Privacy Policy

Effective date: 9 October 2025
Website: https://www.whiterosedigital.uk
Controller: White Rose Digital ("we", "us", "our"). (If you are a limited company, replace with the full legal name and company number.)
Registered office / trading address: Office 1, Izabella House 24-26 Regent Place, City Centre, Birmingham, B1 3NJ
Contact for privacy matters: support@whiterosedigital.uk

This Privacy Policy explains how we collect, use, disclose and protect personal data when you visit our website, contact us, or use our services. It is written to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as well as the Privacy and Electronic Communications Regulations (PECR) for cookies and electronic marketing.

1. Who we are and scope of this Policy

We are a UK‑based digital consultancy specialising in web services, conversion rate optimisation (CRO), search engine marketing (SEM), and design. This Policy applies to:

• visitors to whiterosedigital.uk and associated subdomains;
• prospective, current and past clients and their representatives;
• suppliers and partners;
• individuals who communicate with us by email, phone or via our contact forms; and
• candidates who apply for roles with us.

We act as controller for personal data we collect and determine the purposes and means of processing. In some engagements we may act as a processor for certain client‑provided data (e.g., analytics implementations). Where we act as processor, we process only on the client’s documented instructions under a separate data processing agreement.

2. Personal data we collect

The personal data we collect depends on the relationship and interactions you have with us. We may collect the following categories:

A. Identity and contact data
Name, job title, company, business email, business phone, postal address.

B. Communications and enquiry data
Messages you send via forms or email, meeting notes, proposals, statements of work and feedback.

C. Commercial and transactional data
Engagement history, services purchased, invoices, payments (amount, timing, last four digits where relevant—we do not store full card numbers), contract terms.

D. Marketing preferences
Subscription status, opt‑in/out choices, interaction with our campaigns and events.

E. Technical and usage data
IP address, device identifiers, browser type and settings, operating system, pages viewed, time on page, referring URLs, clickstream data, approximate geolocation, and performance metrics captured via cookies and similar technologies. See Cookie Policy.

F. Recruitment data (when applicable)
CVs, portfolios, references, interview notes, right‑to‑work information.

Sources may include: directly from you; your employer/colleagues; publicly available sources (e.g., LinkedIn, Companies House); referral partners; analytics and advertising platforms; payment and invoicing providers; anti‑spam/anti‑abuse tools.

3. Purposes and lawful bases

We process personal data only where a lawful basis applies under UK GDPR. Below are our primary purposes and bases:

• Responding to enquiries; providing proposals and statements of work — lawful basis: Legitimate interests (to operate our consultancy and respond to requests), or Contract where you ask us to take pre‑contract steps.
• Performing our services, project management, onboarding, and client communications — lawful basis: Contract.
• Invoicing, accounting, tax and regulatory compliance — lawful basis: Legal obligation.
• Operating and securing our website (diagnostics, fraud/spam prevention, security logging) — lawful basis: Legitimate interests.
• Analytics and performance measurement (e.g., GA4 or similar) — lawful basis: Consent for non‑essential cookies under PECR.
• Advertising/remarketing and measurement — lawful basis: Consent for non‑essential cookies under PECR.
• Direct B2B marketing by email to corporate subscribers — lawful basis: Legitimate interests under PECR with an opt‑out provided.
• Managing events, webinars and downloads (e.g., gated content) — lawful basis: Consent where required, or Legitimate interests.
• Recruitment and hiring — lawful basis: Legitimate interests and Contract (pre‑contractual steps).
• Asserting or defending legal claims — lawful basis: Legitimate interests.

Legitimate interests test: When we rely on legitimate interests, we balance our interests with your rights and freedoms and implement safeguards (e.g., opt‑out mechanisms, data minimisation, security measures).

4. Cookies and similar technologies

We use cookies, pixels and local storage to operate the site, understand usage, and (where enabled) support advertising. Non‑essential cookies are used only with your consent via our cookie banner/preferences tool. Details of each cookie category, purpose and lifetime are provided in our Cookie Policy and/or cookie preference centre. You can change your preferences at any time.

