Privacy notice

Last updated: 2 June 2026

bygild ("we", "us", "bygild") is a software studio operated by Khalid Mohamed, sole trader, based in London, United Kingdom. This notice explains what personal information we handle when you visit bygild.com, contact us, or use our client portal, and what your rights are under the UK GDPR and the Data Protection Act 2018.

Two roles, two privacy positions

bygild handles personal data in two distinct ways, each with a different legal basis. This notice covers both.

• As data controller, for: the founding-partner signup on this site, direct enquiries by email/phone/contact form, our cold outreach to prospective clients, and the administration of our own client portal.
• As data processor, for: the personal data uploaded by tenant clients (for example, Noor Hair & Beauty) into their portal account. In that arrangement the client is the controller and we process the data on their written instructions under a separate Article 28 Data Processing Agreement.

What we collect when you visit bygild.com

The public site is a brochure. It does not set advertising or analytics cookies. It does not run third-party trackers. The third parties invoked when a page loads are:

• Cloudflare, sitting in front of bygild.com to provide the content delivery network, basic DDoS protection, and cookieless Web Analytics. Cloudflare may record your IP address, request headers, and similar technical signals in short-lived security logs. Personal data may transit international Cloudflare edge nodes under Standard Contractual Clauses.
• Google Fonts, currently used to serve the typeface stylesheet. We are migrating to self-hosted fonts on the bygild.com public surface (already done on the client portal). This change will remove the only outbound third-party request from the public site.

If you submit the founding-partner signup form on /gild, we receive: your email address (for cohort updates and to contact you about the founding partner programme), your IP address (rate-limiting and abuse prevention, retained 90 days then anonymised), your browser/OS string (security, retained 90 days then anonymised), the page you came from if your browser sends a referrer, the submission timestamp, and a record of whether you ticked the marketing-emails consent box (PECR Regulation 22(2) record-of-consent).

Lawful basis: consent (UK GDPR Article 6(1)(a)). You can withdraw consent at any time by emailing hello@bygild.com or by replying STOP / unsubscribe to any email we send you.

Marketing emails: we only send cohort and founding-partner updates to addresses where the marketing-consent box was ticked at signup. Without that consent, your address is held to confirm your founding-partner reservation and for nothing else.

Retention: founding-partner signup records are kept while the founding cohort programme runs and for up to 24 months after the cohort closes, then deleted. IP address and user-agent fields are stripped at 90 days. You can ask for earlier deletion at any time by emailing hello@bygild.com.

The form is the only way to actively submit personal data through this site: there is no comment box, no newsletter signup, and no account creation.

What we collect when you contact us directly

If you email hello@bygild.com, call us, or reply to one of our outreach emails, we receive the contact details and the contents of your message. We hold this in our mailbox and, where relevant, in a CRM-style record so we can carry on the conversation.

Outreach to prospective clients

We contact organisations we think would benefit from our software. Where the recipient is a corporate subscriber (a registered company, charity, or similar) we rely on legitimate interests (UK GDPR Article 6(1)(f)) and the PECR business-to-business exemption to direct marketing rules. Every outreach message includes a clear identifier, a real reply address, and a one-tap unsubscribe instruction. We default to not contacting individual subscribers (sole traders, residential addresses, named-person email patterns) until we can confirm they are a corporate subscriber. To opt out of all future outreach, reply with the word "unsubscribe" or email hello@bygild.com.

Lawful basis for processing

We rely on the following UK GDPR Article 6(1) bases, depending on the activity:

• Consent (Art 6(1)(a)): the founding-partner email signup. Withdraw any time at hello@bygild.com.
• Contract (Art 6(1)(b)): portal access for paying clients and any work delivered under a signed agreement.
• Legal obligation (Art 6(1)(c)): accounting, tax, and statutory record keeping.
• Legitimate interests (Art 6(1)(f)): security logs, business-to-business outreach as described above, general running of the studio.

Client portal

The client portal lives at bygild.com/clients/portal/. It uses session cookies (strictly necessary, no consent required under PECR Reg 6(4)). When a tenant uploads data through the portal (opening hours, services, gallery photos, testimonials, contact-form submissions from their public site), bygild acts as a data processor on their behalf. The Article 28 DPA between bygild and each tenant sets out the technical and organisational measures we apply, the sub-processors we use, and the data return and deletion process at the end of the engagement.

