Legal

Privacy Policy

How majaco collects, uses, and protects personal data, and what your rights are under UK GDPR.

The short version. We collect very little personal data. If you contact us, we keep your details so we can reply. If you visit majaco.co and accept analytics cookies, Google Analytics records anonymised usage. We never sell your data. You can ask for a copy, correction, or deletion at any time by emailing makeitpossible@majaco.co.

For our client portals (e.g. wbv.majiai.co, hitchcox.majiai.co, becketts.majiai.co), majaco acts as a data processor on behalf of the client. If you are a staff member of one of our clients and want to access or delete your data, please contact your employer — they control it.

1. Who we are

majaco is a trading name of Maillot Jaune Consulting Ltd, a company registered in England and Wales (company number 12210721), with registered office at 6th Floor, 9 Appold Street, London, EC2A 2AP.

This policy covers the websites we operate:

  • majaco.co — our corporate marketing site
  • majiai.co — the maji product site, tools, and public documentation
  • Client-specific subdomains such as wbv.majiai.co, hitchcox.majiai.co, and becketts.majiai.co, which are restricted to authorised users from the relevant client organisation

For questions about this policy, or to exercise any of your rights under UK GDPR, email makeitpossible@majaco.co. Requests are handled by Toby Parnell, founder.

2. When majaco is the controller vs processor

Under UK GDPR a controller decides why and how personal data is processed; a processor acts on the controller's instructions. majaco wears both hats depending on the activity.

majaco as controller

We are the controller for:

  • Visitors to majaco.co and majiai.co (server logs, optional analytics)
  • People who contact us via the contact form or email
  • Prospective and current client contacts at organisations we do business with
  • Job applicants, contractors, and suppliers

majaco as processor

When we deliver an engagement that involves processing personal data about a client's own staff, customers, or contractors — for example operator time logs on hitchcox.majiai.co, dealer rotas on wbv.majiai.co, or shift-level performance data on becketts.majiai.co — the client is the controller and majaco is the processor. That processing is governed by the data processing agreement (DPA) in the Letter of Agreement or Master Services Agreement signed with the client.

If you are an employee or contractor of one of our clients and want to exercise your rights in relation to data about you on one of our client portals, please contact your employer in the first instance. Your employer will pass the request to us if needed, and we will assist them in responding within the statutory timeframe.

3. What personal data we collect

When you visit a majaco website

  • Server logs (IP address, browser type, pages requested) — held transiently by our hosting providers (GitHub Pages, Cloudflare, Webflow) to deliver the site and detect abuse.
  • Analytics — majaco.co uses Google Analytics 4, loaded only if you accept the cookie banner. majiai.co and all client portals do not use analytics.
  • Authentication metadata for client portals — the email address you sign in with and the timestamp of each access. Recorded by Cloudflare Access to enforce the allowlist.

When you contact us

  • Your name, email, company, role, phone (if given), and the content of your message.

When you become a client contact

  • Business name, job title, email, phone, company, and any notes from meetings or calls relevant to the engagement.

When you apply for a role or work with us

  • CV, references, contact details, right-to-work documents where relevant, and records of work performed.

4. Why we use it and our lawful basis

| Purpose | Data | Lawful basis (UK GDPR Art. 6) |
|---|---|---|
| Responding to enquiries | Contact-form submissions, emails | Legitimate interests — running the business |
| Managing the sales pipeline | Prospective client contacts | Legitimate interests |
| Delivering client engagements | Client contact records, project data | Contract performance |
| Invoicing and tax records | Contact records, order records | Legal obligation (HMRC, Companies Act) |
| Marketing emails (newsletter, updates) | Contact details, preferences | Consent (opt-in) |
| Analytics on majaco.co | Anonymised usage metrics | Consent (cookie banner) |
| Enforcing portal access | Cloudflare Access sign-in logs | Legitimate interests — protecting confidential client information |
| Recruitment | CVs, references | Legitimate interests; contract; consent where sensitive data is involved |

5. Who we share your data with

We use the following processors to run the business. Each is under a written data processing agreement (or equivalent contract terms) that requires them to protect your data and only act on our instructions.

| Processor | What they do for us | Location |
|---|---|---|
| Microsoft (Microsoft 365 — Outlook, Teams, SharePoint, OneDrive) | Email, messaging, document storage and collaboration | UK / EU |
| Microsoft (GitHub) | Source-code hosting; GitHub Pages for majiai.co and client subdomains | US (UK-US Data Bridge) |
| Cloudflare | DNS, CDN, and Zero Trust access control for client portals | Global edge network; primary EU / UK |
| Notion Labs | Knowledge base, internal documentation, CRM records | US (UK-US Data Bridge) |
| Google (Workspace, Fonts, Sheets, Analytics) | Web fonts, one client back-end (Google Sheets via a service account), optional analytics on majaco.co | UK / EU; some US (UK-US Data Bridge) |
| Webflow | Hosting for majaco.co corporate site | US (Standard Contractual Clauses) |
| Railway | Managed PostgreSQL database supporting one client engagement | US (Standard Contractual Clauses) |
| Finsweet | Cookie-consent banner on majaco.co | US (Standard Contractual Clauses) |

We do not sell your personal data. We do not share it with third parties for their own purposes except where required by law (for example, responding to a lawful request from HMRC or law enforcement).

