Privacy Policy

How We Handle Data

This policy explains how Catallactic Labs handles enquiries, website data, service providers and project-related information.

Last updated: May 2026

Short Version

We collect the information you choose to send through our forms and the limited technical data needed to run, secure and improve this website.

We use carefully selected service providers for hosting, email delivery, website security, static assets and similar operational needs. We do not sell enquiry data.

If you ask us to build, consult on or support a project, any wider data use will depend on the services agreed for that project and will be handled under the relevant proposal, agreement or support arrangement.

Who We Are

Catallactic Labs provides software, websites, applications, CRM systems, automation, AI tools and technical consulting.

For privacy, legal or data questions, contact [email protected].

Controller Details

For this website and its enquiry forms, Catallactic Labs is the controller of the personal data you choose to provide and the technical data processed for website operation and security.

If you become a client, project-specific controller, processor and subcontractor responsibilities may be confirmed separately in the relevant proposal, contract or data processing terms.

Information We Collect

We collect information you provide directly, such as your name, email address, company, project notes, budget range, timeline, selected interests and any message you send.

We may also collect technical information connected with your visit or form submission, such as IP address, browser type, device information, referral source, landing page, UTM campaign fields and security signals.

We only ask for information that is useful for responding to your enquiry, protecting the website or managing a potential working relationship.

Please do not send special category data, confidential credentials or unnecessary sensitive information through the website forms.

How We Use Information

Purpose
What this means
Typical lawful basis
Responding to enquiries
Reviewing your request, replying by email and suggesting appropriate next steps.
Consent, legitimate interests or steps before a contract.
Preparing project work
Understanding scope, goals, budgets, timelines and technical context.
Steps before a contract and legitimate interests.
Website security
Preventing spam, bots, abuse, fraud and unreliable form submissions.
Legitimate interests.
Operations and records
Keeping business records, managing correspondence and maintaining service reliability.
Legitimate interests, contract or legal obligation.

Service Providers & Third Parties

We use third-party providers where needed to operate, secure, deliver or improve the website and our services. These providers may process limited personal or technical data depending on how you use the website.

Current and expected provider categories are listed below. Project-specific tools, payment methods, integrations or AI services may vary depending on what is agreed with a client.

Provider or category
Purpose
Typical data involved
DigitalOcean / hosting
Website hosting, database, static files and infrastructure.
Request metadata, server logs, form data, stored enquiry records.
Google / email
Sending and receiving enquiry and confirmation emails.
Names, email addresses, message content and delivery metadata.
Cloudflare Turnstile
Spam, bot and abuse prevention for protected forms.
IP address, browser/device data, request data, interaction signals and security tokens.
Fonts, icons and CDNs
Displaying fonts, icons, scripts and static website assets.
IP address, browser information, referrer and requested asset URLs.
Project services
APIs, AI tools, payments, analytics, maps, authentication, scheduling or other approved integrations.
Depends on the agreed project features and client instructions.
Hosting, storage and infrastructure +

The website may be hosted on infrastructure providers such as DigitalOcean. Hosting providers process request data such as IP address, user agent, pages requested, timestamps, server logs and any form data submitted through the website.

Static files, brand images and email images may also be served from storage or CDN services such as DigitalOcean Spaces. When these assets load, the provider may receive technical request data from the visitor or email recipient.

Email delivery and correspondence +

Form submissions and confirmation emails may be sent through email services such as Google/Gmail or another configured SMTP provider.

Email providers process message content, sender and recipient addresses, delivery metadata and related technical information needed to send and receive email.

Website security and spam prevention +

We may use services such as Cloudflare Turnstile to protect forms and website features from spam, bots, misuse and automated abuse.

When active, these services may process technical data such as IP address, browser and device information, request data, interaction signals and security tokens to verify that a request is genuine.

We use this processing because we have a legitimate interest in keeping the website secure, reliable and protected from abuse.

Fonts, icons, scripts and static assets +

This website may load fonts, icons, scripts or static assets from providers such as Google Fonts, Tailwind CDN, Iconify and jsDelivr.

When external assets load, those providers may receive technical data such as IP address, browser information, referrer and the asset URL requested. These services are used to display the website correctly and maintain its visual functionality.

Payments, cryptocurrency and subscriptions +

Payment methods, including cryptocurrency payments where appropriate, are agreed before work begins. Payment providers, banks, wallet services, exchanges or blockchain networks may process payment identifiers, transaction records, wallet addresses, billing information and related compliance data.

Cryptocurrency transactions may be recorded on public blockchains. We will confirm any practical payment details, taxes, settlement terms, fees and currency conversion arrangements separately.

Project tools, integrations and AI services +

Client projects may involve APIs, cloud services, maps, scheduling tools, analytics, authentication, payment processors, email services, AI providers or other integrations.

The data shared with those services depends on the system being built and the features a client approves. We aim to design systems so data sharing is purposeful, proportionate and appropriate for the agreed use case.

External links and social platforms +

If you follow links to external websites or social platforms, those services may process your data under their own privacy terms. This can include account information, cookies, IP address, device data and referral information.

Retention

We keep personal data only for as long as reasonably needed for the purpose collected, including business follow-up, record keeping, legal obligations, dispute handling and service continuity.

Record type
Typical retention approach
Website enquiries that do not become active work
Usually retained for up to 24 months for follow-up, context and duplicate handling, unless a longer period is reasonably required.
Client, project and accounting records
Usually retained for up to 6 years after the relationship or relevant transaction, where needed for contract, tax, legal or business records.
Security, server and form-abuse records
Usually retained for a shorter operational period unless needed to investigate abuse, protect systems or evidence an issue.

International Processing

Some providers may process data outside the UK. Where this happens, we rely on appropriate safeguards, provider terms, data processing agreements or other lawful transfer mechanisms where required.

Your Rights

Depending on the circumstances, you may have rights to access, correct, delete, restrict or object to the use of your personal data, and to complain to the UK Information Commissioner's Office.

To make a request, email [email protected]. We may need to verify your identity before acting on a request.

You can also complain to the UK Information Commissioner's Office if you are unhappy with how your data is handled.