Privacy Policy

2. What personal data we collect

We only collect personal data you choose to give us, together with limited technical data needed to run a secure website.

2.1 Enquiry form

When you submit the form at /contact, we collect:

• Your name
• Your organisation (optional)
• Your email address
• The nature of your enquiry
• The message you write
• The date and time of submission

2.2 Direct email

If you email us at curious@lily-labs.co.uk or privacy@lily-labs.co.uk, we receive and retain the contents of your email and your email address.

2.3 Technical data

Our hosting provider (Vercel Inc.) keeps standard request logs — IP address, user agent, referring URL, and timestamps — as part of normal web-server operation. We do not use this data to track or profile visitors.

2.4 Privacy-preserving analytics

We use Vercel Web Analyticsto understand aggregate traffic patterns — how many people visit, which pages they look at, which research areas get most interest. Vercel's analytics are cookieless: they do not set any cookies on your device, do not store IP addresses, and do not build a profile of individual visitors. Data is aggregated and anonymised before we see it. Because no personal data is collected, no consent banner is required under the Privacy and Electronic Communications Regulations (PECR).

2.5 No tracking or marketing cookies

We do not use advertising, remarketing, or cross-site tracking cookies of any kind. The only cookies set by this site, if any, are strictly necessary session cookies used to make the site function securely; these are exempt from consent requirements under PECR.

3. Why we process your data — lawful basis

• To reply to your enquiry — UK GDPR Article 6(1)(f), our legitimate interest in responding to people who have written to us. Where a commercial engagement follows, we rely on Article 6(1)(b), processing necessary for the performance of a contract.
• To keep a record of correspondence — Article 6(1)(f), our legitimate interest in maintaining professional continuity and defending against future legal claims.
• To secure the site — Article 6(1)(f), our legitimate interest in preventing abuse, fraud, and spam.

We do not send marketing email to enquirers without a separate, explicit opt-in. If we introduce a mailing list, it will be double-opt-in with a clear unsubscribe link on every message, as required by the Privacy and Electronic Communications Regulations (PECR).

4. Who we share your data with

We do not sell your data. We do not share it with third parties for marketing. We use a small number of carefully chosen processors to operate the site:

• Vercel Inc.— website hosting, request logs, and cookieless Web Analytics. Data is served from Vercel's UK/EU edge regions where possible. See Vercel's privacy policy.
• Sendinblue SAS (trading as Brevo) — transactional email delivery for enquiry-form submissions. 7 rue de Madrid, 75008 Paris, France. Data is processed in EU data centres. See Brevo's privacy policy.

We will only share your data with other parties where we are legally required to do so (for example, in response to a valid order from a UK court or regulator).

5. How long we keep your data

We keep enquiry-form submissions and associated correspondence for 24 months from the date of last contact, after which they are deleted — unless the enquiry has become an active client engagement, in which case standard business records retention applies (up to 7 years for accounting and tax purposes under UK statute).

Request a shorter retention at any time by writing to privacy@lily-labs.co.uk.

6. International transfers

Our processors store and process personal data within the United Kingdom and the European Economic Area. We do not currently rely on transfers to countries outside the UK/EEA for processing enquiry-form data. If this changes, we will update this notice and put in place an appropriate transfer mechanism (UK International Data Transfer Agreement, UK–US Data Bridge extension, or equivalent).

7. Your rights

Under the UK GDPR, you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — ask us to correct inaccurate or incomplete data
• Erasure — ask us to delete your data where it is no longer needed for the purpose it was collected
• Restriction — ask us to limit how we use your data while a query is resolved
• Objection — object to processing based on legitimate interests
• Portability — receive your data in a structured, machine-readable format
• Withdraw consent — where processing is based on consent, withdraw that consent at any time

To exercise any of these rights, write to privacy@lily-labs.co.uk. We will respond within one calendar month.

8. Complaints

If you are not satisfied with how we handle your personal data, please tell us first — we would rather hear about it and fix it than not. You also have the right to complain to the UK Information Commissioner's Office:

9. Security

We take reasonable technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction. The site is served over HTTPS only; processor access is restricted; API keys are held in secure environment storage. No system is perfectly secure, but we treat this obligation seriously.

10. Changes to this notice

If we materially change how we handle personal data, we will update this page and revise the “last updated” date at the top. Material changes affecting existing enquirers will be notified by email where we hold one.