Privacy Policy

We respect your privacy and aim to minimise data collection on our website. This policy explains how we process user data and how we meet the EU General Data Protection Regulations (GDPR).

Who we are

We are Studio 24, a user-focused digital design and technology agency. We are an independent UK Limited company, our company number is 3971500 and our registered address is Allia Future Business Centre Guildhall, Market Square, Cambridge, CB2 3QJ. Simon R Jones, Managing Director, is our nominated Data Protection Officer. If you have any questions about this policy please contact us on [email protected]

What information do we collect from you?

Enquiries

We collect your name, telephone number and email address via our enquiry form. This data is only used to process your enquiry and is kept until your enquiry is completed. We store data on internal systems and use the third-party service Nutshell CRM to store prospective customer data. We collect this data under the “consent” lawful basis.

Newsletter

We collect your email address if you request to sign up to our newsletter. You can unsubscribe at any time using links provided at the bottom of all emails. We collect this data under the “consent” lawful basis.

Customers and suppliers

We store personal data including name, telephone number and email address for all customer and supplier contacts with current contracts with Studio 24. You can request to remove contact details or change details at any time. We collect this data under the “contract” lawful basis.

Analytics

We use Google Analytics to track and analyse web traffic in order for us to improve our website and provide us with essential marketing data (e.g. number of page views to our site in a month). Only anonymous data is stored and we take care to avoid any personal data being sent to Google Analytics. We collect this data under the “legitimate interest” lawful basis.

Website logs

We store the user’s IP address and web browser user agent string as part of our standard website logs, these are kept for 30 days after which time they are deleted. We use these logs for IT security and to ensure the smooth running of our website. We collect this data under the “legitimate interest” lawful basis.

Third parties we share data with

Limited user data is shared with third parties as detailed below. No other user or customer data is shared with third parties.

Google Analytics

We use Google Analytics for analysing website traffic to improve our site. Only anonymous data is stored in Google Analytics. See Google Analytics privacy policy.

MailChimp

We use MailChimp to send marketing emails to users who have opted in. The email address of all subscribers is stored in MailChimp’s systems. See MailChimp’s privacy policy.

Nutshell

We use Nutshell CRM to store customer data. This data is stored in the US using services that are certified to the EU Privacy Shield framework. See Nutshell’s privacy policy and Nutshell’s GDPR page.

Transfer of information outside of the European Union (EEA)

We use some hosted services that store data outside of the EU. For those that process personal data, for example, MailChimp and Nutshell, these all comply with the EU Privacy Shield framework.

How you can access and update your information

If you want to update or remove any personal data held by Studio 24, or if you have any other privacy concerns, please let us know. You can email us at [email protected]

If you wish to unsubscribe from Studio 24 marketing emails please follow the unsubscribe link at the bottom of all emails.

Data security

We take data security seriously and have the following procedures in place to help meet data security laws and best practices in our work:

  • Cyber Essentials Plus accredited
  • Staff undergo DBS checks and sign confidentiality agreements to keep client data safe
  • We use encrypted hard drives for storing client data locally, use 1Password (encrypted password manager) to store sensitive data, and use virus and malware scanners on all staff computers.
  • We follow the OWASP top ten security issues and implement practices to mitigate these, for example, filter input, escape output to avoid XSS issues.
  • We have regular staff training on data security issues and Privacy by Design
  • We commit to highlighting and discussing privacy issues with our clients on projects we work on and advising the best way to meet data privacy best practises for your users, for example:
    • Advice on the use of customer data in regards to current Data Protection best practise and law (e.g. we encourage our clients to collect as little data as possible, and where it is not necessary not to collect data at all. This is better for usability and data protection)
    • Advice on the use of third-party tracking on a client site
    • We commit to regularly reviewing our suppliers and data protection standards

Hosted services

All third-party hosted services we use are, wherever possible, hosted within the EU. Services hosted outside the EU are accredited to the EU Safe Harbour framework.

Rackspace Dedicated, Rackspace Cloud and Rackspace Email

Rackspace hosting services are hosted within the EU (London, UK). Rackspace are accredited to ISO / IEC 27001, ISO 9001 and the PCI Data Security Standard. Rackspace Email is hosted within the US. Rackspace is accredited to to the EU Safe Harbour framework. See Rackspace’s privacy policy and GDPR statement.

AWS Cloud

AWS hosting services are hosted within the EU (London, UK, and Ireland), AWS is accredited to to the EU Safe Harbour framework. See the AWS privacy policy and GDPR statement.

Azure Cloud

Microsoft Azure Cloud services are hosted within the EU. See Microsoft Azure privacy policy and GDPR statement.

Atlassian Bitbucket and JIRA

We use Atlassian Bitbucket as a code repository and JIRA for task management. Atlassian is accredited to to the EU Safe Harbour framework. See Atlassian’s privacy policy and statement on privacy at Atlassian.