Privacy Policy

Last updated: 28 May 2026
Effective date: 28 May 2026

This Privacy Policy explains what personal data Business aid (“we”, “us”, “our”) collects when you visit business-aid.top or engage us as a client, why we collect it, how we use it, who we share it with, and the rights you have over your data. We’ve written it in plain language and structured it to satisfy the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA).

If anything below is unclear, write to admin@business-aid.top — we’ll explain in writing and in plain English.

1. Who we are

Business aid is a web-stack support service operating at business-aid.top. We provide restoration, security, integrations, mail, AI and general support work across WordPress, OpenCart, Drupal, and the Linux servers and hosting layers underneath them.

For the purposes of this policy, the data controller is Business aid, contactable at admin@business-aid.top. If you’re an EU or UK resident exercising rights under GDPR, this is the contact point for all data-subject requests.

2. What personal data we collect

We only collect what we need to deliver our services and run the website.

2.1. Data you provide directly

  • Contact-form submissions: name, email, company name (optional), phone (optional), the service and platform you select, and the message you send through any form on the site.
  • Email correspondence: any content, attachments and follow-up messages you choose to share when you write to us.
  • Call recordings: only when you explicitly consent at the start of a call. We never record without consent.
  • Contractual data: if we engage on a project — billing details, signed scope of work, and the project credentials we need to deliver it.

2.2. Data collected automatically

  • Server access logs: IP address, user-agent string, requested URL, referer, timestamp. Retained for 30 days for security and abuse prevention.
  • Analytics events: page views, scroll depth, clicks on key elements (CTA, navigation, search). IP addresses are anonymised before storage.
  • Cookies and local storage: session cookies, language preference, consent status. See section 4.

We do not collect payment card data (handled directly by the payment processors named in section 5 — we never see card numbers), biometric data, health data, political opinions, religious beliefs, trade-union membership, sexual orientation, or any other special category of personal data under GDPR Article 9.

3. How and why we use your data

Each category of data has a specific lawful basis under GDPR Article 6:

  • To respond to enquiries (Art. 6(1)(b) — pre-contractual measures): we use contact-form submissions and email to send quotes, schedule calls and answer questions.
  • To deliver paid services (Art. 6(1)(b) — contract performance): we use contractual data to scope, build, deploy and maintain the work you’ve engaged us for.
  • To improve the site (Art. 6(1)(f) — legitimate interest): anonymised analytics help us understand which content is useful, fix broken flows, and improve performance.
  • To prevent abuse (Art. 6(1)(f) — legitimate interest): server logs and session data help us detect bot traffic, brute-force attempts, and scraping.
  • To meet legal obligations (Art. 6(1)(c)): we retain invoicing and contractual records for the period required by applicable tax law in our jurisdiction (typically 5–7 years).
  • To send marketing communication (Art. 6(1)(a) — consent): only if you explicitly opt in. We do not buy email lists. We do not send unsolicited cold pitches.

4. Cookies and similar technologies

This site uses cookies and local storage. They fall into three categories under the EU ePrivacy Directive.

4.1. Strictly necessary cookies

Required for the site to function — session ID, CSRF protection, language preference. These cannot be disabled. Lawful basis: legitimate interest (essential function); ePrivacy exemption applies.

4.2. Analytics cookies

We use Google Analytics 4 (via Site Kit) with IP anonymisation, no Google Signals, and no advertising features enabled. Cookie names: _ga, _ga_*. Retention: 14 months. Lawful basis: consent. You can opt out at any time by writing to us.

4.3. Marketing cookies

We do not use marketing or advertising cookies. We do not run remarketing. We do not embed third-party trackers (Facebook Pixel, LinkedIn Insight, TikTok Pixel, etc.). If we ever add any, we’ll update this policy and request fresh consent before activating them.

5. Third-party services

We use a small number of third-party services to run the site and deliver our work. Each processes a defined slice of personal data under its own privacy policy:

  • Hosting provider: Hetzner — processes server logs and uploaded site data. Hetzner Privacy.
  • CDN and DNS: Cloudflare — processes IP addresses and request metadata for caching, DDoS protection, and DNS resolution. Cloudflare Privacy.
  • Analytics: Google Analytics 4 via Site Kit (anonymised, consent-required). Google Privacy.
  • Search Console: Google Search Console via Site Kit — processes aggregated search-query and URL data. Google Privacy.
  • Email delivery: outbound transactional email is sent through our hosting server or a designated SMTP provider (currently the same hosting infrastructure as the website). Recipient address and message body are stored in our queue for up to 72 hours and then purged.
  • Form submissions: our contact form is self-hosted on this site — submissions save to a private WordPress post type and stay on our own server. No external form SaaS is involved.
  • Project management (during active engagement): issue-tracking, chat, and document tools agreed in writing before access is granted. We use these only after a scope of work is signed.
  • Payment processing: Stripe or Wise — we do not store card or bank-account data ourselves. Stripe Privacy, Wise Legal.

