Website Privacy Notice (UK) – The Timebank (UK) Limited

Effective date: 04 June 2026
Last reviewed: 04 June 2026

Next review date: 01 November 2026

This Privacy Notice is provided in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies strictly to visitors of our public website, marketing leads, and business prospects. It does not apply to the data we process on behalf of our clients when delivering our contract services. Client service data is governed exclusively by our separate Client Service Agreements and Data Processing Agreements (DPAs), where our clients act as the Data Controller and we act as the Data Processor.

1) Who we are

This website (www.thetimebank.co.uk) is operated by The Timebank (UK) Limited (“The Timebank”, “we”, “us”). We are the data controller for the personal information collected through this website.

Contact details:

Email: info@thetimebank.co.uk

Telephone: 01432 355322

Postal address: 4-5 High Town, HEREFORD, HR1 2AA

Data Protection contact: Lauren Bower, dataprotection@thetimebank.co.uk

2) What information we collect

We only collect personal information that you choose to give us directly. This happens when you:

- Fill out a contact form or inquiry form.

- Sign up for a newsletter or updates.

- Email us directly through links on our website.

The information we collect typically includes your name, email address, phone number, and any message details you provide.

3) How we use your information

Here’s how we use personal information:

A. To respond to enquiries and provide information

What we use:

- Name, contact details, enquiry content

Why:

- To reply and provide what you asked for

Lawful basis:

- Legitimate interests (running our business and responding to requests)

- Contract (where steps are taken at your request prior to entering a contract)

B. Marketing and business development

What we use:

- Contact details, marketing preferences, interactions

Why:

- To send relevant updates (where permitted) and understand what services may be useful

Lawful basis:

- Consent (for electronic marketing communications, where required under UK law)

- Legitimate Interests (for limited B2B communications where permitted)

C. To improve and protect our website and services

What we use:

- Cookie/analytics data, technical identifiers, logs

Why:

- Site performance, analytics, troubleshooting, security monitoring

Lawful basis:

- Legitimate interests (running and securing our website)

4) Our Website Hosting and Security (Cookies)

Our website is built using Webflow. To keep our website secure, stable, and fast, Webflow routes network traffic through trusted infrastructure partners. This triggers the following essential cookies:

_cfuvid: Provided by Cloudflare to monitor server traffic and prevent automated spam attacks. This deletes when you close your browser.

_Secure-ENID: Provided by Google to prevent security fraud on our online forms and remember core system preferences. This lasts for 13 months.

These are "strictly necessary" cookies. They do not track your browsing history on other sites, and they are required for our website to function safely.

Third-party cookies and tools

We also use trusted third-party services that may set cookies on your device:

- Mailchimp We use Mailchimp to manage email communications and marketing campaigns. Mailchimp may use tracking technologies (such as pixels and cookies) within emails and landing pages to help us understand engagement (e.g. whether emails are opened or links clicked).

- Vimeo We embed videos hosted on Vimeo. When you view these videos, Vimeo may set cookies and collect information about your interaction with the video (e.g. playback activity, device and browser data).

These third-party providers may collect information directly from your browser and process it in accordance with their own privacy policies.

5) Who we share your information with

We do not sell, rent, or trade your personal data with third-party advertisers. However, we do use trusted third-party services to help run our business. If you submit a form, we may share your personal information with the following categories of third-party service providers, who process data on our behalf as data processors:

- Webflow, Inc. We use Webflow to host and operate our website. As a result, Webflow may process personal data submitted through our website (such as information entered into contact forms) on our behalf. Webflow acts as a data processor and is bound by a Data Processing Agreement. Data may be transferred outside the UK; where this occurs, Webflow relies on Standard Contractual Clauses (SCCs) or equivalent safeguards approved under UK data protection law.

