Privacy Policy

Last updated: 30 April 2026

1. Who we are

This website (fortisecology.co.uk) is operated by Fortis Ecology Ltd, a subsidiary of JDS Vanguard Holdings Ltd, registered in the United Kingdom. For the purposes of UK GDPR, Fortis Ecology Ltd is the data controller for personal data collected through this website.

You can contact us at info@fortisecology.co.uk with any questions about this policy or your personal data.

2. What personal data we collect

We collect only the personal data you actively give us, plus a small amount of analytics data if you consent to cookies. Specifically:

  • Enquiry form (contact page): name, email address, phone number (optional), the service you are enquiring about, the species you have identified (optional), your message, and any photos you choose to upload.
  • Newsletter sign-up (resources page): email address.
  • Training purchases (training page): processed via Stripe — we receive an email address and order reference but no card details. Stripe is the data controller for payment data.
  • Species sighting reports (UK invasive species map): species, postcode area, optional email address.
  • Analytics (optional, consent-gated): if you accept cookies, Google Analytics 4 collects pseudonymised usage data — pages viewed, approximate location (city level), device type, referring source. This is used to understand site performance.

3. Why we collect it (legal basis)

  • Enquiry forms: legitimate interests — to respond to your enquiry and provide a quote.
  • Newsletter: consent — you can unsubscribe at any time using the link in any email.
  • Training purchases: contract — to deliver the digital product you have paid for.
  • Analytics cookies: consent (PECR) — only set after you click Accept on the cookie banner.

4. How long we keep it

  • Enquiry submissions: 24 months from your last contact, then deleted.
  • Newsletter list: until you unsubscribe.
  • Order records (training): 6 years (to meet HMRC retention requirements).
  • Analytics: 14 months in Google Analytics 4 (Google's default), then aggregated.

5. Who processes your data

We use a small number of trusted processors who provide infrastructure for this site. They process data on our behalf under written agreements:

  • Netlify — hosts this website and processes contact-form submissions and newsletter sign-ups (servers in the EU/US, GDPR-compliant DPA).
  • Stripe — payment processor for training products (PCI-DSS Level 1 certified).
  • Google — analytics, only if you accept cookies.
  • Resend — transactional email delivery (e.g. download links after a training purchase).

We do not sell your data to third parties. We do not share it for marketing purposes.

6. Cookies

We use the minimum cookies needed to run the site, plus optional analytics cookies that fire only after you click Accept.

Cookie Purpose Lifetime Type
fortis_cookie_consentRecords your accept/reject choice on the cookie banner12 monthsEssential (PECR-exempt)
fortis_cartStores training products you have added to your cartSession / until clearedEssential (PECR-exempt)
_ga, _ga_*Google Analytics 4 — pseudonymised usage analyticsUp to 24 monthsOptional — consent required

You can change your cookie choice at any time by clearing site data in your browser, which will re-show the banner.

7. International transfers

Some of our processors (Stripe, Google) operate servers outside the UK. Where data is transferred internationally, it is protected by the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with UK addendum.

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Have it corrected if inaccurate
  • Have it erased ("right to be forgotten") where there is no overriding legal basis
  • Restrict or object to processing
  • Data portability
  • Withdraw consent at any time (where consent is the legal basis)
  • Lodge a complaint with the Information Commissioner's Office (ICO) — ico.org.uk

To exercise any of these rights, email info@fortisecology.co.uk. We respond within 30 days.

9. Security

The site is served over HTTPS with HSTS. Form submissions are encrypted in transit. Payment data is handled by Stripe and never touches our servers. We apply OWASP-recommended security headers (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy).

10. Changes to this policy

We will update this policy from time to time. Material changes will be flagged on this page; the "Last updated" date at the top will always reflect the latest revision.

11. Contact

Questions, corrections, or rights requests: info@fortisecology.co.uk.