Privacy Notice
- What personal and commercial data we collect and why
- Who processes your data and where it is stored
- How your data is protected and how long we keep it
- Your rights, and how to exercise them
1. Who we are
Why Marketing is the trading name of Alan Edwards, sole trader, based in the United Kingdom. We are the data controller for the personal data collected through the Capital Efficiency Report diagnostic tool. Contact: alan@why-marketing.com
2. What data we collect and why
2.1 Contact data. When you proceed to checkout, we collect your name, company name, and work email address. We use this to deliver your report, send confirmation emails, and manage your account if you purchase a subscription. The lawful basis is contract — this data is necessary to deliver the service you have purchased.
2.2 Commercial and financial inputs. The diagnostic tool asks you to enter business data including revenue, gross margin, customer counts, acquisition costs, pipeline figures, and related metrics. This data is used solely to calculate your diagnostic results. It is company-level financial data rather than personal data in most cases, but we treat it with the same care and confidentiality. The lawful basis for processing is contract.
2.3 Payment data. Payments are processed by Stripe. Card details never reach our servers — Stripe's checkout is hosted entirely by Stripe, which is PCI-DSS compliant. We receive a payment confirmation and a reference identifier only. Stripe's own privacy policy governs how Stripe handles your payment data.
2.4 Session and technical data. We store a random session token, timestamps, and payment status to manage your access to the diagnostic tool and your report. We do not use tracking cookies for advertising or analytics purposes.
2.5 Anonymised benchmark data. After your session data is deleted (see section 5), we retain a stripped, anonymised record containing only your revenue band, sector, and ratio metrics — no names, no company, no absolute financial figures. This is used to build sector benchmarks. We are satisfied this anonymised record falls outside the scope of personal data.
3. Who processes your data — our sub-processors
We use the following third-party services to operate the diagnostic tool. Each acts as a data processor on our behalf.
4. International data transfers
4.1 Your data is stored and processed in the United States. We are a UK-based business. For transfers of UK personal data to the United States, we rely on the UK Extension to the EU-US Data Privacy Framework (the UK-US Data Bridge), in effect since 12 October 2023. The Data Bridge permits restricted transfers to US firms that are specifically self-certified under the UK Extension — certification under the base EU-US DPF alone is not sufficient. We verify that each relevant sub-processor holds current UK Extension certification at dataprivacyframework.gov. Certifications can lapse, so we conduct this check periodically. Where any sub-processor is not UK Extension certified, we rely instead on the International Data Transfer Agreement (IDTA) or Standard Contractual Clauses with a UK Addendum as the transfer mechanism.
4.2 Neon (our database provider) operates via Netlify DB. Its transfer position is covered either under Netlify's own arrangement or its own certification — we confirm which applies as part of our sub-processor due diligence and maintain a transfer record accordingly.
4.3 For buyers based in the European Union, the Data Bridge is UK-only and does not apply. For EU personal data, we rely on the EU-US Data Privacy Framework (the EU-US DPF) where each vendor holds active EU-US DPF certification, and on Standard Contractual Clauses where they do not. Buyers should note that the EU-US DPF certification and the UK Extension are separate designations — we verify both independently.
4.4 We have executed, or will execute before launch, Data Processing Agreements with each sub-processor. We maintain a transfer record mapping each vendor to the applicable transfer mechanism. This is available to the ICO on request and can be shared with enterprise buyers on request.
4.5 We note that adequacy frameworks can be challenged or withdrawn, as occurred with Privacy Shield in 2020. We maintain IDTA and SCCs as a known fallback for each sub-processor relationship so that a transition, if required, can be implemented without interruption to the service.
4.6 If your organisation requires data residency within the UK or EU, please contact us before completing the diagnostic. We can discuss whether an alternative configuration or the enterprise route is appropriate for your needs.
5. How long we keep your data
5.1 Session records — including your diagnostic inputs, outputs, and contact details — are retained for six months from the date of your session. After six months, all identifiable data is permanently deleted. A daily automated process manages this deletion.
5.2 For subscription customers, session records from each diagnostic run are retained for six months from that run date.
5.3 The anonymised benchmark record described in section 2.5 is retained indefinitely for benchmarking purposes.
5.4 Payment records are retained as required by our legal and tax obligations, typically seven years.
6. Security
We apply the following technical measures to protect your data: HTTPS encryption throughout; database credentials stored as secret environment variables and never exposed client-side; session tokens generated randomly and used as access keys; payment webhook calls signature-verified to reject forged events; and access controls on all systems holding your data.
Your diagnostic inputs are computed in your browser as you enter them, and nothing is transmitted while you build the diagnostic. Your data is sent to us only when you choose to proceed to checkout. If you never proceed to checkout, none of your diagnostic data reaches our servers. If you proceed to checkout but do not complete payment, the data submitted is held as an incomplete record and deleted within seven days, and in all cases under our six-month retention process (see section 5).
7. Your rights
As a data subject under UK GDPR, you have the right to: access the personal data we hold about you; correct inaccurate data; request deletion of your data (subject to any legal retention obligations); object to processing; and request that we restrict processing in certain circumstances.
To exercise any of these rights, contact alan@why-marketing.com. We will respond within one calendar month.
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have not handled your data appropriately.
8. Changes to this notice
We will update this notice when our data practices change. The version number and date at the top of this document identify the current version. Where changes are material, we will notify active subscribers by email.
9. Contact
For any data protection queries: alan@why-marketing.com