§01 · Privacy · Updated 23 April 2026
Privacy notice
How Northbrik Systems Ltd collects, stores and uses personal data for this website, the client portal, and the engagements we run. Written to be read, not skimmed.
01 · Section
Who we are and how to reach us
Northbrik Systems Ltd ("Northbrik", "we", "us") is a private limited company registered in England and Wales with its registered office at 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ. We are the data controller for personal data processed through this website, the client portal at northbrik.com, and the engagements we run for client organisations.
For any data protection question or to exercise a right under UK GDPR, email hello@northbrik.com and put "Privacy" in the subject line. We aim to reply within two UK working days and always within one calendar month, which is the statutory maximum for access and erasure requests.
As a small UK studio we are not required to appoint a statutory Data Protection Officer. The founder acts as the named privacy contact, and is responsible for every decision described on this page.
02 · Section
What personal data we collect, and why
We try to collect the minimum information we need to answer you, deliver a project, and meet our legal and tax obligations. That means we treat every form field as a deliberate choice rather than a default. The categories below are exhaustive.
- Enquiry data: name, work email, organisation, the text of your message, and optional referral source. Collected when you submit the contact form, the onboarding flow, or email us directly.
- Portal account data: email, authentication identifier, organisation link, role and activity timestamps. Collected only for people invited into an engagement.
- Engagement data: project title, scope, milestone notes, messages, file names and metadata, delivery-log entries, invoices and payment references. Collected because it is the work.
- Billing data: company name, billing address, VAT status, invoice totals and payment state. Card data is handled by our payment processor; we never see or store the full card number.
- Technical data: server logs including IP address, user-agent, and timestamps for access to protected routes. Retained briefly for security and abuse prevention.
03 · Section
The lawful bases we rely on
Under UK GDPR we must identify a lawful basis for each processing purpose. Ours are listed below so you can match an activity to a basis in writing.
- Legitimate interests (Art. 6(1)(f)): for responding to an enquiry, pitching relevant work, maintaining the website, and keeping records of communication. We only rely on this where the impact on you is proportionate, and you can object at any time.
- Contract (Art. 6(1)(b)): for delivering an engagement to which your organisation is a party, including portal access, messages, deliverables, invoices and support.
- Legal obligation (Art. 6(1)(c)): for keeping tax and company records we are required to keep under UK law, and for responding to lawful requests from regulators.
- Consent (Art. 6(1)(a)): where we rely on consent (for example, optional non-essential analytics, if we ever introduce them) we make the request specific, granular, and as easy to withdraw as to give.
04 · Section
How long we keep personal data
We keep personal data only as long as we need it. The periods below are our defaults; contractual or statutory obligations can extend them, and we will tell you if they do.
- Unsuccessful enquiries: kept for up to 24 months so we can follow up a warm lead, then deleted. You can ask us to delete sooner and we will.
- Active engagement records: kept for the duration of the engagement plus 6 years, aligned with UK Limitation Act periods for contract claims.
- Tax and financial records: kept for 6 years after the end of the relevant accounting period, in line with HMRC requirements.
- Security and access logs: retained for up to 90 days, then aggregated or deleted unless an incident is under investigation.
05 · Section
Sub-processors and where data is held
We use a small, deliberately short list of sub-processors. Every provider below has a commitment to UK GDPR equivalent safeguards, and we hold written data processing agreements with each.
- Cloud hosting & database: Supabase (Postgres, authentication, storage) in EU/UK regions. Processes portal account, engagement and portal file metadata.
- Application hosting: Vercel (edge/SSR compute) in EU/UK regions where available. Processes request logs and serves the website and portal.
- Transactional email: Resend for outbound email (enquiry acknowledgements, invoice notifications, portal alerts). Processes recipient email address and message body.
- Payments: Stripe Payments Europe Ltd (Ireland). Processes billing contact, invoice amount and card data under their own controller-to-controller terms; we only see tokens and payment status.
- Error monitoring: enabled only where explicitly configured for an engagement; never on the public site by default. Payloads are scrubbed for personal data before upload.
A live, dated list of sub-processors for your specific engagement is available on request. Where an engagement requires a bespoke sub-processor (for example, a client-provided CRM), we treat that as part of our Data Processing Agreement and notify you in writing before processing begins.
06 · Section
International data transfers
By default, data stays in the UK or EU. Where a US-resident provider is strictly necessary (for example, Stripe or a client-specified tool), we rely on the UK International Data Transfer Addendum to the European Commission's Standard Contractual Clauses, backed by the provider's own adequacy certifications (DPF, Binding Corporate Rules).
We never move client personal data outside the UK/EU without first noting it on the engagement's sub-processor register and confirming the transfer mechanism in writing.
07 · Section
Security measures
Security is an engineering concern, not a marketing one. The controls below apply to this site and the client portal as a baseline; engagement-specific controls are documented separately in the contract.
- TLS 1.2+ for every public endpoint; HSTS enabled.
- Principle of least privilege for database access; row-level security policies enforced at the database layer in the client portal.
- Secrets managed via provider-native secret stores; never committed to source control.
- MFA required on every administrative account (hosting, database, email, payments, domain).
- Laptops use full-disk encryption and automatic locking; devices are enrolled in a management profile.
- Third-party dependencies are pinned and audited on every release; security advisories are triaged within one working day.
- Backups are encrypted at rest and tested for restoration every 90 days.
08 · Section
Your rights as a data subject
Under UK GDPR you have the rights below. They apply to any personal data we hold about you, not only data collected through this website. We will not charge for a first copy of your data and we will not put procedural barriers in front of a valid request.
- Right of access — ask for a copy of the personal data we hold about you.
- Right to rectification — have inaccurate or incomplete data corrected.
- Right to erasure — ask us to delete data, subject to statutory retention above.
- Right to restrict processing — pause processing while a question is resolved.
- Right to data portability — receive data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests.
- Right not to be subject to a decision based solely on automated processing — we do not make such decisions.
To exercise any right, email hello@northbrik.com. If you are not satisfied with our response you can complain to the UK Information Commissioner's Office at ico.org.uk or 0303 123 1113.
09 · Section
Data about children
Our services are aimed at UK-based businesses and organisations. We do not knowingly collect personal data from children under 13. If you believe a child has provided personal data to us, please email hello@northbrik.com and we will delete it.
10 · Section
Changes to this notice
We will update this page when our processing changes. Material changes are dated at the top of the page. Historic versions are kept in our version control and available on request for compliance reviews.
This page was last reviewed on 23 April 2026. The next scheduled review is within 12 months or sooner if our processing changes.