LEGAL

Privacy Policy

Last updated: May 2026

Who we are

Gopher Labs Limited (Companies House 09965667) operates this website at gopher.co.uk. We are the data controller for personal data collected through this site.

You can contact us at hello@gopher.co.uk.

What data we collect

Contact form. When you submit our contact form, we collect your name, email address, company name (optional), and message. We also record your IP address for abuse prevention and rate limiting. This data is stored in our CRM database (Supabase) so we can manage the enquiry through to completion.

Analytics. If you consent, we use PostHog to collect anonymised usage data: pages visited, approximate location (country/region), browser type, and how you arrived at the site. No personally identifiable information is collected via analytics. See our Cookie Policy for details.

How we use your data

  • To respond to your enquiry (contact form data)
  • To manage the enquiry through our sales process (CRM record in Supabase)
  • To understand how visitors use the site and improve it (analytics, consent-based)
  • To prevent abuse of the contact form (IP address, rate limiting only)

We do not sell your data, share it with third parties for marketing, or use it for automated decision-making.

Legal basis

Contact form data is processed under legitimate interests: responding to business enquiries you have initiated.

IP address collection for rate limiting is processed under legitimate interests: preventing abuse of our contact form. IP addresses are retained for no longer than the CRM record they are associated with.

Analytics data is processed only with your consent, given via the cookie banner when you first visit the site.

Third-party processors

We use the following processors to handle data on our behalf:

  • Supabase (database, EU region). Contact form submissions are stored as CRM records in a Supabase PostgreSQL database hosted in the EU. Records contain your name, email, company, message, and IP address. Supabase processes data under GDPR-compliant data processing agreements.
  • Resend (email delivery). Contact form submissions are forwarded to our inbox via Resend. Resend processes data in the EU/US under standard contractual clauses.
  • Upstash (rate limiting). We use Upstash Redis to enforce a rate limit on the contact form. Your IP address is stored transiently (a rolling 10-minute window) solely to prevent abuse. No other personal data passes through Upstash.
  • PostHog(analytics, EU region). Data is stored on PostHog's EU-hosted infrastructure. Only activated with your consent.
  • Vercel(website hosting). Your requests pass through Vercel's infrastructure. Vercel processes data under GDPR-compliant data processing agreements.

Retention

Contact form submissions are retained as CRM records for as long as the enquiry is relevant to a potential or ongoing business relationship, typically no longer than two years. Email copies are retained in our inbox for the same period.

If you request deletion of your data, we will remove your name, email address, message, and IP address from the CRM record within 30 days. A deletion marker is retained to prevent accidental re-creation from duplicate submissions.

Analytics data is retained for 12 months in PostHog, after which it is automatically deleted.

Rate limiting data (IP addresses in Upstash) is automatically discarded after a rolling 10-minute window.

Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request erasure of your data
  • Object to processing based on legitimate interests
  • Withdraw consent for analytics at any time
  • Lodge a complaint with the ICO (ico.org.uk)

To exercise any of these rights, email hello@gopher.co.uk.

Changes to this policy

We may update this policy from time to time. The date at the top of the page reflects the most recent revision. Continued use of the site after a change constitutes acceptance of the updated policy.