knock The phone we recommend

Small print

Privacy and security

Last updated 26 May 2026.

Plain-English summary of what we collect, who handles it, how long we keep it, and the things we will never do with it. Reviewed quarterly, will be reviewed by a UK solicitor before formal trading.

The short version

  • HTTPS-only with a Let's Encrypt TLS certificate, auto-renewed.
  • Newsletter signup: we hold your email, the page you signed up on, and the date.
  • Orders: we hold name, shipping address, email and Stripe's payment reference. We never see your card.
  • Site analytics via Plausible, cookie-free, IP-anonymised, EU-hosted.
  • Transactional email via Resend, EU-hosted, 30-day log retention.
  • We never sell your data. We never share it with marketers. We never use it to train AI.
  • You can ask us to delete everything we hold on you, any time, at hello@knockphone.co.uk. We do it within 30 days.

What we will never do

  • Sell your email address to anyone.
  • Rent the newsletter list to a marketing partner.
  • Use your email or order data to train any AI model.
  • Send you more than one marketing email a fortnight.
  • Sign you up for anything you didn't tick a box for.
  • Track you across the web with third-party cookies or pixels.
  • Hand your data to law enforcement without a UK court order.

Who is responsible

Knock Ltd is the data controller. Registered in England and Wales. Trading from Sheffield, UK. The team responsible day-to-day is reachable at: hello@knockphone.co.uk.

Security at the layer below

  • HTTPS everywhere. Let's Encrypt TLS certificate, issued by certbot, auto-renewed by a scheduled task on our Ionos UK VPS. We force 80 → 443 redirection at the nginx layer.
  • No card data on our servers. Stripe handles every payment. Card details never reach our infrastructure. We see only a Stripe payment reference and the order amount.
  • Hashed IPs. Affiliate-click logging stores a salted SHA-256 hash of the visitor IP, not the IP itself. The salt is stored in the server's environment variables and rotated annually.
  • Database access. The Postgres database is only reachable from inside the VPS. Direct SSH access is restricted to the Knock team's keys. There is no public DB port.
  • Backups. Nightly pg_dump to Backblaze B2, 30-day retention. Encrypted at rest by Backblaze.

Every third-party service we use, named

  • Resend, transactional email. EU-hosted. They see your email address and the content of the welcome email we send you. Log retention 30 days. Privacy policy: resend.com/legal/privacy-policy.
  • Plausible Analytics, page-view tracking. EU-hosted. Cookie-free. IP-anonymised. We see aggregate page views, referrers, country, browser family. No individual visitor identifiers. Privacy policy: plausible.io/privacy.
  • Stripe, payments. Operates as the merchant of record for the card transaction. PCI-DSS compliant. They see your name, billing address, card details and email. We never see card details. Privacy policy: stripe.com/gb/privacy.
  • Ionos UK, VPS hosting. The server lives in their UK data centre. They see the server's existence but not the application data. Privacy policy: ionos.co.uk/terms-gtc/terms-privacy.
  • Google Fonts, Fraunces and Inter typefaces. Visiting Knock makes a font request to fonts.gstatic.com. Google sees your IP for that request. We are evaluating self-hosting the fonts to remove this.
  • Unsplash, placeholder photography. Visiting Knock loads photos from images.unsplash.com. Unsplash sees your IP for that request. Will be replaced with self-hosted commissioned photography in due course.
  • Affiliate networks (Awin, Amazon, Tradedoubler, Impact, Sovrn, Tapfiliate), only relevant when you click a buy button on /best-simple-phones or a phone review. They then set their own cookies on the destination retailer. Each has its own privacy policy.

That is the entire list. We do not pass your data to anyone else.

What we collect, in detail

Newsletter sign-up. Your email, optionally your name, the source page (e.g. "footer", "switching-kit"), and the date you consented. Stored in a Postgres database on our UK VPS. Lawful basis: consent (Article 6(1)(a) UK GDPR).

Order data. Once we begin trading: your name, shipping address, email, optional phone number for delivery problems, the Knock Phone colour you chose, the Stripe payment reference and amount. Stored for six years per HMRC tax record-keeping requirements. Lawful basis: contract (Article 6(1)(b) UK GDPR).

Affiliate clicks. When you click a buy button on /best-simple-phones, we log the affiliate programme name (e.g. "awin"), the retailer name (e.g. "Argos"), the product slug, the source page, the user-agent string, the timestamp, and a salted SHA-256 hash of your IP. We do not store your raw IP. Click logs are kept for 24 months then aggregated to totals and the row-level data is deleted. Lawful basis: legitimate interest in measuring commercial performance.

Site analytics. Plausible records aggregate page views, referrers, country, browser family, screen-size buckets. No cookies, no IP storage, no individual identifiers. Lawful basis: legitimate interest.

How long we keep it

  • Newsletter subscriptions: until you unsubscribe.
  • Order records: six years (HMRC).
  • Affiliate-click logs: 24 months, then aggregated and row-level data deleted.
  • Resend transactional email logs: 30 days, then purged by Resend.
  • Plausible analytics: indefinitely in aggregate, no individual data.
  • VPS access logs: 90 days then rotated out.

Your rights under UK GDPR

You can ask to:

  • See what we hold on you (subject access).
  • Correct anything wrong.
  • Delete everything we hold (right to erasure).
  • Take a copy in a portable format.
  • Object to processing on legitimate-interest grounds.
  • Withdraw consent to the newsletter at any time, with one click in any email.

Email hello@knockphone.co.uk with the request. We respond within 30 days. If you think we have got it wrong, you can complain to the Information Commissioner's Office at ico.org.uk.

Privacy FAQ

Is my information safe with Knock?

The site is HTTPS-only with a Let's Encrypt TLS certificate, auto-renewed. Form submissions go directly to our Node server over TLS. We do not store payment card details, Stripe handles those entirely. Newsletter emails are stored in a Postgres database on our Ionos UK VPS, accessible only by the Knock team over SSH. We hash IP addresses before storing them.

Do you sell or share my data with marketers?

No. We never sell data, never rent the email list, never share it with marketers, and never give it to any third party other than the operational services listed below (Resend, Plausible, Stripe, the affiliate networks when you click a buy button).

Do you use cookies?

Knock sets no cookies of its own. Plausible Analytics is cookie-free. Stripe sets its own cookies on checkout pages it controls. The site stores a small amount of localStorage on your device to remember whether you have dismissed the affiliate-disclosure bar, and nothing else.

Where is my data stored?

Newsletter subscriptions and order data live on our Ionos UK VPS in the UK. Email logs at Resend live in Resend's EU infrastructure (purged after 30 days). Analytics data lives at Plausible in the EU. No data leaves the EU or UK.

How do I get my data deleted?

Email hello@knockphone.co.uk with the subject "Delete my data" and the email address you signed up with. We confirm within 24 hours and complete deletion within 30 days. We do not keep a "deleted" record, once gone, it is gone.

Are you GDPR compliant?

Yes. Knock Ltd is the data controller. Lawful bases: consent for newsletter, legitimate interest for affiliate-click logging (anonymised), contract for order fulfilment. You have the right to access, rectification, erasure, portability and to object. Complaints go to the ICO at ico.org.uk.