Legal

Privacy policy

Last updated: 9 June 2026

Who we are

This website is operated by Loki Denicolo trading as devbyloki, a sole trader based in Farnborough, Hampshire, United Kingdom.

Contact: hello@devbyloki.com

What data we collect

We collect personal data only when you actively provide it:

  • Contact form: Name, email address, business name, message
  • Project brief (/start): Name, email, business details, package selection, domain name
  • Project page (/project): File uploads (logo, brand assets), API keys you choose to provide, message thread content
  • Hosting subscription: Billing email via Stripe — we do not store card details

We do not use tracking pixels, advertising cookies, or third-party analytics.

How we use your data

  • To respond to your enquiry or quote request
  • To manage your project and communicate progress
  • To send transactional emails related to your project (stage updates, invoices, hosting)
  • To process hosting subscription payments via Stripe
  • To fulfil our contract with you

We do not sell, rent, or share your personal data with third parties for marketing purposes.

Legal basis (UK GDPR)

We process your personal data under the following lawful bases:

  • Contract: Processing necessary to perform or prepare for a contract with you
  • Legitimate interests: Responding to enquiries and managing business communications
  • Consent: Where you voluntarily provide optional data (e.g. API keys for third-party services)

Data storage & security

Your data is stored in Cloudflare's infrastructure (D1 database, KV store, R2 storage) within the European Union. Sensitive credentials (API keys) are encrypted using AES-256-GCM before storage and are never logged or visible to us in plaintext.

Payment processing is handled by Stripe, which is PCI-DSS compliant. We never store card numbers.

Transactional emails are sent via Resend. We have a Data Processing Agreement in place with Resend.

How long we keep your data

  • Project data: retained for 6 years after project completion (UK legal requirement for business records)
  • Enquiries that did not become projects: deleted after 12 months
  • API keys and credentials: deleted within 90 days of project cancellation or on your written request
  • Hosting billing data: retained as required by Stripe and UK tax law

Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data (right to erasure)
  • Restrict or object to how we process your data
  • Receive your data in a portable format
  • Withdraw consent at any time (where consent is the legal basis)

To exercise any right, email hello@devbyloki.com. We will respond within 30 days.

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO).

Cookies

We use only essential, functional cookies:

  • Admin session token: stored in sessionStorage for the duration of your admin panel session
  • No advertising, tracking, or analytics cookies are set

Contact

For any privacy-related questions: hello@devbyloki.com