6. International transfers

Several of our processors are based in the United States. Where personal data is transferred outside the UK, we rely on one of the following mechanisms approved under UK GDPR:

  • The UK Extension to the EU–US Data Privacy Framework (the "UK-US Data Bridge"), where the receiving organisation is certified; or
  • UK International Data Transfer Agreements, or EU Standard Contractual Clauses with the UK Addendum; or
  • Limited derogations permitted under UK GDPR Article 49 (for example, where the transfer is necessary to perform a contract you have asked us to enter into).

You can ask us for a copy of the safeguards in place for any specific transfer by emailing makeitpossible@majaco.co.

7. How long we keep your data

| Category | Retention period |
|---|---|
| Contact-form enquiries (where no engagement follows) | 2 years from last contact, then deleted |
| Newsletter subscribers | Until you unsubscribe |
| Client contact records, proposals, Letters of Agreement, invoices, and supporting records | 6 years from the end of the engagement (UK Limitation Act and HMRC requirements) |
| Website server logs | As per the hosting provider's default (typically 30–90 days) |
| Analytics data (majaco.co) | Google Analytics 4 default retention — currently 2 months for user-level data, with aggregated reporting retained longer |
| Cloudflare Access sign-in logs | As per Cloudflare's retention — currently 6 months |
| Personal data processed on behalf of clients | As agreed with the client in the relevant data processing agreement — typically for the duration of the engagement plus a short handover period |
| Unsuccessful job applications | 12 months from the end of the recruitment process, then deleted |

8. Your rights under UK GDPR

You have the right to:

  • Access the personal data we hold about you
  • Rectification — correct inaccurate data
  • Erasure — ask us to delete your data, subject to legal retention requirements
  • Restrict processing while a dispute is resolved
  • Portability — receive a machine-readable copy of data you gave us
  • Object to processing based on legitimate interests
  • Withdraw consent where consent is the lawful basis
  • Not be subject to automated decision-making that has a legal or similarly significant effect. majaco does not make such decisions.
  • Complain to the Information Commissioner's Office at ico.org.uk/concerns if you are unhappy with how we have handled your data

To exercise any of these rights, email makeitpossible@majaco.co. We will respond within one calendar month; if a request is particularly complex we may extend this by up to two further months and will tell you why.

9. Cookies and similar technologies

| Site | Technology | Purpose | Consent required? |
|---|---|---|---|
| majiai.co (marketing, public tools) | None | | |
| majiai.co client portals (ipl, nineten, pukka, majaco subfolders) | maji_client_auth in browser localStorage | Remembers you have entered the portal password so you don't re-enter it on every page | No (strictly necessary) |
| Client-portal subdomains (wbv, hitchcox, becketts, redzone) | Cloudflare Access CF_AppSession cookie | Enforces authenticated sign-in | No (strictly necessary) |
| majaco.co | Finsweet consent preference cookie; Google Analytics 4 (_ga, _ga_*) if consented; Webflow session cookie | Cookie-consent management; opt-in analytics; session handling | Yes for analytics (opt-in via the banner) |

You can change your cookie preferences on majaco.co at any time via the cookie settings link in the footer. Most browsers also let you block or delete cookies in their settings.

10. How we protect your data

  • All sites are served over HTTPS with modern TLS.
  • Client portals are gated by Cloudflare Zero Trust Access with per-domain allowlists.
  • Production credentials (API keys, service-account keys, database passwords) are stored as secrets in the relevant platform (GitHub Actions, Cloudflare Workers, local-machine secure storage) and are never committed to source control.
  • Access to majaco's own systems (Microsoft 365, Notion, GitHub, Cloudflare) is restricted to named team members and protected by multi-factor authentication.
  • We review access quarterly and revoke accounts as people leave.

If we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the ICO within 72 hours and, where the risk is high, notify you directly without undue delay.

11. ICO registration

Maillot Jaune Consulting Ltd (trading as majaco) is registered with the Information Commissioner's Office as a data controller under registration reference ZC132526. You can verify this on the ICO's public register at ico.org.uk/ESDWebPages/Search.

12. Changes to this policy

We may update this policy from time to time. The date below shows when it was last revised. Material changes will be announced through our usual communication channels.

Last updated: 27 April 2026