Policy Last Updated 07 Feb. 21
It’s Design understands your concerns over the privacy of Personal Data you may provide to us as part of our day to day dealings with you. We will only collect and use information in ways that are useful to you and in a manner consistent with your rights and our obligations under the law.
This policy provides you with information about what types of information are collected, retention periods and other elements to comply with the EU Wide - General Data Protection Regulation and the UK’s Data Protection Bill 2018.
If you are dissatisfied with this response you may request that your complaint be escalated, in which case it will be escalated to Imogen Sandbach who will review your complaint and the initial response and provide a further response within 28 days of your request to escalate the matter.
If we are unable to resolve your complaint, you may make a complaint to the Information Commissioner’s Office (if based in the UK, otherwise to your local Supervisory Body). Please see for more information.
Who we are
Imogen Sandbach - Founder of It's Design
The following terms are used or referred to in this privacy notice – as such it helps to be familiar with these core terms (amended version based on GDPR – Article 4): -
‘Data Subject’ – The individual about who the data is held (you, or your employees in the case of a Company who have asked us to provide services on their behalf)
‘Data Controller’ – company/individual that determines the purposes and means of the processing of personal data (typically this refers to us when we market to you, and your employer when they provide personal details about you)
‘Data Processor’ – Company/Individual which processes personal data on behalf of the controller. This is typically a company that provides services to your employer e.g. IT company.
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes signifies agreement to the processing of personal data relating to him or her. This is typically used by us to provide marketing services to you.
How and Where we store your data
We only keep your data for as long as we need to in order to use it as described in this policy, typically per statutory requirements/ and or as long as you are an active client.
Data security is of great importance to Us, and to protect your data, We have put in place suitable physical, electronic and organisational procedures to safeguard and secure data your personal data as detailed in our IT Security Policy.
Some of your data may be stored outside of the EU in the case of information within emails transiting, or at rest on Google’s Gmail mail servers. Google has confirmed that their operations take place within the EU-US Privacy Shield Framework. ()
Data security is of great importance to Us, and to protect your data, We have put in place suitable physical, electronic and organisational procedures to safeguard and secure data your personal data.
Some examples of steps we have taken to secure your data include (but are not limited to) :-
• Ongoing cloud based backup
• Physical access control. Studio access limited to approved personnel.
• Secure destruction of worksheets containing PII.
Data Retention Policy
We only keep your data for as long as we need to in order to use it, and/or for as long as we have your permission to keep it. In any event, We will conduct an annual review to ascertain whether we need to keep your data. Your data will be deleted if we no longer need it in accordance with the terms of our Data Retention Policy.
Some of your personal data will need to be kept to meet either contractual or legal requirements – please contact us if you have any detailed queries.
Personal Data and Retention Period:
Direct Client Name, Address & Contact Details - 5 Years
Company Financial records which may include client/supplier invoicing transactions - 6 Years + Current Tax Year
User/Site Name, Address & Contact Details supplied by 3rd parties - 2 Years
Name & Contact details acquired in the normal course of business. Suppliers, trade contacts, business networking contacts etc. - Whilst Active. Otherwise 2 Years. Requires re-consent if relying on ‘Consent’ as Lawful Basis.
Client Contact Details - 6 Years
Client Payment Details - 1 Year
The information we collect and the reasons why
Personal Data is anything which identifies you as an individual, either on its own or by reference to other information. If you are engaging with us to provide services, this also applies to any information you share with us. In some cases, the collection of data may be a statutory or contractual requirement, and we will be limited in the products and services We can provide you without your consent for Us to be able to use such data. We collect information from you in order to be able to supply you with brand identity design services. Where the data is generic business contact information then we may – with subsequent consent – seek to use that data for ongoing marketing and informational contact.
We have a website which also collects details about you including your IP address and we may also use a technical feature called a cookie to record your visits.
We will only use your personal data for providing and managing access to our website and if appropriate tailoring your experience whilst visiting.
What Cookies Do We Use and What For?
Our Site uses analytics services provided by Google. Website analytics refers to a set of tools used to collect and analyse usage statistics, enabling Us to better understand how people use Our Site. This, in turn, enables Us to improve Our Site and the services offered through it. You do not have to allow Us to use these Cookies, as detailed below, however whilst Our use of them does not pose any risk to your privacy or your safe use of Our Site, it does enable Us to continually improve Our Site, making it a better and more useful experience for you.
