01 Who we are
OneTapWeb ("we", "us", "our") is a UK business that builds and hosts websites for small businesses and sole traders. We operate at onetapweb.co.uk, onetaptrade.co.uk and onetapbeauty.co.uk.
We are the data controller for the personal information you share with us. That means we decide how and why it's used, and we're accountable for looking after it.
02 What we collect
We only collect what we need to provide our service. In practice, that falls into a few buckets:
03 Why we collect it
Under UK GDPR, every piece of data we hold needs a legal basis. We rely on one of these four:
- Contract — to deliver the service you've paid for (build your site, host it, send invoices, handle support).
- Legitimate interests — to respond to enquiries, improve our service, prevent fraud, and occasionally send you a relevant product update if you're already a customer.
- Consent — for marketing emails to non-customers (we only send these if you ticked the box).
- Legal obligation — to keep financial records for HMRC, or to comply with a valid legal request.
04 How we use your data
Specifically, we use your information to:
- Build, deliver and host your website
- Contact you about your enquiry or account (email, phone, SMS)
- Take payment for your monthly hosting subscription via Stripe
- Send invoices, receipts and service notices
- Provide customer support when you need help
- Monitor our systems for uptime, security and abuse
- Very occasionally, let existing customers know about a new feature — with a one-click unsubscribe always available
We do not sell, rent or trade your personal data to anyone. Ever.
05 Who we share it with
We work with a small number of carefully chosen providers to run the service. Each one has a contract with us requiring them to protect your data to at least the same standard we do:
- Stripe — payment processing. Handles your card details so we don't have to.
- Twilio — SMS delivery (reminders, notifications).
- Our UK hosting provider — stores the servers your website and account data live on.
- Umami — privacy-respecting website analytics (self-hosted, no ad tracking).
- Google Workspace — our business email (hello@onetapweb.co.uk).
- Meta (Facebook/Instagram) — if you submitted a Lead Ad form, your contact details came from Meta and we received them via their Lead Ads API.
We may also share your data if we're legally required to — for example, a court order or a valid request from HMRC or law enforcement.
06 How long we keep it
- Enquiry-only records (you contacted us but never became a customer) — 12 months, then deleted.
- Active customer accounts — for as long as you're with us, plus 6 years after cancellation (HMRC requires business records be kept this long).
- Financial records (invoices, receipts) — 6 years, per HMRC.
- Web analytics — aggregated logs are kept 90 days; individual session data is not linked to an identifiable person.
- Marketing consent — until you withdraw it (one-click unsubscribe in every email).
07 Your rights
Under UK GDPR, you have the following rights over your personal data. We'll honour every one of them within one calendar month of receiving a valid request.
Your UK GDPR rights — in plain English
- Access — get a copy of everything we hold about you.
- Rectification — correct anything that's wrong or out of date.
- Erasure ("right to be forgotten") — delete your data (unless we're legally required to keep it, e.g. HMRC records).
- Restriction — tell us to hold your data but stop using it, while a dispute is sorted out.
- Portability — get your data in a machine-readable format to take elsewhere.
- Object — stop us processing your data for marketing or any use based on legitimate interests.
- Withdraw consent — at any time, for anything you previously consented to.
To exercise any of these, email hello@onetapweb.co.uk. We don't charge a fee.
08 Cookies & tracking
We use a small number of cookies on onetapweb.co.uk:
- Essential cookies — keep you logged in, remember your cart, carry your session between pages. These don't need consent.
- Analytics — Umami sets a cookieless identifier for counting unique visitors. No cross-site tracking, no advertising cookies.
We do not use Google Analytics, Facebook Pixel, or any other third-party advertising tracker on our marketing site. If you visit a client's site hosted on OneTapWeb, that client may have chosen to add different trackers — their site, their choice, their privacy policy.
09 Security
We take practical, proportionate security measures to protect your data:
- All traffic uses HTTPS (TLS 1.3 where supported).
- Passwords are hashed with bcrypt — never stored in plain text.
- Database backups are taken daily, encrypted at rest, and kept for 30 days.
- Payment card details never touch our servers — Stripe handles that entirely.
- Access to production systems is restricted to named individuals with multi-factor authentication.
If a data breach were ever to happen that was likely to affect your rights, we would notify the ICO within 72 hours and contact you directly without delay.
10 International transfers
Our servers and primary operations are based in the UK. A small number of our suppliers (Stripe, Google Workspace, Twilio, Meta) are based in or may process data outside the UK/EEA — typically in the United States. Where this happens, we rely on the UK International Data Transfer Agreement and/or the European Commission's Standard Contractual Clauses to ensure your data is protected to UK standards.
11 Changes to this policy
We may update this policy from time to time — typically when we add a new feature, switch a supplier, or when the law changes. The "Last updated" date at the top always reflects the latest version. For material changes that affect your rights, we'll email existing customers directly before they take effect.
12 Contact & complaints
If you have any question about your data or this policy, get in touch. We don't have a dedicated Data Protection Officer (we're too small to require one under UK GDPR), but emails to the privacy address below go straight to the founder.
Get in touch
Email: hello@onetapweb.co.uk
For any privacy question, data request, or general enquiry — one address, straight to us.
We'll respond within 3 working days, usually much sooner.
If you're unhappy with how we've handled your data and we haven't been able to resolve it with you directly, you have the right to complain to the UK's Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF