This policy applies to semitro.com and, where Semitro is installed on a client site, to the data processing activities Miller Capital Ltd performs on behalf of that client. If you have arrived here from a third-party site that uses Semitro analytics, the data controller for that site's visitor data is the site owner, please consult their privacy policy for details.
Miller Capital Ltd (trading as Semitro) is the data controller for data collected on semitro.com. We are registered in England and Wales. Our registered address is available upon request.
You can contact our data protection point of contact at: luke@semitro.com.
We are registered with the Information Commissioner's Office (ICO) under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The table below lists every category of personal data we collect, the purpose for which we collect it, and the legal basis we rely on under UK GDPR.
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Visitor ID - a unique identifier stored in the _bvid cookie (first-party, 365-day expiry) | Recognise returning visitors across sessions; connect separate page visits to a single person; enable session replay | Consent (PECR, required before placing the cookie on your device) | 365 days from last visit, then deleted |
| Session ID - a random UUID stored in sessionStorage, expires when you close your browser tab | Distinguish separate browsing sessions from the same visitor; group events into a single session | Legitimate interests (necessary to provide meaningful analytics) | Duration of browser tab session only |
| Pages visited and page URL | Understand which content is most visited; improve navigation and content | Legitimate interests | 24 months |
| Time on page and session duration | Measure engagement; identify pages where visitors drop off | Legitimate interests | 24 months |
| Scroll depth milestones (25%, 50%, 75%, 90%, 100%) | Understand how much of each page visitors read; identify where attention ends | Legitimate interests | 24 months |
| Click events (element clicked, text of element, section of page) | Identify which calls to action are used; improve page layout and copy | Legitimate interests | 24 months |
| Text highlighted on the page (first 60 characters only; no passwords or sensitive fields) | Understand which copy resonates most with visitors | Legitimate interests | 24 months |
| Section visibility (which named sections were seen, and at what scroll position) | Measure reach of each content block | Legitimate interests | 24 months |
| Traffic source (referrer URL, UTM parameters, source code from ?s= parameter) | Attribute sessions to marketing channels; measure which campaigns drive enquiries | Legitimate interests | 24 months |
| Browser type, device type, viewport width and height | Ensure the site renders correctly across devices; segment analytics by device | Legitimate interests | 24 months |
| IP address | Rate limiting and abuse prevention; approximate geolocation (country/city level only) | Legitimate interests | Not stored beyond the session; country/city data retained 24 months |
| Email address (if submitted via the enquiry form or quiz) | Respond to your enquiry; connect your browsing session to your identity; send relevant follow-up | Contract performance / consent | 36 months, or until you request deletion |
| Name and business details (if submitted via enquiry form) | Respond to your enquiry; assess fit for our services | Contract performance / consent | 36 months, or until you request deletion |
| Booking details from Calendly (name, email, meeting time, cancellation status) | Manage client onboarding; track the full funnel from visit to booked call | Contract performance | 36 months |
| Session recording data (scroll position over time, sequence of clicks, section visibility sequence; no form field values) | Replay visitor sessions to diagnose UX problems and improve the site | Legitimate interests | 24 months |
We use the following third-party companies to operate this website. Each has been selected for their data protection standards and we have entered into appropriate data processing agreements with each.
| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Supabase Inc. | Database - stores all session data, events, visitor records, and form submissions | United States | UK-US Data Bridge (adequacy decision, effective October 2023) and/or IDTA-amended Standard Contractual Clauses |
| Vercel Inc. | Website hosting and serverless function execution | United States | UK-US Data Bridge and/or IDTA-amended Standard Contractual Clauses |
| Resend Inc. | Transactional email - sends enquiry confirmations and notifications | United States | UK-US Data Bridge and/or IDTA-amended Standard Contractual Clauses |
| Calendly LLC | Meeting scheduling - processes name, email, and meeting time for booked calls | United States | UK-US Data Bridge and/or IDTA-amended Standard Contractual Clauses |
We will update this table if we add or change sub-processors. We will not add a new sub-processor that materially changes the risk to your data without updating this policy and (where required) seeking fresh consent.
All sub-processors listed above are based in the United States. Transfers of your personal data to the US are protected by the UK-US Data Bridge, an adequacy framework recognised by the UK government in October 2023. Where a specific sub-processor is not certified under the Data Bridge, we rely on UK International Data Transfer Agreements (IDTAs) incorporating the UK Addendum to the EU Standard Contractual Clauses.
If you would like a copy of the transfer mechanisms we rely on for any specific sub-processor, contact us at luke@semitro.com.
| Data type | Retention period | Reason |
|---|---|---|
| _bvid cookie | 365 days from last visit | Rolling window to identify returning visitors |
| Session and event data (page views, clicks, scroll, etc.) | 24 months from collection | Sufficient for longitudinal analytics; proportionate to business need |
| Enquiry and form submission data | 36 months from submission | Reasonable commercial retention for prospective client records |
| Booking records (Calendly) | 36 months | Commercial record of client interactions |
| IP address (raw) | Not stored beyond session processing | Processed transiently for rate limiting; not persisted |
At the end of each retention period, data is permanently deleted from our systems and those of our sub-processors. You can request earlier deletion at any time, see Section 07 below.
Under UK GDPR, you have the following rights in relation to your personal data. You can exercise any of these by emailing luke@semitro.com. We will respond within one calendar month (we may extend this by two further months for complex requests, and will notify you if so).
You have the right to obtain confirmation of whether we process personal data about you, and if so, a copy of that data along with information about how it is processed, where it is stored, and with whom it is shared.
If any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected.
You have the right to request deletion of your personal data. We will delete it unless we have a legitimate legal reason to retain it. Deletion of your visitor record will also delete all associated session and event data.
In certain circumstances, you can request that we pause processing of your data, for example while a query about its accuracy is resolved.
For data you provided directly and that we process by automated means on the basis of consent or contract, you have the right to receive it in a structured, commonly used, machine-readable format.
You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. You have an unconditional right to object to direct marketing.
Where we process your data on the basis of consent (specifically, the _bvid analytics cookie), you can withdraw that consent at any time by clearing your cookies or contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.
If you are not satisfied with how we have handled your data, you can lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint or by calling 0303 123 1113.
We take reasonable and appropriate measures to protect personal data against loss, unauthorised access, disclosure, alteration, or destruction. Specifically:
No system is perfectly secure. If you believe your data has been subject to a breach, please contact us immediately at luke@semitro.com.
This website is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
We may update this policy from time to time, for example when we add new sub-processors, introduce new data collection, or in response to changes in law. The “Last updated” date at the top of this page will always reflect the most recent version. For material changes, we will make a reasonable effort to notify affected users (for example, via a notice on the website or by email if we hold your address). Continued use of the website after a material change constitutes acceptance of the updated policy.
For any questions about this policy, to exercise your rights, or to request a copy of our data processing agreements with sub-processors:
We aim to respond to all enquiries within 5 business days.