Legal
Privacy Policy
Version 2.0 · Last updated: 3 May 2026
BuiltByGo Ltd (“we”, “us”, “our”) is committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and related data protection laws. This policy explains how we collect, use, and safeguard your personal data when you visit our website, contact us, or engage with us about our services.
BuiltByGo Ltd is a private limited company registered in England and Wales (Company No. 11121829). Registered office: The Mill House Court Farm, Church Lane, Norton, Worcester, WR5 2PS. ICO registration: ZA564668.
We are the data controller for personal data collected through this website and through pre-engagement enquiries.
For data we process on behalf of clients in the course of delivering services (where the client is the controller), see our Data Processing Agreement and Sub-processors register. Different terms apply.
Information we collect
We may collect the following categories of personal data when you use our website or contact us:
- Identity data — name, company name, job title
- Contact data — email address, phone number
- Enquiry data — project details, service preferences, budget information, and messages you submit through our contact form
- Technical data — IP address (anonymised for analytics), browser type and version, device information, time zone setting, operating system
- Usage data — pages visited, time spent on pages, referral source, clickstream data (only with your consent)
We do not collect any special category personal data through this website (such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation).
We do not knowingly collect personal data from children under 16.
How we use your data
| Purpose | Lawful basis |
|---|---|
| To respond to enquiries and provide quotations | Legitimate interests (operating our business and responding to prospective clients) |
| To deliver our services to you under a contract | Performance of a contract |
| To improve our website and services through analytics | Consent (managed via cookie banner) |
| To comply with legal obligations | Legal obligation (e.g. tax records, regulatory reporting) |
| To protect our legitimate interests in security and fraud prevention | Legitimate interests |
We will never sell your personal data to third parties.
We do not use automated decision-making (including profiling) that produces legal or similarly significant effects concerning you.
Lawful bases — quick reference
We process your personal data under the following lawful bases as set out in Article 6 of the UK GDPR:
- Consent — for non-essential cookies and analytics tracking, which you can manage via our cookie banner
- Contract — where processing is necessary for the performance of a contract with you, or to take steps at your request before entering a contract
- Legitimate interest — for responding to enquiries, improving our services, maintaining the security of our website, and operating our business
- Legal obligation — where we are required to process data by applicable law
Data retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
| Data type | Retention period |
|---|---|
| Enquiry data (contact form submissions, emails) | 2 years from last contact |
| Client project data | 6 years from project completion (to comply with contractual and legal obligations, including under Limitation Act 1980) |
| Analytics data | 26 months (Google Analytics default) |
| Technical logs (Cloudflare) | 30 days |
| Backups (where in scope) | 30 days rolling, encrypted |
For data processed on behalf of clients under our services, retention is configured per engagement and documented in the relevant Statement of Work and DPA. See our DPA for that framework.
Sub-processors (for this website)
We use the following sub-processors to deliver our website and respond to your enquiries:
| Sub-processor | Role | Region | Transfer safeguard |
|---|---|---|---|
| Cloudflare, Inc. | CDN, DNS, DDoS protection, security services | Global edge | Cloudflare DPA incorporating UK IDTA |
| Google LLC (Google Analytics) | Anonymous usage tracking (consent only) | US-based, EU + UK servers | Google DPA incorporating SCCs and UK IDTA |
Cloudflare Workers (contact.builtbygo.com) | Contact form processing endpoint | Cloudflare global edge | Cloudflare DPA incorporating UK IDTA |
For sub-processors involved in client engagements (where the client is the controller of the personal data), see our Sub-processors register. The list there is broader and reflects our service-delivery operations, not this website.
International transfers
Your personal data may be transferred to, and processed in, countries outside the UK. Where this occurs, we ensure appropriate safeguards are in place:
- Cloudflare Inc. (US-based, global infrastructure) — data is processed under Cloudflare's DPA which incorporates the UK International Data Transfer Agreement (IDTA)
- Google LLC (Google Analytics) (US-based) — data is processed under Google's DPA which incorporates Standard Contractual Clauses and the UK International Data Transfer Addendum
For client engagement data, transfer mechanisms are documented per sub-processor in our Sub-processors register.
Your rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Right to access — request a copy of the personal data we hold about you
- Right to rectification — ask us to correct inaccurate or incomplete data
- Right to erasure — request deletion of your personal data where there is no compelling reason for us to continue processing it
- Right to restrict processing — ask us to suspend processing your data in certain circumstances
- Right to data portability — request a copy of your data in a structured, commonly used, machine-readable format
- Right to object — object to processing based on legitimate interests, including direct marketing
- Rights related to automated decision-making — we do not use automated decision-making that produces legal effects concerning you, but you have the right to be informed if this changes
- Right to withdraw consent — for processing based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal
To exercise any of these rights, please contact us at privacy@builtbygo.com. We will respond within one calendar month of receipt, extendable by up to two months for complex requests (you'll be notified within the first month if an extension applies).
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK's independent data protection regulator. ICO website: ico.org.uk. ICO helpline: 0303 123 1113.
Cookies
For detailed information about how we use cookies and similar technologies, please see our Cookie Policy. You can manage your cookie preferences at any time via our cookie banner.
Data Processing Agreement
If you engage our services and require a Data Processing Agreement, our standard DPA is publicly available at builtbygo.com/dpa. It reflects UK GDPR Article 28 requirements and is included by reference in all client engagements. Per-engagement specifics are recorded in each Statement of Work.
For Latam-scope engagements, our DPA also accommodates Brazilian LGPD and Mexican LFPDPPP requirements.
Data Protection contact
We do not have a statutory Data Protection Officer (BuiltByGo's processing activities do not meet the GDPR Article 37 threshold for mandatory appointment). All privacy-related queries are handled by our management team:
privacy@builtbygo.com
BuiltByGo Ltd, The Mill House Court Farm, Church Lane, Norton, Worcester, WR5 2PS, United Kingdom.
Security
We take the security of your personal data seriously. See our Security & Trust page for our information security framework, controls, and certifications.
Document history
| Version | Date | Changes |
|---|---|---|
| 1.0 | May 2026 | Initial publication |
| 2.0 | 3 May 2026 | Privacy contact updated to privacy@builtbygo.com; clarified scope distinction between this Policy (for builtbygo.com itself) and the DPA / Sub-processors register (for client engagements); added Children's data and Sensitive data clarifications; added ICO complaint contact details; added retention table; added LGPD / LFPDPPP cross-reference for Latam engagements; clarified DPO position |