BLYMP LTD Data Processing Addendum (DPA).

Last Updated: November 2025
Company: BLYMP LTD
Registered in England & Wales (No. 15821234)
Registered Office:
25 Cove Road, Bournemouth, Dorset, BH10 4BN, UK

1. Introduction and Scope
1.1 This Data Processing Addendum (“DPA”) forms part of the agreement between BLYMP LTD (“BLYMP”, “we”, “us”, “our”) and the Client (“you”, “your”) for the provision of website and digital services (the “Services”).
1.2 This DPA outlines how BLYMP processes personal data on behalf of the Client in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1.3 The terms “Controller”, “Processor”, “Personal Data”, and “Processing” shall have the same meanings as defined in the UK GDPR.
1.4 This DPA applies whenever BLYMP acts as a Data Processor processing personal data for which the Client is the Data Controller.

2. Roles and Responsibilities
2.1 The Client is the Data Controller and determines the purposes and means of processing personal data collected through their website, forms, or connected services.
2.2 BLYMP is the Data Processor and will process personal data only as instructed by the Client and in accordance with this DPA and the Client’s documented instructions.
2.3 Nothing in this DPA relieves either party of its obligations under the UK GDPR or other applicable data protection laws.

3. Nature and Purpose of Processing
3.1 The processing performed by BLYMP may include:
Hosting, maintaining and updating the Client’s website;
Processing form submissions, registrations, and user accounts on the Client’s website;
Providing analytics, uptime monitoring, and technical support;
Managing payment or subscription information (via Stripe);
Storing or transmitting data securely between systems used by the Client and BLYMP.
3.2 The purpose of the processing is to deliver the Services described in the Client’s main service agreement or plan (Core, Plus or Infinity) and any associated bolt-ons or add-ons.

4. Duration of Processing
4.1 BLYMP shall process personal data for the duration of the Client’s active service or contract with BLYMP and shall retain personal data for no longer than necessary to fulfil contractual or legal obligations.
4.2 Upon cancellation of services, BLYMP shall delete or anonymise Client-related personal data within six (6) months, unless retention is required by law.

5. Types of Personal Data Processed
5.1 The personal data processed may include, but is not limited to:
Names, email addresses, and contact details of website users or customers;
Communication and support requests;
Transactional information (e.g., payment records processed via Stripe);
IP addresses and technical identifiers for analytics purposes.
5.2 No sensitive or “special category” personal data (as defined by UK GDPR Article 9) is intentionally processed by BLYMP.

6. Subprocessors
6.1 BLYMP may engage trusted third-party service providers (“Subprocessors”) to assist in providing hosting, analytics, communications, or payment services.
6.2 Current Subprocessors include, but are not limited to:
Webflow, Inc. – website hosting and CMS;
Pagecloud, Inc. – alternative hosting platform;
Stripe Payments UK Ltd – payment processing;
Google LLC – analytics and productivity tools;
Meta Platforms, Inc. – advertising and analytics;
Cloudflare, Inc. (GuardSpec) – security and content delivery;
Email and communication providers (e.g., Outlook 365, Gmail);
Other subprocessors as may be required for functionality or support.
6.3 BLYMP ensures that all Subprocessors are bound by data-protection obligations that are at least as protective as those set out in this DPA.
6.4 BLYMP shall remain fully responsible for the performance of its Subprocessors.

7. Data Security
7.1 BLYMP maintains appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage.
7.2 Security measures include (but are not limited to):
SSL/TLS encryption across all hosted websites and dashboards;
Firewalls and intrusion detection via GuardSpec (powered by Cloudflare);
Secure user authentication and access controls;
Regular software and infrastructure updates;
Staff confidentiality agreements and training;
Backups and recovery systems managed by hosting providers.
7.3 BLYMP regularly reviews these measures to maintain a high level of security in line with industry best practice.

8. Data Subject Rights
8.1 BLYMP shall assist the Client, where possible, in fulfilling its obligations to respond to requests by data subjects to exercise their rights under the UK GDPR (e.g., access, rectification, deletion, restriction, portability).
8.2 The Client is responsible for verifying and authorising all such requests before BLYMP takes action on them.

9. Data Breaches
9.1 In the event of a confirmed personal data breach affecting the Client’s data, BLYMP shall notify the Client without undue delay and provide all available details.
9.2 BLYMP shall take reasonable steps to mitigate the effects of the breach and cooperate with the Client’s investigation or reporting obligations to the Information Commissioner’s Office (ICO).

10. International Data Transfers
10.1 Personal data may be transferred outside the UK or EEA when necessary for providing the Services (e.g., to hosting or analytics providers based in the US).
10.2 BLYMP ensures such transfers comply with UK GDPR standards through mechanisms such as the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs).
10.3 The Client consents to such international transfers as necessary for the provision of Services.

11. Client Obligations
11.1 The Client warrants that all personal data provided to BLYMP has been collected lawfully and that all necessary consents and notices have been obtained.
11.2 The Client must not transmit or request BLYMP to process any special category or criminal data unless agreed in writing.
11.3 The Client shall maintain its own security measures and ensure data it transmits to BLYMP is accurate and up to date.

12. Return or Deletion of Data
12.1 Upon termination or expiry of the Services, the Client may request a copy of non-personal data (e.g., website files) within 30 days.
12.2 BLYMP will securely delete or anonymise all Client-related personal data within six (6) months unless otherwise required by law.
12.3 Backup data may remain temporarily in secure archives until automatically overwritten.

13. Audit and Compliance
13.1 Upon reasonable written request, BLYMP will provide evidence of its data-protection compliance (e.g., security policies or hosting partner certifications).
13.2 Direct audits or inspections may be requested by the Client, subject to reasonable notice and scope, and at the Client’s expense.

14. Liability and Indemnity
14.1 Each party’s liability under this DPA is subject to the limitations set out in the main Service Agreement.
14.2 The Client agrees to indemnify BLYMP against any claims, losses or damages resulting from the Client’s unlawful or unauthorised use of personal data.

15. Governing Law and Jurisdiction
15.1 This DPA and any dispute arising from it shall be governed by and construed in accordance with the laws of England and Wales.
15.2 Both parties submit to the exclusive jurisdiction of the courts of England and Wales.

16. Contact
Questions or requests regarding this DPA can be directed to:
Email: privacy@blymp.co.uk
Post: BLYMP LTD, 25 Cove Road, Bournemouth, Dorset, BH10 4BN, UK

© BLYMP Ltd 2025. All rights reserved. Company no. 15821234