Skip to content

Privacy Policy

Version 1.0Last updated 15 April 2026

Privacy Policy

Version: 1.3 Effective date: 15 April 2026 Last updated: 15 April 2026

1. Who we are

Senhuo Ltd (trading as Senhuo Digital) ("we", "us", "our") operates a website building platform for small businesses in the United Kingdom.

Senhuo Ltd (trading as Senhuo Digital) Email: hello@senhuo.co.uk Company number: 16761659

For the purposes of UK GDPR, we are the data controller for the personal data we collect about you as a user of our Platform, and a data processor for the personal data your website visitors submit through your generated website (e.g. booking forms, contact forms, enquiry forms).

We have not appointed a Data Protection Officer (DPO) as we are a small organisation and our core activities do not involve large-scale processing of special category data or systematic monitoring of individuals. If this changes, we will update this policy. For any data protection queries, contact us at hello@senhuo.co.uk.

2. What this policy covers

This policy explains what personal data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and what rights you have.

This policy applies to users of our Platform (business owners who sign up to have a website built), visitors to our own website (senhuo.co.uk), and visitors to websites we generate and host on behalf of our customers.

3. What data we collect

Data we collect from Platform users (business owners)

Account information: name, email address, phone number, business name, business address. This is collected at registration and through surveys.

Survey responses: business type, services offered, pricing, opening hours, team member details, design preferences, and other business information you provide. This is used to build your website.

Payment information: we do not store card details. Payments are processed by Stripe, who handle card data under their own privacy policy and PCI DSS compliance.

Usage data: how you interact with the Platform (pages visited, features used, login times). Collected via server logs and analytics.

Communications: emails, support requests, and feedback you send us.

Data we collect from website visitors (your customers)

When someone visits a website we host on your behalf, we may collect IP address and approximate location (via server logs), browser type and device information, pages visited and time spent, and form submissions (name, email, phone, message content) if they use a contact, booking, or enquiry form on your site.

This data is collected automatically through server logs (for technical data) and through form submissions made voluntarily by the visitor.

We process this data on your behalf as a data processor. You (the business owner) are the data controller for your website visitors' data.

Is providing your data required?

Some personal data is required to use the Platform. You must provide your name, email address, and business information to create an account and for us to build your website — this is a contractual requirement. If you do not provide this information, we cannot provide our service.

Payment information is required to process your subscription. If you do not provide it, we cannot activate your plan.

Usage data is collected automatically when you use the Platform and cannot be opted out of, as it is necessary for security and service operation.

Cookies

Our Platform uses essential cookies required for the Platform to function (session cookies, authentication). We do not use advertising or tracking cookies on the Platform itself.

Websites we generate for you include only essential cookies (session management). If you request analytics integration in future, we will update this policy and implement a cookie consent mechanism.

4. Why we process your data (lawful basis)

Under UK GDPR, we must have a lawful basis for processing personal data. Here is how each basis applies:

Contractual necessity (Article 6(1)(b)): We process your account information, survey responses, and payment data because it is necessary to perform our contract with you (building and hosting your website).

Legitimate interests (Article 6(1)(f)): We process usage data and communications to improve the Platform, provide support, and ensure security. We have assessed that these interests do not override your privacy rights.

Legal obligation (Article 6(1)(c)): We may process data to comply with UK tax, accounting, or legal requirements.

Consent (Article 6(1)(a)): If we send marketing communications, we will only do so with your explicit consent. You can withdraw consent at any time.

5. How we use your data

We use your data to build, host, and maintain your website, process payments and manage your subscription, provide customer support, improve the Platform and develop new features, comply with legal obligations, and send service-related communications (e.g. subscription confirmations, maintenance notices).

We do not sell your personal data.

6. Automated decision-making

We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significantly affects you.

The AI content generation described in Section 7 generates website text based on facts you provide. It does not make decisions about you, assess your creditworthiness, or determine your eligibility for any service. The output is reviewed and can be edited before your website goes live.

7. AI processing

We use AI tools (Claude by Anthropic) to generate website content based on the business information you provide. The AI processes your survey responses (business type, services, location, etc.) to create website copy, page structures, and SEO metadata.

The AI does not invent business facts — it works only with the information you provide. Your data is sent to Anthropic's API for processing. Anthropic's data processing terms apply to this processing.

We do not use your business data to train AI models. Anthropic's commercial API terms prohibit training on our inputs or outputs — see their terms of service.

8. Who we share your data with

We share data with the following categories of recipients, only as necessary to provide our service:

Stripe — payment processing. Stripe processes card details under their own privacy policy and PCI DSS certification. We do not have access to your full card number.

Anthropic — AI content generation. Survey data is sent to Anthropic's Claude API to generate website content. Anthropic processes this data under their data processing terms.

Cloud hosting provider (Google Cloud Platform) — website hosting and data storage. Data is stored in the UK or EEA.

Domain registrar — domain registration on your behalf. Your business name and contact details may be shared as required for domain registration.

Google — Google Search Console and Google Business Profile setup, if you have opted for Google visibility features.

We do not share your data with any other third parties for marketing or advertising purposes.

9. International data transfers

Your data is primarily stored and processed within the United Kingdom and the European Economic Area.

Where data is transferred outside the UK/EEA (e.g. to Anthropic in the United States for AI processing), we ensure appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, where applicable, or transfers to countries with an adequacy decision from the UK government.

10. How long we keep your data

We retain your data for as long as necessary for the purposes described in this policy:

Account data and survey responses: For the duration of your subscription. When you request account deletion, your data enters a two-phase deletion process: (1) a 30-day grace window during which you can sign in and restore your account at any time; (2) on day 30, personal data is scrubbed from our live systems (email, name, phone, addresses, survey answers, Stripe customer details); (3) on day 90, the account is purged entirely from our database. Stripe invoices and payment records are retained by Stripe for the 7 years HMRC requires, independently of our systems.

Payment records: 7 years after the transaction, as required by UK tax law (HMRC).

Website visitor data (form submissions): Retained for the duration of the business owner's subscription. The business owner can request deletion at any time.

Server logs: 90 days, then automatically deleted.

Support communications: 2 years after the last communication, then deleted.

11. Your rights

Under UK GDPR, you have the following rights:

Right of access: You can request a copy of the personal data we hold about you.

Right to rectification: You can ask us to correct inaccurate data.

Right to erasure: You can ask us to delete your data, subject to legal retention requirements.

Right to restriction: You can ask us to restrict processing in certain circumstances.

Right to data portability: You can request your data in a structured, machine-readable format.

Right to object: You can object to processing based on legitimate interests.

Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, contact us at hello@senhuo.co.uk. We will respond within one month as required by UK GDPR.

12. Data for website visitors

If you are a visitor to a website we host (not a Platform user), the business whose website you are visiting is the data controller for any personal data you submit (e.g. through contact forms or booking forms).

We act as a data processor on the business's behalf. If you wish to exercise your data rights regarding information submitted through a business's website, please contact that business directly.

13. Children's data

The Platform is not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

14. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS/SSL) and at rest, regular security updates and patching, access controls limiting who can view personal data, daily encrypted backups, and secure authentication with hashed passwords.

No system is completely secure. If we become aware of a data breach that poses a risk to your rights, we will notify you and the Information Commissioner's Office within 72 hours as required by UK GDPR.

15. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you via email or through the Platform. The "Last updated" date at the top of this policy indicates when it was last revised.

16. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Website: ico.org.uk Telephone: 0303 123 1113

17. Contact us

For any questions about this policy or our data practices:

Senhuo Ltd (trading as Senhuo Digital) Email: hello@senhuo.co.uk