Privacy Policy

Plain English, UK GDPR. Effective 6 May 2026. Last updated 6 May 2026.

1. Who we are.

Flat Roof North West is a UK flat roofing service and the data controller for any personal data you share with us. Lancashire based, serving Lancashire, Greater Manchester, Cumbria, and North Yorkshire. Contact: info@lproofing.co.uk.

2. What we collect.

• When you use a free tool (contact form, quote request): your name, email, phone (if given), postcode, and the inputs you provide (roof type, symptoms, etc).
• When you book a survey: the same plus the address we'd visit and any photos or notes you share.
• When we complete work for you: billing/invoicing details, before-and-after photos (with your permission), warranty records.
• When you visit the site: anonymous usage data (page views, referrer, rough location from IP, device type) via Google Analytics 4, Microsoft Clarity (anonymised heatmaps + session replay), and Meta Pixel (only if those are configured). All controllable via the cookie banner.
• Server logs: your IP address and request metadata, held by our hosts (Netlify, Cloudflare) for security and abuse prevention for up to 30 days.

3. Why we have it (legal basis).

• Replying to your enquiry — legitimate interest (you asked us to).
• Doing the work you've booked — performance of a contract.
• Sending occasional service emails (e.g. survey reminder) — legitimate interest; you can opt out.
• Analytics + heatmap cookies — your consent; you can refuse or withdraw.
• Accounting and tax records — legal obligation (HMRC requires 6 years).

4. Who we share it with.

Only the providers we need to run the service. All UK/EU data-protection compliant or under UK-adequate transfer arrangements:

• Netlify and Cloudflare — hosting, DNS, form submissions.
• Google Workspace — email, documents.
• Resend — outbound email delivery (confirmations, notifications).
• TextMagic — sends the speed-to-lead SMS confirmation when you supply a UK mobile.
• Telegram — internal notification only (alerts us when you submit a form so we can reply quickly).
• Cal.com (EU) — when you book a survey slot online.
• Google Analytics 4 and Microsoft Clarity — anonymous site analytics + heatmaps + session replays. Fire only if you accept analytics cookies in the banner.
• Google Ads and Meta (Facebook) Pixel — paid-traffic attribution and retargeting. Fire only if you accept advertising cookies in the banner.
• Cure It GRP, Elevate EPDM, Flex-R, ResTec, Rapid Roof Pro, Cromar HydroSil — manufacturer warranty registration when work is fitted under their systems. Limited to: customer name, postcode, system and date of installation, roof area in m². Required to register the manufacturer-backed warranty.
• HMRC and our accountant — for tax and statutory records.

We do not sell, rent, or swap your data. Ever. Not used to train AI models.

5. How long we keep it.

• Enquiries that don't turn into surveys: up to 12 months, then deleted.
• Customer records: life of the project + 6 years after, for HMRC.
• Analytics data: 14 months (Google Analytics default), anonymised after.
• Server logs: up to 30 days.

6. Your rights under UK GDPR.

You have the right to:

• Ask what data we hold about you (subject access request)
• Correct anything that's wrong
• Ask us to delete your data (subject to our legal record-keeping duties above)
• Restrict or object to processing — including opt-out of any service email
• Receive a copy of your data in a portable format
• Withdraw consent at any time

Email info@lproofing.co.uk to exercise any of these. We reply within one working day and act within the statutory 30 days.

7. Cookies.

We split cookies into three categories. The banner you saw on first visit lets you choose which to allow. You can change your mind any time:

• Necessary — small first-party cookies essential for the site to work (session, preference memory). Always on.
• Analytics — Google Analytics 4 (_ga, _ga_*, retained 14 months) and Microsoft Clarity (_clck, _clsk, retained 1 year). Help us see which pages convert. Off by default.
• Advertising — Google Ads (_gcl_*, retained up to 90 days) and Meta Pixel (_fbp, fr, retained up to 90 days). Used for paid-traffic attribution and retargeting. Off by default.

Manage cookie preferences →

8. Security.

The site runs on TLS (https everywhere). Form submissions are encrypted in transit. Customer data is held in access-controlled accounts with 2FA. If we ever suffer a data breach that puts your rights at risk, we will notify you and the ICO within 72 hours as required.

9. Complaints.

If you're unhappy with how we've handled your data, please email us first — we'd rather put it right. If we can't resolve it, you have the right to complain to the UK Information Commissioner's Office: ico.org.uk, 0303 123 1113.

10. Updates to this notice.

If we update this notice we'll refresh the date at the top.