What Information Enters Our Systems

Details reach us through multiple channels, each triggered by different interactions you choose to initiate.

When You Contact Us

Initial outreach generates basic records: your name, whatever email address you provide, phone details if you share them, and the substance of your enquiry. Forms on our site capture what you enter. Direct emails contain what you write. Phone conversations might generate notes we keep for project continuity.

During Project Work

Active engagements create different data streams. We document your preferences about design direction. Your feedback on mockups gets recorded. File sharing generates metadata. Communication history builds up. Payment processing creates transaction records that our accounting systems require.

Project files themselves contain embedded information — modification timestamps, author metadata, revision history. These prove useful when questions arise about development timelines or when reconstructing design decisions months later.

System-Generated Records

Our infrastructure captures certain technical details automatically. Server logs note when someone accesses our site, though we don't obsessively analyze this data. Error logs help diagnose technical problems. Backup systems create redundant copies of project files because hard drives fail and ransomware exists.

Why These Records Exist

Every category of information we maintain serves specific operational needs. Nothing gets collected because it might prove useful someday.

Contact details let us respond to enquiries and maintain ongoing project communication. Without your email address, delivering design files becomes problematic. Phone numbers enable quick clarification when written communication creates confusion.

Project preferences and feedback drive the actual design work. Your stated goals shape our approach. Your reactions to initial concepts determine next iterations. Recording these prevents us from forgetting crucial direction mid-project.

Technical logs support system maintenance and security monitoring. When something breaks at 3am, those logs help identify the cause. When someone attempts unauthorized access, patterns become visible through log analysis.

Legal compliance creates retention obligations we can't sidestep. Beyond regulatory requirements, contract disputes occasionally surface years later, making historical project records valuable for both parties.

Who Accesses Your Information

Not everyone at Manthex sees everything. Access follows necessity.

Internal Team Members

Designers working on your project see project files, communication history, and stated preferences. Developers receive technical requirements and content specifications. Account managers access communication records and project timelines. Our bookkeeper sees invoices and payment records but not design files.

External Service Providers

Certain functions require third-party tools. Email hosting means our provider stores message content. Cloud storage systems hold project files. Payment processors handle financial transactions. Each vendor receives only what their service requires.

• Email hosting services store correspondence between us
• Cloud storage platforms hold project files and deliverables
• Payment processors receive billing details and transaction amounts
• Project management tools contain task lists and communication threads
• Accounting software stores invoice details and financial records

We've vetted these providers for security practices and data handling policies. Contracts with vendors include confidentiality obligations. That said, we can't control their internal operations completely — hence this disclosure.

How Information Gets Protected

Security measures exist in layers because single defenses fail.

Encryption protects data during transmission between your browser and our servers. Stored files sit on systems with access controls and authentication requirements. Backups get encrypted before leaving our primary infrastructure. Physical servers reside in facilities with security monitoring and restricted access.

Team members use password managers and two-factor authentication. Devices with client data require encryption. We enforce regular password updates and prohibit password reuse across systems.

Despite these precautions, perfect security doesn't exist. Sophisticated attackers occasionally breach well-defended systems. Hardware fails unexpectedly. Human errors happen regardless of training. We've designed our systems to minimize risk, not eliminate it entirely — that would be a false promise.

When security incidents occur, we follow an incident response protocol: assess scope, contain damage, notify affected parties, implement corrective measures, and document lessons learned.

What Control You Retain

Several rights remain yours regardless of our operational needs.

Access and Verification

You can request copies of information we hold about you. We'll provide this in readable format within 30 days. If you spot inaccuracies, we'll correct them promptly once you flag them.

Deletion Requests

You can request deletion of your information, subject to certain limitations. Active projects require certain records for delivery. Financial regulations mandate tax document retention. Legitimate legal claims create preservation obligations. Beyond these constraints, we'll delete what you specify.

Objections and Restrictions

If you object to specific uses of your information, tell us. We'll stop unless legal obligations or contractual necessities prevent it. You can request restricted processing where appropriate — we'll store but not actively use certain data.

Data Portability

For information you've directly provided, you can request portable copies in common formats. Project files, communication histories, and submitted data can be transferred to you or another provider you designate.

How Long Records Persist

Retention periods vary by information type and legal requirements.

Financial records stay for seven years — UK tax law demands this. Project files remain accessible for three years after completion because questions surface long after delivery. Communication records persist eighteen months beyond active engagement. Technical logs cycle every 90 days unless needed for investigating security incidents.

Marketing enquiries that don't convert get purged after two years. Contact details for completed projects stay in our CRM until you request removal or we lose touch for over three years. Old backups eventually get overwritten as retention windows expire.

We periodically review stored information and purge data that no longer serves business needs or legal requirements. This happens quarterly, though urgent deletion requests get processed immediately when justified.

Legal Foundations for Processing

UK data protection law requires legitimate grounds for holding information. We rely on several legal bases depending on context.

Contract performance justifies most project-related data. We can't deliver design work without processing your requirements, feedback, and contact details. This covers the bulk of operational records.

Legal obligations mandate financial record retention and certain security practices. Tax compliance, corporate law requirements, and regulatory frameworks create processing necessities beyond our preference.

Legitimate interests support some activities where our needs align with reasonable client expectations. Security monitoring falls here — detecting attacks benefits everyone. System improvement through error analysis serves mutual interests.

Consent underpins optional activities like newsletters or case study participation. When we rely on consent, we'll request it explicitly and honor withdrawals promptly.

Cross-Border Data Considerations

Our primary operations occur within the United Kingdom. Some service providers maintain infrastructure elsewhere, meaning information occasionally crosses borders during routine processing.

Cloud storage providers use data centers across multiple jurisdictions. Email routing follows internet backbone geography. Payment processors operate internationally. When transfers occur, we verify that receiving jurisdictions provide adequate protections or that contractual safeguards exist.

European Economic Area transfers benefit from adequacy decisions and standard contractual clauses. Other jurisdictions receive case-by-case assessment. We won't transfer information to regions with problematic privacy frameworks unless legally compelled or you explicitly consent.

Updates to This Policy

Operational practices evolve. Legal requirements change. New technologies emerge. This document will be updated periodically to reflect current reality.

Significant changes trigger email notification to active clients. Minor clarifications or formatting updates happen without fanfare. The version date at the top indicates when the last revision occurred.

We maintain archives of previous versions. If you need to reference historical language for contract interpretation or dispute resolution, request the relevant dated version.