5. How we share personal data

We share personal data with carefully selected recipients where necessary and appropriate:

Service providers / processors — hosting and infrastructure, website security and performance (e.g., CDN), analytics, advertising technology platforms, email and CRM systems, document signing, accounting/invoicing, payment processors, and professional advisers (legal, tax, insurance). These providers process data under contracts that require confidentiality and appropriate security, and they only act on our instructions.

Partners and referrals — with your knowledge/consent where we introduce you to a partner or receive a referral related to your enquiry.

Authorities and legal — where required to comply with law or enforce our rights (e.g., fraud prevention, court orders).

Business transfers — if we undergo a reorganisation, merger or sale, your data may transfer to the new owner subject to this Policy.

We do not sell your personal data.

6. International data transfers

Some recipients may be located outside the UK/EEA. Where we transfer personal data internationally, we ensure an appropriate transfer mechanism is in place, such as:

• a UK adequacy regulation for the destination; or
• the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), plus any required technical/organisational measures.

You can contact us for details of the specific safeguards for your data.

7. Data retention

We keep personal data only for as long as necessary for the purposes set out above, including to meet legal, accounting, or reporting requirements. Typical retention periods are:

• Enquiries and correspondence: 24 months from last activity.
• Client/project files and contracts: 7 years from project end for legal/accounting purposes.
• Invoices and financial records: 7 years from the end of the financial year.
• Marketing lists: until you unsubscribe or after a reasonable period of inactivity.
• Recruitment data: generally 12 months from decision unless you consent to a longer talent‑pool retention.
• Cookie data: per the lifetimes shown in the Cookie Policy.

We may retain information for longer where necessary to establish, exercise or defend legal claims.

8. Security

We use appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), access controls, least‑privilege permissions, logging and monitoring, vendor due diligence, and regular backups. No method of transmission over the internet is entirely secure; we cannot guarantee absolute security.

9. Your rights

Under UK data protection law you have the right to:

• Access your personal data and receive a copy;
• Rectify inaccurate or incomplete data;
• Erase data in certain circumstances ("right to be forgotten");
• Restrict processing in certain circumstances;
• Object to processing based on legitimate interests and to direct marketing at any time;
• Data portability for data you provided to us where processing is based on consent or contract and carried out by automated means;
• Withdraw consent at any time, where processing is based on consent.

To exercise your rights, email support@whiterosedigital.uk. We may request proof of identity and will respond within one month where possible.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): www.ico.org.uk. We would appreciate the chance to address your concerns first.

10. Children

Our services and website are directed at business users and are not intended for children under 13. We do not knowingly collect children’s personal data.

11. Automated decision‑making

We do not carry out decisions based solely on automated processing that produce legal or similarly significant effects about you. If this changes, we will notify you and explain the logic and consequences, and your rights.

12. Third‑party links and services

Our website may include links to third‑party sites, plug‑ins and applications. Clicking those links may allow third parties to collect data about you. We are not responsible for their privacy practices; please review their policies.

13. Acting as a processor for clients

For certain services (e.g., analytics configuration, A/B testing, CRO instrumentation) we may process personal data on behalf of our clients. In those cases, the client is the controller and we act as processor under a written agreement that sets out subject‑matter, duration, nature and purpose of processing, types of personal data and categories of data subjects, and includes obligations required by Article 28 UK GDPR (confidentiality, security, sub‑processors, assistance with rights requests, audit, deletion/return on termination).

14. Sub‑processors (illustrative)

Depending on your engagement and our current tooling, typical sub‑processors may include:

• Hosting/CDN & security (e.g., Cloudflare, UK/EU hosting providers)
• Analytics (e.g., Google Analytics/GA4; privacy settings configured per client)
• Email & CRM (e.g., Microsoft 365, HubSpot, Mailchimp)
• Project management & collaboration (e.g., Atlassian, Notion, Slack)
• Accounting & billing (e.g., Xero, Stripe/GoCardless)

We will provide a current list of sub‑processors for client processing upon request and notify clients of material changes where required by contract.

15. Changes to this Policy

We may update this Privacy Policy from time to time. When we make material changes, we will post the updated version on this page with a new effective date and, where appropriate, notify you by email or via the website.

16. Contact us

Questions or requests regarding this Policy or our data practices:
Email: support@whiterosedigital.uk
Post: Office 1, Izabella House 24-26 Regent Place, City Centre, Birmingham, B1 3NJ

‍