Privacy Notice
Last updated: 9 February 2026
1. Who we are
Zelly is a sole trader business based in the United Kingdom that designs, builds, and hosts bespoke websites for small businesses. Our registered address is 64 Nile Street, Shoreditch, London N1 7SR. For the purposes of UK data protection law (the UK General Data Protection Regulation and the Data Protection Act 2018), Zelly is the data controller responsible for your personal data.
If you have any questions about this privacy notice or how we handle your personal data, please contact us at privacy@zelly.studio.
2. What data we collect
We collect and process the following categories of personal data depending on how you interact with us:
When you submit an enquiry
- First name and last name
- Email address
- Phone number (optional)
- Business name (optional)
- Which pricing plan you are interested in
- Your message describing what you need
When you create an account
- Email address
- Password (stored in hashed form - we never store or have access to your plain-text password)
When you subscribe to a plan
- Payment card details (processed and stored securely by Stripe - we do not store your full card number)
- Billing name and address
- Transaction and invoice history
- Subscription plan and status
Automatically collected data
- IP address and browser interaction data (collected by Cloudflare Turnstile for anti-bot protection when you submit a form)
- Authentication session tokens (stored in cookies to keep you logged in)
3. How and why we use your data
We only process your personal data when we have a lawful reason to do so. The table below sets out each purpose and the corresponding legal basis under UK GDPR:
| Purpose | Lawful basis |
|---|---|
| Responding to your enquiry and providing you with a quote | Legitimate interest (responding to prospective customers) and, where applicable, taking steps prior to entering into a contract at your request (Article 6(1)(b)) |
| Creating and managing your account | Performance of a contract (Article 6(1)(b)) |
| Processing subscription payments and issuing invoices | Performance of a contract (Article 6(1)(b)) and compliance with a legal obligation to maintain financial records (Article 6(1)(c)) |
| Sending you service-related emails (e.g. website updates, account notifications) | Legitimate interest (keeping you informed about your website and account) (Article 6(1)(f)) |
| Protecting our website from spam and abuse (Cloudflare Turnstile) | Legitimate interest (security and fraud prevention) (Article 6(1)(f)) |
| Maintaining authentication sessions (cookies) | Strictly necessary for the service you have requested |
We do not use your personal data for automated decision-making or profiling. We do not sell your personal data to third parties. We do not send marketing emails unless you have explicitly opted in to receive them.
4. Who we share your data with
We share your personal data only with trusted third-party service providers who help us operate our business. Each provider processes your data solely on our instructions and is bound by data processing agreements:
- Supabase - Cloud database and authentication. Stores your account data and enquiry submissions.
- Stripe - Payment processing. Handles your subscription payments, stores your payment method, and generates invoices. Stripe is a PCI DSS Level 1 certified payment processor.
- Resend - Transactional email delivery. Receives your name and email address to send you service-related notifications.
- Cloudflare - Content delivery and anti-bot protection (Turnstile). Processes your IP address and interaction data to verify you are a real person.
We may also disclose your personal data if required to do so by law, regulation, or legal process (for example, in response to a court order or a request from a regulatory authority such as HMRC).
5. International transfers
Some of the third-party services we use are based outside the United Kingdom. When your personal data is transferred outside the UK, we ensure it is protected by appropriate safeguards:
- Stripe (United States) - Certified under the UK-US Data Bridge and the EU-US Data Privacy Framework.
- Supabase - Transfers are protected by standard contractual clauses approved by the UK Government.
- Resend (United States) - Transfers are protected by standard contractual clauses.
- Cloudflare (global network) - Transfers are protected by standard contractual clauses.
6. How long we keep your data
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
| Data | Retention period |
|---|---|
| Contact form enquiries | 2 years from your last contact with us, unless the enquiry leads to a customer relationship |
| Account data | Duration of your account plus 30 days after deletion |
| Financial and billing records | 6 years after your subscription ends (as required by HMRC for tax and accounting purposes) |
| Service email logs | 2 years |
| Authentication session cookies | Duration of your browser session or until you log out |
7. Cookies and similar technologies
Our website uses a limited number of cookies and browser storage technologies:
- Authentication cookies - Strictly necessary cookies set by Supabase to maintain your login session. Without these, you would not be able to stay logged in. These cannot be disabled.
- Theme preference - We store your light/dark mode preference in your browser's local storage so your chosen theme persists between visits. This is not a cookie and does not contain personal data.
- Cloudflare Turnstile - May set cookies or use browser storage to verify you are a real person when you submit a form. See Cloudflare's privacy policy for details.
We do not use any analytics, advertising, or tracking cookies.
8. Your rights
Under UK data protection law, you have the following rights in relation to your personal data:
- Right of access - You can request a copy of the personal data we hold about you.
- Right to rectification - You can ask us to correct any inaccurate or incomplete data.
- Right to erasure - You can ask us to delete your personal data, subject to any legal obligations we have to retain it.
- Right to restrict processing - You can ask us to temporarily stop processing your data in certain circumstances.
- Right to data portability - You can request a copy of your data in a structured, commonly used, machine-readable format.
- Right to object - You can object to processing based on legitimate interest. We will stop unless we have compelling grounds to continue.
- Right to withdraw consent - Where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please email us at privacy@zelly.studio. We will respond to your request within one month.
9. How to complain
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent body set up to uphold information rights:
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
We would appreciate the chance to address your concerns before you approach the ICO, so please contact us at privacy@zelly.studio in the first instance.
10. Changes to this notice
We may update this privacy notice from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will update the “last updated” date at the top of this page. We encourage you to review this notice periodically.
