Legal · Privacy

Privacy Policy

How we collect, use, store, and protect personal data when you visit digitopialabs.com or engage with Digitopia Labs services. Written to comply with UK GDPR and the Data Protection Act 2018.

Last updated17 July 2026
Versionv1.7
Effective from17 July 2026
Data controllerDigitopia Design Ltd

01Who we are

This site, digitopialabs.com, is operated by Digitopia Design Ltd, a company registered in England and Wales. Digitopia Labs is the trading name for our AI infrastructure work.

Data controllerDigitopia Design Ltd, 124 City Road, London, EC1V 2NX, United Kingdom. Registered company number 12037302. ICO data protection register reference ZC160761. Contact: hello@digitopialabs.com.

As the data controller, we determine how and why your personal data is processed. We're committed to handling it transparently and minimally - collecting only what we need, keeping it only as long as necessary, and never selling it or sharing it for marketing purposes.

02What data we collect

We collect personal data only in specific, limited circumstances. Here's exactly what we collect and when:

Data typeWhen collectedWhy
Name + emailYou book a call or contact usReply to enquiries, schedule meetings
Company + roleYou request a proposal or engage usTailor the engagement, invoice correctly
Billing detailsYou become a paying clientProcess payments, issue invoices
Email + purchase recordYou buy a ready-made skillGive you access to what you bought, let you sign back in later, meet accounting obligations
Sign-in eventsYou sign in with a magic linkKeep your account secure (we email a link, we don't store a password)
Voice Match answers + writing sampleYou use Voice MatchGenerate your voice profile and let you return, edit, regenerate or delete it
Engagement contentDuring an active projectDeliver the work (brand materials, prompts, etc.)
Engagement intake answers + uploaded documentsYou complete an Audit or Blueprint intakeStart the engagement from the right place and deliver it; files stored privately, deletable, never used to train
Email + scorecard answersYou complete the AI ScorecardSend your result by email; if you tick the marketing box, enrol in the nurture sequence
Email + project answersYou use the AI Project StarterGenerate your one-page brief (your answers are processed by Anthropic's API) and email it to you; stored so we can run the tool fairly and improve it
Email + saved comparison linkYou email yourself an AI Cost Calculator comparisonSend your saved comparison and cost tips by email - nothing else is stored
Marketing-consent recordYou tick a marketing box (scorecard, Project Starter, Cost Calculator, or checkout)Evidence when (and whether) you consented to marketing - timestamped on submission
UTM tags + referrerYou arrive via a tracked link (e.g. an ad)Understand which campaigns send leads; stored alongside the scorecard or Project Starter submission
Site analyticsYou visit the siteUnderstand what content is useful (anonymised)

We don't ask for, or accept, any special category data (health, ethnicity, religion, etc.) unless it's genuinely necessary for an engagement and we have explicit consent.

03Lawful basis for processing

Under UK GDPR we must have a lawful basis for processing your data. We rely on the following bases:

  • Contract - when you engage us for a paid product or retainer, we process the data needed to deliver the work and invoice for it.
  • Legitimate interests- when you contact us via the booking form, one of the free tools (the AI Scorecard, the AI Project Starter, or the AI Cost Calculator), or email, we process your enquiry to respond. Our legitimate interest is responding to people who've contacted us. For the free tools specifically: you completed the tool and asked for the result by email, so sending that one email is processing in your interest - it doesn't enrol you in anything.
  • Consent - for ongoing marketing emails (the nurture sequence that follows the scorecard or another free tool, updates about our ready-made skills if you buy one and tick the optional box at checkout, and our newsletter), we only enrol you if you've ticked the separate marketing consent box. We record the timestamp of that consent. You can withdraw it any time via the unsubscribe link in every marketing email, or by emailing us. Non-essential cookies (analytics, ad pixels) are also gated on consent via the cookie banner - see our Cookie Policy for detail.
  • Legal obligation - we retain financial records (invoices, payments) for the period required by HMRC and UK accounting regulations.

04How we use your data

We use the data we collect for these specific purposes only:

  • Responding to enquiries and scheduling discovery calls
  • Delivering paid engagements (Audits, Blueprints, Sprints, Skills, retainers)
  • Issuing invoices and processing payments
  • Maintaining ongoing client relationships and retainer work
  • Understanding which parts of our site are useful (via anonymised analytics)
  • Complying with our legal and accounting obligations

Voice Match and your writing sample

Voice Match generates a “voice profile” from questionnaire answers and a writing sample you paste in. We store your answers and sample so you can return, edit and regenerate your profile. To generate the profile, your answers and sample are sent to Anthropic's API (the provider of the Claude model) for processing; we send only what's needed to generate your profile - not your email or account identifiers. We do not use your writing sample to train anything, we don't share it with anyone else, and our staff don't read it in the ordinary course of business. You can delete your sample and profile from your account at any time, which removes them from our systems. Legal basis: performance of a contract.

What we don't do

We don't sell your data. We don't share it with advertisers. We don't add you to a mailing list without asking. We don't use AI training services that ingest customer data. If you've engaged us for client work, we don't reference your engagement publicly without your explicit permission, given in writing.

