Privacy policy.
How we collect, use, and protect your personal data — written in line with the UK General Data Protection Regulation and the Data Protection Act 2018.
RapidRebuild is operated by Emerald Mendoza ("I", "we", "us"), trading as RapidRebuild. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, I am the Data Controller responsible for your personal data.
If you have any questions about how your data is handled, contact me at hello@rapidrebuild.dev.
We collect the following categories of personal data:
- Identity & Contact Data: your name, email address, and any information you voluntarily provide during the discovery call booking process or via email.
- Payment Data: payment transaction references and amounts processed via Stripe. We do not store full card details; these are held exclusively by Stripe in compliance with PCI DSS.
- Technical Data: IP address, browser type, operating system, and pages visited, collected via server logs and analytics.
- Communications Data: the content of emails and messages you send to us.
We use your personal data for the following purposes:
- Service Delivery: to process your booking fee, schedule the discovery call, and deliver the agreed project.
- Communication: to send booking confirmations, project updates, invoices, and post-delivery support.
- Legal Compliance: to meet our obligations under applicable law, including tax and financial record-keeping requirements.
- Legitimate Interests: to improve our services, detect fraud, and maintain the security of our systems.
We process your personal data on the following legal bases under UK GDPR:
- Contract: processing is necessary to perform the contract between us (e.g. booking confirmation, project delivery).
- Legal Obligation: processing is required to comply with our legal obligations (e.g. financial record-keeping).
- Legitimate Interests: processing is necessary for our legitimate interests in operating the business, preventing fraud, and securing our systems, provided those interests are not overridden by your rights.
We use the following third-party services that may process your personal data on our behalf:
- Stripe — payment processing. Your payment data is governed by Stripe's Privacy Policy. Stripe is certified to PCI Service Provider Level 1.
- Cal.com — discovery call scheduling. Booking data you provide when scheduling is governed by Cal.com's Privacy Policy.
- Hetzner / DigitalOcean — server infrastructure. Our servers are located in the EU/EEA.
We do not sell your personal data to any third party.
We retain your personal data only for as long as necessary for the purposes described in this policy:
- Client records and invoices: retained for 7 years to comply with HMRC tax obligations.
- Booking fee records: retained for 7 years for financial compliance.
- Email communications: retained for the duration of the project plus 2 years.
- Server logs: retained for 90 days and then deleted.
After the applicable retention period, data is securely deleted or anonymised.
Under UK GDPR, you have the following rights regarding your personal data:
- Right of Access: you may request a copy of the personal data we hold about you.
- Right to Rectification: you may ask us to correct inaccurate or incomplete data.
- Right to Erasure: you may request deletion of your data where there is no legitimate reason to retain it.
- Right to Restriction: you may ask us to pause processing of your data in certain circumstances.
- Right to Data Portability: you may request a machine-readable copy of data you provided to us.
- Right to Object: you may object to processing based on legitimate interests.
To exercise any of these rights, email hello@rapidrebuild.dev. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
This site uses essential cookies only — specifically, the Laravel session cookie required for the client portal to function. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
The session cookie is a first-party, HTTP-only, secure cookie. It expires at the end of your browser session unless you select "Remember me" on login, in which case it persists for up to 30 days.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:
- HTTPS enforced across all pages via TLS
- Passwords hashed using bcrypt with a high cost factor
- Server hardening with firewall rules restricting access to necessary ports
- Regular dependency updates and security patching
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay.
Your data is primarily processed within the UK and EEA. Where third-party services (e.g. Stripe) may transfer data outside the EEA, they do so under appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms approved by the ICO.
We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. The "Last updated" date at the top of this page will be revised accordingly. Where changes are material, we will notify active clients by email.
For any questions, requests, or complaints regarding this Privacy Policy or our data practices, contact:
Emerald Mendoza — RapidRebuild
hello@rapidrebuild.dev