimum needed to honour that - a single suppression entry (for example your email address or domain) so that we do not approach you by mistake in future.
Your rights here. You can object to this outreach at any time; the right to object to direct marketing is absolute, and a reply asking us not to contact you is honoured immediately and permanently. You can also ask what we hold, ask us to delete it, and complain to the Information Commissioner's Office at ico.org.uk. Email [email protected] and that is the end of it.
What we do not do
- We do not sell your data.
- We do not run third-party advertising or remarketing on this site.
- We do not place tracking cookies on the public marketing pages of this site. The only things a visitor may encounter here are strictly-necessary items set by our host (Cloudflare) for bot protection, and — when you use the contact form — Cloudflare Turnstile's anti-spam check. The one exception is a personalised proposal preview page, which sets a PostHog analytics cookie and records the session; our cookie notice spells out exactly what those are.
- We do not use a chat-bot vendor or a customer-success tool that reads your messages.
Sub-processors
We use a small list of third parties to actually run the business. They are:
- Cloudflare — hosts this site (Cloudflare Pages), protects it from abuse, runs the spam protection on the contact form (Cloudflare Turnstile), and processes contact-form submissions through a Cloudflare Worker that emails them to us. UK / EU edge serving. Privacy policy.
- Email provider — handles inbound and outbound email to [email protected].
- Accounting / invoicing software — generates invoices and stores them for HMRC retention.
- Payment processor — receives client payments for monthly fees. We never see your card details.
- PostHog - product analytics and session recording (session replay, with typed input masked) on our personalised proposal preview pages only (not the public marketing site), used to see whether a proposal was opened and read. EU region (eu.posthog.com); no data leaves the EU or UK. Privacy policy.
Specific vendor names are kept current on this page. If we change one materially, we update this list and the Last updated date above.
Your rights under UK GDPR
You have the right to:
- Ask what data we hold about you, in a copy you can read.
- Ask us to correct anything wrong.
- Ask us to delete what we hold, where we can do so (we cannot delete invoices and similar records before HMRC retention runs out).
- Object to processing based on legitimate interests.
- Withdraw consent at any time, where consent is the basis (it rarely is on this site).
- Complain to the Information Commissioner's Office at ico.org.uk.
Email [email protected] to exercise any of these. We reply inside seven days.
Children
This site is not aimed at children. We do not knowingly collect data from anyone under 16. If you believe we have, email us and we will delete it.
International transfers
Our hosting and email vendors operate from the UK, EU, and US. Where data is processed outside the UK, our vendors operate under UK International Data Transfer Agreement safeguards or equivalent (Standard Contractual Clauses). We do not transfer client data outside the UK or EEA unless the vendor we use to deliver the service requires it. Our proposal analytics provider, PostHog, is configured to use its EU region, so proposal-engagement data stays within the EU.
Changes to this notice
When we change this notice in a way that materially affects you, we update the date at the top and (if you are a client) we email you. Cosmetic changes are not announced.
Plain-English notice, written by a person, reviewed by Verithora before publishing.