05Third-party services we use

To deliver the site and our services, we use a small number of carefully chosen third-party tools. Each one has its own privacy policy:

ServiceUsed forData shared
VercelSite hostingStandard request logs
Supabase (EU)Database, magic-link sign-in, purchases, Voice Match profiles, and private storage for engagement source materialEmail, purchase/entitlement records, sign-in, Voice Match answers + writing sample + generated profile, engagement intake answers + uploaded documents (private bucket), scorecard answers + score, Project Starter answers + generated brief, marketing-consent flag + timestamp, UTM tags
ResendTransactional email (scorecard results, Project Starter briefs, Cost Calculator comparisons, purchase access + receipts)Email address + the email contents
MailerLiteMarketing emails (only with your consent)Email; for free-tool leads, which tool you used (and for the scorecard, your verdict/score band); for skills buyers who opt in, which skills you own and your licence type - only if you ticked the marketing box
Cal.comCall schedulingName, email, call details
StripePayment processingBilling details, payment info
Google WorkspaceEmail + docsClient communications
Anthropic (Claude)AI infrastructure work; Voice Match profile generation; Project Starter brief generationClient engagement content during active delivery; for Voice Match, your questionnaire answers + writing sample; for the Project Starter, your project answers (none of it used for training)
Cloudflare TurnstileBot protection on the free toolsBrowser and interaction signals used to tell humans from bots; no account data
Google Analytics 4Site analytics (consent-gated)Aggregate page-view data, no PII sent
PostHog (EU)Product analytics, session replay with inputs masked (consent-gated)Page-view + interaction data, no PII sent
CookieYesCookie consent managementAnonymous consent record
LinkedInAdvertising measurement (consent-gated, when campaigns live)Ad-click attribution data

We only use third-party services where we've reviewed their privacy practices and they meet UK GDPR requirements. We don't share your data with any third party for marketing purposes.

06How long we keep your data

We keep personal data only for as long as we need it for the purposes set out above, then we delete it.

  • Enquiry contacts - kept for 12 months after our last contact, then deleted
  • Active client data - kept for the duration of the engagement plus 6 months
  • Invoices and financial records - kept for 7 years to comply with HMRC requirements
  • Skill purchase records + account entitlements - kept while your account is active so you keep access to what you bought; the underlying payment records are held for 7 years under the accounting rules above
  • Voice Match data (answers, writing sample, generated profile) - kept while your account is active, or until you delete it. You can delete it at any time from your account, which removes it from our systems
  • Engagement deliverables (the work we produce for you) - typically deleted within 90 days of project completion (you retain ownership; we don't need long-term copies). This is separate from the source material you upload, covered under Retention and deletion below.
  • Scorecard submissions - kept for 24 months from the submission date, then deleted. If you opted into marketing, we also keep the consent timestamp for that long as evidence of the lawful basis for emailing you.
  • Marketing subscriber records (MailerLite) - held until you unsubscribe, or for 24 months of inactivity (no opens / clicks), whichever comes first; then removed.
  • Site analytics - anonymised at point of collection; not associated with you personally

You can request earlier deletion at any time (see “Your rights” below).

07Your rights

Under UK GDPR you have the following rights regarding your personal data:

  • Right of access - get a copy of the personal data we hold about you
  • Right to rectification - correct inaccurate or incomplete data
  • Right to erasure - ask us to delete your data (subject to legal retention requirements)
  • Right to restrict processing - limit how we use your data
  • Right to data portability - receive your data in a portable format
  • Right to object - object to specific kinds of processing
  • Right to withdraw consent - where we rely on consent, you can withdraw it anytime

To exercise any of these rights, email hello@digitopialabs.com. We'll respond within one month.

If you're unhappy with how we've handled your data, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk. We'd prefer you came to us first so we can put things right.

08Cookies

This site uses minimal cookies. Essential cookies (for site function) load automatically. Non-essential cookies (analytics) only load with your consent.

For full detail on what cookies we use and how to manage them, see our Cookie Policy.

09Children

Our services are designed for businesses and adult professionals. We don't knowingly collect data from anyone under 18. If you believe a child has provided us with personal data, contact us and we'll delete it.

10Changes to this policy

We may update this Privacy Policy from time to time - when our services change, when third-party tools change, or when legal requirements change. The “Last updated” date at the top of this page shows when changes were made.

For material changes that affect how we process your data, we'll notify active clients directly by email before changes take effect.

11When you work with us on an Audit or Blueprint

Intake answers

If you buy an engagement (such as the AI Audit or AI Blueprint), we ask structured questions about your business so the work starts from the right place. Your answers are stored against your account so you can return, edit and complete them, and so we can prepare for and deliver your engagement. Legal basis: performance of a contract.

Documents you upload

For some engagements we ask for source material - for example brand documents, existing content, or presentations. Files you upload are stored privately (Supabase Storage, access restricted to you and to us for delivery of your engagement), are never made public, and are never used to train anything. Please don't upload anything you're not permitted to share - if a document contains someone else's confidential or personal information, it's your responsibility to have the right to share it with us.

AI processing

We prepare and deliver engagements using AI tooling, including Anthropic's Claude, inside our own workspaces. That means your intake answers and uploaded documents may be processed by Anthropic's API on our instructions as part of delivering your engagement. As with Voice Match data, API inputs are not used by Anthropic to train models under the commercial terms we operate on.

Retention and deletion

Engagement materials are kept for the duration of the engagement and for up to 12 months after completion (so we can support you on what was delivered), then deleted. You can ask us to delete uploaded documents earlier at any time; before an intake is submitted you can delete it yourself from your account. Deleting removes the files from our storage, not just from view.

Confidentiality

Engagement materials are treated as confidential client information. They're accessed only for delivering and supporting your engagement, and only by the people doing that work.

12Contact us

For any questions about this Privacy Policy or how we handle your personal data, get in touch:

Post
Digitopia Design Ltd, 124 City Road, London, EC1V 2NX, United Kingdom
Company no.
12037302 (England and Wales)
ICO complaint
ico.org.uk - if you'd prefer to escalate