EasySites Privacy Notice
Last updated: 3 April 2026
Business Direct Online Ltd (trading as "EasySites")Company No. 09215025, registered in England and Wales
7 St George's Park
Kirkham
Preston
Lancashire
PR4 2EF
United Kingdom
Phone: 01253 968004
This Privacy Notice explains how Business Direct Online Ltd trading as EasySites ("EasySites", "we", "us", "our") uses personal data in connection with the EasySites platform, public pages, help and support services, domains, hosting, email, and related operations. It should be read together with our Terms and Conditions, Cookie Policy, Acceptable Use Policy, and, where relevant, our Domain Services Schedule, Email Services and Acceptable Use Policy, Copyright, IP, and Takedown Procedure, and Sub-processor Register.
1) Scope of this notice
This notice applies to personal data processed by EasySites for our own business and platform operations, including account management, authentication, billing, support, product administration, security, and EasySites-owned websites or help pages.
This notice does not replace the privacy notice that an EasySites customer may need to publish on their own website. If a customer uses EasySites to operate a website, collect leads, publish reviews, run popups, host media, use cookies, or send marketing, that customer will usually need their own privacy and cookie information for their visitors and end users.
2) Our roles: controller, processor, and separate controller activity
EasySites acts in different legal roles depending on the data and the context.
- We act as controller for our own account management, user authentication, billing, service communications, support operations, fraud prevention, platform telemetry, and EasySites-owned pages.
- We act as processor where customers use EasySites to host websites, collect form submissions, store uploaded files, manage website visitor data, or otherwise process personal data through the platform on the customer's behalf.
- We may act as an independent controller for certain domain, registrant, abuse-handling, anti-fraud, legal-compliance, and registry or registrar related activities where we must meet our own obligations or the obligations imposed on us by upstream providers or law.
Role analysis is activity-specific. EasySites is not always controller and is not always processor.
3) Personal data we may collect or receive
Depending on how EasySites is used, we may collect or receive the following categories of personal data:
- Account and identity data: names, usernames, company or trading details, job titles, account ownership information, and authorised user information.
- Contact data: business email addresses, phone numbers, billing contacts, postal addresses, and communication preferences.
- Authentication and security data: password reset events, two-step verification activity, login history, IP addresses, allow-list entries, session identifiers, browser or device details, and security logs.
- Service and billing data: orders, plan details, invoice records, payment status, support entitlements, domain records, renewal dates, and service history.
- Website and hosted content: page content, media libraries, documents, blogs, reviews, testimonials, uploaded files, transformed images, thumbnails, backups, and deployment-related files.
- Domain, DNS, email, and hosting data: registrant contact data, nameserver settings, DNS records, mailbox metadata, forwarding settings, and hosting configuration data.
- Support and operational data: support tickets, emails, chats, attachments, screenshots, troubleshooting notes, diagnostics, and service alerts.
- Usage and product data: help-centre usage, feature interactions, product telemetry, service events, error traces, and product-improvement information.
- AI-related data: prompts, instructions, blocked phrases, generated outputs, and related review or moderation information where AI-assisted features are used.
4) Where the data comes from
We collect personal data directly from you, from your authorised users, from your use of EasySites, from support requests, from cookies and similar technologies on EasySites-owned pages, from registrars or registries, from payment or service providers, and, in some cases, from public sources or lawful complaints.
5) How we use personal data and the lawful bases we rely on
Where UK GDPR applies to processing for which we are controller, we rely on one or more of the following lawful bases: contract, legitimate interests, legal obligation, and, where appropriate, consent.
