Last updated: April 2026 · UK GDPR & Data Protection Act 2018 compliant
In plain English: we collect as little as we can get away with, store it in the EU, never sell it, and delete it when we don't need it. Everything below explains exactly what that means.
BudMaster Grow™ is a UK business based in Poole, Dorset. For the purposes of UK GDPR, we are the data controller for any personal data you give us through this website, pre-orders, email, or the phone line.
Contact for anything privacy-related: hi@budmastergrow.com · 01202 798433
We run PostHog (EU-hosted in Frankfurt) for product analytics. By default, before you give consent, nothing is sent to PostHog. Once you accept analytics cookies, PostHog captures:
We explicitly do not record your keystrokes, mouse movements, or form inputs. Session replays are off. Autocapture is off. We respect the Do Not Track browser header.
Lawful basis: consent (UK GDPR Art. 6(1)(a)) — you opt in via the cookie banner, and can withdraw at any time.
To let you know when we ship, we need:
Lawful basis: contract performance (UK GDPR Art. 6(1)(b)) — we can't fulfil an order without knowing where to send it.
The quiz stores your anonymous answers so we can understand which products are in demand. We store a one-way hash of your IP address (so the same person can't submit 500 times, but we can't de-anonymise it) — no email, no name, no identifying info.
Lawful basis: legitimate interest (UK GDPR Art. 6(1)(f)) — understanding demand with minimal data.
Your chat messages are sent to our server to generate a response. We keep chat logs for 30 days to debug conversations that go wrong, then delete them. We don't train AI models on your messages.
Lawful basis: legitimate interest (UK GDPR Art. 6(1)(f)) — keeping a working support channel.
We use Stripe (for card payments) and BTCPay Server (for Bitcoin / Lightning). Payment details — card numbers, Bitcoin wallet addresses — never touch our servers. They go directly between you and the payment processor. We only see: the payment confirmation, the amount, your email (to send a receipt), and your delivery address.
Lawful basis: contract performance. Stripe's privacy notice: stripe.com/privacy.
Our phone number (01202 798433) is handled by Voipfone. Calls go to voicemail; messages are transcribed and emailed to us. Voipfone holds call metadata (date, duration, incoming number) under their own privacy policy.
Lawful basis: legitimate interest — customer support.
We do not sell or trade personal data. Ever. We do use a small number of EU-hosted or UK-hosted third-party services:
| Service | What we share | Why |
|---|---|---|
| PostHog (Frankfurt, EU) | Anonymous session + page views (consent-gated) | Analytics |
| Stripe (Ireland EU entity) | Email, delivery address, amount | Card payments |
| BTCPay Server (self-hosted) | Email only | Bitcoin / Lightning payments |
| Voipfone (UK) | Phone call metadata | Phone line + voicemail |
| Anthropic Claude API (EU inference) | Bert chat messages (no identifiers) | Chat responses |
| Email provider (UK) | Order confirmation + support replies | Email delivery |
| Royal Mail / DPD / courier of your choice | Name + delivery address | Shipping |
All third parties above are GDPR-compliant and process data under written agreements with us.
All data stays in the UK or EU. We explicitly chose EU-region hosting (Frankfurt) for PostHog and EU-inference for Claude to avoid US data transfers. Our own servers are UK-hosted.
| Data | Kept for | Then |
|---|---|---|
| Order records (email, address, what you bought) | 6 years | UK tax law retention (HMRC) |
| Waitlist emails (no pre-order) | Until you unsubscribe, or 2 years of inactivity | Deleted |
| Bert chat logs | 30 days | Deleted |
| Voicemail messages | 90 days | Auto-deleted by Voipfone |
| PostHog analytics | 7 years max (platform default); anonymous sessions effectively forever but not linked to you | PostHog retention policy applies |
| Quiz submissions (hashed IP only) | 1 year | Aggregated into statistics, then deleted |
You can ask us, at any time, to:
Email hi@budmastergrow.com from the address we have on file. We'll respond within 30 days (usually within a week) and won't charge you.
We use a small number of cookies + local-storage items:
| Type | Name pattern | Purpose | Needs consent? |
|---|---|---|---|
| Essential | bm_cookie_consent | Remembers your cookie-banner choice | No |
| Analytics | ph_* (PostHog) | Anonymous session + page-view tracking | Yes |
| Payment | Set by Stripe during checkout | Fraud prevention (Stripe's domain) | Implicit via checkout |
You can change your consent any time by clicking "Manage cookies" in the footer, or by clearing your browser's site data.
Servers run current OS security patches. Payment details never touch our infrastructure (they go direct to Stripe / BTCPay). Admin access requires a password + IP allow-list. Customer data backups are encrypted at rest.
If we ever have a breach that puts your data at risk, we will notify you within 72 hours of discovery, as required by UK GDPR.
If you're not happy with how we handle your data, email us first — we'll do our best to put it right. If you're still not satisfied, you have the right to complain to the UK data-protection regulator:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113 · Website: ico.org.uk
If we change this policy, we'll update the date at the top of the page and, for material changes, email customers on the waitlist or order list. We keep previous versions on request.