Privacy Policy
Short version: we use Google Analytics 4 to understand how visitors use this site, but only if you've given consent. Without consent, no analytics cookies are set and no personal data is sent to Google. You can change your mind anytime via "Manage cookie preferences" at the bottom of any page. We don't run advertising cookies, we don't sell or share your data, and you can ask us to delete anything we hold on you by emailing hello@pangandchiu.com.
Who we are
This website is operated by Pang and Chiu Company Limited, a private limited company registered in England and Wales. We are the data controller for any personal data described in this policy.
- Company number: 06922982
- VAT number: 972 2985 78
- Registered office: 70 Hutton Grove, London, N12 8DR
- Contact for privacy: hello@pangandchiu.com
What we collect, and why
When you visit this site
This website is hosted on Vercel and serves static HTML. Vercel records standard server logs (IP address, request time, user agent) for security and performance — these logs are retained by Vercel for up to 30 days and are not used by us for marketing or profiling.
If you consent via the cookie banner, we also load Google Analytics 4. GA4 sets two first-party cookies (_ga and _ga_<ID>) and sends events about your visit (pages viewed, time on page, clicks on key buttons, country) to Google. We have configured GA4 with IP truncation enabled and Google Signals disabled, so no cross-site advertising profile is built from your visit. If you do not consent, no GA4 cookies are set and no events are sent — Google still receives an anonymous "denied ping" so they can model aggregate trends, but no individual data leaves your browser.
When you email us
If you email hello@pangandchiu.com or any other Pang and Chiu address, we keep your message in our inbox. We use this to reply to you and to manage any subsequent professional relationship.
Information we may end up holding about you includes: your name, email address, employer or company, the contents of your message, and any information you choose to share with us during a conversation.
When we cold-email you for business development
We sometimes contact decision-makers at UK companies whose business profile suggests we could be useful to them. We rely on the legitimate interests lawful basis under UK GDPR Article 6(1)(f) for B2B outreach. Where we contact you, we will identify ourselves clearly, explain why we're writing, and stop contacting you if you reply asking us to. Our interest in marketing our services is balanced against your reasonable expectations as a senior decision-maker in your role.
Lawful bases we rely on
- Consent (Article 6(1)(a)) — for non-essential cookies (Google Analytics). You can withdraw at any time via "Manage cookie preferences"
- Legitimate interest (Article 6(1)(f)) — for replying to enquiries, B2B cold outreach to decision-makers, and operating this website
- Contract (Article 6(1)(b)) — when you engage us for client work, we process information necessary to deliver that engagement
- Legal obligation (Article 6(1)(c)) — for tax, accounting, and other statutory record-keeping
How long we keep your data
- Email enquiries — retained while in active discussion and for 12 months after last contact, then deleted
- Client engagement records — retained for the duration of the engagement plus 6 years (UK statutory tax/accounting period)
- Server logs — Vercel retention, typically up to 30 days
Cookies
We use two categories of cookies. The first time you visit, a banner asks for your choice. You can change it any time via "Manage cookie preferences" at the bottom of any page.
Essential — always on
- pc_consent_v1 — first-party. Stores your cookie choice (analytics on/off) and the date you made it. 12-month duration. Required for the site to remember your preference; you can't switch this off because it's how we honour the choice you made.
Analytics — only with consent
If you consent, the following cookies are set by Google Analytics 4:
- _ga — first-party (set on .pangandchiu.com). Distinguishes unique visitors. 24-month duration.
- _ga_<ID> — first-party. Maintains the analytics session state. 24-month duration.
No advertising cookies are set. We do not use Google Ads, retargeting, or third-party marketing pixels.
Third parties that process data on our behalf
- Vercel Inc. — website hosting and edge logs (United States, with EU data processing agreements in place)
- Google LLC (Workspace) — email delivery and storage for hello@pangandchiu.com and related addresses
- Google LLC (Analytics 4) — only when you consent via the cookie banner. Receives anonymous events about your visit (pages viewed, key clicks, country, device) with IP truncation enabled. Google's privacy policy applies: policies.google.com/privacy
- Google Fonts — fonts delivered from fonts.googleapis.com when you load the site (your IP address is visible to Google during that request)
- jsDelivr — delivers the WebGL library used for the homepage orb (your IP is visible to jsDelivr's CDN during that request)
We do not sell or rent personal data to third parties.
Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you
- Have it corrected if it's wrong
- Have it deleted ("right to erasure")
- Restrict or object to how we process it
- Receive a copy of it in a portable format
- Withdraw consent at any time, where consent is the lawful basis
To exercise any of these rights, email hello@pangandchiu.com. We will respond within one calendar month.
Complaints
If you're unhappy with how we've handled your data, please email us first so we can put it right. You also have the right to complain to the UK's Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.
Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent version. Material changes will be flagged on the homepage for at least 30 days.