Privacy policy
Last updated: April 2026. Policy version: 1.0.
Short version
We're Vantara Labs Ltd, a small UK company. On this site (vantaralabs.co.uk) we collect almost nothing by default: just what you send us through the contact form, plus standard server logs for security. Analytics is off until you opt in via the cookie banner. We never sell your data, never use advertising cookies, and never profile you for ads. Our products (Pelosi Tracker and Leyden) have their own privacy notices on their own domains.
Who we are
The data controller for personal data collected on this website is Vantara Labs Ltd, a company registered in England & Wales under Companies House number 17133349.
Vantara Labs Ltd is registered with the UK Information Commissioner's Office as a data controller under reference ZC129018.
Registered office: Gibson House, Hurricane Court, Hurricane Close, Stafford, ST16 1GZ, United Kingdom.
Privacy contact: [email protected].
What this policy covers
This policy applies to personal data we collect through vantaralabs.co.uk. It does not cover our separate products, each of which has its own privacy notice:
- Pelosi Tracker — see pelositracker.app.
- Leyden — privacy notice published when the product launches.
What we collect and why
Contact form submissions
When you use the form at /contact, we collect the name, email address, subject and message you provide. We use this only to read and reply to your message. The form is protected by Cloudflare Turnstile, which checks whether the submission is made by a human (see sub-processors below).
Lawful basis: legitimate interests (Art. 6(1)(f) UK GDPR) — responding to unsolicited enquiries. You can object at any time by emailing us.
Server logs
Our hosting and serverless providers (Google / Firebase) record standard request metadata for every page view and API call: IP address, user-agent string, request path, response code and timestamp. We use these logs only to investigate abuse, debug errors, and keep the site secure and available. We do not build profiles from them.
Lawful basis: legitimate interests (Art. 6(1)(f) UK GDPR) — network and information security.
Analytics (only if you opt in)
If — and only if — you accept analytics via the cookie banner or the cookie preferences page, Google Analytics 4 records a pseudonymous identifier, the pages you view, referring URL, approximate (city-level) location, and basic device and browser information. IP addresses are truncated by Google before storage. We use this only to understand which content is useful.
Lawful basis: your consent (Art. 6(1)(a) UK GDPR, and reg. 6 PECR for storing information on your device). You can withdraw consent at any time on the preferences page.
What we don't collect
- We don't run user accounts or logins on this site.
- We don't take payment on this site. Paid subscriptions live on the relevant product's own domain.
- We don't use advertising cookies, cross-site trackers, or data brokers.
- We don't sell or rent personal data, and we don't share it for cross-context behavioural advertising.
- We don't geolocate you before the cookie banner appears — the banner is shown to every first-time visitor.
Who we share data with (sub-processors)
We keep the list short and keep it current. Each provider acts as a data processor on our behalf under a written contract that includes UK GDPR / EU SCCs where applicable.
| Provider | Purpose | Location |
|---|---|---|
| Google Ireland Ltd (Firebase Hosting, Cloud Functions, Analytics) | Serves the site, runs the contact form backend, and provides consent-gated analytics. | EU, with onward transfers to Google LLC (US) under UK GDPR adequacy and EU-US DPF. |
| Cloudflare, Inc. (Turnstile) | Bot-protection challenge on the contact form. Processes request metadata only; no personal data you type into the form. | Global edge network. Transfers covered by UK IDTA / EU SCCs. |
| Twilio Inc. (SendGrid) | Delivers the email containing your contact-form message to our inbox. | US, under UK IDTA / EU SCCs and EU-US DPF. |
We will update this list before adding any new sub-processor that handles personal data from this site.
Business transfers
If we're ever involved in a merger, acquisition, financing, or sale of all or part of our business, personal data may be transferred as part of that transaction. We'll let you know before your data becomes subject to a different privacy policy and, where you've actively sent us data (for example via the contact form), we'll give you a reasonable opportunity to request deletion first.
International transfers
Some of our sub-processors (listed above) are based in the United States or operate global infrastructure. Where personal data leaves the UK, we rely on:
- the UK's adequacy regulations for the EU / EEA; and
- the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, where the recipient is in a non-adequate country; and
- the EU-US Data Privacy Framework, where the US recipient is certified under it.
How long we keep data
| Category | Retention |
|---|---|
| Contact-form emails in our mailbox | Up to 12 months, then deleted unless kept for an ongoing conversation. |
| Server / Cloud Function logs | 30 days (provider default), then deleted. |
| Analytics (if you consent) | 14 months at user-/event-level in Google Analytics, then aggregated. |
| Your consent choice | Stored locally in your browser until you clear it. Never transmitted to us. |
Your rights
Under UK GDPR and the Data Protection Act 2018 you have the right to:
- Be informed about how we use your data — that's what this page is for.
- Access a copy of the personal data we hold about you.
- Rectification of inaccurate personal data.
- Erasure of your personal data ("right to be forgotten") where one of the statutory grounds applies.
- Restrict processing of your personal data in certain circumstances.
- Data portability — a copy of the data you provided, in a structured, machine-readable format.
- Object to processing based on our legitimate interests, including any direct marketing.
- Withdraw consent for analytics at any time via the cookie preferences page, without affecting the lawfulness of processing carried out before you withdrew.
To exercise any of these rights, email [email protected]. We'll respond within one month, as required by Art. 12(3) UK GDPR. The deadline can be extended by up to two further months for complex requests; if that happens we'll tell you within the first month and explain why.
Complaints
If you think we've mishandled your personal data, we'd appreciate the chance to fix it — email us first at [email protected]. You also have the right to complain to a data protection supervisory authority:
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk/make-a-complaint, helpline 0303 123 1113.
- EU / EEA: your local data protection authority. The European Data Protection Board maintains a directory at edpb.europa.eu.
Security
The site is served only over HTTPS. The contact form is protected by Cloudflare Turnstile and backend rate limiting. We don't collect payment data or special-category data on this site. Access to the inbox receiving contact-form emails is limited to Vantara Labs personnel who need it, and is protected by multi-factor authentication.
No system is perfectly secure. If you discover a vulnerability, please email [email protected] rather than posting it publicly, and we'll acknowledge within two working days.
Breach notification
If a personal-data breach occurs and is likely to result in a risk to your rights and freedoms, we'll notify the UK Information Commissioner's Office within 72 hours of becoming aware of it, as required by Art. 33 UK GDPR. Where the breach is likely to result in a high risk to you, we'll also contact you directly without undue delay.
Children
This site is not directed at children. We don't knowingly collect personal data from anyone under 16. If you believe a child has sent us data via the contact form, email [email protected] and we'll delete it.
Changes to this policy
If we make material changes we'll update the "Last updated" date at the top of this page and, where the change is significant (for example, a new sub-processor or a new category of personal data), we'll flag it on the site for at least 30 days before it takes effect.
Related
- Cookie policy: what we set in your browser and why.
- Cookie preferences: change your analytics consent.
- Terms of service: the rules for using this website.