01Who we are
This site, digitopialabs.com, is operated by Digitopia Design Ltd, a company registered in England and Wales. Digitopia Labs is the trading name for our AI infrastructure work.
As the data controller, we determine how and why your personal data is processed. We're committed to handling it transparently and minimally - collecting only what we need, keeping it only as long as necessary, and never selling it or sharing it for marketing purposes.
02What data we collect
We collect personal data only in specific, limited circumstances. Here's exactly what we collect and when:
| Data type | When collected | Why |
|---|---|---|
| Name + email | You book a call or contact us | Reply to enquiries, schedule meetings |
| Company + role | You request a proposal or engage us | Tailor the engagement, invoice correctly |
| Billing details | You become a paying client | Process payments, issue invoices |
| Engagement content | During an active project | Deliver the work (brand materials, prompts, etc.) |
| Email + scorecard answers | You complete the AI Readiness Scorecard | Send your result by email; if you tick the marketing box, enrol in the nurture sequence |
| Marketing-consent record | You tick the scorecard marketing box | Evidence when (and whether) you consented to marketing - timestamped on submission |
| UTM tags + referrer | You arrive via a tracked link (e.g. an ad) | Understand which campaigns send leads; stored alongside the scorecard submission |
| Site analytics | You visit the site | Understand what content is useful (anonymised) |
We don't ask for, or accept, any special category data (health, ethnicity, religion, etc.) unless it's genuinely necessary for an engagement and we have explicit consent.
03Lawful basis for processing
Under UK GDPR we must have a lawful basis for processing your data. We rely on the following bases:
- Contract - when you engage us for a paid product or retainer, we process the data needed to deliver the work and invoice for it.
- Legitimate interests- when you contact us via the booking form, the AI Readiness Scorecard, or email, we process your enquiry to respond. Our legitimate interest is responding to people who've contacted us. For the scorecard specifically: you completed the assessment and asked for the result by email, so sending that one email is processing in your interest.
- Consent - for ongoing marketing emails (the nurture sequence that follows the scorecard, and any future newsletter), we only enrol you if you've ticked the separate marketing consent box. We record the timestamp of that consent. You can withdraw it any time via the unsubscribe link in every marketing email, or by emailing us. Non-essential cookies (analytics, ad pixels) are also gated on consent via the cookie banner - see our Cookie Policy for detail.
- Legal obligation - we retain financial records (invoices, payments) for the period required by HMRC and UK accounting regulations.
04How we use your data
We use the data we collect for these specific purposes only:
- Responding to enquiries and scheduling discovery calls
- Delivering paid engagements (Audits, Blueprints, Sprints, Skills, retainers)
- Issuing invoices and processing payments
- Maintaining ongoing client relationships and retainer work
- Understanding which parts of our site are useful (via anonymised analytics)
- Complying with our legal and accounting obligations
What we don't do
We don't sell your data. We don't share it with advertisers. We don't add you to a mailing list without asking. We don't use AI training services that ingest customer data. If you've engaged us for client work, we don't reference your engagement publicly without your explicit permission (and where we do - see our case studies - you've approved it in writing).
05Third-party services we use
To deliver the site and our services, we use a small number of carefully chosen third-party tools. Each one has its own privacy policy:
| Service | Used for | Data shared |
|---|---|---|
| Vercel | Site hosting | Standard request logs |
| Supabase (EU) | Scorecard lead database | Email, scorecard answers + score, marketing-consent flag + timestamp, UTM tags |
| Resend | Transactional email (scorecard result + future receipts) | Email address + the result email contents |
| MailerLite | Marketing nurture sequence (only with your consent) | Email, scorecard verdict band, score band - only if you ticked the marketing box |
| Cal.com | Call scheduling | Name, email, call details |
| Stripe | Payment processing | Billing details, payment info |
| Google Workspace | Email + docs | Client communications |
| Anthropic (Claude) | AI infrastructure work | Client engagement content during active delivery only |
| Google Analytics 4 | Site analytics (consent-gated) | Aggregate page-view data, no PII sent |
| PostHog (EU) | Product analytics, session replay with inputs masked (consent-gated) | Page-view + interaction data, no PII sent |
| CookieYes | Cookie consent management | Anonymous consent record |
| Advertising measurement (consent-gated, when campaigns live) | Ad-click attribution data |
We only use third-party services where we've reviewed their privacy practices and they meet UK GDPR requirements. We don't share your data with any third party for marketing purposes.
06How long we keep your data
We keep personal data only for as long as we need it for the purposes set out above, then we delete it.
- Enquiry contacts - kept for 12 months after our last contact, then deleted
- Active client data - kept for the duration of the engagement plus 6 months
- Invoices and financial records - kept for 7 years to comply with HMRC requirements
- Engagement deliverables - typically deleted within 90 days of project completion (you retain ownership; we don't need long-term copies)
- Scorecard submissions - kept for 24 months from the submission date, then deleted. If you opted into marketing, we also keep the consent timestamp for that long as evidence of the lawful basis for emailing you.
- Marketing subscriber records (MailerLite) - held until you unsubscribe, or for 24 months of inactivity (no opens / clicks), whichever comes first; then removed.
- Site analytics - anonymised at point of collection; not associated with you personally
You can request earlier deletion at any time (see “Your rights” below).
07Your rights
Under UK GDPR you have the following rights regarding your personal data:
- Right of access - get a copy of the personal data we hold about you
- Right to rectification - correct inaccurate or incomplete data
- Right to erasure - ask us to delete your data (subject to legal retention requirements)
- Right to restrict processing - limit how we use your data
- Right to data portability - receive your data in a portable format
- Right to object - object to specific kinds of processing
- Right to withdraw consent - where we rely on consent, you can withdraw it anytime
To exercise any of these rights, email hello@digitopialabs.com. We'll respond within one month.
If you're unhappy with how we've handled your data, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk. We'd prefer you came to us first so we can put things right.
08Cookies
This site uses minimal cookies. Essential cookies (for site function) load automatically. Non-essential cookies (analytics) only load with your consent.
For full detail on what cookies we use and how to manage them, see our Cookie Policy.
09Children
Our services are designed for businesses and adult professionals. We don't knowingly collect data from anyone under 18. If you believe a child has provided us with personal data, contact us and we'll delete it.
10Changes to this policy
We may update this Privacy Policy from time to time - when our services change, when third-party tools change, or when legal requirements change. The “Last updated” date at the top of this page shows when changes were made.
For material changes that affect how we process your data, we'll notify active clients directly by email before changes take effect.
11Contact us
For any questions about this Privacy Policy or how we handle your personal data, get in touch: