Because I store people’s personal data, I have obligations under the General Data Protection
Regulation (GDPR). I can be contacted with requests or questions relating to this on:
GDPR is about how people’s personal data is collected, processed, and stored. It requires
that the data be collected and processed only for well-defined purposes; stored and processed
securely; kept up to date; and retained no longer than necessary.
I collect, process and store personal data for various purposes in various places, each of
which is detailed in this policy.
I use the word ‘customer’ to mean any person who has contacted me in relation to the services I
For each customer, I store basic contact details like their name, address, email address and
- I obtain some of these details ‘implicitly’. For example, if a new customer phones me, their
number will most likely show up on my phone and I’ll save it from there.
- I obtain some details explicitly. For example, I might ask a customer for their address in
order to visit them.
- I obtain some details from public sources, usually to fill gaps or verify other information.
For example, if a customer gives me just their house number and road name, I might use Google
Maps to find the postcode.
I call the sum of this information my ‘address book’, and its main purpose is the
interest of serving customers in a more personal way. For example, when a customer phones
me I can greet them by name, or when they require a visit I can look up their address rather
than ask for it each time. It also enables me to provide
I keep my address book in Google Workspace, protected by two-factor authentication. It is
synchronised to my computer and backed up to an external drive, both of which are encrypted. It
is also synchronised to my mobile phone, which is encrypted and set to erase after 10 incorrect
In April each year, or soon thereafter, I compare my address book to my financial records for
the year just ended and the two before it and delete from the address book any customers who
don’t appear in those records: in essence, I delete the personal data of customers I haven’t
served for at least three years. Customers can also contact me to request that their data in my
address book be updated or deleted, or to request a copy of this data. Updates or deletion may
take several months to propagate to backup copies.
Many customers contact me via email, and I retain email messages for two legitimate interests.
First, it means I can maintain context for subsequent messages – in other words, ‘threads’ or
‘conversations’ – as is expected in email. Second, I can refer back to information that may help
me serve customers better in future. For example, if a customer previously told me details of a
problem they were having, and then one day asks for help with a similar problem, I can go back
and check those details.
I keep my email messages in Google Workspace, synchronise them to my phone, archive them to my
computer, and back them up to an external drive — all of which are protected as described in the
address book section above. Customers can contact me to request a copy of my historic email
exchanges with them.
Approximately once a year I delete all email messages older than five years. This deletion may
take several months to propagate to backup copies.
Text, iMessage and WhatsApp conversations
An increasing number of customers contact me by text message, Apple iMessage and WhatsApp. I
retain these messages for the same reasons as email messages, detailed above.
The messages are synchronised between my phone and computer, both of which are protected as
described in the address book section above. Customers can contact me to request a copy of my
recent text, iMessage or WhatsApp conversations with them.
My devices are set to delete text and iMessage messages automatically after 30 days.
Automatic deletion is not available in WhatsApp, but I endeavour to delete old messages
I operate a mailing list to communicate occasional tips and significant IT news. Customers
join this list by giving their explicit
I periodically ‘refresh’ this consent by reminding customers of their membership and asking them
to remain opted in.
I record customers’ membership of the list by adding their entries in my address book (see
above) to a group.
A customer can update their email address or withdraw their consent (be removed from the list)
by contacting me.
I have a
obligation to keep financial records, including for self-assessment and payment of income
tax. These records include customers’ names, along with the products or services purchased from
me and amounts paid.
I keep my financial records in Google Workspace, and back them up to my computer and external
drive — all of which are protected as described in the address book section above.
HMRC requires that I
records for at least five years. After this time, I anonymise customer data in them. This
anonymisation may take several months to propagate to backup copies.
In addition to bank transfer, cash and cheque, customers can choose to pay me by debit card,
credit card or PayPal. I use SumUp to send invoices and accept payments by card, and PayPal to
send invoices and accept payments both by card and directly via PayPal. With both companies, I
keep necessary information about customers and their purchases – much the same as in my address
book and financial records (see above) – and any personal and financial information entered by
customers when settling SumUp and PayPal invoices will be processed and stored by these
The explanatory articles and how-to guides on my website include links to my page on Buy Me
a Coffee, via which anyone can buy me one or more ‘coffees’ as a show of appreciation (it’s not
really coffee, just a small financial contribution). Personal information entered during this
process will be processed and stored by both Buy Me a Coffee and Stripe.
explained here. I can be contacted on 07837 751985 or