Privacy
We don’t share your information, and we collect as little as possible. This page exists to tell you exactly what that means in practice.
Who runs this site
Goliath Web Services LTD, company number 11873385, registered at 1105–1111 High Road, London N20 0PT, operating under the trade name Goliathus. Contact: [email protected].
For the purposes of UK GDPR and the UK Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025), we are the data controller for any personal information processed through this website and in the course of any engagement.
What we collect, why, and how long we keep it
Site visits. We use Plausible Analytics, which is hosted in the EU and does not use cookies. Plausible records the URL you visited, your country, your device type, your browser, and your referrer (which site sent you to us). It does not record your IP address or identify you personally. This information is retained for 24 months.
Brief submissions. When you submit a brief through /begin, we collect your name, email, company, role, and the answers you provide. This is held in our secure database for 24 months, after which it is permanently deleted unless you have become a client (see below).
Intake submissions. If we invite you to complete the deeper intake at /intake, the answers you provide are held for the duration of any engagement plus 24 months for case study and reference purposes.
Client correspondence. Email exchanges are retained for the duration of any engagement plus 7 years (for tax and legal record-keeping). Email is stored on Fastmail’s servers (located in the United States, with EU-equivalent safeguards in place).
Client project data. Any data we process on your behalf as part of an engagement (your existing content, your customer data if relevant, etc.) is governed by a separate Data Processing Agreement that we sign at engagement start.
What we don’t collect
We don’t use:
- Tracking cookies of any kind
- Third-party advertising trackers
- Heatmap or session replay tools (Hotjar, FullStory, etc.)
- Social media tracking pixels
- Email open or click tracking
If you visit this site without submitting a form, we have no record of you beyond an anonymous, country-level visit count.
Cookies. This site sets no cookies of its own and loads no third-party cookies, so there is nothing to consent to and you will not see a cookie banner. If you change a display preference, that single choice is stored locally in your own browser — it is not a cookie, and it never reaches us. Because we set no non-essential cookies, no consent is required under the Privacy and Electronic Communications Regulations (PECR).
Who we share data with
We don’t sell data, ever. We share data with the following service providers, each of whom is contracted to handle it on our behalf:
| Service | Purpose | Location | Safeguards |
|---|---|---|---|
| Cloudflare | Site hosting, DNS, CDN | Global, EU edge servers | UK ICO approved DPA |
| Supabase | Database for briefs and project data | EU (Frankfurt) | EU GDPR compliant |
| Sanity | Content management (when applicable) | EU (Amsterdam) | EU GDPR compliant |
| Fastmail | Email hosting (our inbox) | Australia / US | Standard Contractual Clauses |
| Resend | Transactional emails (confirmations) | US | Standard Contractual Clauses |
| Stripe Payments UK Ltd | Payment processing (clients only) | UK | UK GDPR |
| Plausible Analytics | Site analytics (no cookies, no PII) | EU (Germany) | EU GDPR compliant |
| Clerk | Client portal authentication (clients only) | US, EU regional | Standard Contractual Clauses |
| 1Password Business | Secrets storage (clients only) | Global | Encrypted, zero-knowledge |
Any change to this list is a material change to this policy and will be communicated to current clients by email.
Your rights under UK GDPR
You have the right to:
- Request a copy of any personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (subject to legal retention requirements)
- Request restriction of processing
- Object to processing
- Request data portability (we’ll provide your data in a structured, commonly used format)
- Withdraw consent at any time
- Complain to the UK Information Commissioner’s Office (ico.org.uk)
To exercise any of these rights, email [email protected]. We respond without undue delay and at the latest within one calendar month, usually much sooner.
International transfers
Some of our service providers are located outside the UK and EU (primarily the United States). We rely on the UK–US Data Bridge, the EU–US Data Privacy Framework, or Standard Contractual Clauses where applicable, to ensure that any international transfer of your personal data is protected by appropriate safeguards.
Children
Goliathus is a business-to-business practice. This site and our services are intended for companies and the adults who run them — they are not directed to children, and we do not knowingly collect personal data from children.
Where a digital age of consent is relevant: in the UK it is 13 (UK GDPR, Article 8); across the EU it ranges from 13 to 16 depending on the member state. We do not provide services to anyone below these ages. If you believe a child has provided us with personal data, email [email protected] and we will delete it promptly.
Security
We take reasonable, industry-standard measures to protect your data: encryption in transit (TLS 1.3), encryption at rest, principle of least privilege for access, regular backups, and a documented incident response procedure. No system is perfectly secure, but we treat your data with the care we would expect for our own.
Changes to this policy
If we make material changes to this policy, we will update the “Last updated” date at the top of this page, and we will notify any current clients by email. Non-material changes (clarifying language, fixing typos) may be made without notice.
Contact
For any privacy question, complaint, or request, email [email protected]. We respond within one business day, usually within hours.
Complaints. If you are unhappy with how we have handled your personal data, you can raise a complaint with us directly at [email protected]. We will acknowledge it within 30 days and respond without undue delay — reflecting the data protection complaints duty introduced by the Data (Use and Access) Act 2025.
If you remain unsatisfied with our response, you have the right to complain to the UK Information Commissioner’s Office:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
0303 123 1113
ico.org.uk