Privacy Policy

Last updated: June 15, 2026

1. Who we are

Refisage.com is an informational and educational content website covering mortgages and home financing for a United Kingdom audience. It is operated by Refisage, the data controller for the purposes of the UK GDPR. For privacy and data protection enquiries, contact us at [email protected].

2. Data we collect

We collect only non-personal data needed to understand site performance and content relevance:

IP address (kept in server logs for a short retention window)
Browser type, operating system, and language
Page visited; referrer classified by category (search, social, direct, internal, external)
Screen resolution, viewport type, and timezone
Browser-level performance metrics (Core Web Vitals)
Aggregated engagement signals: scroll depth, active reading time, article completion, the section that held the most attention, and clicks on links and buttons (we record only the link type, internal/external/affiliate/CTA, and the destination with no personal data, never cursor position or a heatmap)

While browsing the site, we do not collect name, email, phone, address, device fingerprints, or any personally identifiable information; and we do not use persistent cross-session identifiers, with a single exception: the pseudonymous visitor identifier described in section 6, created only if you consent to analytics cookies. The newsletter is suspended: we currently do not collect name, email, or phone through the site (see the section below).

Newsletter sign-up is temporarily unavailable and is not being offered at this time. While it is suspended, we do not collect name, email, or phone through the site, and there is no active sign-up form. If the newsletter is offered again, this policy will be updated beforehand to describe what data would be collected, the lawful basis, and how to unsubscribe. We do not sell your personal data.

Browser notifications (Web Push)

You can choose to receive notifications about new articles directly in your browser. We first show a notice explaining the option; only if you accept does the browser ask for permission (we never trigger the browser permission prompt without your acceptance). When you accept, your browser generates an anonymous technical subscription (an opaque endpoint from the browser’s push service, plus encryption keys) that we keep solely to deliver the notifications. We do not collect or retain any name, email, phone, IP address, or any personal data for the notifications: this subscription does not identify you. You can opt out at any time in your browser’s notification settings, and the subscription stops being used and is removed once the browser invalidates it. Declining the notice has no effect on reading the site.

3. Tracking pixel and telemetry

We load a transparent 1x1 pixel on every article page view. The server records the page view, IP, browser, and referrer in its access log. The pixel path encodes an opaque identifier for the article and its published version, with no reader-level data.

We also send browser performance metrics (Core Web Vitals, JavaScript errors) and aggregated engagement signals to our analytics collector. These are anonymous and used to improve loading speed and editorial quality.

By default this telemetry is anonymous and per-session, with no cookie: the session identifier lives only in the tab’s memory (sessionStorage) and is gone when you close the tab. The use of cookies and a cross-session visitor identifier depends on your consent, as described in section 6.

We honour the Do Not Track (DNT) and Global Privacy Control (GPC) browser signals: when enabled, we suppress optional engagement and context signals, keeping only the aggregated page-view count.

4. Legal basis

The anonymous, per-session telemetry (pixel, Core Web Vitals, aggregated engagement, no cookie) is processed on the basis of our legitimate interests (Article 6(1)(f) UK GDPR) in continuously improving the service, analysing aggregate audience behaviour, and monitoring technical performance, without processing personally identifiable information. Strictly necessary storage on your device is exempt under PECR; any non-essential storage requires your consent.

The cross-session visitor identifier and analytics cookies are based on your consent (Article 6(1)(a) UK GDPR and PECR): they are created only after you enable them in the cookie notice, and you can withdraw at any time.

5. Your rights

Under the UK GDPR and the Data Protection Act 2018, you have the right to:

Be informed about how your personal data is used
Access your personal data
Rectify inaccurate or incomplete data
Request erasure of your data
Restrict or object to processing
Data portability, where applicable

To exercise your rights, email [email protected]. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

6. Cookies and visitor identifier

You control cookies in the consent notice shown on your first visit, and at any time via the Cookie preferences link in the footer.

Necessary (always on): a consent cookie records your consent choice. It is essential and does not track browsing.
Analytics (optional, requires consent): if you enable it, we create a pseudonymous visitor identifier cookie. It stores only a random code (UUID), with no name, email, IP, or any personal data, used to tell new visitors from returning ones and measure retention in aggregate. Lifetime: 90 days. We do not fingerprint your device.
Cloudflare (necessary): our CDN may set strictly necessary security cookies (for example, __cf_bm).

How to withdraw or delete: click Cookie preferences and decline Analytics (this immediately deletes the visitor identifier cookie), or clear cookies in your browser. Data associated with the visitor identifier expires automatically within 90 days. For any erasure request, email [email protected].