[DRAFT — requires legal review before publication. AI-assisted draft, not legal advice.]
Privacy Policy
Last updated: 1 May 2026
1. Who we are
This privacy policy is issued by MDMX, operated by Michael Maybury, sole trader. MDMX provides marketing services to UK home improvement and trade businesses.
- Contact email: michael@mdmx.digital
- Postal address: MDMX, c/o Michael Maybury, [STREET ADDRESS LINE 1], [STREET ADDRESS LINE 2], Woking, [POSTCODE], United Kingdom
We are the data controller for personal data collected through our own websites and marketing activities, and a data processor for personal data processed on behalf of our clients (e.g. leads generated through campaigns we run for them). Where we act as a processor, the relevant client is the data controller and their privacy policy will also apply.
2. What data we collect
We collect and process the following categories of personal data:
- Form submissions on websites we operate, or operate on behalf of our clients — typically name, phone number, email address, postcode, and a description of the job or enquiry.
- Lead data delivered to our clients via Meta Lead Ads and landing pages we host on their behalf.
- Analytics and tracking data captured via cookies and similar technologies, including the Meta Pixel and (where deployed) Google Analytics.
- Communication records generated when we contact leads on behalf of our clients via WhatsApp, SMS, or email — including message content, timestamps, and delivery metadata.
3. Why we collect it (lawful bases under UK GDPR)
We rely on the following lawful bases under Article 6 of the UK GDPR:
- Contract — to provide marketing services to our clients under our agreement with them.
- Legitimate interest — to improve service delivery, prevent fraud, secure our systems, and analyse the performance of marketing campaigns. We have assessed that these interests are not overridden by the rights and freedoms of the individuals concerned.
- Consent — for marketing communications sent directly by us, and for non-essential cookies, where consent is required. You may withdraw consent at any time.
4. How long we retain it
- Lead data: retained for up to 7 years in line with HMRC tax record-keeping requirements.
- Marketing analytics: aggregated and anonymised data may be retained indefinitely; data identifying an individual is retained for up to 2 years.
- Communication records: retained for up to 7 years.
When the retention period expires, data is securely deleted or fully anonymised.
5. Third parties we share data with
We share personal data with the following named processors and partners, only to the extent necessary to deliver our services:
- Meta Platforms, Inc. — Facebook and Instagram advertising, lead capture, pixel-based analytics.
- GoHighLevel — lead nurture automation and WhatsApp messaging infrastructure.
- Supabase / Postgres — database hosting (UK / London region).
- GoCardless — direct debit payment processing.
- QuickBooks / Intuit — accounting and invoicing.
- Microsoft — business email and calendar via Microsoft Graph.
- Google — Google Analytics, Google Drive (file storage), Google Calendar.
We do not sell personal data to third parties.
6. International transfers
Some of the processors listed above (including Meta, Google, Microsoft, GoCardless, and Intuit) are based in or transfer data to the United States or other jurisdictions outside the UK. Where this happens, transfers are made under appropriate safeguards — typically the UK International Data Transfer Agreement, the EU Standard Contractual Clauses with the UK Addendum, or equivalent UK-recognised transfer mechanisms.
7. Your rights under UK GDPR
You have the following rights in relation to your personal data:
- Right of access — to obtain a copy of the personal data we hold about you.
- Right to rectification — to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — to have your data deleted in certain circumstances.
- Right to restriction of processing.
- Right to data portability — to receive your data in a structured, commonly used, machine-readable format.
- Right to object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent at any time, where consent is the lawful basis.
To exercise any of these rights, email michael@mdmx.digital. We will respond within one month of receiving a valid request.
8. Cookies
We use Meta Pixel for advertising analytics and Google Analytics for website analytics. By continuing to use this site you accept these cookies. A detailed cookie preference centre is in development — until then, you can manage cookies via your browser settings.
9. Complaints
If you believe we have handled your personal data incorrectly, please contact us first at michael@mdmx.digital so we can investigate. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority:
- Website: ico.org.uk
- Helpline: 0303 123 1113
10. Changes to this policy
We will update the "Last updated" date at the top of this policy when we make changes. Material changes will be communicated directly to individuals where we hold their contact details and the change is relevant to them.