Privacy Policy
How Pametan Ltd collects, uses and protects personal data — including data processed through Mailgun and Google Analytics.
1. Who we are
This privacy policy is issued by Pametan Ltd (“Pametan”, “we”, “us”, “our”) — a private limited company registered in England and Wales (Company No. 16023621), with its registered office at 20 Wenlock Road, London, England, N1 7GU.
Pametan is the data controller for personal data collected through this website (pametan.co) and through our direct business communications.
You can contact our privacy team at privacy@pametan.co.
2. What we collect
We only collect personal data we need to run our business. Specifically:
2.1 Information you give us
- Contact form submissions: name, work email, company name, region, project description and anything else you choose to include.
- Newsletter sign-ups: email address and (optionally) first name. We may also store sign-up date and source page.
- Direct correspondence: any information contained in emails or messages you send us, including signatures and attachments.
- Engagement records: if we work together, contractual contacts, billing addresses and project documentation.
2.2 Information we collect automatically
- Server logs: IP address, user-agent, page requested, referrer and timestamp. Held for 30 days for security and abuse prevention.
- Analytics: if you consent, Google Analytics 4 collects pseudonymous identifiers (cookies / client IDs), pages visited, approximate location (city level) and session metrics. IP addresses are not stored by GA4 by default.
- Email engagement: when we send you a newsletter via Mailgun, we may record opens, clicks and bounces in aggregate. You can opt out of tracking at any time using the unsubscribe link.
3. How we use your information
We use personal data only for the purposes listed below:
- To respond to enquiries. When you complete the contact form or email us, we use your details to reply and to discuss potential engagements.
- To send newsletters and marketing communications — only if you have explicitly opted in. You can withdraw consent at any time.
- To deliver services. If we sign a master services agreement, we use your contact and billing data to perform our contract with you.
- To improve the site. Where you have consented to analytics, we use aggregated metrics to understand which pages are useful and which to improve.
- To meet legal obligations. This covers tax records, anti-money-laundering checks where applicable, and responses to lawful requests from authorities.
- To secure the site. We detect and prevent fraudulent or malicious activity using server logs and rate-limiting.
4. Our lawful bases (UK / EU GDPR)
Under the UK GDPR and EU GDPR, we rely on the following lawful bases:
| Activity | Lawful basis |
|---|---|
| Replying to enquiries | Legitimate interest (responding to a request you initiated) |
| Sending marketing newsletters | Consent (Article 6(1)(a)) |
| Delivering services under a contract | Performance of a contract (Article 6(1)(b)) |
| Analytics & performance cookies | Consent (Article 6(1)(a)) — see Cookie Policy |
| Strictly necessary cookies | Legitimate interest (essential site function) |
| Security & fraud prevention | Legitimate interest |
| Tax, accounting & statutory records | Legal obligation |
5. Sharing your data and our processors
We do not sell personal data, and we do not share it with third parties for their own marketing. We do, however, use carefully selected service providers (“processors”) to run our business:
| Processor | Purpose | Location |
|---|---|---|
| Mailgun Technologies, Inc. | Sending transactional and newsletter emails; recording open/click metrics; managing unsubscribes. | United States |
| Google LLC (Google Analytics 4) | Analysing how visitors use this site, where you have consented. | United States / Ireland |
| Amazon Web Services, Inc. (AWS) | Hosting the website (S3 + CloudFront), the contact-form backend (API Gateway + Lambda), DNS (Route 53), and platform secrets (Secrets Manager + KMS). | Primary region: Ireland (eu-west-1). Content is delivered globally via CloudFront edge locations; the TLS certificate for the edge is hosted in the United States (us-east-1) as required by CloudFront. |
| HubSpot, Inc. | Customer relationship management — contact records, sales pipeline tracking, and marketing communications. Data is hosted in HubSpot’s EU data residency region. | European Union |
Each processor is bound by a written data processing agreement that requires them to handle your information only on our instructions and with appropriate safeguards.
We may also disclose data where required by law (e.g. court orders, regulatory requests), where necessary to investigate fraud or security incidents, or in connection with a sale, merger or restructuring of our business — in which case the new controller will be subject to the same commitments.
