O'Connor Logo
Menu
HomeHow It WorksEngine RoomAbout MeBook a Free Strategy Call

Tools

GEO Score CheckerLanding Page AuditorAI Cannibalisation AuditTechnical AuditorAI Visibility Audit

Privacy Policy

Version 2.1 · Last updated: 19 May 2026

1. Who I Am

I am a performance and growth strategist committed to privacy-first data practices. I help SME businesses generate more leads and more revenue through the right mix of channels, built on first-party data and proper attribution.

Nathan O'Connor is registered with the Information Commissioner's Office (ICO) under registration number C1919785.

2. What Data I Collect

I may collect and process the following types of personal data:

a) Website Interaction Data (via GTM & Analytics):

  • Pages visited, time on site, and navigation paths
  • Referrer and UTM parameters
  • Clicks and form interactions
  • IP address and approximate geolocation (if consented)

b) Form Submissions (via Twenty CRM):

  • Full name
  • Email address
  • Phone number
  • Business information (e.g., company name, website, job title)
  • Marketing preferences

c) Cookies and Tracking (via consent management & Google Tag Manager):

  • Consent preferences (stored via a consent cookie)
  • Google Click ID (GCLID) for ad attribution (only if consented)
  • Session data for engagement scoring (if implemented)

d) Customer Match & Email Marketing (via Google Ads):

  • Only with your explicit opt-in for marketing communications and remarketing
  • Email addresses or phone numbers (hashed when used for remarketing)

3. How I Collect Your Data

I collect data through:

  • Contact Forms: Submitted data is stored in Twenty CRM
  • Tracking Scripts: Implemented via Google Tag Manager and gated by CookieYes (a Google-certified Consent Management Platform) for GDPR-compliant consent management
  • Advertising Clicks: GCLID and UTM parameters stored if consent is granted
  • Manual Uploads: For marketing lists (only where you have opted in)

4. Why I Collect Your Data

I collect and process data to:

  • Respond to your enquiries and provide relevant services
  • Measure performance across marketing campaigns and platforms
  • Optimize conversion paths by understanding how users engage with my content
  • Feed high-quality conversion data back to Google Ads to improve bidding strategies (e.g., using GCLID and offline conversion imports)
  • Build privacy-compliant remarketing and lookalike audiences through hashed, consented user data
  • Contribute to Google Ads' Signals and Smart Bidding systems, helping to train models to better understand user intent and improve campaign performance
  • Attribute results accurately through my first-party data and server-side setups

I do not sell or rent your data. Any data shared with platforms like Google Ads is only done:

  • If explicit consent has been provided, and
  • In a hashed or anonymized form (where applicable)

5. Legal Basis for Processing

I process your data based on:

  • Consent (e.g., for cookies, email marketing, and remarketing)
  • Contractual necessity (e.g., responding to service enquiries)
  • Legitimate interest (e.g., site performance measurement, fraud prevention)

You can withdraw your consent at any time by adjusting your cookie settings or unsubscribing from emails.

6. How I Store and Protect Your Data

  • Contact and enquiry data is stored securely within Twenty CRM.
  • Form submissions and interactions are encrypted in transit and stored within GDPR-compliant systems.
  • Google Ads and analytics data is stored according to the platforms' own privacy policies and retention policies.
  • I use reasonable security measures to protect personal data against loss, misuse, unauthorized access, disclosure, alteration, and destruction.

7. How Long I Keep Your Data

  • CRM and contact form data: up to 2 years after your last interaction, or 3 years from your last engagement, whichever is later. Records related to an active or recently active client relationship are kept for the duration of the engagement plus 6 years to meet UK statutory and tax-record requirements.
  • Analytics data: retained according to Google Analytics settings (typically 14–26 months)
  • Marketing data: retained as long as you remain subscribed or until you withdraw consent
  • Tool usage events (Neon “tool_events”): URLs you submit to the free audit tools and the resulting scores are stored for up to 24 months for product analytics and abuse-prevention purposes, then deleted or aggregated.
  • Backups: deleted records may persist in encrypted backups for up to 35 days before being purged in line with vendor retention cycles.

8. Your Data Rights (GDPR)

You have the right to:

  • Access your data
  • Correct inaccurate data
  • Request deletion ("right to be forgotten")
  • Withdraw consent
  • Lodge a complaint with a Data Protection Authority (ICO in the UK)

To exercise your rights, please email: info@nathanoconnor.co.uk

9. Third-Party Tools I Use

I share data with categories of third-party services under strict privacy terms:

  • Hosting and infrastructure (site hosting, database, edge workers, transactional email, image storage)
  • CRM and consent management (contact management and Consent Management Platform)
  • Analytics and ad attribution (web analytics, tag management, ad-platform measurement — loaded only with the relevant consent)
  • Automation (workflow tooling such as n8n)
  • AI processing (the URL content and extracted text submitted to the free audit tools is processed by the Claude API and, in the AI Visibility Audit, by Perplexity)

A current list of named vendors, their function, processing location, and applicable international transfer mechanism is maintained at /sub-processors. That page is the canonical, up-to-date source. Existing clients are notified by email at least 30 days before any new sub-processor is engaged or an existing one is replaced.

10. International Data Transfers

I only use vendors that provide GDPR-compliant data protection measures. Contact and enquiry data processed via Twenty CRM is stored on EU/UK-based infrastructure. Where Personal Data is transferred outside the United Kingdom, transfers are governed by the applicable transfer mechanism in each vendor's own Data Processing Agreement, typically one of:

  • An Adequacy decision by the UK government (covers the EEA and a limited list of other countries)
  • The UK International Data Transfer Agreement (UK IDTA)
  • The European Commission's Standard Contractual Clauses (SCCs) with the UK Addendum issued by the ICO

The specific transfer mechanism for each vendor is listed at /sub-processors. Copies of the applicable transfer mechanism for any individual vendor are available on reasonable request.

11. Children's Data

My services and website are aimed at business users and are not directed at children under 13. I do not knowingly collect personal data from children. If you believe a child has provided me with personal data, please contact me and I will delete it.

12. Automated Decision-Making

I do not make decisions about individuals using solely automated processing (including profiling) that produces legal or similarly significant effects under Article 22 of the UK GDPR. The free audit tools score URLs you submit, not individuals.

13. Changes to This Policy

I may update this policy from time to time. The latest version will always be available on my website.

14. Contact Us

If you have any questions or concerns, please contact:

Nathan O'Connor

Email: info@nathanoconnor.co.uk