Summary
We’re Mecha Site Ltd, a UK company that runs a platform for managing websites. This page explains every kind of data we hold, why we hold it, who we share it with, and the rights you have over it. Read on for detail, or jump to a section using the menu.
- We are the controller of data about you (our account holder) and a processor of data about visitors to the websites we manage on your behalf.
- We rely on five lawful bases: consent, contract, legal obligation, legitimate interest, and recognised legitimate interest under the UK Data (Use and Access) Act 2025.
- We do not sell your data and we don’t use it for advertising profiling.
- You can access, correct, export, restrict, or erase your data at any time — see Section 10.
- You can complain to us at /legal/complaints (we acknowledge every complaint within 30 days, as DUAA §103 requires) and to the ICO at any time.
1. Who we are
Mecha Site Ltd is a company registered in England & Wales. Our trading name is “Mecha Site”. We act as the data controller for personal data about our account holders, and as a data processor for personal data flowing through the websites we manage.
Our Data Protection Officer (DPO) function is provided externally on retainer; you can reach the DPO at dpo@mechasite.com.
2. Our two roles — controller and processor
Mecha Site has two distinct relationships with personal data. This notice covers both. If you only want to know about one, jump straight to the relevant tab.
Section A · Data about YOU
Controller role
When you create a Mecha Site account or use the platform, we are the controller of your data. We decide what we collect, why, and how long we keep it. Sections 3-14 below cover this role.
Section B · Data about your VISITORS
Processor role
When a visitor uses a website we manage for you (fills a form, browses pages), we process that data on your behalf as a processor. You decide the purposes; we follow your instructions under our Data Processing Agreement. This notice does not describe what your visitors should expect from your website — that is your privacy notice, not ours.
3. Data we collect
We only collect what we need. The full list, kept up to date by our engineering team, lives in a public artefact at docs/pii-manifest.json on our source repository — auditors can read it directly.
Data you give us
- Name and work email address (required to create an account).
- Password hash (we never store the password itself).
- Multi-factor authentication secrets, encrypted at rest.
- Billing details for paid plans (handled by Stripe — we hold only customer ID and last 4 digits).
- Content of support tickets, complaints, and any free-text fields you submit.
Data we collect automatically
- Login events, IP address (truncated to a network range after 30 days), and user-agent for security and audit.
- A pseudonymous browser identifier (stableID) for aggregate analytics on public pages, only if you accept the “Statistical” cookie category. Because it persists across visits it is pseudonymous rather than anonymous.
- Error reports from your browser if you accept the “Statistical” cookie category.
- Session-replay recordings only if you explicitly opt in to the “Marketing” cookie category. All text is masked and media is blocked by default.
Data from third parties
- If you sign in via Google, GitHub, or another OAuth provider we receive your name, email address, and a profile identifier from them.
- Stripe sends us subscription status changes via webhook (no card data).
4. Why we use it
- To run the platform you signed up for — keep you logged in, save your work, deliver the service.
- To bill you — process subscriptions and produce VAT-compliant invoices (HMRC requires us to keep these for 7 years).
- To keep the service secure — detect brute-force attempts, fraudulent accounts, and abuse.
- To improve the product — using aggregated, anonymous metrics; we never use your individual content for product analytics.
- To send service emails — password resets, security alerts, billing receipts. We don’t send marketing emails without your explicit consent.
- To respond to legal requests — when we’re legally required to (e.g., HMRC, court order).
5. Lawful bases for processing
We rely on five lawful bases under the UK GDPR as amended by the Data (Use and Access) Act 2025. Each activity below is matched to the basis we rely on for it.
5a. Consent (Art. 6(1)(a))
Used for: marketing emails, session-replay recordings, personalised feature experiments. You can withdraw consent at any time using the cookie preferences link or by emailing privacy@mechasite.com. Withdrawal does not affect processing carried out before you withdrew.
5b. Contract (Art. 6(1)(b))
Used for: account creation, plan delivery, subscription billing, handling support tickets, providing the live editor and dashboard you signed up for. Without this data we cannot perform the contract.
5c. Legal obligation (Art. 6(1)(c))
Used for: VAT-compliant invoice retention (HMRC, 7 years), responding to data-subject requests within statutory deadlines, notifying the ICO of reportable breaches within 72 hours, and acknowledging complaints within 30 days under DUAA §103.
5d. Legitimate interest (Art. 6(1)(f))
Used for: protecting the service against fraud and abuse, basic error logging, network-level rate limiting, and aggregate engineering analytics. We’ve carried out a Legitimate Interests Assessment for each activity; you can request a copy from privacy@mechasite.com. You can object at any time — see Section 10.
5e. Recognised Legitimate Interest (Art. 6(1)(ea), DUAA Sch. 4)
The Data (Use and Access) Act 2025 creates a new lawful basis for a specific list of public-interest activities. We currently rely on this basis only for safeguarding-related disclosures (e.g., reporting credible threats of harm to relevant authorities). We do not use it for direct marketing, intra-group data sharing, or network security — those rely on standard legitimate interest with a documented LIA.
5f. DUAA-exempt categories with opt-out
DUAA's changes to the PECR cookie rules mean certain low-risk storage no longer needs prior consent; for us that currently covers theme/appearance preferences and admin workflow state. We still tell you what these are (see /legal/cookies) and you can opt out at any time using the cookie preferences modal. EU/EEA visitors get the standard opt-in banner instead, because we honour the strictest applicable regime.
6. Sub-processors and other third parties
We use a small number of sub-processors to deliver the service — hosting, email, error monitoring, payment processing. The full current list (vendor name, purpose, country) lives at /legal/sub-processors. You can subscribe to email notifications of changes there. We give at least 30 days’ notice before adding a new sub-processor that processes your data.
We have a Data Processing Agreement (or equivalent contractual terms) with every sub-processor. We do not knowingly engage processors that do not meet our security baseline.
7. International transfers
Most of your data stays in the United Kingdom or European Economic Area. Where data does leave the UK, we rely on one of the following mechanisms, depending on the destination:
- UK adequacy decision — for transfers to countries the UK Government has assessed as offering adequate protection.
- UK Extension to the EU-US Data Privacy Framework — for transfers to certified US recipients.
- UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs — when the above are not available.
For each sub-processor outside the UK we maintain a Transfer Risk Assessment documenting the destination country's legal framework against the “not materially lower” standard introduced by DUAA. We review these annually, or sooner if relevant law changes.
8. How long we keep your data
We keep different types of data for different periods:
- Account data — for as long as your account is active, plus 30 days after deletion (recovery window).
- Invoices — 7 years (HMRC). Pseudonymised after account deletion; only legal name and total are retained.
- Consent records — 6 years, matching the six-year limitation period under the Limitation Act 1980, so we can demonstrate consent if it is ever disputed.
- Complaints and DSAR records — 6 years, for the same limitation period.
- Breach incident records — 7 years; affected-individual fields pseudonymised after 2 years.
- Security logs — 1 year (de-identified after that).
- Session replay recordings — 30 days.
- Webhook idempotency records — 1 year.
A scheduled job runs daily to purge data past its retention period. Each purge category has independent monitoring; a failed purge raises an internal alert and a tracked remediation ticket.
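The schedule above is only as good as the job that enforces it. The following is an added example, not Mecha Site's code, showing how such a purge runner can be built in Python along the lines Section 8 describes: each category has its own retention clock and action (delete, pseudonymise, or de-identify, the last of which also covers the IP truncation mentioned in Section 3), every category runs independently so one failure cannot block the rest, and a category that errors or still holds overdue records raises an alert. Category names, record fields, the HMAC-based pseudonym, the /24 and /48 truncation widths, the key and the sample records are all assumptions for illustration.

```python
"""Retention purge with per-category monitoring: an added example modelled on
Section 8, not production code. One category's failure is isolated and alerted."""
from __future__ import annotations
import hashlib, hmac, ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

DAY, YEAR = timedelta(days=1), timedelta(days=365)
PSEUDO_KEY = b"example-key-not-for-production"  # hypothetical; use a secret store in production

def pseudonym(value: str) -> str:
    """Keyed HMAC: stable for joins, not reversible without the key."""
    return hmac.new(PSEUDO_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def truncate_ip(ip: str) -> str:
    """Reduce an address to a network range (assumed widths: /24 IPv4, /48 IPv6)."""
    addr = ipaddress.ip_address(ip)
    return str(ipaddress.ip_network(f"{addr}/{24 if addr.version == 4 else 48}", strict=False))

def pseudonymise_invoice(rec: dict) -> dict:
    # Section 8: after account deletion only legal name and total survive
    return {k: rec[k] for k in ("id", "created", "legal_name", "total")}

def deidentify_security_log(rec: dict) -> dict:
    out = {k: v for k, v in rec.items() if k != "user_agent"}
    out["ip"], out["user_id"] = truncate_ip(rec["ip"]), pseudonym(rec["user_id"])
    return out

@dataclass(frozen=True)
class Rule:
    category: str
    clock_field: str   # timestamp the retention period runs from
    max_age: timedelta
    action: Callable[[dict], dict | None]  # reduced record, or None to delete
    marker: str        # set once applied, so a reduced record is not processed twice

RULES = [
    Rule("session_replay", "created", 30 * DAY, lambda _: None, "purged"),
    Rule("security_logs", "created", YEAR, deidentify_security_log, "deidentified"),
    Rule("invoices", "account_deleted", 0 * DAY, pseudonymise_invoice, "pseudonymised"),
]

def is_due(rule: Rule, rec: dict, now: datetime) -> bool:
    ts = rec.get(rule.clock_field)
    return ts is not None and not rec.get(rule.marker) and now - ts >= rule.max_age

def apply_rule(rule: Rule, records: list[dict], now: datetime) -> tuple[list[dict], int]:
    kept, processed = [], 0
    for rec in records:
        if not is_due(rule, rec, now):
            kept.append(rec)
            continue
        processed += 1
        if (new := rule.action(rec)) is not None:
            new[rule.marker] = True
            kept.append(new)
    return kept, processed

def run_purge(store: dict[str, list[dict]], now: datetime,
              rules: list[Rule] = RULES) -> tuple[dict[str, dict], list[str]]:
    """Run each rule on its own; returns per-category status and the alerts raised."""
    status, alerts = {}, []
    for rule in rules:
        before = store.get(rule.category, [])
        try:
            kept, processed = apply_rule(rule, before, now)
            store[rule.category] = kept
            error = None
        except Exception as exc:  # one category failing must not stop the rest
            kept, processed, error = before, 0, repr(exc)
        overdue = sum(is_due(rule, r, now) for r in kept)  # still past retention
        status[rule.category] = {"processed": processed, "overdue": overdue, "error": error}
        if error or overdue:  # silent under-purging is what the monitoring exists to catch
            alerts.append(f"{rule.category}: overdue={overdue} error={error}")
    return status, alerts

def sample_store(now: datetime) -> dict[str, list[dict]]:
    """Constructed records for the example, not real data."""
    return {
        "session_replay": [{"id": "r1", "created": now - 45 * DAY}, {"id": "r2", "created": now - 3 * DAY}],
        "security_logs": [
            {"id": "l1", "created": now - 400 * DAY, "ip": "203.0.113.77", "user_id": "u-42", "user_agent": "Mozilla/5.0"},
            {"id": "l2", "created": now - 10 * DAY, "ip": "2001:db8::1", "user_id": "u-42", "user_agent": "curl/8.0"}],
        "invoices": [
            {"id": "i1", "created": now - 800 * DAY, "legal_name": "Acme Ltd", "total": "120.00",
             "email": "cfo@example.com", "account_deleted": now - 2 * DAY},
            {"id": "i2", "created": now - 5 * DAY, "legal_name": "Beta Ltd", "total": "40.00", "email": "ap@example.com"}],
        "breach_records": [{"id": "b1", "created": now - 8 * YEAR}],
    }

def failing_action(_: dict) -> None:
    raise RuntimeError("storage backend unavailable")

def demo() -> tuple[dict, dict, list[str]]:
    """Fixed-clock run over the sample store plus one deliberately broken rule."""
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)
    store = sample_store(now)
    rules = RULES + [Rule("breach_records", "created", 7 * YEAR, failing_action, "purged")]
    status, alerts = run_purge(store, now, rules)
    return store, status, alerts
```

Calling demo() deletes the 45-day-old replay, truncates and pseudonymises the year-old security log, strips the deleted account's invoice down to name and total, leaves everything else untouched, and reports the broken breach_records rule as an alert with one overdue record while the other three categories complete normally. The marker field is what makes re-runs safe: a de-identified log is not hashed a second time. The overdue count after each run is the check worth wiring to a dashboard, since a job that exits cleanly but leaves data behind is the failure a simple exit-code alert misses.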
9. Security
Our security details are at /legal/security. In summary: passwords are hashed with Argon2; secrets and CMS credentials are encrypted at rest with Fernet (AES-128-CBC, authenticated with HMAC-SHA256) using rotatable keys; all transport is TLS 1.3; we run multi-factor authentication on all admin accounts; access is least-privilege and audit-logged. We’re working towards a SOC 2 Type II report (target Q2 2027).
10. Your rights
Under UK GDPR and DUAA you have the right to:
- Access a copy of the personal data we hold about you (Art. 15).
- Rectify inaccurate data (Art. 16).
- Erase your data, subject to our legal-obligation and audit retention (Art. 17).
- Restrict processing while we investigate a dispute (Art. 18).
- Port data you provided to us in machine-readable form (Art. 20). This includes your full consent decision history.
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent for any consent-based processing, at any time, without penalty.
- Not be subject to solely automated decisions with legal or significant effects (Art. 22). We don’t make any such decisions.
Request these by emailing privacy@mechasite.com or via the in-app privacy controls (coming Phase 3 — currently by email only). We aim to respond within one calendar month, extending by two further months for complex requests with prior notice to you.
11. Complaints
If you believe we’ve mishandled your data, please tell us first so we can put it right.
To us: use the form at /legal/complaints or email dpo@mechasite.com. We will acknowledge within 30 calendar days as required by DUAA §103, and respond substantively as soon as we can.
To the regulator: you can also lodge a complaint with the UK Information Commissioner’s Office at ico.org.uk/make-a-complaint at any time, whether or not you contact us first. EEA visitors can contact their national supervisory authority instead.
12. Children
Mecha Site is a B2B service intended for businesses managing their own websites. It is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a child has signed up, please contact dpo@mechasite.com and we will delete the account.
13. Changes to this notice
When we make a material change — for example a new processing purpose, a new sub-processor handling a new category of data, or a longer retention period — we’ll ask you to re-accept the notice the next time you sign in. We give a clear summary of what changed and why. Non-material changes (typos, reorganisation, clarifications) are recorded in the version history without re-acceptance.
You can always see the current version date at the top of this page. Past versions are kept on file and available on request.
14. Contact
- General privacy questions: privacy@mechasite.com
- Data Protection Officer: dpo@mechasite.com
- Complaints: /legal/complaints
- Postal address: Mecha Site Ltd, [registered office], United Kingdom.