We do not sell your data to third parties. We do not share it for advertising or marketing purposes. The only sharing happens with the processors listed above, strictly to deliver the service you’ve engaged us for.

6. Data retention

  • Contact-form submissions (no contract): 12 months from submission, then deleted.
  • Active client data: for the duration of the engagement, plus 30 days post-launch grace period.
  • Invoicing & contractual records: 5–7 years depending on the applicable tax authority in our jurisdiction.
  • Server access logs: 30 days.
  • Analytics events: 14 months in Google Analytics, after which Google deletes them automatically.
  • Email correspondence: retained while professionally relevant. Anonymised or deleted on request.

7. Your rights

If you’re an individual whose personal data we hold, you have the following rights. We respond to all requests within 30 days at no cost.

  • Right of access (GDPR Art. 15): a copy of all personal data we hold about you, with information on processing purposes and recipients.
  • Right to rectification (Art. 16): correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17 — “right to be forgotten”): deletion of your data when it’s no longer needed and there’s no legal obligation to keep it.
  • Right to restrict processing (Art. 18): we’ll keep the data but stop using it while a dispute is being resolved.
  • Right to data portability (Art. 20): a machine-readable export of data you provided to us, transferable to another controller.
  • Right to object (Art. 21): for processing based on legitimate interest — we’ll stop unless we can demonstrate compelling grounds that override your rights.
  • Right to withdraw consent (Art. 7(3)): at any time, and as easily as you gave it. Withdrawal doesn’t affect the lawfulness of prior processing.
  • Right to lodge a complaint with a supervisory authority: your local Data Protection Authority. The European Data Protection Board maintains a list at edpb.europa.eu. In the UK, this is the Information Commissioner’s Office at ico.org.uk.

To exercise any right, email admin@business-aid.top with the subject line “Privacy request” and a brief description of what you want. We may ask for proof of identity to prevent unauthorised access — we’ll explain exactly what proof and why.

8. Additional rights for California residents (CCPA)

If you’re a California resident, the CCPA grants you the right to know what categories of personal information we collect, the right to request deletion, the right to opt out of sale or sharing of personal information (we do not sell or share), and the right to be free from retaliation for exercising these rights.

To exercise a CCPA right, email admin@business-aid.top with the subject “CCPA request”. We process CCPA requests within 45 days.

9. International data transfers

Some of our processors (Google, Cloudflare) operate servers outside the European Economic Area and the United Kingdom — primarily in the United States. When transferring personal data internationally, we rely on the European Commission’s adequacy decisions where applicable, or on Standard Contractual Clauses (SCCs) approved by the European Commission and (for UK data) the UK International Data Transfer Addendum. We have data-processing agreements with each processor that include the required safeguards.

10. Security measures

  • Encryption in transit: all traffic to and from business-aid.top uses TLS 1.3.
  • Encryption at rest: production databases use volume-level encryption (AES-256).
  • Access control: two-factor authentication enforced on all admin accounts; principle of least privilege; audit log for all admin actions.
  • Backups: daily encrypted backups; 30-day retention with point-in-time recovery.
  • Vulnerability management: weekly security patching for WordPress core, plugins, and OS packages; periodic third-party penetration testing.
  • Incident response: defined breach-notification procedure compliant with GDPR Art. 33-34 — affected individuals informed within 72 hours of a confirmed breach.

11. Children’s privacy

Our services target businesses, not minors. We do not knowingly collect personal data from anyone under 16. If you’re aware that a child has submitted personal data to us, please contact us at admin@business-aid.top and we will delete it promptly.

12. Changes to this policy

We update this policy when our practices change or when new legal requirements come into effect. The “Last updated” date at the top reflects the most recent revision. For material changes — a new third-party processor, a new data category, a change to retention periods — we’ll notify you by email if we have an active engagement, and post a banner on the site for 30 days. Continued use of the site after the effective date constitutes acceptance.

13. Contact

For all privacy-related questions, requests or complaints:

  • Email: admin@business-aid.top (subject: Privacy request)
  • Response time: within 30 days for GDPR/CCPA requests; within 7 business days for general enquiries.

You may also contact a supervisory authority directly. The European Data Protection Board maintains a list of national DPAs at edpb.europa.eu. In the UK, that’s the Information Commissioner’s Office at ico.org.uk.