Privacy Policy
Last updated: 20 May 2026 — How Watermelon collects, uses and protects personal data under UK GDPR and EU GDPR.
Who we are
Watermelon ("we", "us", "our") is a business automation and analytics consultancy based in London, United Kingdom. Watermelon is operated by Charlie Bailey and is the controller of any personal data collected through this website (https://itswatermelon.com) and from clients during the course of our services.
Contact details for data protection matters
- Email: charlie@itswatermelon.com
- Postal address: 40 Bowling Green Lane, London EC1R 0NE, United Kingdom
You can contact us using either of the methods above to exercise your rights under the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 and, where applicable, the EU General Data Protection Regulation ("EU GDPR").
What this policy covers
This privacy policy explains what personal data we collect when you:
- visit this website (itswatermelon.com);
- enquire about our services through a contact form, email or booking link;
- become or work for one of our clients;
- subscribe to email updates from us; or
- interact with us through third-party platforms (Cal.com, LinkedIn, etc.).
It also describes how we use that data, who we share it with, how long we keep it, and the rights you have under data protection law.
Personal data we collect
Information you give us directly
- Name, email address, phone number, company name, role and any free-text message you submit through our contact form, our Cal.com booking page or by email.
- Information you provide during automation discovery and consulting work (for example, descriptions of your business processes, screenshots of internal tools, sample data files). We treat this as confidential client information.
- Billing information necessary to issue invoices (company name, billing address, VAT number where applicable).
Information we collect automatically
- Technical information such as your IP address, approximate location (city-level), browser type and version, device type, referring URL and pages viewed.
- Cookie and similar tracking data — see the Cookies and analytics section below.
Information we receive from third parties
- Aggregate analytics from Google Analytics 4 and Google Search Console.
- Business information from publicly available sources (your company website, Companies House, LinkedIn) when we prepare for a meeting or proposal.
We do not knowingly collect special category data (e.g. health, biometric, political opinions) through this website. Please do not include such information in contact forms or unsolicited emails.
How we use your data and the legal basis we rely on
| Purpose | Legal basis (UK / EU GDPR) |
|---|---|
| Responding to enquiries and providing the services you've requested | Contract performance (Art. 6(1)(b)) — or where we don't yet have a contract, our legitimate interest (Art. 6(1)(f)) in responding to inbound business enquiries |
| Sending you a quote, proposal or follow-up message after you contact us | Legitimate interest (Art. 6(1)(f)) |
| Sending marketing emails (only if you've opted in) | Consent (Art. 6(1)(a)) — you can withdraw at any time using the unsubscribe link |
| Issuing invoices and meeting tax / accounting obligations | Legal obligation (Art. 6(1)(c)) under UK tax law |
| Measuring website traffic and improving the site (only after you accept analytics cookies) | Consent (Art. 6(1)(a)) — via our cookie banner |
| Detecting and preventing fraud, abuse or security incidents | Legitimate interest (Art. 6(1)(f)) |
Where we rely on legitimate interests we have carried out a balancing test and concluded that those interests are not overridden by your rights and freedoms. You can object at any time using the contact details above.
Cookies and analytics
Our website uses a small number of cookies and similar technologies. Categories:
- Strictly necessary cookies — required for the site to function (for example, remembering your cookie preferences). These do not require consent.
- Analytics cookies — Google Analytics 4 (measurement ID
G-TJNEJZKBH9). These help us understand how visitors use the site so we can improve it. Loaded only after you give consent through our cookie banner. We use Google Consent Mode v2 with all advertising and analytics signals defaulted to denied until you opt in. - Booking and embed cookies — Cal.com sets cookies when you open the booking modal. These are only set if you interact with the booking widget.
You can change or withdraw your consent at any time by clearing your cookies for itswatermelon.com and reloading the page — the consent banner will reappear. Most browsers also let you block or delete cookies via the settings menu.
Who we share your data with
We share personal data only with the providers and partners listed below, and only to the extent necessary to run our business. Each is bound by a data processing agreement and appropriate safeguards.
- Google Ireland Limited / Google LLC — Google Analytics 4 and Google Search Console (website analytics).
- Cal.com, Inc. — scheduling and booking when you use our Cal.com link.
- Cloudflare, Inc. — content delivery, DNS, security and edge rendering for itswatermelon.com.
- Xano, Inc. — application database and API platform that powers our website's content and forms.
- Make.com (Celonis / Integromat s.r.o.) — workflow automation platform used for internal pipelines. Data is only routed through Make.com where it forms part of a service we are providing to you.
- Email and productivity providers — Google Workspace (email) and other office tools we use to communicate with you.
- Accountants and professional advisers — strictly for tax, accounting and legal compliance.
We will also disclose personal data where we are legally required to do so (for example, in response to a valid request from a regulator or court).
We do not sell personal data, and we do not share personal data with third parties for their own marketing purposes.
International transfers
Some of our providers (notably Google, Cloudflare, Cal.com, Xano and Make.com) are located in or transfer data to countries outside the UK and the European Economic Area, including the United States. Where this happens we rely on one of the following safeguards:
- a UK or EU adequacy decision (for example, the UK-US Data Bridge / EU-US Data Privacy Framework where the receiving organisation is certified); or
- Standard Contractual Clauses approved by the UK ICO or the European Commission, supplemented as needed.
You can ask us for a copy of the safeguards we rely on for a specific transfer using the contact details above.
How long we keep your data
We keep personal data only for as long as we need it:
- Enquiry data (contact form, email exchanges where you didn't become a client): up to 24 months after our last contact, then deleted.
- Client records and project files: for the duration of the engagement and for 6 years after the end of the engagement, to meet UK tax and statutory record-keeping obligations.
- Accounting and invoicing records: 6 years from the end of the relevant financial year, in line with HMRC requirements.
- Marketing subscribers: until you unsubscribe, plus a short suppression record so we don't accidentally email you again.
- Website analytics: Google Analytics 4 data retention is set to 14 months. Aggregate, non-personal reports may be kept for longer.
Your rights
Under UK and EU GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data ("right to be forgotten") where there is no overriding reason to keep it.
- Restrict our processing of your data while a query is resolved.
- Object to processing based on legitimate interests, including any direct marketing.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent at any time where we rely on consent (without affecting prior lawful processing).
- Not be subject to a decision based solely on automated processing that has a legal or similarly significant effect on you. We do not currently make such decisions.
To exercise any of these rights, email us at charlie@itswatermelon.com. We will respond within one month.
If you are not satisfied with our response, you have the right to complain to a supervisory authority:
- UK: Information Commissioner's Office (ICO) — ico.org.uk, 0303 123 1113.
- EEA: the data protection authority of your country of residence.
Security
We use commercially reasonable technical and organisational measures to protect personal data, including TLS encryption in transit, access controls on our admin systems, hardened authentication for cloud accounts, and least-privilege access for sub-processors. No system is perfectly secure; if we ever discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO and (where required) you, in line with Art. 33–34 GDPR.
Children
Our services are aimed at businesses. We do not knowingly collect personal data from children under 16. If you believe we have, please contact us and we will delete it.
Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of the page shows the most recent version. Material changes will be flagged on this page or, where appropriate, communicated to you directly.
Contact us
Questions, requests or concerns about this policy or your personal data — please contact us at:
- Watermelon
- Charlie Bailey
- 40 Bowling Green Lane, London EC1R 0NE, United Kingdom
- charlie@itswatermelon.com