PRIVACY POLICY

The GDPR Studio

Trading name of Chic Digital Ltd (Company No. 13546270)
Last Updated: May 2025


Who We Are

The GDPR Studio (“we”, “us”, or “our”) is a trading name of Chic Digital Ltd, a company registered in England and Wales (Company No. 13546270). We provide GDPR compliance consultancy, audits, training, toolkits, and related services to business clients.

We are registered with the Information Commissioner’s Office (ICO) and comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).


What This Policy Covers

This Privacy Policy explains:

  • What personal data we collect and process

  • How we use and store data

  • Your rights under UK data protection law

  • How we protect your data

  • The tools and systems we use

  • Who we may share information with


The Personal Data We Process

We may collect and process the following categories of personal data:

  • Full name

  • Email address

  • Postal address

  • Telephone number

  • Company/employment details

  • IP address, device, browser, and interaction data

  • Preferences, enquiries, and correspondence history

We process this information as a data controller in relation to our clients, prospective clients, suppliers, and website users.
Where we handle personal data solely on behalf of a client (e.g. reviewing client datasets for compliance), we act as a data processor, strictly under their written instructions.


How We Collect Data

We collect personal data through:

  • Direct interactions – when you contact us, make an enquiry, or purchase a product/service

  • Subscriptions – when you sign up to our newsletters, toolkits, or resources

  • Website interactions – through forms, cookies, or analytics tools (see Cookies below)

  • Client instructions – where we process personal data on behalf of a client under contract

We do not purchase or resell third-party marketing data.


Why We Process Your Data

We use personal data only for:

  • Delivering services, toolkits, audits, and consultancy to clients

  • Responding to enquiries and providing customer support

  • Managing our relationship with clients, prospects, and suppliers

  • Maintaining accurate records for contracts, compliance, and financial purposes

  • Improving our services and website functionality

  • Meeting legal or regulatory requirements (e.g. ICO, HMRC obligations)

We do not use or retain client datasets for any independent marketing purposes.


Lawful Basis for Processing

We rely on the following lawful bases under the UK GDPR:

  • Contractual necessity – to provide products and services as agreed

  • Legal obligation – for record-keeping, accounting, and regulatory compliance

  • Legitimate interests – for business development, client communications, and maintaining secure operations, provided our interests are not overridden by your interests, rights, and freedoms

  • Consent – where required, for optional marketing subscriptions or cookie preferences


Who We Share Data With

We may share data, only where necessary, with:

  • Service providers / sub-processors – including:

    • Microsoft 365 (email, storage, security, collaboration)

    • Zoho (CRM and client management)

    • Tidio (website live chat)

    • Plausible (privacy-friendly website analytics)

  • Legal or regulatory authorities – where required by law

We do not sell or trade personal data under any circumstances.


International Data Transfers

Some of the tools we use (e.g. Microsoft 365, Zoho, Tidio) may involve the transfer of personal data outside the UK or EEA.

Where this occurs, we ensure that:

  • The destination country is covered by UK adequacy regulations; or

  • An ICO-approved transfer mechanism is in place, such as the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs); or

  • Another safeguard recognised under the UK GDPR ensures the data remains protected to UK standards.


Data Retention

We retain personal data only for as long as necessary:

  • Client and enquiry records – for the duration of our relationship and a reasonable period thereafter

  • Financial and contractual records – typically 6–7 years (for statutory requirements)

  • Data processed as a processor – only for as long as required by the client contract, after which it is securely deleted or returned


Data Security

We take appropriate technical and organisational measures to protect personal data, including:

  • Microsoft 365 Business Premium with encryption in transit and at rest

  • Multi-factor authentication (MFA) on all staff accounts

  • Role-based access controls and least-privilege principles

  • Regular reviews of access logs and permissions

  • Endpoint protection and threat detection via Microsoft Defender

  • Secure email handling and document sharing


Your Rights

Under UK data protection law, you have the right to:

  • Access the personal data we hold about you

  • Request correction of inaccurate information

  • Request erasure of your data (subject to legal obligations)

  • Restrict or object to processing

  • Request data portability

  • Withdraw consent (where applicable)

  • Lodge a complaint with the ICO (www.ico.org.uk)

To exercise these rights, please contact: frankie@thegdprstudio.co.uk


Cookies

Our website uses cookies and similar technologies to:

  • Enable essential website functions

  • Provide website analytics via Plausible (no personal data is stored, and IP addresses are anonymised)

  • Support tools like live chat (Tidio)

For more details, please see our Cookie Policy.


Changes to This Policy

We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes. The latest version will always be available on our website.