This privacy policy explains how Coppermark Ltd ("Coppermark", "we", "us", "our") collects, uses and protects personal data when you visit our website at coppermark.co.uk, enquire about our services, attend an Overwhelm Audit, or hold a retainer with us.
Coppermark is the data controller for the personal data described in this policy.
When we deliver workflow automations on behalf of a retainer client, the personal data flowing through those workflows belongs to the client's customers, suppliers and staff. In that context the client is the controller and Coppermark acts as a processor under a written Data Processing Addendum (DPA). Where a retainer client is itself acting as a processor for someone else (for example, a marketing agency, an IT MSP or a bookkeeping firm processing data on behalf of their own client), Coppermark acts as a sub-processor in that chain, under the same written DPA. This policy does not cover either form of processor activity — see your supplier's privacy policy and the DPA we have in place with them.
We only collect personal data that we genuinely need. The categories below describe everything we hold.
| Where it comes from | What we collect |
|---|---|
| Website contact form, email, phone | Name, business name, email address, phone number, the message you send us |
| Overwhelm Audit booking | Name, business name, email, phone, the workflow notes you share during the session |
| Retainer onboarding | Billing contact, authorised users, business address, VAT number (if applicable), bank/payment details |
| Support requests | Anything you include in tickets, emails, or chat messages |
| Source | What we collect |
|---|---|
| Website analytics | IP address, approximate location (country/region), browser and device type, pages visited, referrer, session timing |
| Cookies / similar technologies | See Section 10 |
| Service logs | Login times, IP address, the actions you take in your isolated n8n instance — used for security and troubleshooting |
| Source | What we collect |
|---|---|
| Referral partners (e.g. accountants) | Name, business name and contact details when you have agreed to a warm introduction |
| Public sources (Companies House, business directories, LinkedIn) | Business contact details for prospect research, only where the lawful basis is met |
| Payment provider (Stripe) | Confirmation that a payment has been made and metadata related to the transaction — we do not see full card numbers |
We do not routinely process special category data (health, ethnicity, religion, etc.) or children's data. If a workflow you ask us to build will involve special category data on behalf of your business, that is covered separately under our DPA, not this policy.
Under the UK GDPR we must have a lawful basis for every use of personal data. Each purpose below states that basis.
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Replying to enquiries and proposals | Legitimate interests — responding when you ask us to |
| Delivering Overwhelm Audits and retainer services | Contract — performing our agreement with you |
| Issuing invoices, taking payment, accounting and tax records | Legal obligation (HMRC) and contract |
| Sending service-related emails (changes, downtime, security notices) | Contract |
| Sending occasional marketing emails to existing business customers about similar services | Legitimate interests, with an unsubscribe link in every email |
| Sending marketing to non-customers | Consent — we ask first, and you can withdraw at any time |
| Securing our infrastructure, detecting fraud and abuse | Legitimate interests |
| Improving our service — anonymised usage analysis | Legitimate interests |
| Complying with regulatory requests, court orders or law-enforcement obligations | Legal obligation |
We never sell your personal data, and we do not use it to train third-party AI models without your specific consent.
We keep our supplier list short and we contract carefully. Where a supplier processes personal data on our behalf we have a data processing agreement in place with them, and where transfers leave the UK/EEA we rely on the UK IDTA, the UK Addendum to the EU SCCs, or an adequacy regulation as required by Articles 44–49 UK GDPR.
| Supplier | Purpose | Data location |
|---|---|---|
| Hetzner Online GmbH | Hosting all servers (Coolify control plane, n8n containers, Postgres, Vault) | Germany (EEA) |
| Stripe Payments Europe Ltd | Recurring billing and card processing | Ireland (EEA), with onward transfers to the US under SCCs |
| OpenAI Ireland Ltd / OpenAI, L.L.C. | LLM API calls used in our internal tooling and proposals | EEA + US, under SCCs |
| Anthropic, PBC | Claude API for long-document drafting in our tooling | US, under SCCs |
| Google Ireland Ltd | Google Workspace (email, calendar, drive) for our own operations | EEA + US, under SCCs |
| Microsoft Ireland Operations Ltd | Azure OpenAI for clients requiring documented EU data residency | EEA |
| Notion Labs Inc. | Internal documentation and project management | US, under SCCs |
| GitHub Inc. | Workflow template version control (no client personal data) | US, under SCCs |
A full, current list of sub-processors is available on request from [email protected].
We do not share personal data with advertising networks.
Most of our infrastructure is hosted in the European Economic Area (Germany via Hetzner). Where we use providers based outside the UK or EEA — in particular OpenAI, Anthropic, Stripe, Google, Notion and GitHub — the transfer is protected by:
For clients who need documented UK/EU data residency in their workflows (typically professional services such as solicitors and accountants), we route relevant LLM calls to Microsoft Azure OpenAI in EU West, or run Ollama locally on Hetzner as part of a Pro tier deployment. Those arrangements are recorded in your DPA, not in this policy.
You can request a copy of the relevant transfer mechanism by emailing [email protected].
| Data | Retention |
|---|---|
| Enquiries that don't lead to a contract | Up to 12 months from last contact, then deleted or anonymised |
| Active retainer client records | For the duration of the engagement, plus 6 years (HMRC requirement on financial records) |
| Invoices, payment records and tax documents | 6 years from end of relevant accounting period |
| Marketing contact lists | Until you unsubscribe or 24 months of inactivity, whichever comes first |
| Website analytics | 14 months (Google Analytics default) or shorter |
| Service logs (n8n login activity, audit trail) | 12 months for security investigation, then deleted |
| Backups | Rolling 30 days; backups are deleted on schedule and not used for live access |
When the retention period ends we either securely delete the data or anonymise it so it can no longer identify you.
Our technical and organisational measures include:
No system is completely secure. If we ever experience a personal data breach that is likely to result in a risk to your rights, we will report it to the ICO within 72 hours and tell you directly without undue delay where the law requires.
Under the UK GDPR you have the right to:
To exercise any of these rights, email [email protected]. We will respond within one calendar month. There is no charge unless your request is manifestly unfounded or excessive.
If you are not satisfied with our response, you can complain to the Information Commissioner's Office (ICO):
We would prefer the chance to put things right first, so please do contact us before going to the ICO.
If you are an existing customer we may occasionally email you about similar services we offer, on the basis of legitimate interests under PECR. Every email contains a clear unsubscribe link.
If you are not an existing customer we will only send you marketing if you have asked us to or have not objected to receiving it during a business introduction. You can unsubscribe at any time, including by replying to any of our emails or contacting [email protected].
We do not pass your details to other organisations for their own marketing.
Our website uses cookies and similar technologies. The categories we use are:
| Category | Purpose | Consent |
|---|---|---|
| Strictly necessary | Make the site work (session, security, load balancing) | No consent required (PECR exemption) |
| Analytics | Understand which pages are useful and improve them | Loaded only after you accept the banner |
| Functional | Remember preferences (e.g. cookie-banner dismissal) | Loaded only after you accept |
We do not use advertising or cross-site tracking cookies. You can withdraw cookie consent at any time from the cookie banner or via your browser settings.
Our service is provided to businesses, not to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact [email protected] and we will delete it.
We may update this policy from time to time. The "Last updated" date at the top will reflect any change. If we make a material change we will notify retainer clients by email at least 14 days before it takes effect, where it is reasonable to do so.
For any privacy question, request, or complaint, please email [email protected] or write to us at [REGISTERED ADDRESS].
We aim to respond to every privacy enquiry within 5 working days.