1. Who is the data controller
Essential Toolkits is the data controller for personal data we collect about you through this Site and our products.
Trading address: 10 South View, Christchurch, Dorset, BH23 1JH, United Kingdom.
Contact email for privacy queries: hello@essentialtoolkits.com
We are a small business and do not have a Data Protection Officer, but we treat privacy queries as a priority and respond within one working day where possible.
2. What we collect and why
If you contact us
When you fill in the contact form or send us an email, we collect your name, email address, organisation (if you provide it), and the content of your message. We use this to respond to your enquiry and, where relevant, to follow up on related matters.
If you use a “Notify me” mailto link
The Site contains links that open your email client pre-addressed to us. If you choose to send the email, we receive your email address and any content you include. We use this to add you to a notification list for the specific product mentioned, then email you when that product is on sale. You can ask to be removed at any time.
If you buy a product
Payments are processed by Lemon Squeezy (Lemon Squeezy LLC), who act as our merchant of record. Lemon Squeezy collects the payment details directly — we never see your card number. From Lemon Squeezy we receive: your name, email address, country, the product purchased, the order ID, and (where applicable) the organisation name and VAT number you provided at checkout. We use this to deliver the product, fulfil our tax and accounting obligations, and provide customer support.
If you use the PERFORM team assessment
The Hosted Product (PERFORM, at perform.essentialtoolkits.com) collects:
- From the buyer (the licence holder): their email address, a randomly generated licence key, and the names they give to the team sessions they create.
- From respondents (people answering the questionnaire): the name they enter (which can be a first name, initial, or pseudonym — we do not require a real name), and their answer choices.
We store this so the buyer can see aggregated team results. Respondent data is visible to the buyer who set up the session and to us as the operator of the service. It is not shared with anyone else. Respondents can choose not to participate, or to use a pseudonym, at any time.
Server logs and security
Our hosting provider (Cloudflare) keeps short-lived logs of requests to the Site for the purpose of security, abuse prevention, and diagnosing technical issues. These logs may include IP address, timestamp and user-agent, and are retained for a limited period.
3. Legal basis for processing
Under UK GDPR we need a lawful basis for processing your personal data. We rely on:
- Performance of a contract — for processing related to delivering a product you have bought, providing customer support, and operating PERFORM for licence holders.
- Legitimate interests — for responding to enquiries, managing security, and keeping basic business records. Our legitimate interest is running our business effectively; we balance this against your rights.
- Consent — for adding you to a notify-me list when you actively email us asking to be told when a product launches. You can withdraw consent at any time.
- Legal obligation — for keeping records required by tax, accounting and consumer protection law.
4. Who we share data with
We do not sell your data and we do not share it for advertising. We do share data with the following service providers, who process it on our behalf:
- Lemon Squeezy — payment processing and merchant-of-record services. See their privacy policy.
- Cloudflare — hosting and content delivery for the Site, the PERFORM Hosted Product, and our database. See their privacy policy.
- Email provider — the service we use to send transactional emails such as licence delivery and support replies (currently configured via Resend). They process delivery metadata only.
We may also disclose personal data if required by law, court order, or to protect our rights, property or safety, or those of others.
5. International transfers
Some of our service providers (including Lemon Squeezy and Cloudflare) are based outside the UK or process data in countries outside the UK. Where this happens, we rely on the safeguards offered by those providers, including the UK’s adequacy decisions, Standard Contractual Clauses, and the UK International Data Transfer Addendum where applicable.
6. How long we keep data
- Contact form / email enquiries: kept for as long as needed to handle your enquiry, then archived for up to 24 months in case you come back to us, then deleted.
- Notify-me list: kept until you ask to be removed, or until 12 months after we have notified you about the product you signed up for.
- Order records: kept for at least six years to meet UK tax and accounting requirements.
- PERFORM session data: kept while your licence is active. We will delete or anonymise inactive session data on request, or after a reasonable period of inactivity.
- Server logs: kept for up to 30 days unless needed for an active investigation.
7. Cookies and tracking
This Site does not use marketing or analytics cookies. We do not use Google Analytics, Meta Pixel, or any third-party advertising or tracking tags.
Strictly necessary cookies may be set by Cloudflare to keep the Site secure and to maintain your session if you log into PERFORM. These cookies do not require your consent under the Privacy and Electronic Communications Regulations.
Lemon Squeezy may set cookies during checkout to manage your purchase. Their cookie policy applies during checkout.
8. Your rights
Under UK GDPR you have the right to:
- Access — ask for a copy of the personal data we hold about you.
- Rectification — ask us to correct data that is inaccurate or incomplete.
- Erasure — ask us to delete your data, where we are not required to keep it.
- Restriction — ask us to limit how we use your data.
- Portability — ask us to provide your data in a machine-readable format.
- Object — object to processing based on legitimate interests, including any direct marketing.
- Withdraw consent — where we rely on consent, withdraw it at any time without affecting earlier processing.
To exercise any of these rights, email hello@essentialtoolkits.com. We will respond within one month.
9. Security
We use HTTPS across the Site and the PERFORM Hosted Product. Data in our database is held on Cloudflare D1 with access restricted to authenticated requests. Buyer dashboard access uses a randomly generated licence key as a bearer token. Owner-only session controls (such as closing or reopening a PERFORM session) use a separate session-scoped owner key. We do not store payment card details — those are handled entirely by Lemon Squeezy.
No system is perfectly secure. If we become aware of a personal data breach that is likely to put your rights and freedoms at risk, we will notify the ICO within 72 hours and tell you without undue delay where the law requires it.
10. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top of the page tells you when. Material changes that affect existing customers will be communicated by email where we have your address.
11. Contact
Questions about this policy?
Essential Toolkits
Email: hello@essentialtoolkits.com
Or use the contact form.