Privacy notice
Introduction
I respect the EU's General Data Protection Regulation (GDPR), and I respect you and your rights over the data you share with me. This document explains how I collect and treat any information you give me. You won't find complicated legal terms or long passages of unreadable text. I have no desire to trick you into agreeing to something you might later regret.
When you share your information with me, either by using my website, working with me, or collaborating with me on a project, I am responsible for your personal data. This gives me the role of data controller.
I value your privacy as much as I do my own, and I'm committed to keeping your personal and business information safe. I'm uncomfortable with the amount of information companies, governments, and other organizations keep on file, so I only ask for the strictly necessary information from the people I work and collaborate with.
I'll never use your personal information for any reason other than why you gave it to me, and I'll never give anyone access to it unless I'm required to by law.
Information I collect
Personal data means any information capable of identifying you. It does not include anonymized data. The categories below cover what I may collect and process. I do this on the grounds of legitimate interest, to perform a contract between us, or with your consent.
I occasionally use your contact information to send you details of my products and services. When I do, you have the option to unsubscribe and I won't send them again. I might also email or phone you about my products and services, but if you tell me not to, I won't get in touch again. I will use your information to send you invoices, statements, and reminders.
User data
Information about how you use my online services, plus anything you post for publication on my website or through other online channels. I process this data to operate, secure, and back up my website and databases, and to enable publication and administration of my website, other online services, and business.
Customer data
When you do business with me or hire my services, I collect information such as your name, address, email, phone number, business information, and bank details. I keep records of the invoices I send you and the payments you make. All card payments are processed by Stripe, my payment processor. I never have access to your credit card information.
Marketing data
Your preferences for receiving marketing from me and your communication preferences. I will occasionally use this information to send you details of my products and services.
Communication data
Anything you send me via forms on my website, email, text, social media, or any other channel. I collect this so I can communicate with you and keep records.
Sensitive data
I do not collect any sensitive data about you. Sensitive data refers to information about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health, and genetic and biometric data. I do not collect any information about criminal convictions or offences.
I run two services where you may share data with me: the public website at doingwellandgood.com and the client portal at erp.wellandgood.tech. The principles above apply to both. The specifics of what I collect on each are below.
What I collect on the public website (doingwellandgood.com)
- Cookies. Strictly necessary WordPress cookies for the site to function. No tracking cookies. See the cookie notice for the full list.
- Analytics. I use Fathom Analytics, which doesn't rely on cookies and anonymizes traffic. I get rough usage data without collecting your personal data.
- Comments. If you leave a comment, I collect what's in the comment form, your IP address, and your browser to help with spam detection.
- Avatars. If you leave a comment, an anonymized hash of your email may be sent to Gravatar to check for a profile picture. Your avatar is visible alongside your comment.
- Media. If you upload images, avoid embedded location data (EXIF GPS). Visitors can extract it.
- Links and embeds. No native social media buttons that build profiles of your activity. No embeds from sites like YouTube that drop cookies during playback.
- Newsletter signups. If you sign up to my newsletter, I collect your name, email address, communication preferences, and your interactions with the emails I send.
What I collect on the client portal (erp.wellandgood.tech)
- Cookies. Frappe session cookies for authentication. No tracking cookies.
- Form submissions. Anything you submit through portal forms (intake, requests, support tickets) is stored and processed for the purpose you submitted it.
- Project and billing data. Your customer record, project status, quotes, invoices, contracts, and payment history are stored to deliver the work you've contracted.
- Communications. Messages and ticket threads exchanged on the portal are retained for record keeping and continuity.
Collection methods
I collect data when you provide it directly: filling in forms on my site, sending emails, signing up to the newsletter, requesting a quote, or onboarding as a client. I may ask for further information about you and your business if we are going to work together.
Data storage
I am responsible for the security of your information. You can contact me by email at privacy@doingwellandgood.com or by phone at +46 (0) 76 183 4310 if you have any concerns about the information I store.
Data retention
I will only retain your personal data for as long as necessary to fulfil the purposes I collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. For specifics, see my data retention policy.
Data protection
I have put in place security measures to prevent your personal data from being accidentally lost, used, altered, disclosed, or accessed without authorization. For details, see my data protection policy.
International transfers
Sometimes it is unavoidable that I transfer your data to third parties outside the European Economic Area (EEA). When I do, I ensure safeguards are in place so that those parties provide a similar level of protection:
- I may transfer your data to countries that the European Commission has approved as providing an adequate level of protection.
- Where I use service providers established outside the EEA, I rely on standard contractual clauses (SCCs) approved by EU regulators, or codes of conduct or certification mechanisms, to give your data the same protection it has in the EEA.
Your legal rights
Under data protection laws you have rights regarding your personal data: access, correction, erasure, restriction, transfer, the right to object to processing, portability, and (where the lawful ground is consent) the right to withdraw consent. I want to honor every request that the law allows. To make a request, fill out the form on my data requests page.
I would appreciate it if you contacted me first if you have a complaint, so I can try to resolve it for you. If we can't resolve it together, your specific rights and the supervisory authority that backs them depend on where you live. Find your region below.
If you're in the European Union
You have the right to complain to the data protection authority of the country in which you are based. Each EU member state has its own supervisory authority. The European Data Protection Board maintains a [list of national authorities](https://www.edpb.europa.eu/about-edpb/about-edpb/members_en).
If you're in the United Kingdom
You have the right to complain to the [Information Commissioner's Office (ICO)](https://ico.org.uk/), the UK supervisory authority for data protection issues. The UK GDPR gives you the same core rights as the EU GDPR.
If you're in the United States
Your rights depend on the state you live in. California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and a growing list of other states grant rights to access, delete, correct, and opt out of the sale or sharing of personal information. To exercise any of these, use my [data requests page](/data-requests). I will respond within the timeframe required by the law that applies to you.
If you're in Australia
You have rights under the Australian Privacy Act 1988, including the right to access and correct your personal information. If you believe I have breached the Australian Privacy Principles, you can complain to the [Office of the Australian Information Commissioner (OAIC)](https://www.oaic.gov.au/).
If you're somewhere else
If your country has data protection laws and a supervisory authority, you can use them. If you're not sure, get in touch and I'll help you figure out the right route. Either way, the rights I commit to honoring above (access, correction, erasure, restriction, transfer, objection, portability) apply to you regardless of jurisdiction.
This privacy notice borrows heavily from Suzanne Dibble's template from her GDPR training materials.