| Activity | Typical role | Main lawful basis |
|---|---|---|
| Creating and managing accounts, plans, and service access | Controller | Contract |
| Authenticating users, securing sessions, monitoring abuse, and investigating incidents | Controller | Legitimate interests and contract |
| Invoicing, tax, accounting, and record-keeping | Controller | Legal obligation and contract |
| Providing support, answering queries, and maintaining service continuity | Controller and, in some cases, processor | Contract and legitimate interests |
| Hosting customer websites, media, forms, and visitor data | Usually processor | Customer instructions under our contract with the customer |
| Managing domains, registrar interactions, anti-abuse activity, and registry compliance | Controller or separate controller, depending on the flow | Contract, legal obligation, and legitimate interests |
| Operating EasySites-owned websites, help pages, analytics, and service-improvement tooling | Controller | Legitimate interests and, where required, consent or a lawful storage/access exception |
| Sending service messages, renewal notices, and legal or security updates | Controller | Contract and legitimate interests |
| Sending marketing where allowed | Controller | Consent and/or legitimate interests where PECR permits |
6) Customer websites, forms, popups, and end-user data
EasySites lets customers create websites, forms, reviews, popups, and other visitor-facing features. In most cases, the customer decides what personal data to collect, how long to keep it, what integrations to add, and what wording or consent mechanisms to use. In those cases, the customer is usually the controller and EasySites acts as processor or hosting provider.
If a customer adds analytics scripts, ad pixels, embedded media, chat widgets, or custom HTML, CSS, or JavaScript, that may cause third parties to collect information directly from visitors. Customers are responsible for assessing those tools, obtaining any required consent, and giving their own visitors appropriate privacy and cookie information.
7) Uploads, media libraries, and stored content
Customers may upload images, videos, logos, documents, and other files to EasySites. To run the service, we may store, copy, cache, scan, resize, compress, optimise, thumbnail, convert, restore, and distribute those files through our infrastructure and delivery systems.
Uploaded files may contain embedded information such as EXIF metadata, geolocation, timestamps, device information, or personal data contained in the file itself. Customers are responsible for checking files before upload and ensuring they have the rights, permissions, notices, and lawful bases needed for the content and the personal data it contains.
Deleted or replaced files may persist for a limited period in caches, transformed copies, logs, and backups before they are overwritten or aged out of our systems.
8) Support access, human review, and security monitoring
Support or engineering staff may need limited access to account data, settings, tickets, logs, screenshots, or hosted content where necessary to investigate problems, answer questions, secure the platform, or respond to incidents. We aim to keep this access proportionate and limited to what is reasonably needed, and to log or otherwise record that access where it is reasonably practicable to do so.
We also operate logs, monitoring, and anti-abuse controls to help protect EasySites, its users, and third parties. These controls may involve automated and manual review of unusual activity, complaints, harmful scripts, suspicious content, or security events.
9) AI-assisted features
Where customers use AI-assisted features, prompts and outputs may be processed by EasySites and, where enabled, by third-party AI providers used to deliver the feature. AI tools are optional and are intended to help with drafting, analysis, or workflow support rather than to replace human review.
Customers remain responsible for deciding what to submit to AI features and for reviewing all generated outputs before use or publication. Customers should avoid submitting sensitive personal data or confidential information to AI features unless they are satisfied they may lawfully do so.
Third-party AI providers used for EasySites features may process prompts, outputs, and limited technical or safety information needed to deliver the requested feature, maintain service quality, prevent abuse, and comply with law. If EasySites introduces a materially different AI data-handling model for a feature, we will update the relevant notice or feature information.
10) Who we share personal data with
We share personal data only where relevant to providing EasySites, operating the business, protecting the platform, or complying with law. Recipients may include:
- hosting, infrastructure, CDN, DNS, anti-spam, email-delivery, monitoring, ticketing, and AI service providers;
- domain registries, registrars, and related operators where domains are registered, renewed, transferred, or managed;
- professional advisers, auditors, insurers, payment providers, and service partners who support the business;
- courts, regulators, law-enforcement bodies, or other authorities where required or justified by law; and
- a buyer, investor, successor, or restructuring party in connection with a merger, sale, financing, or reorganisation of the business.
Where we use sub-processors for customer personal data, the current list is described in our Sub-processor Register.
11) International transfers
Some EasySites providers may process data outside the UK. Where that happens, we use a lawful transfer mechanism that is valid at the time of transfer, such as an adequacy decision, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another recognised safeguard.
