Data Protection & Privacy Policy

Effective Date: 1 September 2025

Last Reviewed: 1 September 2025

1. Our Commitment to Your Privacy

Fishfinger Creative Agency is an ethically-driven organisation, committed to using business as a force for good. This commitment extends to how we handle your personal data. We believe that a right to privacy is fundamental, and we are dedicated to being transparent, ethical, and responsible custodians of the information you entrust to us.

This policy outlines not only our legal obligations under data protection laws like the General Data Protection Regulation (GDPR) but also our ethical pledge to protect your privacy and build a relationship based on trust.

2. Purpose and Scope

This policy applies to all personal data processed by Fishfinger Creative Agency, including data from our clients, partners, employees, contractors, and website visitors. It governs all our data processing activities and applies to all team members and third-party vendors who handle data on our behalf.

"Personal Data" means any information that can be used to identify a living individual, either directly or indirectly.

3. The Data We Collect and Why

We are committed to data minimisation and only collect information that is necessary to fulfil our services and legal obligations.

  • For Our Clients and Partners: We collect names, email addresses, phone numbers, job titles, and billing information.
  • For Our Website Visitors: We may collect IP addresses, cookie data, and information submitted through contact forms (such as name and email address). For more detail on our use of cookies, please see our Cookie Policy.
    • Purpose: To respond to enquiries, improve website functionality and user experience, and analyse website traffic.
  • For Marketing Communications: We collect names and email addresses when you voluntarily subscribe to our newsletters or updates.
    • Purpose: To share agency news, insights, and marketing materials, for which we will always obtain your explicit consent.
  • For Our Team (Employees and Contractors): We collect personal and sensitive information necessary for employment and contractual purposes, which is governed by separate internal policies.

4. Our Data Protection Principles

We adhere to the core principles of the GDPR, enhanced by our own ethical values.

  • Lawfulness, Fairness, and Transparency: We process data lawfully, fairly, and in a transparent manner. We will always inform you about how and why we are using your data.
  • Purpose Limitation: We only collect data for specified, explicit, and legitimate purposes and will not process it in a manner that is incompatible with those purposes.
  • Data Minimisation: We ensure the personal data we collect is adequate, relevant, and limited to what is necessary for the intended purpose.
  • Accuracy: We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. You have the right to request the correction of inaccurate data.
  • Storage Limitation: We do not keep your data in an identifiable format for longer than is necessary. Our specific retention periods are detailed in Section 8 of this policy.
  • Integrity and Confidentiality (Security): We implement robust technical and organisational security measures—including encryption, multi-factor authentication, access controls, and staff vetting—to protect data from unauthorised access, alteration, disclosure, or destruction.
  • Ethical Use and Accountability: We are accountable for our data processing activities. We do not sell personal data to third parties. We are committed to 'Privacy by Design', meaning we proactively embed data protection into all our projects and processes.

5. Lawful Basis for Processing

Our processing of personal data is always based on a lawful basis as defined by GDPR:

  • Consent: Where you have given us clear, unambiguous consent to process your data for a specific purpose (e.g., signing up for our newsletter).
  • Contract: Where processing is necessary for the performance of a contract to which you are a party (e.g., providing creative services to a client).
  • Legal Obligation: Where we need to process your data to comply with the law (e.g., for tax or employment purposes).
  • Legitimate Interests: Where processing is necessary for our legitimate business interests (e.g., improving our services), provided these interests do not override your fundamental rights and freedoms.

6. Your Rights as a Data Subject

Under GDPR, you have the following rights concerning your personal data. We are fully committed to upholding them.

  • The Right to Be Informed: To be provided with clear and transparent information about our data processing activities.
  • The Right of Access: To request a copy of the personal data we hold about you.
  • The Right to Rectification: To have inaccurate personal data corrected or completed if it is incomplete.
  • The Right to Erasure (The 'Right to Be Forgotten'): To request the deletion of your personal data where there is no compelling reason for its continued processing.
  • The Right to Restrict Processing: To 'block' or suppress the processing of your personal data in certain circumstances.
  • The Right to Data Portability: To obtain and reuse your personal data for your own purposes across different services.
  • The Right to Object: To object to processing based on legitimate interests or for direct marketing.
  • Rights in Relation to Automated Decision Making and Profiling: To be protected against potentially damaging decisions made without human intervention.

To exercise any of these rights, please contact our Data Protection Lead at Richard@fishfinger.me.

7. Data Security & International Transfers

We store data on secure servers within the United Kingdom (UK) and the European Economic Area (EEA).

If it becomes necessary to transfer your data to a third party or location outside of the UK/EEA, we will only do so if appropriate safeguards are in place, such as an Adequacy Decision or by using Standard Contractual Clauses (SCCs) approved by the relevant UK authority. This ensures your data receives the same level of protection as it does within the UK.

8. Data Retention Periods

We retain personal data only for as long as is necessary for the purpose for which it was collected. Our standard retention periods are as follows:

  • Client and Project Data: We retain personal data relating to client projects and contracts for 6 years after the end of our business relationship. This is to comply with our legal, financial, and tax obligations (HMRC requirements) and to handle any potential contractual claims.
  • General Enquiries (e.g., via Contact Form): Data submitted through general enquiry forms on our website is retained for 12 months after our last communication with you regarding that enquiry. This allows us to resolve the enquiry and follow up if necessary.
  • Marketing and Newsletter Lists: We retain your data for as long as you remain subscribed to our communications. If you unsubscribe, we will delete your data promptly. We also periodically review our mailing lists and may remove contacts who have been inactive for over 24 months.
  • Website Analytics Data: Anonymised or pseudonymised analytics data is retained for up to 26 months to allow us to analyse website trends and performance year-on-year.
  • Recruitment Data (Unsuccessful Applicants): Personal data from unsuccessful job applicants is retained for 6 months after the recruitment process has ended. This allows us to respond to any queries about the process and to defend against any potential legal claims. We will only retain your data for longer to consider you for future roles if we have your explicit consent.

9. Data Breach Response

In the unlikely event of a data breach, we have a clear response plan. We will act immediately to mitigate the impact, secure the data, and prevent recurrence. We will notify the Information Commissioner's Office (ICO) and affected individuals in accordance with our legal obligations, without undue delay.

10. Responsibilities

The Data Protection Lead at Fishfinger Creative Agency is responsible for overseeing compliance with this policy. However, every team member has a responsibility to adhere to these principles and report any data protection concerns. All employees and contractors receive regular training on data protection and privacy best practices.

11. Policy Review & Contact Information

This policy will be reviewed annually or as required by changes in legislation. If you have any questions about this policy or how we handle your data, please contact us:

Data Protection Lead

Fishfinger Creative Agency

Email: Richard@fishfinger.me

Address: 102, Wenlock Studios, 50-52 Wharf Rd, London N1 7EU

You also have the right to lodge a complaint with the UK's supervisory authority, the Information Commissioner's Office (ICO).

 
