knock. Help me pick
no. 01 Small print

Privacy and security

Last updated 26 May 2026.

Plain-English summary of what we collect, who handles it, how long we keep it, and the things we will never do with it. Reviewed quarterly, will be reviewed by a UK solicitor before formal trading.

The short version

  • HTTPS-only with a Let's Encrypt TLS certificate, auto-renewed.
  • Newsletter signup: we hold your email, the page you signed up on, and the date.
  • We don't sell phones, take payments, take card details or ship anything. That happens at the UK retailer you click through to.
  • Site analytics via Google Analytics and Microsoft Clarity, loaded only if you accept the cookie banner. Decline and nothing is set or sent.
  • Transactional email via Resend, EU-hosted, 30-day log retention.
  • We never sell your data. We never share it with marketers. We never use it to train AI.
  • You can ask us to delete everything we hold on you, any time, at hello@knockphone.co.uk. We do it within 30 days.

What we will never do

  • Sell your email address to anyone.
  • Rent the newsletter list to a marketing partner.
  • Use your email or order data to train any AI model.
  • Send you more than one marketing email a fortnight.
  • Sign you up for anything you didn't tick a box for.
  • Use your data for third-party advertising, or sell it to ad networks.
  • Load any analytics or recording tool before you've said yes to the cookie banner.
  • Hand your data to law enforcement without a UK court order.

Who is responsible

Knock (the editorial brand) is the data controller. A UK limited company is being set up; the registration number will be added here when Companies House registration completes. Trading from the UK. The editor day-to-day is reachable at: hello@knockphone.co.uk.

Security at the layer below

  • HTTPS everywhere. Let's Encrypt TLS certificate, issued by certbot, auto-renewed by a scheduled task on our Ionos UK VPS. We force 80 → 443 redirection at the nginx layer.
  • No card data, ever. We don't process payments. When you click a buy button, you leave knockphone.co.uk and complete your purchase at the UK retailer (Amazon UK, Pinwheel UK, Light, Back Market UK or a SIM provider). Your card details never touch our infrastructure.
  • Hashed IPs. Affiliate-click logging stores a salted SHA-256 hash of the visitor IP, not the IP itself. The salt is stored in the server's environment variables and rotated annually.
  • Database access. The Postgres database is only reachable from inside the VPS. Direct SSH access is restricted to our keys. There is no public DB port.
  • Backups. Nightly pg_dump to Backblaze B2, 30-day retention. Encrypted at rest by Backblaze.

Every third-party service we use, named

  • Resend, transactional email. EU-hosted. They see your email address and the content of the welcome email we send you. Log retention 30 days. Privacy policy: resend.com/legal/privacy-policy.
  • Google Analytics 4 (Google), page and event analytics. Loaded only if you accept the cookie banner. Sets cookies and measures pages viewed, referrers, country, device and browser. Google processes this internationally under its standard contractual clauses. Decline, and it never loads. Change your mind any time via cookies. Privacy policy: policies.google.com/privacy.
  • Microsoft Clarity (Microsoft), session replay and heatmaps. Loaded only if you accept the cookie banner. Sets cookies and records on-page interactions (clicks, scrolls, mouse movement) so we can see where people get stuck. Form fields and text you type are masked by default. Decline, and it never loads. Privacy statement: privacy.microsoft.com.
  • Ionos UK, VPS hosting. The server lives in their UK data centre. They see the server's existence but not the application data. Privacy policy: ionos.co.uk/terms-gtc/terms-privacy.
  • Fonts, self-hosted. Every typeface on Knock (Bricolage Grotesque, Hanken Grotesk, IBM Plex Mono and VT323) is served from our own UK server. Visiting Knock makes no font request to Google or any other third party, so no one sees your IP for a font.
  • Unsplash, placeholder photography. Visiting Knock loads photos from images.unsplash.com. Unsplash sees your IP for that request. Will be replaced with self-hosted commissioned photography in due course.
  • Amazon Associates, only relevant when you click an Amazon UK buy button on /best-simple-phones or a phone review. Amazon then sets its own cookies on the destination retailer page. See Amazon's privacy policy for detail.

That is the list. No data goes anywhere else.

What we collect, in detail

Newsletter sign-up. Your email, optionally your name, the source page (e.g. "footer", "switching-kit"), and the date you consented. Stored in a Postgres database on our UK VPS. Lawful basis: consent (Article 6(1)(a) UK GDPR).