If you are a member of the public who has used a tenant's public site (for example, booking at noorhairdressers.com), the controller is that tenant, not bygild. Contact the tenant directly to exercise your rights, and consult their privacy notice for full detail.

Internal admin surface

bygild.com/app is a private surface used only by Khalid Mohamed for running the studio. It is locked behind passkey login, served over HTTPS only, and never indexed.

Sub-processors and infrastructure providers

The third parties that may handle personal data on our behalf or on our infrastructure:

• Cloudflare, Inc. (United States) - content delivery network, security, cookieless analytics in front of bygild.com and most tenant sites. Self-certified under the UK Extension to the EU-US Data Privacy Framework; an International Data Transfer Addendum (IDTA) is in place as a fallback safeguard.
• Namecheap UK Ltd (Stellar shared hosting, United Kingdom) - PHP web hosting and IMAP mail for bygild.com and tenant subdomains. UK-based.
• Resend, Inc. (United States) - transactional email delivery for portal notifications and outreach. UK-to-US transfer covered by the UK Extension to the EU-US Data Privacy Framework, IDTA fallback.
• Backblaze, Inc. (United States) - encrypted offsite backups of portal data. UK-to-US transfer covered by the UK Extension to the EU-US Data Privacy Framework, IDTA fallback.

We do not sell, rent, or share personal data with any third party for their own marketing purposes.

Cookies

The bygild.com public site does not set non-essential cookies. Cloudflare may set short-lived strictly necessary cookies to protect the site against attacks (PECR Reg 6(4) exemption, no consent required). The client portal uses a session cookie for login, also strictly necessary. We do not run advertising, marketing, profiling, or social-media tracking cookies anywhere.

How long we keep your data

• Founding-partner email signups: until you ask us to remove your address, or until we close the programme and notify everyone who signed up, whichever comes first.
• Email and phone correspondence: up to 24 months from your last contact, then deleted unless we are required to retain for accounting reasons.
• Outreach records: 12 months from last contact for active prospects, then archived; anyone who unsubscribes is added to a permanent suppression list (which is the minimum personal data needed to honour the opt-out).
• Portal data (where bygild is processor): for the duration of the engagement plus 30 days, then deleted unless the client asks us to extend.
• Accounting and tax records: six years, as required by HMRC.
• Cloudflare security logs: up to 30 days, retained by Cloudflare and accessible to us only for incident review.

International data transfers

Some of our sub-processors (Cloudflare, Resend, Backblaze) operate from the United States. Each transfer relies on the UK Extension to the EU-US Data Privacy Framework where the recipient is self-certified, with the ICO's International Data Transfer Addendum (IDTA) as a fallback. Web hosting and mailbox storage are UK-based.

Your rights

Under the UK GDPR and the Data Protection Act 2018, you have the right to:

• Access: ask for a copy of the personal data we hold about you
• Rectification: ask us to correct anything inaccurate or incomplete
• Erasure: ask us to delete your data ("right to be forgotten")
• Restriction: ask us to limit how we use your data
• Portability: ask for your data in a structured, machine-readable format
• Objection: object to processing based on legitimate interests, including direct marketing
• Withdraw consent: where we rely on consent, you can withdraw it at any time. Withdrawal does not affect processing already carried out

To exercise any of these, email hello@bygild.com. We respond within one calendar month. There is no charge.

Complaints

If you are unhappy with how we handle your personal data, you have the right to complain to the Information Commissioner's Office (ICO):

• Online: ico.org.uk/concerns
• Phone: 0303 123 1113
• Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

ICO registration

bygild is registered with the Information Commissioner's Office under reference [ICO REGISTRATION NUMBER, pending].

Changes to this notice

We may update this notice from time to time. The "last updated" date above shows when. Material changes that affect how we process your data will be communicated directly to anyone whose data is affected.

Contact

Data controller: Khalid Mohamed, trading as bygild, sole trader, London, United Kingdom.

Privacy questions: hello@bygild.com