Privacy Policy

Who we are

Threnly (“we”, “us”, “our”) is the international web-design studio operated by CipherShift (Pty) Ltd, the parent company behind the Cipher Shift agency. We design and build bespoke websites and digital experiences for clients worldwide. We operate the website at threnly.com.

We are the data controller for the personal data you provide to us through this site or in the course of receiving our services. For any privacy question or request, contact us at hello@threnly.com.

1. What we collect

We collect only what we need to respond to you and deliver the work you ask for. Depending on how you engage with us, this may include:

1.1 When you enquire or commission work

• Name and the business or brand you represent
• Email address and (optionally) phone or messaging handle
• Country / time zone
• Project details — goals, scope, references, content, brand assets, budget and timeline
• Any message content you choose to send us
• Billing details needed to invoice you (company name, billing address, tax/VAT identifier where applicable)

1.2 Automatic technical information

• IP address (used for security, abuse prevention and rate limiting only)
• Browser type and version, device type and screen size (for error diagnostics and to ensure the site renders correctly)
• Your cookie-consent preference (stored so we don’t ask you again — see our Cookie Policy)

2. Why we use it

• To respond to your enquiry and discuss a possible project.
• To deliver the services you commission — design, development, reviews, handover and any agreed support.
• To invoice you and keep accurate financial records as required by law.
• To communicate with you about your project, quotes, and updates.
• To keep the site secure — IP addresses are used for rate limiting and abuse prevention and are not combined with your identity.

3. Lawful bases (GDPR Article 6)

• Performance of a contract — to deliver the work set out in your engagement, brief or quote.
• Consent — for any optional cookies, analytics or marketing communications. You can withdraw consent at any time.
• Legal obligation — for retaining invoices and financial records for the period required by applicable tax law.
• Legitimate interests — for security monitoring, fraud prevention, and improving our services, balanced against your rights.

4. Who we share it with

We do not sell, rent or trade your personal data. We share it only with the service providers (“processors”) we rely on to operate, and only the minimum needed:

• Netlify — our web host. Processes IP addresses and request logs to serve the site. See Netlify’s privacy policy.
• Email and productivity providers — correspondence to and from our addresses is processed by our email provider under a data processing agreement.
• Payment providers — when you pay an invoice, the payment processor handles your payment details directly. We never see or store full card details.
• Domain and infrastructure registrars — only where a project specifically involves us registering or managing a domain or service on your behalf.

We will disclose information to law enforcement, courts or regulators where legally required, and will notify you first unless prohibited by law.

5. International data transfers

Because we serve clients worldwide and use cloud providers, your data may be processed in countries other than your own — typically in the European Union, the United Kingdom, the United States, or South Africa (where our parent company is established). Where data leaves the EEA or UK, we rely on lawful transfer mechanisms such as the European Commission’s Standard Contractual Clauses or an adequacy decision.

6. How long we keep it

• Enquiries that don’t become projects — kept for up to 24 months from last contact, then deleted.
• Active project data — kept for the duration of the project and any agreed support window.
• Invoices and financial records — retained for the minimum period required by applicable tax law (typically 5–7 years), then deleted.
• Email correspondence — retained for up to 24 months from the last reply, then archived or deleted.

7. How we protect it

• All data in transit is encrypted via TLS (HTTPS).
• The site enforces HTTPS and modern security headers to prevent downgrade and injection attacks.
• Access to email, project files and source repositories is limited to authorised personnel using strong, unique credentials and two-factor authentication.
• Secrets (API keys, passwords) are stored encrypted in our hosting platform’s environment and never committed to source control.

8. Cookies

We currently use only essential cookies — chiefly to remember your consent choice — and we do not run third-party analytics, advertising or retargeting tags by default. If we ever introduce optional analytics, it will load only after you accept on the consent banner. Full detail is in our Cookie Policy.

9. Your rights

Subject to your local law, you have the right to:

• Be informed about how your data is used — this page fulfils that.
• Access a copy of the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase your data (“right to be forgotten”), subject to our legal retention obligations.
• Restrict or object to certain processing.
• Data portability — receive your data in a portable format.
• Withdraw consent at any time, where processing is based on consent.
• Lodge a complaint with your local data-protection supervisory authority.

10. How to exercise your rights

Email hello@threnly.com with the subject line “Privacy request”. We will respond within 30 days. We may need to verify your identity before releasing or deleting data, to prevent fraudulent requests.

11. Children

Our services are intended for businesses and are not directed at individuals under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, email hello@threnly.com and we will delete it.

12. Changes to this policy

We may update this policy to reflect changes in our services, the law, or industry practice. The “Last updated” date at the top shows when it last changed. Material changes affecting active clients will be communicated by email.

13. Contact

Threnly — the international arm of CipherShift (Pty) Ltd
hello@threnly.com
threnly.com

This policy is written to align with the EU GDPR, the UK GDPR and comparable international data-protection laws, and is provided for transparency. It does not constitute legal advice.