6. International data transfers
Some of our processors are based outside the United Kingdom and the European Economic Area — most notably Mailgun and Google Analytics, which are headquartered in the United States.
Where we transfer personal data internationally, we rely on at least one of the following safeguards:
- UK Addendum to the EU Standard Contractual Clauses issued by the ICO, which contractually requires the recipient to apply UK-equivalent protection.
- EU Standard Contractual Clauses (2021 module) for transfers from the EEA.
- EU–US Data Privacy Framework certification, where the recipient is enrolled (Mailgun and Google are both certified).
- Adequacy decisions, where the receiving country has been recognised by the UK government or European Commission.
Copies of the relevant transfer mechanisms are available on request.
7. How long we keep data
| Category | Retention |
|---|---|
| Contact form submissions | 24 months from last interaction, then deleted |
| Newsletter subscriber list | Until you unsubscribe, plus 12 months in suppression list to prevent re-subscription in error |
| Server access logs | 30 days |
| Google Analytics data | 14 months (configured retention) for user-level data; aggregated reports are retained indefinitely |
| Contracts & project records | 7 years from end of engagement (UK statutory minimum for tax records) |
| Accounting and tax records | 6–7 years per HMRC / IRS / CRA requirements depending on jurisdiction |
8. Your rights
Depending on where you live, you have a number of rights over your personal data. We honour all of these regardless of jurisdiction:
8.1 If you are in the UK or EU (UK / EU GDPR)
- The right to be informed (this policy).
- The right of access — request a copy of the data we hold about you.
- The right to rectification — ask us to correct inaccurate data.
- The right to erasure (“right to be forgotten”).
- The right to restrict processing.
- The right to data portability.
- The right to object — including a right to object to direct marketing at any time.
- Rights related to automated decision-making (we do not use automated decision-making with legal effect).
- The right to withdraw consent where processing is based on consent.
- The right to lodge a complaint with the UK Information Commissioner’s Office (ICO) or your local supervisory authority.
8.2 If you are in the United States (CCPA / CPRA — California residents)
- The right to know what categories of personal information we collect.
- The right to delete personal information we have collected from you.
- The right to correct inaccurate personal information.
- The right to opt out of the sale or sharing of personal information — note we do not sell or share personal information for cross-context behavioural advertising.
- The right not to be discriminated against for exercising any of these rights.
8.3 If you are in Canada (PIPEDA / Quebec Law 25)
- The right to access and correct your personal information.
- The right to know to whom we have disclosed your information.
- The right to withdraw consent at any time, subject to legal or contractual restrictions.
- For Quebec residents: the right to data portability and the right to be informed of automated decisions affecting you.
- The right to file a complaint with the Office of the Privacy Commissioner of Canada or the Commission d’accès à l’information du Québec.
To exercise any of these rights, email privacy@pametan.co. We will respond within 30 days (UK / EU), 45 days (California) or as soon as reasonably possible. We may need to verify your identity before we act on a request.
9. Cookies and similar technologies
Our use of cookies — including the Google Analytics cookies set when you opt in — is described in detail in our Cookie Policy. You can change your preferences at any time by clicking Manage cookies.
10. Security
We take security seriously. Specifically, we:
- Encrypt data in transit using TLS 1.2 or higher.
- Encrypt data at rest in our hosting provider’s storage.
- Apply role-based access control across systems with single sign-on and mandatory MFA.
- Operate to SOC 2 Type II-aligned controls and are working towards ISO 27001 certification.
- Maintain incident response procedures, including notifying you and the ICO within 72 hours of a notifiable breach where required.
11. Children’s data
This is a B2B website for regulated software development. It is not directed at children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe we have collected information from a child, contact privacy@pametan.co and we will delete it.
12. Changes to this policy
We may update this policy to reflect changes in our practices, our processors, or applicable law. The “Last updated” date at the top of this page reflects the most recent revision. We will notify newsletter subscribers of material changes by email at least 30 days before they take effect.
13. How to contact us
For any privacy-related question or to exercise your rights:
- Email: privacy@pametan.co
- Post: Privacy Team, Pametan Ltd, 20 Wenlock Road, London N1 7GU, United Kingdom