Privacy Policy

1. Who we are

Mirentha Ltd ("Mirentha", "we", "us", "our") is the data controller responsible for your personal data. We are a digital products studio incorporated in England and Wales (company number 17207914) with our registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.

If you have any questions about this privacy policy or how we handle your data, or you wish to exercise your rights, please contact us at [email protected] or write to us at the address above. For general enquiries you can also reach us at [email protected].

2. What data we collect

We keep the personal data we hold to a minimum, and what we collect depends on how you interact with us:

Prospecting data: As part of our website-audit and outreach work, we collect business contact details from public sources (such as company websites and public registers like Companies House), occasionally a named individual where that is the public business contact, and notes on issues we have observed on a business's own public website.

Enquiry data you provide directly: When you use our contact form or email us, we collect your name, email address, and the content of your message. We only collect what is necessary to respond to your enquiry.

Client and project data: When you work with us, we collect the contact details of the people we deal with, the project brief and any reference material you provide, and the deliverables we produce for you.

Administration data: We collect the billing and transaction details we need to run the business and meet our accounting obligations.

Technical data collected automatically: When you visit our website, our hosting provider (Cloudflare) may collect standard technical information such as your IP address, browser type and version, time zone setting, operating system, and pages visited. This data is collected for security and performance purposes.

Cookie data: Our website uses Cloudflare Turnstile on the contact form, which sets a small number of cookies to verify that submissions come from real people rather than bots. See Section 7 below for full details on cookies.

3. How we use your data and our lawful bases

We use your personal data for the following purposes, relying on the lawful bases set out below:

To carry out prospecting and outreach — we use business contact details and our notes to identify businesses that may benefit from our services and to get in touch. The legal basis is our legitimate interest in promoting our services (Article 6(1)(f) UK GDPR); we have carried out a legitimate interests assessment, and you can object at any time.

To respond to your enquiry — when you contact us, we use your name and email to reply to your message. The legal basis is our legitimate interest in responding to potential client enquiries (Article 6(1)(f) UK GDPR), or taking steps at your request before entering into a contract.

To provide our services to clients — we use client and project data to deliver the work you have engaged us for. The legal basis is performance of a contract (Article 6(1)(b) UK GDPR).

To meet our legal obligations — we process billing and transaction data for accounting and tax purposes. The legal basis is compliance with a legal obligation (Article 6(1)(c) UK GDPR).

To protect our website — Cloudflare Turnstile processes limited data to prevent spam and abuse. The legal basis is our legitimate interest in maintaining the security of our website (Article 6(1)(f) UK GDPR).

To improve our website — we may use anonymised, aggregated technical data to understand how our site performs. This data cannot be used to identify you personally.

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you (Article 22 UK GDPR).

4. AI tools

We use AI tools to help us analyse websites and draft material. We minimise personal data before any AI processing, and for anything that could contain personal data we use a commercial service under a data processing agreement, where inputs are not used to train models. We never put client or prospect personal data into consumer AI tools. The AI provider we use is named in Section 5 below.

5. Who we share your data with

We do not sell your personal data to anyone. We may share data with the following categories of service providers (sub-processors) who process data on our behalf:

Cloudflare, Inc. — our website hosting and security provider. Cloudflare processes data in accordance with their privacy policy and is certified under the EU-US Data Privacy Framework and its UK Extension. Cloudflare Privacy Policy.

Google LLC — we use Google for email, documents, and backups (Gmail/Google Workspace and Google Drive). Google is certified under the EU-US Data Privacy Framework and its UK Extension. Google Privacy Policy.

Anthropic, PBC — our AI provider, used under a commercial data processing agreement where inputs are not used to train models. Anthropic Privacy Policy.

6. International data transfers

Some of our service providers are based outside the UK. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place — relying on the protections the law recognises, such as UK adequacy regulations, providers certified under the EU-US Data Privacy Framework and its UK Extension, the International Data Transfer Agreement (IDTA), or the UK addendum to the EU Standard Contractual Clauses, as applicable.

7. Cookies

Our website uses a limited number of cookies. We do not use advertising cookies, tracking cookies, or third-party analytics.

Strictly necessary cookies: Cloudflare Turnstile and Cloudflare's bot-protection systems set cookies (such as __cf_bm and, where a security challenge is issued, cf_clearance) that are essential for the contact form to function securely. These cookies help verify that form submissions are genuine and protect against spam and abuse. Because they are strictly necessary for the functionality you have requested, they do not require consent under PECR.

Third-party services we link to: If you click on a link to an external service such as LinkedIn, GitHub, or X (Twitter), those services may set their own cookies on your device under their own privacy policies. We have no control over those cookies.

If we introduce any non-essential cookies in the future (such as analytics), we will update this policy and request your consent before setting them.

8. How long we keep your data

We keep personal data only as long as we need it. In summary (the full detail is in our internal retention schedule):

Raw scanned website content from our audits is not retained beyond the moment of analysis.

Contact form submissions and enquiries are retained for up to 24 months from the date of your enquiry, after which they are securely deleted.

Client project files are kept for the duration of the engagement plus about 12 months.

Signed contracts are kept for 6 years after the engagement ends.

Accounting and tax records are kept for 6 years from the end of the relevant accounting period.

Suppression list — if you ask us not to contact you, we keep the minimum information needed to honour that request.

Technical logs collected by Cloudflare are retained according to Cloudflare's own data retention policies and are typically deleted within 72 hours. Our working data is backed up to Google Drive, where deleted items are purged from Trash after about 30 days.

9. Your rights

Under the UK GDPR, you have the following rights regarding your personal data:

Right of access — you can request a copy of the personal data we hold about you.

Right to rectification — you can ask us to correct any inaccurate or incomplete data.

Right to erasure — you can ask us to delete your personal data where there is no compelling reason for us to continue processing it.

Right to restrict processing — you can ask us to suspend the processing of your data in certain circumstances.

Right to data portability — you can request your data in a structured, commonly used, machine-readable format.

Right to object — you can object to processing based on legitimate interests at any time, and your right to object to direct marketing is absolute.

Right to withdraw consent — where we rely on your consent to process your data, you can withdraw it at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at [email protected]. We will respond within one calendar month, which we may extend for complex requests (we will tell you if so). We may ask you to verify your identity before fulfilling a request.

If you are unhappy with how we have handled your personal data, please tell us first at [email protected] so we can try to put it right. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint.

10. Children's privacy

Our website and services are not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

11. Changes to this policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated "Last updated" date. We encourage you to review this policy periodically.