Privacy

Privacy Policy

This page explains how personal data is collected, used, stored, shared, and protected on this website and during client communication and service delivery.

Last updated: [DATE] | GDPR Art. 13 & 14 compliant | Version 1.0

Data Controller

For the purposes of Regulation (EU) 2016/679 (GDPR), the data controller responsible for processing your personal data is:

[YOUR AGENCY NAME]
[Full registered address]
VAT: [EU VAT number]
Email: [privacy@youragency.com]
[Data Protection Officer (if applicable): [dpo@youragency.com]]

We are committed to protecting your personal data and to processing it fairly, lawfully, and transparently.

Data We Collect

Data You Provide Directly

  • Identity data: first name, last name, job title, company name.
  • Contact data: email address, phone number, postal address.
  • Contract and billing data: billing address, VAT number, bank details for invoicing only.
  • Communication data: content of emails, messages, and meeting notes exchanged with us.
  • Social media credentials: login access, page roles, and ad account access only where we manage your profiles.

Data Collected Automatically

  • Technical data: IP address, browser type and version, operating system, device type.
  • Usage data: pages visited, time spent, referral source, and clicks.
  • Cookie data: see our Cookie Policy for full details.

Data from Third Parties

  • Social media platform data such as Meta, TikTok, and LinkedIn when we manage your accounts.
  • Analytics data from advertising platforms such as Google Ads and Meta Ads Manager.
  • Business information from public registers or LinkedIn solely for prospecting purposes.

We never collect special categories of personal data such as health, religion, ethnicity, political opinions, or biometric data unless you explicitly provide this in communications. In that case, we treat it with heightened protection.

Legal Basis for Processing

The legal basis depends on the specific processing activity.

Where we rely on legitimate interests, we have assessed that those interests are not overridden by your rights and freedoms. You may request our legitimate interests assessment by contacting us.

| Processing Activity | Legal Basis (GDPR Art. 6) |
|---|---|
| Delivering contracted services and managing projects | Art. 6(1)(b) — Contract performance |
| Invoicing, accounting, and tax compliance | Art. 6(1)(c) — Legal obligation |
| Sending marketing emails to existing clients | Art. 6(1)(f) — Legitimate interests |
| Fraud prevention, security, and portfolio display | Art. 6(1)(f) — Legitimate interests |
| Marketing emails to prospects and non-essential cookies | Art. 6(1)(a) — Consent |
| Analytics and website improvement | Art. 6(1)(a) — Consent (cookie) or Art. 6(1)(f) |

Purposes of Processing

We use your personal data for the following purposes.

  • To provide and manage our social media and web design services.
  • To communicate with you about your project, proposals, and invoices.
  • To fulfil our accounting and legal obligations.
  • To send service updates, newsletters, and relevant marketing where consent is required.
  • To improve our website and services through analytics.
  • To protect against fraud and ensure security.
  • To display completed work in our portfolio with consent or under legitimate interests.

We will not use your data for any purpose incompatible with those listed above without prior notice and, where required, consent.

Data Sharing & International Transfers

Sub-Processors

We share data with trusted sub-processors under GDPR-compliant Data Processing Agreements (DPAs). These may include:

  • Cloud and hosting providers such as OVH, Hetzner, or AWS Europe.
  • Project management tools such as Notion, Trello, or Asana.
  • Communication tools such as Google Workspace or Slack.
  • Accounting software such as Pennylane or QuickBooks.
  • Payment processors such as Stripe.
  • Social media platforms such as Meta, TikTok, LinkedIn, and Google as required to manage client accounts.

Legal Disclosures

We may disclose your data to competent legal or regulatory authorities when required by applicable law or court order.

International Transfers

Some of our sub-processors may process data outside the EEA, for example in the USA. Where this occurs, we ensure appropriate safeguards under GDPR Chapter V.

  • European Commission adequacy decisions under Art. 45.
  • Standard Contractual Clauses (SCCs) under Art. 46.
  • Binding Corporate Rules where applicable.

We do not sell your personal data to third parties.

Data Retention

Personal data is retained only for as long as necessary for the relevant purpose and then securely deleted or anonymised.

| Data Category | Retention Period | Reason |
|---|---|---|
| Client contract and billing data | 10 years after contract end | Accounting and legal obligation |
| Prospect or inquiry data | 3 years from last contact | Legitimate interests |
| Marketing consent records | Until consent withdrawn + 3 years | Legal proof of consent |
| Website analytics data | 13 months maximum | CNIL / EDPB guidelines |
| Social media credentials | Deleted within 30 days of contract end | Data minimisation |
| Email communications | 5 years from project end | Dispute resolution |

Your GDPR Rights

Under the GDPR, you have the following rights regarding your personal data.

  • Art. 15, Access: Obtain a copy of your personal data we hold.
  • Art. 16, Rectification: Correct inaccurate or incomplete data.
  • Art. 17, Erasure: Request deletion where applicable.
  • Art. 18, Restriction: Restrict processing in certain circumstances.
  • Art. 20, Portability: Receive your data in a structured, machine-readable format.
  • Art. 21, Object: Object to processing based on legitimate interests or direct marketing.
  • Art. 7(3), Withdraw Consent: Withdraw consent at any time without affecting prior lawful processing.
  • Art. 77, Complain: Lodge a complaint with your national supervisory authority.

To exercise your rights, contact [privacy@youragency.com]. We will respond within 30 calendar days. We may request identity verification before processing your request.

Supervisory Authorities

You may also lodge a complaint with your national data protection authority.

Data Security

We implement appropriate technical and organisational measures to protect your personal data against accidental loss, destruction, alteration, unauthorised disclosure, or access, in accordance with GDPR Art. 32.

  • HTTPS encryption for all data transmitted via our website.
  • Access controls and role-based permissions for internal systems.
  • Regular security reviews and staff training.
  • Two-factor authentication on platforms holding client data.
  • Secure deletion procedures at the end of retention periods.

In the event of a data breach likely to result in high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Art. 34.

Children's Privacy

Our services are not directed at children under the age of 16, or the relevant age of digital consent in your member state.

We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at [privacy@youragency.com] and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

We will notify you of material changes by email or by prominently posting a notice on our website at least 30 days before the change takes effect.

The date at the top of this page indicates when the policy was last revised. We encourage you to review this policy periodically.

Contact & Complaints

For any privacy-related questions, requests, or complaints, please use the contact details below.

Privacy & GDPR: [privacy@youragency.com]
Data Protection Officer: [dpo@youragency.com] (if applicable)
Post: [YOUR AGENCY NAME], [Full address], Attn: Privacy Team
Response time: Within 30 calendar days (GDPR deadline)

Before publishing, replace all placeholders such as [DATE], company name, address, VAT number, privacy email, and DPO details. Also verify that the listed tools, processors, retention periods, and legal bases match the services actually used by the live business.