Privacy Policy

Last updated: 22 March 2026

1. Who we are

Thirty3 Labs is a web development and AI tools agency based in London, UK. We build websites, automations, AI tools, lead generation systems, and SEO services for small businesses.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we are the data controller. That means we decide how and why your personal data is processed.

Contact: hello@thirty3labs.co.uk

2. What data we collect

We only collect what we actually need. Here is what that looks like:

  • Contact details — name, email address, phone number, business name. Collected when you fill in our contact form, email us, or start a project with us.
  • Project information — briefs, content, assets, and feedback you share with us during a project.
  • Payment information — billing details processed through our payment provider. We never store card numbers directly.
  • Website usage data — pages visited, time on site, referring URL, device type, browser, and approximate location. Collected automatically via cookies and analytics tools.
  • Communication records — emails, messages, and call notes related to our working relationship.

3. Why we collect it (legal basis)

Under UK GDPR, we need a lawful reason to process your data. Here are ours:

  • Contract— to deliver the services you have hired us for (building your website, running your SEO, etc.).
  • Legitimate interest — to improve our services, understand how our website is used, and communicate with prospective clients. We balance this against your rights every time.
  • Consent— when you opt in to marketing emails or accept non-essential cookies. You can withdraw consent at any time.
  • Legal obligation — to comply with tax, accounting, and regulatory requirements.

4. How we use your data

  • To respond to enquiries and provide quotes.
  • To deliver and manage projects.
  • To process payments and send invoices.
  • To send project updates and relevant communications.
  • To improve our website and services based on usage patterns.
  • To send marketing emails (only with your explicit consent).
  • To meet legal and regulatory obligations.

5. Who we share your data with

We do not sell your data. We never have, and we never will.

We may share data with trusted third parties who help us run our business:

  • Hosting providers — to serve our website and client projects (e.g. Vercel, cloud infrastructure providers).
  • Analytics tools — to understand website traffic (e.g. privacy-focused analytics).
  • Payment processors — to handle invoicing and payments securely.
  • Email services — to send project communications and, where opted in, marketing.
  • AI service providers — where AI tools are part of the project deliverables, data may be processed by AI APIs. This is always covered in the project agreement.
  • Legal and regulatory bodies — if required by law, regulation, or legal process.

All third parties are contractually required to protect your data and only use it for the purposes we specify.

6. International data transfers

Some of the services we use (hosting, analytics, AI APIs) may process data outside the UK. Where this happens, we make sure appropriate safeguards are in place, such as Standard Contractual Clauses or UK adequacy decisions, so your data stays protected.

7. How long we keep your data

We keep your data only as long as we need it:

  • Client project data — for the duration of the project plus 6 years (to cover legal and tax obligations).
  • Enquiry data — up to 2 years if the enquiry does not lead to a project.
  • Marketing contacts — until you unsubscribe.
  • Analytics data — aggregated and anonymised, retained indefinitely.

When data is no longer needed, we securely delete or anonymise it.

8. How we protect your data

We use reasonable technical and organisational measures to keep your data safe, including encrypted connections (HTTPS), access controls, secure password practices, and regular reviews of our security setup.

No system is 100% secure. If a data breach occurs that poses a risk to your rights, we will notify you and the ICO as required by law.

9. Your rights

Under UK GDPR, you have the right to:

  • Access— request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure— ask us to delete your data (where there is no legal reason for us to keep it).
  • Restriction — ask us to limit how we use your data.
  • Portability — request your data in a structured, machine-readable format.
  • Objection— object to processing based on legitimate interest.
  • Withdraw consent — where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, email us at hello@thirty3labs.co.uk. We will respond within 30 days.

10. Cookies

Our website uses cookies. For full details on what cookies we use and how to manage them, see our Cookie Policy.

11. Children

Our services are designed for businesses, not children. We do not knowingly collect data from anyone under 16. If you believe we have, please contact us and we will delete it immediately.

12. Changes to this policy

We may update this policy from time to time. When we do, we will update the date at the top. For significant changes, we will make reasonable efforts to notify you (e.g. via email or a notice on our website).

13. Complaints

If you are not happy with how we handle your data, please contact us first at hello@thirty3labs.co.uk and we will do our best to resolve it.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

14. Contact us

Thirty3 Labs
London, UK
hello@thirty3labs.co.uk