Your data,
treated properly.
We collect what we need to do our job, nothing more. We don't sell it, we don't share it with anyone who doesn't need it, and we delete it when you ask. Plain English version below.
LAST UPDATED · 2 JUNE 2026
1 · Who we are
This Privacy Policy explains how Flanstack Ltd ("Flanstack", "we", "us", "our") collects and uses your personal data when you visit our website, request our services, or otherwise interact with us.
We are a private limited company registered in England and Wales:
- Company name: Flanstack Ltd
- Company registration number: 17168933
- Registered office: Flat 4 Heanor House, Church Street, Heanor, Derbyshire, DE75 7XF, United Kingdom
- Contact email: info@flanstack.co.uk
We act as the data controller for personal data collected through this website and our services. This means we decide what data is collected and how it's used.
2 · What information we collect
The personal data we collect depends on how you interact with us. Below is what we may collect and why.
When you submit the audit form
- Your name and business name
- Your email address and phone number
- Your trade and area of operation
- Information about your current website or marketing setup
When you book a demo or contact us
- Your name, email, phone number, and business name
- Any information you share during the conversation
- Booking time, date, and notes
When you become a customer
- All of the above, plus billing information processed through our payment provider
- Account credentials and usage data within the platform we provide you
- Data your own customers share with you through systems we operate on your behalf (we are the processor for this data; you are the controller)
Automatically when you visit our website
- IP address, browser type, device type, operating system
- Pages visited, time on site, referring source
- Anonymous analytics data collected via our hosting and analytics providers
3 · How we use your data
We use your personal data for the following purposes:
- To deliver our services · setting up your account, running your campaigns, providing customer support
- To respond to your enquiries · answering audit requests, demo bookings, contact form submissions, and emails
- To process payments · billing you for the service tier you've signed up for
- To send service communications · updates about your account, system notifications, important changes
- To send marketing communications · only if you've opted in or where we have a legitimate interest and you haven't objected
- To improve our services · analysing how the website is used, what features are valuable, where we can do better
- To comply with legal obligations · keeping records as required by tax, accounting, and regulatory law
What we don't do with your data
To be clear, we never:
- Sell your data to anyone
- Share it with advertisers or marketing networks
- Use it to train AI models
- Build advertising or targeting profiles
- Use it for purposes outside this Privacy Policy without asking first
4 · Legal basis for processing
Under the UK GDPR, we rely on the following legal bases to process your data:
- Performance of a contract · when you've signed up as a customer, we need to process your data to deliver what you've paid for
- Legitimate interests · for responding to enquiries, improving our services, and limited marketing to business contacts. Our legitimate interest is running and growing our business in a way that's expected and not harmful to you
- Consent · for any marketing communications outside of a pre-existing business relationship. You can withdraw consent at any time
- Legal obligation · for tax records, regulatory compliance, and similar required record-keeping
5 · Who we share your data with · and where it actually lives
We only share your data with third parties where it's necessary to deliver our services. We never sell your data.
Importantly, the technology stack Flanstack runs on is built from established third-party platforms. Your data lives on those platforms (not on Flanstack's own servers). Below is a full picture of where what is stored:
| Platform | What's stored there | Provider |
|---|---|---|
| GoHighLevel | Account data, contacts, conversations, automations, websites, pipelines | HighLevel Inc. (US) |
| LeadConnector | SMS, voice, and email delivery infrastructure | HighLevel subsidiary (US) |
| Twilio | Underlying phone numbers, SMS routing, voice routing | Twilio Inc. (US) |
| Stripe | Payment card data, billing info, invoices | Stripe, Inc. (US/UK) |
| Mailgun | Email sending infrastructure, delivery logs | Sinch (EU) |
| Google Workspace | Internal team email, document collaboration | Google LLC (US) |
| Google Business Profile | Review data, business listing info (for clients using this integration) | Google LLC (US) |
| Cloudflare | Website hosting, DNS, performance, security | Cloudflare Inc. (US) |
| HMRC and regulators | Tax, accounting, and regulatory records (only as legally required) | UK Government |
We have data processing agreements (or equivalent) in place with each of these providers, ensuring they handle your data to the same standards we do. Each provider has its own privacy policy governing the data they hold · we recommend reviewing them if you want full visibility.
One important detail: because we operate on third-party platforms rather than our own infrastructure, the security and uptime of those platforms is governed by their own terms. We work with reputable providers but don't control their systems.
