Privacy Policy

Last updated: 8 May 2026

Summary: Duncan Agency takes your privacy seriously. We collect personal data only when you give it to us through forms, bookings, or cookies you have consented to. We process it under the General Data Protection Regulation (Regulation EU 2016/679, "GDPR"). You have full rights to access, correct, export, or delete your data at any time.

1. Who we are

This website (duncanhendy.com) is operated by Duncan Hendy, trading as Duncan Agency, based in Ostrava, Czech Republic. For all privacy enquiries, contact info@duncanhendy.com.

For the purposes of GDPR, Duncan Hendy is the data controller for personal data collected through this website.

2. What data we collect

We only collect data you actively provide, plus minimal technical data needed to run the site.

Data you give us directly

  • Forms and email signups (HubSpot): your name and email address (and any other fields you complete) when you opt in to receive the book, newsletter, or other content.
  • Discovery call bookings (HubSpot Meetings): your name, email, company, and any context you choose to share when you book a call.
  • Contact emails: anything you send to info@duncanhendy.com.
  • Free assessment: if you choose to share your results, the answers you submitted.

Data collected automatically (only with your consent)

  • Analytics cookies via Google Tag Manager and Google Analytics 4: page views, session duration, referral source, anonymised IP, device type. Loaded only after you accept cookies in our consent banner.
  • Functional cookies: a single cookie that remembers your consent choice so we do not ask you again on every page.

If you decline cookies, no analytics or marketing scripts load. The site works fully without them.

3. Why we collect it (legal basis)

  • Consent (GDPR Article 6(1)(a)): for marketing emails, newsletter signups, and analytics cookies.
  • Legitimate interest (GDPR Article 6(1)(f)): for responding to enquiries you initiate, and for basic security and fraud prevention.
  • Contract (GDPR Article 6(1)(b)): if you become a client, to deliver the services you have engaged us for.
  • Legal obligation (GDPR Article 6(1)(c)): for tax, accounting, and regulatory record-keeping where applicable.

4. Who we share it with

We do not sell, rent, or trade your personal data. We use the following processors to operate the website. Each is bound by data processing agreements aligned with GDPR.

  • Vercel Inc. (United States, hosting and edge delivery).
  • HubSpot Inc. (United States and Ireland, forms, email marketing, meeting bookings, and CRM).
  • Google LLC (United States and Ireland, Google Tag Manager and Google Analytics 4, only when you consent).
  • Google Workspace (United States and Ireland, business email).

Where data is transferred outside the European Economic Area, transfers rely on the European Commission's Standard Contractual Clauses or other GDPR-recognised safeguards.

5. How long we keep it

  • Newsletter and marketing contacts: until you unsubscribe or request deletion.
  • Discovery call records: 24 months after the last interaction, unless you become a client.
  • Client records: as required for the engagement, plus 7 years for tax and accounting compliance.
  • Analytics data: aggregated and anonymised at 14 months by default in Google Analytics 4.
  • Email correspondence: typically 24 months unless retention is required for an active matter.

6. Your rights under GDPR

As a data subject, you have the right to:

  • Access (Article 15): request a copy of the personal data we hold about you.
  • Rectification (Article 16): ask us to correct inaccurate or incomplete data.
  • Erasure (Article 17): ask us to delete your data, subject to legal retention obligations.
  • Restriction (Article 18): ask us to pause processing while you contest data accuracy or object to a use.
  • Portability (Article 20): receive your data in a structured, commonly used format.
  • Objection (Article 21): object to processing based on legitimate interest, including direct marketing.
  • Withdraw consent at any time, where processing relies on consent.
  • Lodge a complaint with the Czech Data Protection Authority (Úřad pro ochranu osobních údajů) or the supervisory authority in your country of residence.

To exercise any of these rights, email info@duncanhendy.com. We respond within 30 days.

7. Cookies in detail

When you first visit the site, a consent banner asks whether you accept analytics cookies. If you accept, we load Google Tag Manager, which in turn loads Google Analytics 4. If you decline, no analytics or marketing scripts run. The only cookie we set in either case is a single functional cookie storing your consent choice (so we do not re-prompt on every page).

You can change your choice at any time by clearing your browser cookies for this site, which will trigger the consent banner again on your next visit.

8. Children's privacy

This website is intended for B2B audiences and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us and we will delete it.

9. Security

We use HTTPS across the whole site, restrict administrative access, rely on reputable processors, and apply security best practices for any data we store. No system is perfectly secure, but we take this seriously and review controls regularly.

10. Changes to this policy

We may update this policy as the site, services, or applicable law changes. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated through the homepage or by email to active subscribers.

11. Contact

For any privacy question, request, or complaint, email info@duncanhendy.com.

Return to home