Privacy policy.
What data is collected, why it's collected, and what you can do about it.
Last updated: May 2026
/ 01 Who is the data controller
I'm Romans Krums, trading as RomansCode. I'm based in
the United Kingdom and I'm the data controller for the
information described in this policy.
For privacy questions, email hello@romanscode.com.
/ 02 What this policy covers
This policy covers romanscode.com and any work carried out
for clients. It explains what personal information is collected,
how it's used, who it's shared with, and your rights under
UK GDPR.
/ 03 What data is collected
When you fill in a form
Both the contact form and project form ask for your name,
email, and message. The project form also asks for project
type and budget range.
When you create an account
Your name, email, and a hashed version of your password are
stored. The actual password is never stored or visible —
the hash is one-way and cannot be reversed.
Automatically
When a form is submitted, the IP address used to submit it is
recorded. This is for spam prevention and audit purposes.
Basic logs of failed login attempts (IP, attempted email,
timestamp) are kept for security.
During project work
If we work together, additional information may be received:
business details, access credentials to your hosting or
services, files you send, and the contents of email
conversations.
/ 04 Why it's collected
- To respond to your enquiry. A form submission needs a way to be replied to.
- To deliver work. If you hire me, project information is needed to do the job.
- To keep records. Submission history, invoices, and project notes are kept to run the business and meet legal record-keeping requirements (HMRC requires keeping financial records for at least 6 years).
- To prevent abuse. IP addresses and login logs help block spammers and detect unauthorised access.
- To verify identity. The email verification step confirms ownership of the email address used during registration.
/ 05 Legal basis (UK GDPR)
Three legal bases under UK GDPR apply:
- Contract. When you hire me, processing your data is necessary to deliver the work.
- Legitimate interests. Replying to enquiries, preventing spam, and keeping security logs are reasonable for running a business and don't override your privacy rights.
- Legal obligation. Some records (financial, tax) must be kept by law.
/ 06 Who data is shared with
Your data is never sold. It's never shared for marketing.
Some third-party services are used to run the business. These
providers may handle your data on behalf of RomansCode:
- Hosting provider. The server where this site runs and where data is stored.
- Email provider. The service that delivers emails between us.
- Payment processor. If you pay for work, the payment is handled by a third-party provider (e.g. bank, Stripe). Full card details are never seen or stored.
Data may be shared with HMRC, an accountant, or legal authorities
if required by law.
/ 07 How long it's kept
- Form submissions: kept for up to 2 years, then archived or deleted.
- Account data: kept for as long as the account is active. If the site is no longer used, deletion can be requested by email.
- Project records and invoices: kept for at least 6 years (HMRC requirement).
- Login attempt logs: kept for 30 days then pruned.
- Email correspondence: kept for as long as needed for the business relationship, then archived.
/ 08 Where it's stored
All data is stored on UK or EU-based servers. If a third-party
service moves data outside the UK/EU, appropriate safeguards
are in place (e.g. UK–US Data Bridge, standard
contractual clauses).
/ 09 Your rights
Under UK GDPR, you have the right to:
- Access the personal data held about you.
- Correct data that's wrong or out of date.
- Delete your data, where it's not legally required to be kept.
- Restrict how your data is processed in certain situations.
- Object to processing based on legitimate interests.
- Data portability — receive your data in a usable format.
- Withdraw consent at any time, where consent is the legal basis.
- Complain to the UK Information Commissioner's Office (ICO) if you believe your data has been handled unfairly. ico.org.uk
To exercise any of these rights, email hello@romanscode.com.
A response will follow within 30 days.
/ 10 Cookies
A small number of essential cookies are used to make the site work:
- Session cookies — keep you signed in to your account or admin area. Deleted when the browser is closed or you sign out.
- CSRF tokens — protect forms from cross-site attacks.
No tracking cookies, analytics cookies, or third-party
advertising cookies are used. Essential cookies don't require
consent under UK law.
/ 11 Security
Reasonable steps are taken to protect your data:
- Passwords are stored as one-way hashes (bcrypt). Plain text passwords are never seen or stored.
- The site runs over HTTPS — data sent between you and the server is encrypted.
- Failed login attempts are rate-limited to slow down brute-force attacks.
- Access to admin areas is restricted to authenticated users only.
No system is perfect. In the event of a data breach, affected
people will be notified without delay and the ICO will be
informed if required.
/ 12 Changes to this policy
This policy may be updated from time to time. The date at the
top shows when it was last changed. If a change materially
affects how data is handled, registered users will be notified
by email before the change takes effect.