Nebula Craft Design Ltd ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and disclose personal data when you visit nebulacraftdesign.com, contact us through our website, or otherwise engage with our studio.
We process personal data in accordance with the United Kingdom General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
By using our website or providing your information to us, you confirm that you have read and understood this policy.
Nebula Craft Design Ltd is the data controller responsible for your personal data. We are a company registered in England and Wales.
Data controller
Nebula Craft Design Ltd is not currently registered with the Information Commissioner's Office. We will register if and when our processing activities require it under the Data Protection (Charges and Information) Regulations 2018.
We only collect personal data that is necessary for the purposes set out in this policy. The categories of data we may collect are:
Contact and enquiry data
- Name
- Email address
- Company or organisation name (optional)
- Project details, brief, and any information you choose to share in your message
Technical and usage data
- Anonymised IP-derived location (country / region only)
- Device, browser, and operating system metadata
- Pages visited, referring URL, and time spent on pages
- Performance metrics (Core Web Vitals) used to improve site speed
Technical and usage data is collected in an aggregated, privacy-respecting form via Vercel Analytics. We do not track you across other websites or build advertising profiles.
- Directly from you when you complete our contact form or email us at hello@nebulacraftdesign.com.
- Automatically when you browse our website, via cookies and similar technologies (see our Cookie Policy).
- From third-party platforms only when you have given them permission to share that data with us (for example, if you contact us through a social network).
Under UK GDPR, we must have a valid lawful basis to process your personal data. We rely on the following bases:
| Purpose | Lawful basis |
|---|---|
| Responding to enquiries submitted via our contact form or email | Legitimate interests — to reply to your message and discuss potential work |
| Negotiating and entering into a client engagement | Contract — steps prior to entering into a contract with you |
| Fulfilling a signed client agreement | Contract |
| Measuring website performance and traffic (privacy-respecting) | Legitimate interests — to maintain and improve our website |
| Complying with legal, accounting, or tax obligations | Legal obligation |
| Defending or pursuing legal claims | Legitimate interests — to protect our rights |
Where we rely on legitimate interests, we have carried out a balancing test to ensure your rights and freedoms are not overridden by our processing.
We use your personal data only for the following purposes:
- To respond to your enquiry and provide the information or proposal you requested.
- To negotiate, prepare, and deliver design and development services where we enter into a client engagement.
- To send transactional emails relating to projects, invoices, or service updates.
- To maintain accurate business records as required by law.
- To monitor and improve the performance, security, and user experience of our website.
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
Where we transfer your personal data outside the United Kingdom — for example to our hosting provider in the United States — we ensure that an appropriate safeguard is in place. This usually takes the form of the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an applicable adequacy regulation.
You can request a copy of the safeguards we use by contacting us at hello@nebulacraftdesign.com.
We retain personal data only for as long as is necessary for the purposes we collected it.
| Data category | Retention period |
|---|---|
| Enquiries that do not progress to an engagement | Up to 24 months from last contact, then deleted |
| Client project records and correspondence | 7 years after engagement ends (for accounting and tax law compliance) |
| Invoices and accounting records | 7 years (HMRC requirement) |
| Website analytics (aggregated, non-identifying) | Up to 24 months |
When the retention period expires, we securely delete or irreversibly anonymise the relevant data.
You have a number of rights in relation to the personal data we hold about you. These rights are not absolute and may be subject to exemptions, but in general you have the right to:
Your eight rights
To exercise any of these rights, please email us at hello@nebulacraftdesign.com. We will respond within one calendar month. We do not charge a fee unless your request is manifestly unfounded or excessive.
We may ask you for proof of identity before acting on your request, to ensure your data is not disclosed to anyone other than you.
If you are unhappy with the way we have handled your personal data, please contact us first so we can try to resolve the issue.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection.
Information Commissioner's Office
We take the security of your personal data seriously. We use a combination of technical and organisational measures appropriate to the nature of the data and the risk of harm, including:
- HTTPS encryption across our entire website
- Access controls and authentication on internal systems
- Reputable hosting and email providers with strong security posture
- Regular review of our processing activities and supplier arrangements
No method of transmission over the internet is completely secure. If you have reason to believe your interaction with us is no longer secure, please contact us immediately.
Our website and services are intended for businesses and adults aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take steps to delete it.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The "Effective date" at the top of this page indicates when the policy was last revised.
Material changes will be communicated through a prominent notice on our website. We encourage you to review this policy periodically.
If you have any questions about this Privacy Policy or our handling of your personal data, please contact us: