Privacy, data & security

Clear data boundaries. Systems that stay in the right hands.

Tecknomancy protects its own house and builds client systems so that business data, payment accounts, and operational control remain clear.

Privacy notice

Who is responsible?

Tecknomancy is operated by Piergiulio Bariatti, trading as Tecknomancy. For the Tecknomancy website, enquiries, and Tecknomancy account area, Tecknomancy is the data controller.

For privacy questions or requests, use the . Last updated: 24 June 2026.

The important distinction

Your client data is not Tecknomancy’s customer list.

When we build or manage a client system, the client normally decides why and how their customers’ information is used. The client remains the data controller for that business data; Tecknomancy provides agreed technical services and support.

Information we handle

Only what the work needs.

We minimise what is collected and do not ask for sensitive information in a first project enquiry.

Project enquiries

Contact and project details

Name, email, optional phone number, the requested work, timing, and the message you choose to send. We use this to assess and reply to the enquiry.

Tecknomancy accounts

Login profile and security data

Username, email, optional phone number, password hash, account-verification details, and security-related timestamps. Where a registration security event needs investigation, we may also record the remote IP address supplied by the web server, the event type, and its time. Passwords are never stored in readable form.

Client systems

Business data by scope

Bookings, orders, customer records, staff access, or reporting information only where a client system needs it and the client has agreed the scope and responsibilities.

Why information is used

A lawful, practical reason each time.

We use information to reply to an enquiry, create and protect an account, deliver or support agreed work, keep necessary business records, prevent misuse, and meet legal or accounting duties.

Depending on the work, the lawful basis is usually steps toward a contract or performance of a contract, legitimate interests in operating and securing the service, consent for optional communications where required, or a legal obligation.

We do not sell personal information or use a project enquiry as a licence to add someone to marketing.

Access

Need-to-know access

Access is limited to the people and suppliers needed to run, support, secure, or legally account for the service.

Suppliers

Only for the service

Hosting, email, database, backup, and payment providers may process data only as needed to provide their part of the service.

International processing

Checked before use

Where a provider processes information outside the UK, the relevant safeguards and provider terms are considered before that provider is used for the agreed service.

How information is protected

Security is part of the build.

The Tecknomancy account and enquiry flows use encrypted transport on the live site, password hashing, verification and reset controls, CSRF checks, secure cookie settings, session rotation and expiry, server-side rate limiting, protected configuration, and access-controlled runtime data. Registration safeguards may create a limited account-security record where there is a failed security check or a completed registration, so we can prevent and investigate misuse. We continue to review the controls as the system grows.

Accounts

Passwords are hashed, email confirmation is required, reset links are single-use and time-limited, and account attempts are throttled.

Operations

Secrets, credentials, and operational runtime data stay outside public pages or behind server-side access rules.

Incident response

If an issue is identified, we investigate, contain it, and work with affected clients on the steps required for their system and legal responsibilities.

Ownership & payments

Your system should support your business, not trap it.

A payment-enabled system is designed around the client’s own merchant relationship and operational needs.

Business ownership

Your records, your customers

Client content, customer records, orders, and permissions belong to the client’s business. Tecknomancy keeps reusable, non-client-specific TecknoCore components and development methods.

Merchant accounts

Payments in your name

Where payments are in scope, the client opens and owns the provider account. SumUp, Stripe, PayPal, Square, or another suitable provider can be assessed against the project—not selected by hidden default.

Safe payment routes

Provider-hosted checkout

Systems are designed so card details go to the chosen payment provider rather than being sent to Tecknomancy. Orders, payment status, refunds, and fulfilment rules are built and tested as agreed.

Important: a payment connection is never just a button. Provider approval, merchant-account terms, delivery or refund rules, tax handling, webhooks, testing, and the client’s operating process are agreed before a payment feature goes live.

Your rights

Access, correction, deletion, and more.

Subject to applicable law, you can ask for access to personal data, correction, erasure, restriction, objection, or portability, and withdraw consent where consent is the basis. Tecknomancy account holders can download their profile information and delete the account from their account page.

For information in a client’s own system, the client business is normally the right first contact. We assist that client under the agreed support arrangement where appropriate.

Retention & cookies

Kept only as long as needed.

Account data remains until deletion or a lawful reason requires limited retention. Enquiries and client-service records are kept only for as long as needed to respond, deliver work, resolve issues, and meet legal or accounting duties. Essential cookies support login, security, and form operation. We keep daily aggregate totals of public-page visits and the pages being reached so we can improve the site; this contains no IP address, user agent, account identifier, or individual browsing record.

Account-security records are separate from those anonymous visit totals. When a registration security event occurs, the record may include the remote IP address supplied by the web server, the event type, and time. It is restricted to the configured administrator, used to prevent, investigate, or respond to suspected misuse, fraud, unauthorised access, or service interference, and normally deleted after 90 days. We may retain a relevant record longer only where reasonably necessary for an active investigation, a legal claim, a compliance duty, or to establish, exercise, or defend legal rights. We do not use these records for marketing or visitor analytics.

We do not add advertising or analytics cookies without updating this notice and providing any required choice.