For more information, see Webflow's Privacy Policy: https://webflow.com/legal/eu-privacy-policy

- Cloudflare, Inc. We use Cloudflare to provide DNS management, security, and performance services for our website. As your web traffic is routed through Cloudflare's network, Cloudflare may process certain technical personal data — such as IP addresses and HTTP request metadata — as part of delivering these services. Cloudflare acts as a data processor and is bound by a Data Processing Agreement. Data may be transferred outside the UK; where this occurs, Cloudflare relies on Standard Contractual Clauses (SCCs) or equivalent safeguards approved under UK data protection law.

For more information, see Cloudflare's Privacy Policy: https://www.cloudflare.com/privacypolicy/

- Microsoft Corporation (Microsoft 365) We use Microsoft 365 to manage and facilitate business communications, including email correspondence with prospective clients. Microsoft processes personal data on our behalf in accordance with our instructions. Microsoft acts as a data processor and is bound by a Data Processing Agreement. Data may be transferred outside the UK; where this occurs, appropriate safeguards are in place, including Microsoft's use of the UK International Data Transfer Addendum (UK IDTA) or equivalent Standard Contractual Clauses (SCCs).

For more information, see Microsoft's Privacy Statement: https://privacy.microsoft.com

- Rocket Science Group LLC (Mailchimp)

We use Mailchimp to manage and distribute our marketing newsletter. If you have consented to receive marketing communications from us, your name and email address will be shared with Mailchimp for this purpose. Mailchimp acts as a data processor and is bound by a Data Processing Agreement. Data may be transferred outside the UK; where this occurs, Mailchimp relies on Standard Contractual Clauses (SCCs) or equivalent safeguards approved under UK data protection law.

You may withdraw your consent and unsubscribe from our newsletter at any time by clicking the "unsubscribe" link in any email we send, or by contacting us directly.

For more information, see Mailchimp's Privacy Policy: https://mailchimp.com/legal/privacy/

We only share what is necessary, and we expect recipients to keep it secure and use it lawfully.

6) International transfers

We do not directly transfer personal data collected through our website outside of the UK ourselves. However, we use trusted third-party providers who may process and store personal data outside of the UK on our behalf.

Where this happens, we ensure that appropriate safeguards are in place to protect your personal information. These safeguards may include:

- the use of standard contractual clauses (SCCs) approved by the UK Government

- transfers to countries that have been deemed to provide an adequate level of protection

- or other legally approved transfer mechanisms

We take reasonable steps to ensure that any international transfers carried out by our service providers are handled securely and in accordance with applicable data protection laws.

7) How long we keep your information

We keep personal information only for as long as necessary for the purposes outlined in this notice. We take into account the nature of the data, legal obligations, and legitimate business needs when determining retention periods.

Retention guide:

- Enquiries: 12–24 months after last contact

- Marketing lists: until you opt out

8) How we keep your information secure

We use appropriate technical and organisational measures to protect personal information. While we take security seriously, no website can be 100% secure, and internet transmission always carries some risk.

9) Your data protection rights

Depending on the circumstances, you may have rights to:

- request access to your personal information

- request correction of inaccurate information

- request deletion of information (in certain situations)

- restrict or object to processing (in certain situations)

- data portability (where applicable)

- withdraw consent (where we rely on consent)

To exercise your rights, contact us using the details in section 1. These rights may be limited in certain circumstances, for example where fulfilling your request would adversely affect the rights of others or where we are required to retain data for legal reasons.

10) Complaints

If you have a concern about how we handle your personal data, you have the right to lodge a formal complaint with us.

- How to submit: Please email your complaint to our Data Compliance Team at dataprotection@thetimebank.co.uk with the subject line "Formal Data Protection Complaint".

- Our process: In accordance with the UK Data Protection Act, we will formally acknowledge your complaint within 30 days of receipt. We will promptly investigate the matter, keep you updated on our progress, and provide a final outcome without undue delay.

- Escalation: Please note that under UK law, you are expected to exhaust our internal complaints procedure before escalating the matter to the Information Commissioner’s Office (ICO).

ICO website: https://ico.org.uk/

11) Changes to this notice

We may update this Privacy Notice from time to time. We recommend checking this page occasionally for the latest version.