12) How long we keep personal data
We keep personal data only for as long as needed for the purposes described in this notice, subject to legal, accounting, abuse-prevention, dispute, and backup requirements. Our current retention position is set out below.
| Category | Typical retention period | Notes |
|---|---|---|
| Customer account records and core service administration data | While the account is active and for 24 months after closure | Used for continuity, reactivation, fraud prevention, and short post-termination issues |
| Contracts, orders, invoices, VAT, and core accounting records | At least 6 years after the end of the relevant financial year | Kept for tax, accounting, audit, and legal record-keeping |
| Support tickets, support emails, and ordinary support attachments | 24 months after closure of the ticket or support matter | May be kept for up to 6 years if linked to a complaint, dispute, legal hold, refund issue, or abuse investigation |
| Routine authentication, session, and security logs | 12 months | Confirmed abuse or security incident records may be kept for 24 months or longer if legally required |
| Sales enquiries and non-customer lead data | 12 months from the last meaningful contact | Shorter periods may apply where a lead opts out sooner |
| Marketing suppression or unsubscribe records | Kept as a minimal record indefinitely | Used only to make sure we honour opt-outs and do not send unwanted marketing again |
| Hosted website content, uploaded assets, and generated derivatives | While the service is active | Deleted content may remain in recovery states, caches, transformed copies, or backups for a limited period |
| Deleted content still held in operational recovery windows | Up to 30 days | Some items may disappear sooner depending on system behaviour and overwrite cycles |
| Backups containing deleted website content or assets | Up to 90 days | Retained for resilience and disaster recovery, then overwritten or deleted in rotation |
| Mailbox content where email hosting is provided on customer instructions | While the mailbox is active, plus any short recovery or backup window then in force | If mailbox recovery is available, deleted mailbox content may remain in restore states for up to 30 days and in backups for up to 90 days |
| Customer form submissions stored through EasySites | Default 12 months unless the customer configures or instructs a different period | The customer usually decides the retention period as controller |
| Operational diagnostics, raw identifiable error traces, and troubleshooting metadata | 30 days | Aggregated or anonymised service-improvement metrics may be kept for longer where they no longer identify individuals |
| Domain, DNS, registrant, renewal, transfer, and dispute records | While active and for 6 years afterwards | Used for billing, disputes, registrar or registry obligations, and legal defence |
| Email administration records and abuse-handling records | While active and for 12 months afterwards | Abuse, blacklisting, or security matters may be kept for 24 months or longer if required |
| AI prompts and temporary AI outputs not saved into customer content | Up to 30 days | If a prompt or output is saved into website content, support tickets, or abuse records, the relevant retention category applies instead |
| Abuse reports, takedown requests, complaint files, and related legal-enforcement records | 6 years from closure or resolution | Used for legal defence, repeat-abuser handling, insurer requirements, and regulatory follow-up |
We may keep data for longer where required by law, court order, insurance, tax, fraud prevention, abuse handling, or an active dispute or legal hold. Where possible, we may anonymise data instead of retaining it in identifiable form.
13) Cookies, similar technologies, and product telemetry
EasySites uses cookies and similar technologies on EasySites-owned pages and services. Some are strictly necessary for security or functionality, while others support preferences, analytics, or product improvement. More detail is set out in our Cookie Policy. Customer-added tracking, scripts, tags, and widgets on customer websites remain the customer's responsibility under the EasySites Terms and Conditions and Acceptable Use Policy.
14) Marketing and service communications
We may send service-related messages about accounts, invoices, renewals, outages, security events, legal updates, and support matters. These messages are not the same as optional marketing.
Where we send marketing, we will do so in line with PECR and data-protection rules, including providing opt-out or unsubscribe options where required.
15) Your rights
Where UK data-protection law applies, you may have rights to request access, rectification, erasure, restriction, objection, portability, and withdrawal of consent where consent is the basis relied on. These rights are not absolute and may depend on the context.
If EasySites acts only as processor for personal data held on behalf of one of our customers, we may need to direct your request to that customer as controller.
16) Complaints and contact
If you have a privacy question or want to exercise a right, contact legal@easysites.uk. You may also complain to the Information Commissioner's Office if you believe your personal data has been handled unlawfully.