Privacy Policy

darikwa.com · Last updated: 18 May 2026

1. Who we are

This website (darikwa.com) is operated by Edward Madziwa, trading as Elizabeth Gracie Ltd (Company No: 15027873, registered at 128 City Road, London, England, EC1V 2NX).

When we say "we", "us", or "our" in this policy, we mean Elizabeth Gracie Ltd. When we say "you" or "your", we mean you as a visitor to this website or a client of our services.

Our data protection contact is: edward@darikwa.com

2. What data we collect

We collect the following personal data:

Through the chatbot and contact forms:

  • Your name
  • Your email address
  • Your phone number (if provided)
  • Details of your project or enquiry
  • Files you upload (documents, images)

Through the client portal:

  • Account login details (email address)
  • Signed contracts and engagement terms
  • Project communications (messages)
  • Documents shared between you and us

Automatically when you visit the site:

  • Your IP address
  • Browser type and version
  • Pages visited and time spent
  • Referring website
  • Device type

When signing contracts electronically:

  • Your printed name
  • Your IP address at time of signing
  • Your browser/device information at time of signing
  • Timestamp of signature

3. How we use your data

We use your personal data to:

  • Respond to your enquiries
  • Provide the services you have engaged us for
  • Create and manage your client portal account
  • Generate and manage contracts and agreements
  • Send you project updates and communications
  • Send you invoices and manage payments
  • Improve our website and services
  • Comply with legal obligations

We do not use your data for marketing unless you have specifically opted in.

4. Legal basis for processing

We process your data under the following legal bases (UK GDPR Article 6):

  • Contract: processing is necessary to fulfil our contract with you or to take steps before entering into a contract
  • Legitimate interest: to improve our services, maintain security, and manage our business
  • Consent: where you have given explicit consent (e.g., chatbot GDPR checkbox)
  • Legal obligation: where we are required by law to retain certain records

5. AI and automated processing

Our website uses AI-powered tools including:

  • A chatbot that processes your enquiry and generates a summary for our review
  • Translation features that convert text between languages for your convenience
  • Document analysis tools that extract text from uploaded files

AI-generated content (including translations of contracts) is provided for comprehension purposes only and is clearly labelled. No automated decisions with legal or significant effects are made solely by AI without human review.

6. Who we share your data with

We may share your data with:

  • Supabase Inc: our database and authentication provider (data stored in the EU)
  • Email service providers: for sending notifications and communications
  • Payment processors: if and when payment is processed through the site
  • HMRC: if you use our GraftApp platform for Making Tax Digital submissions (only the data you explicitly submit)

We do not sell your personal data to third parties. We do not share your data with third parties for their marketing purposes.

7. International transfers

Your data is primarily stored in the EU (Supabase EU region). Where data is transferred outside the UK/EU (e.g., to AI service providers in the US), we ensure appropriate safeguards are in place including Standard Contractual Clauses or adequacy decisions.

8. How long we keep your data

  • Enquiry data: 2 years from last contact, unless you become a client
  • Client project data: 6 years after project completion (UK tax and contract law)
  • Contracts and signed documents: 6 years after expiry or termination
  • Website analytics: 26 months
  • Chat conversations: 2 years from conversation date

You can request deletion of your data at any time (see section 10).

9. How we protect your data

  • Encrypted database connections (TLS/SSL)
  • Row-level security on all database tables (users can only access their own data)
  • Private storage buckets for uploaded files (accessed only via time-limited signed URLs)
  • Authentication via secure magic links (no passwords stored)
  • HMRC tokens encrypted at rest using pgcrypto
  • Regular security reviews of our infrastructure

10. Your rights

Under UK GDPR, you have the right to:

  • Access: request a copy of the personal data we hold about you
  • Rectification: ask us to correct inaccurate data
  • Erasure: ask us to delete your data (subject to legal retention requirements)
  • Restriction: ask us to limit how we use your data
  • Portability: request your data in a machine-readable format
  • Object: object to processing based on legitimate interest
  • Withdraw consent: where processing is based on consent, withdraw it at any time

To exercise any of these rights, email edward@darikwa.com. We will respond within 30 days.

11. Cookies

We use essential cookies only for:

  • Authentication (keeping you logged into the client portal)
  • Session management

We do not use advertising or tracking cookies. If we add analytics in the future, we will update this policy and request your consent.

12. Children

Our services are not directed at individuals under 18. We do not knowingly collect data from children.

13. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top will change. Significant changes will be communicated to active clients via email.

14. Complaints

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO).

We would appreciate the chance to address your concerns before you approach the ICO. Please contact edward@darikwa.com in the first instance.

