Privacy Policy: Data Protection & User Rights
This policy explains what data we collect on hdcopywriting, why we collect it, and the choices you have about it.
Introduction and Scope
If you've ever filled out a contact form and wondered where that information goes, this page is the straight answer.
This Privacy Policy applies to this website and the ways you interact with it—reading pages, submitting forms, and emailing us. It covers personal data we process as a controller (meaning we decide why and how it's used).
It does not cover third-party websites you might reach via links from our pages. If you click out, their rules apply.
Scope note: This policy focuses on website and inquiry data. It doesn't try to map every edge case that can happen in a client's own systems once a project is underway.
How We Use Your Information
We use data to run the site, respond to you, and keep the basics secure.
Strategy overview
Most processing falls into two buckets: (1) communication you initiate, and (2) routine website operations. In practice, that means we keep enough information to reply, follow up, and prevent abuse.
Tactical details
- Respond to inquiries: when you contact us, we use your details to reply and keep a thread of the conversation.
- Provide requested services: if you become a client, we use information needed to deliver the work and manage the relationship.
- Operate and secure the site: logs and technical data help us detect spam, troubleshoot errors, and maintain performance.
- Administrative needs: scheduling, invoicing, and record-keeping where relevant.
Expected results
You should see faster replies, fewer dropped threads, and a site that doesn't fall over when it gets noisy traffic.
Legal bases may include consent (for form submissions), legitimate interests (site security and operations), and contract performance (client work).
Data We Collect
We keep collection tight: what we need to communicate, and what the server needs to function.
Common mistake → root cause → fix
Common mistake: assuming "we don't collect data" because there's no checkout.
Root cause: web servers and forms create data trails by default—IP addresses in logs, timestamps, message content, and email headers.
Fix: we treat those trails as personal data and handle them accordingly (limited access, purpose-limited use, and retention that matches the reason we collected it).
What we may collect
| Category | Examples | Why it's collected |
|---|---|---|
| Contact details | Name, email address, company (if provided) | To respond and keep a record of the conversation |
| Message content | What you write in a form or email | To understand your request and reply accurately |
| Technical data | IP address, browser type, device info, timestamps, referring pages | Security, debugging, and basic site operations |
| Client project data (if you hire us) | Briefs, drafts, feedback, stakeholder notes | To deliver the work you requested |
We don't intentionally collect special category data (e.g., health, political opinions). If you include it in a message, you're choosing to share it.
Third-Party Processors
Some data has to pass through vendors to make the site work—hosting, email delivery, and basic infrastructure.
Two valid approaches
Approach A: "All-in-one platform." Fewer moving parts, but you hand a lot of surface area to one provider.
Approach B: "Best tool per job." More control and sometimes better performance, but you have more contracts and settings to keep tidy.
Trade-offs
- Using established processors can improve reliability and security patching cadence.
- More processors can mean more places data could be stored or logged.
- Misconfigured integrations are a common source of accidental over-collection.
- Vendor changes can affect where data is processed geographically.
Recommendation
We keep the vendor set small and use processors under data protection terms where required. When a processor acts on our instructions, it does so as a processor; when it determines its own purposes, it acts as a separate controller under its own policy.
Your Rights Under GDPR
If you're in the UK/EU (and in many cases beyond), you have practical rights over your personal data.
What you can ask for
- Access: what we have, and why we have it.
- Rectification: fix inaccurate or incomplete data.
- Erasure: delete data where we don't have a valid reason to keep it.
- Restriction: pause processing in specific situations.
- Objection: object to processing based on legitimate interests.
- Portability: receive certain data in a usable format where applicable.
- Withdraw consent: where processing is based on consent.
How to exercise your rights
Send your request via the contact details on our Contact page. Tell us what you're asking for and the email address you used to reach out.
To protect you, we may ask for enough information to verify identity before we act on a request. That step is boring, but it prevents the wrong person from pulling your data.
Timing note: Some requests depend on what systems the data touched (for example, email threads versus server logs), so response time can vary by data type.
Changes to This Policy
If we change how we collect or use data, we'll update this page.
Most edits are small: clarifying wording, reflecting a new processor, or tightening retention language. When a change materially affects user rights or the categories of data we process, we'll make the update obvious on the page rather than burying it.
Last updated: February 2026
If you have a privacy question that doesn't fit neatly into a form field, send it through and we'll handle it like a real conversation.
Contact us about privacy