Who is the data controller
Stelvox Technologies ("Stelvox", "we", "us") is the data controller for personal data we collect through this website (stelvox.com), our configurator, our forms, and our direct correspondence.
We are a UK-registered engineering studio. For data protection purposes, our supervisory authority is the UK Information Commissioner's Office (ICO).
Data protection contact: hello@stelvox.com — mark the subject line with [PRIVACY] for fastest routing. We respond within five business days.
What we collect & why
We try to collect as little personal data as possible. Specifically:
| What | Why · lawful basis |
|---|---|
| Name, email, company | To respond to enquiries, send quotes, and operate engagements — contract / legitimate interests |
| Brief content (vision, feel, infra, other) | To scope and quote your build — contract |
| Company country + applicant location | To compute the correct VAT / tax jurisdiction and schedule across timezones — contract |
| IP address (truncated for analytics) + accept-language | To detect language and currency on first visit — legitimate interests |
| Cookies (lang, currency, country, consent, abandonment flag) | To remember your preferences — consent for non-essential, legitimate interests for essential |
| Order references, invoice line items, milestone status | To deliver and bill the engagement — contract |
| Support emails and call notes | To deliver the engagement and improve our service — contract / legitimate interests |
We do not collect special-category data (health, religion, sexual orientation, etc.) and never knowingly collect data from anyone under 16.
How long we keep it
- →Prospect enquiries that don't convert: 24 months from last contact, then deleted.
- →Active-engagement records: for the term of the engagement plus 7 years for tax/audit compliance.
- →Invoices and payment records: 7 years from issue, per HMRC requirements.
- →Marketing-list email (if you subscribed to Field Notes): until you unsubscribe, then 30 days for processing.
- →Cookies: as per their individual expiry (1 year for preferences; session for transient).
- →Server logs: 90 days, then aggregated and the raw logs deleted.
Who we share data with (sub-processors)
We use the following carefully-chosen sub-processors. Each is bound by a written agreement that requires GDPR-equivalent protection. We do not sell personal data to anyone, for any purpose.
| Sub-processor | Service · region |
|---|---|
| Paddle.com Market Limited | Merchant of record · payment processing · UK / EU |
| Lemon Squeezy (Squarespace Inc.) | Alternative merchant of record (where listed) · US |
| Vercel Inc. | Application hosting & CDN · US / EU multi-region |
| Hostinger International Ltd. | VPS hosting for stelvox.com · EU (Lithuania) |
| Cloudflare Inc. | DNS · edge security (where enabled) · US / EU |
| Anthropic PBC | LLM inference for the AI scoping assistant · US |
| ip-api.com / ipapi.co | IP-based country lookup for currency detection · EU |
| Resend / Postmark (when configured) | Transactional email · EU / US |
| Vercel Analytics + Speed Insights | Aggregate, cookie-free traffic analytics · EU |
| GitHub Inc. | Source-code hosting · US |
Additional sub-processors used during a specific engagement are listed in the SOW's data-processing appendix.
International transfers
Where personal data is transferred outside the UK or EEA, we rely on:
- →The UK addendum to the EU Standard Contractual Clauses;
- →Or another transfer mechanism recognised under UK and EU GDPR (e.g. adequacy decisions).
A copy of our executed SCCs is available on request to the named billing contact.
Your rights
Under UK and EU GDPR you have the right to:
- →Access — request a copy of the personal data we hold about you;
- →Rectification — ask us to correct inaccurate data;
- →Erasure — ask us to delete your data, subject to legal-retention requirements;
- →Restriction — ask us to limit how we process your data;
- →Portability — receive your data in a structured, machine-readable format;
- →Object — to processing based on legitimate interests, including direct marketing;
- →Withdraw consent — for processing where consent was the basis;
- →Lodge a complaint with a supervisory authority (in the UK: ico.org.uk).
To exercise any of these rights, email hello@stelvox.com with [PRIVACY] in the subject line. We respond within one month and don't charge for ordinary requests.
Cookies & tracking
We use a small number of cookies. Essential cookies are set without consent because the site cannot work without them; non-essential cookies are set only after you click "Accept" in the cookie banner.
| Cookie · purpose | Lifetime |
|---|---|
| stelvox-lang · interface language | 1 year |
| stelvox-currency · displayed currency | 1 year |
| stelvox-country · ISO country code for tax routing | 1 year |
| stelvox-dash · signed dashboard session (HTTP-only) | 30 days |
| stelvox-consent · your cookie-banner choice | 1 year |
| stelvox-configurator-v2 · your in-progress quote (localStorage) | Until cleared |
| stelvox-locale-refined / -abandonment-* · UX flags (session/local storage) | Session / 30 days |
We do not use Facebook Pixel, Google Analytics, or any cross-site tracking. Vercel Analytics + Speed Insights run cookie-free and IP-anonymised on the edge.
Security
We protect personal data with appropriate technical and organisational measures, including TLS 1.2+ in transit, AES-256 (or equivalent) at rest, role-based access controls, audit logging, MFA on all admin accounts, and a documented incident-response plan.
Detailed security posture: see our Security Overview at /docs/security-overview.md.
For Client Personal Data breaches we notify the Client within 48 hours of awareness, per the DPA.
Children's privacy
Our services are B2B and not directed at children. We don't knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact hello@stelvox.com and we will delete it.
Changes to this policy
Material updates are announced via the named billing contact and on our /changelog page at least 14 days before they take effect. Minor clarifications and typo fixes are made silently; the "last updated" date at the top of this page reflects the most recent change.
Contact
For privacy questions, data-subject requests, or breach notifications: hello@stelvox.com with [PRIVACY] in the subject.
For complaints you cannot resolve with us, contact the UK Information Commissioner's Office at ico.org.uk or your local supervisory authority.
Privacy questions or a data-subject request?
Email hello@stelvox.com with [PRIVACY] in the subject. We respond within one month, free of charge for ordinary requests.