6 · When you become a customer · your customers' data
This is an important distinction for B2B customers (i.e., trades businesses that pay us to run their marketing systems).
When you sign up as a Flanstack customer and start using the systems we configure for you, you'll capture data from your customers (their names, phone numbers, email addresses, the enquiries they send you, etc.).
Who's responsible for what
- You are the Data Controller for your customers' data. You decide what's collected, why, and how it's used.
- Flanstack acts as a Data Processor on your behalf, but only to the limited extent necessary to configure, maintain, and support the systems you've signed up for.
- The third-party platforms (GoHighLevel, Twilio, Stripe etc.) act as sub-processors under their own terms.
Your responsibilities as a Data Controller
- Obtain valid consent from your customers before contacting them (or rely on legitimate interest / pre-existing relationships, as applicable)
- Provide your own privacy notice to your customers explaining how you use their data
- Honour data subject requests from your customers (access, deletion, etc.)
- Comply with PECR (Privacy and Electronic Communications Regulations 2003) for SMS and email marketing
- Keep records of consent and opt-outs
Our responsibilities as Processor
- Process your customers' data only on your instructions and as part of the service we provide
- Keep that data secure (insofar as it's within our control)
- Help you respond to data subject requests where reasonable
- Notify you of any breach affecting your data without undue delay
- Not use your customers' data for our own purposes
A formal Data Processing Agreement (DPA) is provided as part of your service agreement. If you need a copy, email info@flanstack.co.uk.
7 · How long we keep your data
We keep personal data only as long as we need it for the purpose it was collected, or as long as we're required to by law.
- Audit submissions and enquiries that don't become customers: up to 24 months from last contact, then deleted
- Customer account data: for the duration of your contract, plus 6 years afterwards (to meet tax and accounting record-keeping requirements)
- Marketing data: until you unsubscribe or object, whichever comes first
- Anonymous analytics data: retained indefinitely in aggregated form
You can request deletion of your data at any time (see Section 8 below).
8 · Your rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of access · request a copy of the data we hold about you
- Right to rectification · ask us to correct inaccurate or incomplete data
- Right to erasure · ask us to delete your data (subject to certain legal exceptions)
- Right to restrict processing · ask us to limit how we use your data
- Right to data portability · receive your data in a portable format to transfer elsewhere
- Right to object · object to processing based on legitimate interests, including marketing
- Right to withdraw consent · where we rely on consent, you can withdraw it at any time
- Right to complain to the ICO · if you're unhappy with how we handle your data, you can lodge a complaint with the Information Commissioner's Office at ico.org.uk
To exercise any of these rights, email info@flanstack.co.uk. We'll respond within one month.
9 · Cookies
We use a small number of essential cookies to make the website work properly. These don't track you across the internet or build profiles for advertising.
Specifically, we use:
- Functional cookies · required for the chat widget and form submissions to work
- Analytics cookies · anonymous data about which pages are visited and how the site performs (no personal identification)
We don't use advertising or tracking cookies. You can disable cookies in your browser settings if you prefer, though some site features may not work as expected.
10 · International data transfers
Some of our service providers (notably GoHighLevel, Stripe, and Cloudflare) process data outside the UK, primarily in the United States. Where this happens, we rely on:
- Standard Contractual Clauses (SCCs) approved by the UK government, or
- The UK Extension to the EU-US Data Privacy Framework, where applicable
These mechanisms ensure your data receives a similar level of protection abroad as it does in the UK.
11 · Security
We take security seriously. Measures we take include:
- HTTPS encryption across the website and all platforms we use
- Strong access controls and two-factor authentication on internal systems
- Working only with reputable service providers that meet recognised security standards
- Limiting who in our team has access to customer data on a need-to-know basis
No system is completely secure, but we work hard to keep your data safe and will notify you and the ICO without undue delay if a data breach affects you.
12 · Children
Our services are not directed at children. We don't knowingly collect personal data from anyone under 18. If you believe we've inadvertently collected data from a child, please contact us and we'll delete it.
13 · Changes to this policy
We may update this Privacy Policy from time to time. When we do, we'll update the "Last Updated" date at the top of this page. Significant changes will be communicated by email to customers or via a prominent notice on the website.
14 · How to contact us
For any privacy-related questions, requests, or concerns:
- Email: info@flanstack.co.uk
- Post: Flanstack Ltd, Flat 4 Heanor House, Church Street, Heanor, Derbyshire DE75 7XF, United Kingdom
We aim to respond to all enquiries within 5 working days, and to formal data subject requests within one month.