The analytics service(s) used by Our Site use(s) the following Cookies:
Google Cookies: __utma, __utmb, __utmc, __utmt, __utmv, __utmz
You may opt out of Google Cookies globally at
Other First Party Cookies:
You can choose to enable or disable Cookies in your internet browser. Most internet browsers also enable you to choose whether you wish to disable all cookies or only third party cookies. By default, most internet browsers accept Cookies but this can be changed. For further details, please consult the help menu in your internet browser or the documentation that came with your device.
You can choose to delete Cookies at any time however you may lose any information that enables you to access Our Site more quickly and efficiently including, but not limited to, login and personalisation settings.
It is recommended that you keep your internet browser and operating system up-to-date and that you consult the help and guidance provided by the developer of your internet browser and manufacturer of your computer or device if you are unsure about adjusting your privacy settings.
We will market to existing customers where the information/notification is related to existing services only.
For sales related marketing activities - we will require consent and for you to take an affirmative action, furthermore you will have the option to opt-out (unsubscribe at any point). As per your rights – you may also object to direct marketing and we will cease all related activities (unless they impact our ability to deliver our contracted services to you – if you are an existing customer).
We will also market to you in relation to services and products we offer, where we have a commercial agreement/contract with you.
Data Processing where we are the Data Processor
We process the following personal data where the documented purposes of processing are to provide brand identity design services under the lawful basis of performance of contract: -
Name & contact details of the client to maintain contact throughout project. This is provided by our client.
Data Processing where we are the Data Controller
Lawful Basis - Any personal data that is collected/processed must be processed in a lawful manner, this section informs you of the basis we have selected.
There are two types of personal data, standard data like names/addresses etc, as well as special categories of data which includes medical/biometric etc – to process this type of data we would need to meet an additional legal basis.
We process the following personal data where the lawful basis is Consent where the documented purposes of processing are to provide ongoing newsletter style contact : -
Name & email address
We process the following personal data where the lawful basis is Performance of a Contract where the documented purposes of processing are to provide pre-sales enquiry/quote support or to carry out contracted works : -
Name & business contact information
Data Sharing (where we are the Data Controller)
In certain circumstances We may be legally required to share certain data held by Us, which may include your personal information, for example, where We are involved in legal proceedings, where We are complying with the requirements of legislation, a court order, or a governmental authority. We do not require any further consent from you in order to share your data in such circumstances and will comply as required with any legally binding request that is made of Us.
We may contract with third parties to supply products and/or services to you on Our behalf. These may include payment processing, delivery of goods, services or communications. In some cases, the third parties may require access to some or all of your data. Where any of your data is required for such a purpose, we will take all reasonable steps to ensure that your data will be handled safely, securely, and in accordance with your rights, Our obligations, and the obligations of the third party under the law.
We will only share data with the third parties listed below and it is to enable us to provide our services to you (performance of contract), conduct normal business operations and in some circumstances to enable ongoing general communications (by consent)
Email Hosting provided by Google. Data may be stored in encrypted form outside of the EU under the EU-US Privacy Shield Framework.
Website Hosting (data limited to contact form email use) provided by Wix.
If we decide to change the services under our control & influence which process personal data we will request authorisation in advance and undertake a DPIA if appropriate.
What Happens If Our Business Changes Hands?
In the event that any of your data is to be transferred in such a manner, you will be contacted in advance and informed of the changes.
As an individual you have rights associated with your data :-
Right of access by the data subject. You (the data subject) shall have the right to obtain from the controllerconfirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and related information.
Right to Rectification – from the controller without undue delay the rectification of inaccurate personal data concerning him or here
Right to Erasure – the right to obtain from the controller the erasure of personal data concerning him or her without undue delay – subject to suitable grounds.
Right to Restriction of Processing– the right to obtain from the controller restriction of processing where certain rules apply
Right to notify any recipients – where share data with in relation to the Articles 16,17 and 18 above.
Right to data portability – to receive personal data concerning him/her which they have provided to a controller
Right to Object – on grounds relating to his/her situation
where the lawful basis is legitimate interests.
applies to direct marketing purposes.