How this site handles personal data in its current form.

This policy describes the data the current website actually collects or processes. It is written to match the implementation that is live in this repository, not a generic template.

Contact DJM Group Ltd Review the terms

Last updated: 4 April 2026.

1. Who this policy applies to

This policy applies to visitors who browse the public website, submit the contact form, or interact with the private administrator sign-in area.

DJM Group Ltd is the organisation operating the site. If you need to ask a privacy question about the site, use the contact page so the request reaches the right internal owner.

2. What data the site collects

The public site currently collects or processes the following categories of data:

Contact form details: name, email address, selected enquiry subject, and the message you submit.
Security and anti-abuse data: IP address and request header information used to rate-limit sign-in attempts and contact submissions.
Administrator account data: name, email address, role, and password hash for authorised internal users of the private admin area.
Technical request data generated by normal hosting and server operation, such as logs required to keep the service running and investigate faults.

3. How the data is used

To review and respond to valid business enquiries.
To store enquiries in the internal lead pipeline that sits behind the admin dashboard.
To send internal lead notification emails when the optional email configuration is enabled.
To protect the site against spam, abusive form traffic, and repeated unauthorised sign-in attempts.
To operate the private administrator area used to triage and manage inbound leads.

4. Cookies and similar technologies

The public marketing pages do not intentionally set analytics, advertising, or personalisation cookies at the time of writing.

The private administrator area does use essential authentication and session cookies so authorised administrators can sign in and stay signed in securely. Those cookies are necessary for the admin feature to work and are not used for advertising.

If non-essential analytics, advertising, or personalisation tooling is added later, the cookie disclosure and consent approach should be updated before that change goes live.

5. Third-party services involved in delivery

The current implementation can involve third-party services in a limited way:

PostgreSQL is used to store contact enquiries and administrator records.
Resend may be used for internal lead notification emails if `RESEND_API_KEY`, `CONTACT_FROM_EMAIL`, and `CONTACT_TO_EMAIL` are all configured together.

This site does not currently expose a public newsletter, payments flow, public user accounts, or third-party analytics dashboard.

6. Retention and deletion

The site stores enquiry records and administrator records so the business can operate the lead workflow and the protected admin area.

A formal retention schedule is not yet published in the codebase or on the site. Until one is formally adopted, records should be reviewed against operational need, security, and legal obligations, then deleted when they are no longer required.

7. Your choices and rights

If you have submitted a contact enquiry and want to request access, correction, or deletion, use the contact page and describe the request clearly enough for the record to be identified.

8. Changes to this policy

This page should be updated whenever the site adds new data collection, introduces non-essential cookies, changes hosting or messaging providers, or formalises retention periods and contact details.