Affiliate clicks. When you click a buy button on /phone, /best-simple-phones or /best-sims, we log the network identifier (e.g. "amazon" or "direct"), the retailer name (e.g. "Amazon UK"), the product slug, the source page, the user-agent string, the timestamp, and a salted SHA-256 hash of your IP. We do not store your raw IP. Click logs are kept for 24 months then aggregated to totals and the row-level data is deleted. Lawful basis: legitimate interest in measuring which recommendations are useful enough to click through.

Site analytics. If you accept the cookie banner, Google Analytics records pages viewed, referrers, country, device and browser, and Microsoft Clarity records on-page interactions (clicks, scrolls, mouse movement, with form inputs masked) so we can see where people get stuck. Both set cookies. If you decline, neither loads and nothing is sent. Lawful basis: consent. You can withdraw it any time on the cookies page.

How long we keep it

  • Newsletter subscriptions: until you unsubscribe.
  • Affiliate-click logs: 24 months, then aggregated and row-level data deleted.
  • Resend transactional email logs: 30 days, then purged by Resend.
  • Google Analytics: we set the shortest data-retention Google offers (currently 14 months) for event-level data; aggregate reports persist. Only collected if you accepted cookies.
  • Microsoft Clarity: per Microsoft's retention for Clarity (recordings expire on their schedule). Only collected if you accepted cookies.
  • VPS access logs: 90 days then rotated out.

Your rights under UK GDPR

You can ask to:

  • See what we hold on you (subject access).
  • Correct anything wrong.
  • Delete everything we hold (right to erasure).
  • Take a copy in a portable format.
  • Object to processing on legitimate-interest grounds.
  • Withdraw consent to the newsletter at any time, with one click in any email.

Email hello@knockphone.co.uk with the request. We respond within 30 days. If you think we have got it wrong, you can complain to the Information Commissioner's Office at ico.org.uk.

Privacy FAQ

Is my information safe with Knock?

The site is HTTPS-only with a Let's Encrypt TLS certificate, auto-renewed. Form submissions go directly to our Node server over TLS. We don't handle payments, take card details or ship anything, all of that happens at the UK retailer you click through to. Newsletter emails are stored in a Postgres database on our Ionos UK VPS, accessible only by us over SSH. We hash IP addresses before storing them.

Do you sell or share my data with marketers?

No. We never sell data, never rent the email list, never share it with marketers, and never give it to any third party other than the operational services listed below (Resend, the affiliate networks when you click a buy button, and the analytics providers Google and Microsoft, but only if you accept the cookie banner).

Do you use cookies?

Only if you say yes. Knock sets no cookies until you accept the cookie banner. If you accept, Google Analytics and Microsoft Clarity set cookies so we can see which pages help and where people get stuck. If you decline, or ignore the banner, no analytics cookies are set and nothing is sent to Google or Microsoft. Either way the site keeps a little localStorage on your device to remember your cookie choice and whether you've dismissed the affiliate-disclosure bar, nothing else. When you click a buy button, the affiliate network may set its own cookies on the destination retailer's site, each network has its own policy.

Where is my data stored?

Newsletter subscriptions live on our Ionos UK VPS in the UK. Transactional email logs at Resend live in Resend's EU infrastructure (purged after 30 days). If you accept the cookie banner, Google Analytics and Microsoft Clarity process data on Google's and Microsoft's own infrastructure, which is international, under their standard contractual clauses. If you decline, no analytics data is sent anywhere. Everything we hold ourselves stays in the UK or EU.

How do I get my data deleted?

Email hello@knockphone.co.uk with the subject "Delete my data" and the email address you signed up with. The editor will confirm by email and complete deletion as soon as possible, and within 30 days as required by UK GDPR. We do not keep a "deleted" record, once gone, it is gone.

Are you GDPR compliant?

Yes. Knock (the editorial brand) is the data controller. A UK limited company is being set up; the registration number will be added here when Companies House registration completes. Lawful bases: consent for the newsletter, legitimate interest for affiliate-click logging (anonymised), and consent for site analytics (the cookie banner, which you can change any time). You have the right to access, rectification, erasure, portability and to object. Complaints go to the ICO at ico.org.uk.

knock.
00:00
Knock