
Privacy Policy

How Megabite Ltd collects, uses and protects personal data — under the UK GDPR, the Data Protection Act 2018, and (where applicable) the EU GDPR.

Last updated: 1 May 2026 · Effective: 1 May 2026 · Version 2.0

Contents

  1. Who we are
  2. Scope of this policy
  3. Data we collect
  4. How & why we use it
  5. Sharing & processors
  6. International transfers
  7. Retention
  8. Your rights
  9. Security
  10. Cookies
  11. Changes
  12. Contact us

01 Who we are

Megabite Ltd (“Megabite”, “we”, “us”, “our”) is a technology consultancy with offices in the United Kingdom and Mallorca (Illes Balears, Spain). We build custom web and mobile applications, Square-partner POS systems, AI agents and bespoke automation for ambitious businesses.

For the purposes of UK and EU data protection law, Megabite is the data controller of personal data collected through this website and through our pre-engagement and consultancy activities. Where we process personal data on behalf of a client as part of a software build or hosted system, we act as a data processor under that client’s instructions, governed by a separate Data Processing Agreement (DPA).

02 Scope of this policy

This policy covers personal data we process when you:

  • visit our website at megabite.io;
  • contact us by phone, email, the website enquiry form, or social channels;
  • engage Megabite as a client, prospective client, supplier or partner; or
  • are an employee, contractor or authorised representative of an organisation that does any of the above.

It does not cover data we process as a processor on behalf of our clients (see your contract with that client), or third-party services we may link to from this site.

03 Data we collect

We try to collect only the data we genuinely need. Specifically:

3.1 Information you give us

  • Contact details — name, company, email address, phone number and any message you choose to provide through our enquiry form, by email, by phone, or in meetings.
  • Project information — details about your business, requirements, existing systems and operational data shared during scoping, proposals, build and support.
  • Commercial details — billing information, purchase orders and supplier records where applicable.

3.2 Information we collect automatically

  • Technical data — IP address (truncated where possible), browser type and version, device type, operating system, referring URL, language preference and timezone.
  • Usage data — pages visited, time on page, navigation paths, and similar interaction data, collected via privacy-respecting analytics. We do not use ad-tracking pixels.

3.3 Information from third parties

  • Publicly available business information (e.g. Companies House records, LinkedIn profiles) used for qualification and proposal preparation.
  • Referral information when an existing client or partner introduces you.

We do not knowingly collect personal data from children under 16. The site is not directed at children.

04 How & why we use it

| Purpose | Lawful basis (UK/EU GDPR) |
|---|---|
| Responding to your enquiries and providing quotes | Steps taken at your request prior to entering a contract |
| Delivering services under our engagement letter (project work, support, hosting, training) | Performance of a contract |
| Sending project updates, invoices and operational communications | Performance of a contract |
| Sending occasional company updates or relevant new-service news to existing clients | Legitimate interests (keeping clients informed) — you can opt out at any time |
| Improving the website, services and our security posture | Legitimate interests |
| Complying with legal, accounting and tax obligations | Legal obligation |
| Establishing, exercising or defending legal claims | Legitimate interests |

We do not sell personal data, and we do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects on you.

05 Sharing & processors

We share personal data only where necessary, and only with parties bound by appropriate confidentiality and data protection obligations. Typical recipients include:

  • Cloud infrastructure providers — for hosting our website and operational systems (e.g. Google Cloud / Firebase, AWS, regional UK/EU data centres).
  • Productivity and business tools — email, calendar, CRM and document storage (e.g. Google Workspace, Microsoft 365).
  • Payment and accounting providers — for invoicing and bookkeeping (e.g. Stripe, Xero, QuickBooks).
  • Partner platforms used in client builds — only with explicit project scope (e.g. Square, Shopify, Madisa, Twilio, OpenAI).
  • Professional advisors — lawyers, accountants and insurers, where strictly required.
  • Authorities — where required by law, court order or to protect our rights.

We keep an internal record of processors and review them periodically. A current list is available on request.

06 International transfers

Megabite operates in the United Kingdom and Spain. Personal data is primarily processed in the UK and the European Economic Area (EEA). Where a processor is located outside the UK/EEA (for example, certain US-based cloud services), we rely on appropriate safeguards:

  • UK International Data Transfer Agreements (IDTAs) or the UK Addendum to the EU Standard Contractual Clauses;
  • EU Standard Contractual Clauses (SCCs) for EU-originating transfers; and
  • UK or EU adequacy decisions where they apply (e.g. the UK-US Data Bridge / EU-US Data Privacy Framework where the recipient is certified).

A copy of the relevant safeguard for a specific transfer is available on request.

07 Retention

We keep personal data only as long as we need it for the purpose we collected it for, including any legal, accounting or reporting requirements.

  • Enquiry data that does not progress to a project — up to 24 months from last contact, then deleted or anonymised.
  • Client project data — for the duration of the engagement, plus 6 years after final invoice for tax/legal record-keeping (or as separately agreed in the engagement letter).
  • Financial records — 6 years from end of relevant accounting period (UK statutory requirement).
  • Marketing preferences — until you opt out, then we keep a minimal suppression record to honour your choice.

08 Your rights

Under UK and EU GDPR you have the following rights in relation to your personal data. To exercise any of them, email Email Us. We will respond within one calendar month.

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data where there is no good reason to keep it.
  • Restriction — ask us to limit how we use your data.
  • Objection — object to processing based on our legitimate interests, including direct marketing.
  • Portability — request your data in a structured, machine-readable format.
  • Withdraw consent — where we rely on consent (e.g. for marketing), you can withdraw it at any time.
  • Lodge a complaint — with the UK Information Commissioner’s Office (ico.org.uk) or the Spanish data protection authority AEPD (aepd.es). We’d appreciate the chance to address your concerns first.

09 Security

We take security seriously and apply measures appropriate to the data we handle:

  • encryption in transit (TLS) and at rest where supported by our infrastructure;
  • role-based access control, least-privilege principles and multi-factor authentication for staff;
  • regular software updates, dependency scanning and security review of code we ship;
  • UK and EU-based hosting by default for client production data, unless otherwise agreed;
  • incident response procedures aligned with UK GDPR 72-hour breach notification requirements;
  • vendor due diligence on processors handling personal data.

Breach notification. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO (and, where applicable, the AEPD) within 72 hours, and notify affected individuals where the risk is high.

10 Cookies & analytics

Our website uses a minimal number of cookies and similar technologies:

  • Strictly necessary — required for the site to function (e.g. CSRF protection, user preferences). These are always on.
  • Analytics — anonymised aggregate usage metrics so we can improve the site. We use privacy-respecting analytics with IP anonymisation and no cross-site tracking.

We do not use advertising cookies. You can control cookies through your browser settings; blocking all cookies may affect some functionality.

11 Changes to this policy

We may update this policy from time to time to reflect changes in our practices, services, or applicable law. The “Last updated” date at the top of this page shows when it was most recently changed. Material changes will be highlighted when you next visit the site or, where appropriate, communicated to active clients directly.

12 Contact us

For any privacy questions, data subject requests, or to receive a copy of our processor list or international transfer safeguards:

Megabite Ltd - Data Protection contact

Email: Email Us

Mallorca · Illes Balears

Registered office address available on request.
