Legal

Privacy Policy

Last updated: April 2026

This policy is currently available in English only. If you’d like a version in French, Spanish, or Arabic, contact us and we’ll send one over.

1. Who we are

EBM Solutions (“we”, “us”, “our”) is a United Kingdom-based consultancy that builds software and systems for small and mid-sized businesses.

This policy explains what personal information we collect when you use our website, why we collect it, what we do with it, and the rights you have over it. It is written in plain English on purpose.

For the purposes of UK GDPR and the Data Protection Act 2018, EBM Solutions is the data controller for the information we collect through this website.

2. What we collect

We only collect personal information you actively give us, plus a small amount of technical information needed to keep the site running.

From the contact form

  • Your name — so we know who we’re talking to.
  • Your email address — so we can reply.
  • Your company name (optional) — to give us context.
  • Your message — whatever you choose to tell us about your enquiry.

Automatically, from your browser

  • Your IP address — recorded by our hosting provider for security and abuse-prevention purposes.
  • Your browser and device type — standard technical headers used to serve the site correctly.

We do not use tracking pixels, advertising cookies, or third-party analytics that identify you personally.

3. Why we collect it

We only collect information for specific, limited purposes:

  • To respond to your enquiry. If you contact us through the form, we use your name, email, and message to reply to you. Legal basis: legitimate interest (you contacted us first) and consent (you chose to send the form).
  • To keep the site secure and available. Standard hosting logs (IP addresses, timestamps) help us detect abuse and keep the site online. Legal basis: legitimate interest (running a secure service).
  • To remember the conversation. If we start working together, we keep a copy of your enquiry and our correspondence as part of normal business records. Legal basis: legitimate interest (managing client relationships) and contractual necessity (if we enter into an engagement).

4. Who we share it with

We don’t sell your information, and we don’t share it with anyone for advertising. We do rely on a small number of trusted third parties to run the service:

  • Cloudflare — hosts this website and delivers it to your browser. Cloudflare may process your IP address and basic technical data for security and delivery. See their privacy policy.
  • Google Fonts — serves the typefaces used on this site. Google may collect basic technical information when your browser requests the fonts. See Google’s privacy policy.
  • Flaticon — the source of our logo icon (linked in the footer). They are not involved in serving our site but are credited for licensing reasons.

If and when we wire up our email service, we’ll update this policy to disclose the provider.

5. International transfers

Some of our service providers (notably Cloudflare and Google) are based outside the United Kingdom. Where personal data is transferred internationally, it is protected by standard contractual clauses or equivalent safeguards, as required by UK GDPR.

6. How long we keep it

  • Contact form submissions: retained for up to two years from the date of our last communication with you, unless you ask us to delete them sooner.
  • Client engagement records: retained for up to seven years after the engagement ends, to meet UK tax and accounting record-keeping requirements.
  • Server logs: retained by our hosting provider on a rolling short-term basis (typically under 30 days) for security and diagnostic purposes.

7. Cookies

This website does not set any tracking, advertising, or analytics cookies of its own. Our hosting provider (Cloudflare) may set a small number of strictly-necessary cookies for security and performance purposes — these are not used to track you across the internet.

We will update this policy if we add analytics or any other cookie-setting service in future, and we will ask for your consent first where required.

8. Your rights

Under UK GDPR you have the following rights:

  • Right of access — ask for a copy of the personal information we hold about you.
  • Right of rectification — ask us to correct inaccurate information.
  • Right of erasure (“right to be forgotten”) — ask us to delete your information, where it is no longer necessary for us to keep.
  • Right to restrict processing — ask us to pause using your information while a dispute is resolved.
  • Right to data portability — ask us to provide your information in a portable format.
  • Right to object — object to our processing of your information, including direct marketing (we don’t do any).
  • Right to withdraw consent — where we rely on your consent, you can withdraw it at any time.

To exercise any of these rights, email us at hello@ebmhq.com. We’ll respond within one month.

If you’re not happy with how we’ve handled your information, you have the right to complain to the UK’s Information Commissioner’s Office (ICO): ico.org.uk. We’d appreciate the chance to put things right first, though.

9. Security

We take reasonable, industry-standard steps to protect the information we hold — including encrypted connections (HTTPS), secure hosting, and limiting access to personal data to the people who genuinely need it. No system is perfectly secure, but we won’t treat your information carelessly.

10. Children

This website is not aimed at children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child has sent us information through the site, please contact us and we’ll delete it.

11. Changes to this policy

We may update this policy occasionally — for example, if we change service providers or add new features. The “last updated” date at the top of this page tells you when it last changed. Significant changes will be highlighted on the home page for a reasonable period.

12. Contact us

For any privacy question, or to exercise any of the rights above, get in touch:

A note on this policy: This policy was prepared in plain English to meet the requirements of UK GDPR and the Data Protection Act 2018. It is not a substitute for bespoke legal advice. If you have specific concerns about how this policy applies to your circumstances, we recommend consulting a qualified solicitor.