Privacy policy

Because I store people’s personal data, I have obligations under the General Data Protection Regulation (GDPR). I can be contacted with requests or questions relating to this on:

Summary

GDPR is about how people’s personal data is collected, processed, and stored. It requires that the data be collected and processed only for well-defined purposes; stored and processed securely; kept up to date; and retained no longer than necessary.

I collect, process and store personal data for various purposes in various places, each of which is detailed in this policy.

I use the word ‘customer’ to mean any person who has contacted me in relation to the services I offer.

Address book

For each customer, I store basic contact details like their name, address, email address and phone number.

I call the sum of this information my ‘address book’, and its main purpose is the legitimate interest of serving customers in a more personal way. For example, when a customer phones me I can greet them by name, or when they require a visit I can look up their address rather than ask for it each time. It also enables me to provide proper invoices.

I keep my address book in Google Workspace, protected by two-factor authentication. It is synchronised to my computer and backed up to an external drive, both of which are encrypted. It is also synchronised to my mobile phone, which is encrypted and set to erase after 10 incorrect passcode attempts.

In April each year, or soon thereafter, I compare my address book to my financial records for the year just ended and the two before it and delete from the address book any customers who don’t appear in those records: in essence, I delete the personal data of customers I haven’t served for at least three years. Customers can also contact me to request that their data in my address book be updated or deleted, or to request a copy of this data. Updates or deletion may take several months to propagate to backup copies.

Email messages

Many customers contact me via email, and I retain email messages for two legitimate interests. First, it means I can maintain context for subsequent messages – in other words, ‘threads’ or ‘conversations’ – as is expected in email. Second, I can refer back to information that may help me serve customers better in future. For example, if a customer previously told me details of a problem they were having, and then one day asks for help with a similar problem, I can go back and check those details.

I keep my email messages in Google Workspace, synchronise them to my phone, archive them to my computer, and back them up to an external drive — all of which are protected as described in the address book section above. Customers can contact me to request a copy of my historic email exchanges with them.

Approximately once a year I delete all email messages older than five years. This deletion may take several months to propagate to backup copies.

Text, iMessage and WhatsApp conversations

An increasing number of customers contact me by text message, Apple iMessage and WhatsApp. I retain these messages for the same reasons as email messages, detailed above.

The messages are synchronised between my phone and computer, both of which are protected as described in the address book section above. Customers can contact me to request a copy of my recent text, iMessage or WhatsApp conversations with them.

My devices are set to delete text and iMessage messages automatically after 30 days. Automatic deletion is not available in WhatsApp, but I endeavour to delete old messages periodically.

Mailing list

I operate a mailing list to communicate occasional tips and significant IT news. Customers join this list by giving their explicit consent. I periodically ‘refresh’ this consent by reminding customers of their membership and asking them to remain opted in.

I record customers’ membership of the list by adding their entries in my address book (see above) to a group.

A customer can update their email address or withdraw their consent (be removed from the list) by contacting me.

Financial records

I have a legal obligation to keep financial records, including for self-assessment and payment of income tax. These records include customers’ names, along with the products or services purchased from me and amounts paid.

I keep my financial records in Google Workspace, and back them up to my computer and external drive — all of which are protected as described in the address book section above.

HMRC requires that I keep financial records for at least five years. After this time, I anonymise customer data in them. This anonymisation may take several months to propagate to backup copies.

Invoicing systems

In addition to bank transfer, cash and cheque, customers can choose to pay me by debit card, credit card or PayPal. I use SumUp to send invoices and accept payments by card, and PayPal to send invoices and accept payments both by card and directly via PayPal. With both companies, I keep necessary information about customers and their purchases – much the same as in my address book and financial records (see above) – and any personal and financial information entered by customers when settling SumUp and PayPal invoices will be processed and stored by these companies.

‘Coffee’ contributions

The explanatory articles and how-to guides on my website include links to my page on Buy Me a Coffee, via which anyone can buy me one or more ‘coffees’ as a show of appreciation (it’s not really coffee, just a small financial contribution). Personal information entered during this process will be processed and stored by both Buy Me a Coffee and Stripe.

Feedback

I welcome feedback to help me improve this privacy policy and the clarity with which it is explained here. I can be contacted on 07837 751985 or martin@martinedwards.co.uk.