How we handle your work and your data.

Data we hold

We collect only what the audit or build requires: your name, email, company, and the workflow details you send us. We do not scrape, infer, or buy data about you. If you submit a workflow through the audit form, the details stay in our CRM and your audit report. Nothing else.

We do not process payment card details. Invoicing and payment are handled by Stripe, and card data never touches our systems.

How we use it

• To produce and deliver your audit or build.
• To follow up on the audit (the day 2, 5, and 12 sequence) unless you tell us to stop.
• To send the occasional build note by email. No spam, unsubscribe anytime.
• That is the full list. We do not use your data for advertising, profiling, or resale.

Who sees it

Nifty Labs is operated by Ben Hales as a sole trader. Ben has direct access to the CRM, the audit reports, and the inbox. No one else has access unless you explicitly bring them in or we engage a specialist with your written permission.

For builds that involve partner specialists, we share only what is needed for their piece of the work, and they are bound by the same confidentiality terms.

Security

• All data in transit is encrypted (TLS 1.2+). Our website and all subdomains enforce HTTPS.
• CRM and workflow data is stored in a self-hosted instance of Twenty, access-controlled with strong passwords and two-factor authentication.
• Audit reports are stored in Google Drive, protected by Google Workspace access controls.
• Infrastructure is hosted on Vercel (application) and Hetzner (CRM, automation, database), both with industry-standard physical and network security.
• We do not store audit data longer than needed. Inactive records are removed within 12 months of the last interaction unless you ask us to keep them.

Confidentiality

Every build engagement is covered by a confidentiality clause in the service agreement. Audit submissions are treated as confidential by default. We will not share, publish, or reference your audit or your data without your explicit written permission.

Case studies and testimonials are only published with your consent, and you can withdraw that consent at any time.

Subprocessors

We use a small number of services to operate. Each processes data only to the extent needed to provide their function:

• Vercel — application hosting and deployment
• Google Workspace — email, documents, calendar
• Stripe — payment processing (card data never reaches us)
• Cal.com — booking scheduling
• Twenty (self-hosted on Hetzner) — CRM and contact management
• Telegram — audit delivery notifications

We do not use advertising platforms, analytics vendors with cross-site tracking, or data brokers.

Your rights

You can ask us to:

• See what personal data we hold about you.
• Correct anything that is wrong.
• Delete it entirely (we will remove it from all systems within 30 days).
• Stop receiving communications (the unsubscribe link works, or email us).

Email ben@niftylabs.co.uk for any of these. We respond within 14 days.

Questions

Anything not covered here, email ben@niftylabs.co.uk. We keep it straightforward.