Legal

Privacy Policy

Effective 28 March 2026 · Last updated 28 March 2026

Privacy PolicyTerms of Service Licence Agreement

This privacy policy explains how Halbon Labs Ltd (Company No. 16608971), trading as Template Empire, collects, uses, stores, and protects your personal data when you use our website at templateempire.io and purchase our products.

We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

1. Data Controller

The data controller responsible for your personal data is:

Halbon Labs Ltd

71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

Company No. 16608971 · Registered in England & Wales

ICO Registration: ZB957293

Email: support@templateempire.io

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and authentication credentials. Account authentication and session management are handled by Supabase Auth, which stores password hashes (never plaintext) and issues HTTP-only session cookies scoped to templateempire.io.

2.2 Payment Information

When you make a purchase, payment processing is handled entirely by Stripe. We do not store your full card number, CVV, or bank details on our servers. We receive from Stripe a transaction reference, the last four digits of your card, and billing address details necessary to fulfil your order and comply with tax obligations.

2.3 Usage Data

We automatically collect certain information when you visit our website, including:

Pages visited and time spent on each page
Browser type, operating system, and device category
Referring website or source
Country-level location (derived from IP address, not stored at city level)
Interactions with site features (e.g. filters used, templates viewed)

This data is collected via Vercel Analytics and Plausible Analytics — both privacy-friendly, cookieless analytics services that do not track users across websites. Plausible (operated by Plausible Insights OÜ in Estonia) never stores raw IP addresses; instead it derives an anonymous one-way hash using a salt that rotates every 24 hours, after which the hash can no longer be tied back to the originating IP. No persistent identifiers are stored on your device.

2.4 Communications

If you contact us via email or a support form, we retain the content of your message, your email address, and any attachments to resolve your enquiry.

3. How We Use Your Information

We use your personal data for the following purposes:

Fulfil orders — process purchases, deliver licence keys, and provide download access
Manage your account — authenticate you, display purchase history, and manage licence keys
Customer support — respond to enquiries and resolve technical issues
Improve our products — analyse usage patterns to improve templates, the website, and user experience
Legal compliance — comply with tax, accounting, and regulatory obligations
Security — detect and prevent fraud, abuse, and unauthorised access

We do not sell your personal data. We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

4. Legal Bases for Processing

Under Article 6 of the UK GDPR, we process your personal data on the following legal bases:

Purpose	Legal Basis
Processing purchases and delivering digital content	Performance of a contract (Art. 6(1)(b))
Account creation and management	Performance of a contract (Art. 6(1)(b))
Tax records and financial reporting	Legal obligation (Art. 6(1)(c))
Website analytics and product improvement	Legitimate interest (Art. 6(1)(f))
Fraud prevention and security	Legitimate interest (Art. 6(1)(f))
Marketing emails (if opted in)	Consent (Art. 6(1)(a))

Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms.

We share your personal data only with trusted third-party processors who act on our instructions under data processing agreements compliant with Article 28 UK GDPR:

Processor	Purpose	Data Shared
Stripe	Payment processing	Name, email, billing address, payment details
Supabase	Authentication, database hosting, file storage	Name, email, password hash, order history, licence keys
Vercel	Website hosting & analytics	Usage data, IP address (anonymised, no cookies)
Plausible Insights OÜ (Estonia)	Privacy-friendly, cookieless website analytics	Aggregated page-view data, browser, OS, and country. Raw IP never stored — only a one-way hash whose salt rotates every 24 hours.
Microsoft Clarity	Session replay & heatmaps (loaded only after you Accept on the cookie banner)	Anonymised interaction events, viewport size, scroll behaviour
Google Fonts	Font delivery	IP address (via browser request)

We do not share your personal data with any other third parties except where required by law (e.g. in response to a lawful court order or regulatory request).

6. International Transfers

Some of our third-party processors are based in the United States. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:

The UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses
The processor's participation in recognised certification frameworks
Binding corporate rules where applicable

You may request a copy of the relevant transfer safeguards by contacting us at the address above.

7. Data Retention

We retain your personal data only for as long as necessary:

Data Category	Retention Period	Basis
Account information	Duration of account + 2 years after deletion	Contract
Transaction records	7 years from transaction date	HMRC requirements
Licence keys	Indefinite (tied to purchase)	Contract
Support correspondence	2 years from resolution	Legitimate interest
Analytics data	12 months (anonymised)	Legitimate interest

After the retention period, personal data is securely deleted or anonymised so it can no longer be associated with you.

8. Your Rights

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

Right of access (Art. 15) — obtain a copy of the personal data we hold about you
Right to rectification (Art. 16) — correct inaccurate or incomplete data
Right to erasure (Art. 17) — request deletion of your data where there is no compelling reason for continued processing
Right to restrict processing (Art. 18) — limit how we use your data in certain circumstances
Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
Right to object (Art. 21) — object to processing based on legitimate interest, including direct marketing
Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing

To exercise any of these rights, email support@templateempire.io. We will respond within one calendar month of receiving your request, as required by Article 12(3) UK GDPR. We may extend this by a further two months for complex requests, but will inform you within the first month.

We will not charge a fee for exercising your rights unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

9. Cookies

A cookie is a small text file placed on your device by a website. We use the following categories of cookies:

9.1 Strictly Necessary Cookies

These are essential for the website to function and cannot be disabled. They include the Supabase Auth session cookie (HTTP-only, signed) and our cookie consent state. No consent is required under PECR Regulation 6 for strictly necessary cookies. See our Cookie Policy for the full list with retention periods.

9.2 Analytics Cookies

Vercel Analytics is our primary analytics tool. It is privacy-friendly and does not use cookies for tracking purposes — it collects aggregated, anonymous usage statistics via request-level fingerprinting that does not persist client-side state.

Plausible Analytics is our secondary aggregate analytics tool. It is also fully cookieless and stores no persistent identifier on your device. Plausible never stores the raw IP; visitors are aggregated via a one-way hash derived from IP plus a salt that rotates every 24 hours, after which the hash cannot be correlated with the originating IP. Because no cookies are set, no consent is required and Plausible loads on every page regardless of cookie banner state.

Microsoft Clarity is our session-replay analytics tool. It records anonymised session replays and heatmaps using cookies (_clck and _clsk). Clarity loads only after you click Accept on the cookie banner, and is disabled entirely if your browser sends the Global Privacy Control signal. See our Cookie Policy for retention periods.

9.3 Third-Party Cookies

Third-party services (such as Stripe for payment) may set their own cookies during the checkout process. These are governed by the respective provider's cookie policy. We do not control these cookies.

You can manage cookies through your browser settings. Blocking strictly necessary cookies may prevent parts of the website from functioning correctly.

10. Children's Privacy

Our products are intended for professional software developers and businesses. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child under 16 has provided us with personal data, please contact us and we will promptly delete it.

11. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices or legal requirements. We will post the updated policy on this page with a revised “Last updated” date. For material changes, we will notify you via email or a prominent notice on our website before the changes take effect.

12. Contact & Complaints

If you have any questions about this policy or wish to exercise your data protection rights, contact us at:

Privacy Enquiries

Halbon Labs Ltd