Privacy

Data Protection Policy (GDPR Policy) 2023

It is necessary for the day-to-day running of the business that Friends store and use some personal and business information. Friends (“we” “us” “our”) only hold information that is relevant in order for us to provide the services that you have undertaken with us. This policy outlines what information we collect, how we store it and how we use it in accordance with the General Data Protection Regulation (“GDPR”).

Client Data

A Client is any business, organisation or individual who has enquired about or undertaken any work with Friends.

What data is stored?

Typically the following Client data is held by Friends:

  • Business contact full name
  • Business contact email address and phone number(s)
  • Business address

Additionally the following may be held for some clients:

  • Personal email address and phone number(s)
  • Personal address
  • Web hosting and social media passwords
  • Any other information as is voluntarily provided by the client that is necessary for the reasonable management of the project

How is it stored?

Physically

  • Signed T&Cs, confidentiality agreements, completed Brand Discoveries documents and any other information that is necessary for the undertaking of a project is printed and stored in the client’s assigned box file.
  • Quotes and invoices are printed and stored in box files and ring binders.
  • Business cards are stored on desks by each partner and member of staff.
  • File copies of printed collateral designed by Friends for clients are stored out of sight in assigned drawers of plan chests.

Digitally

  • Signed T&Cs, confidentiality agreements, completed Brand Discoveries documents, quotes, invoices and any other information that is necessary for the effective management and completion of a project may be stored within our email server, our Xero account, Dropbox or on studio computers and external hard-drives.
  • Contact names and email addresses are stored within our email server and Xero account along with any personal data volunteered by the individual, e.g. business address within an email signature.
  • Digital process, visual and artwork files are held by Friends within our email server, Dropbox, on studio computers and external hard-drives.
  • Client passwords and login details are sometimes needed to ensure smooth running of their websites and social media accounts, fixing of technical issues within their website and for launching new Client websites. These details are never shared with anyone other than the Studio Director and our digital projects partners.

Who has access?

  • All data is accessible to the Studio Director.
  • Only data that is needed for the reasonable running of the business and provision of its services is accessible to other Partners and permanent Employees. Employees may not share any data outside of the necessary provision of Friends’ service, either during or following employment, as per Section 12 of their Contract of Employment.
  • Only data that is needed for the reasonable running of the business and provision of its services is accessible to Interns and Freelancers, and only following the signing of the studio GDPR Agreement. Interns and Freelancers may not share any data outside of the necessary provision of Friends’ service, either during or following employment.

How long is it kept?

  • Personal data including contact details, signed T&Cs, confidentiality agreements and completed Brand Discoveries documents are held for the duration of a working relationship between the Client and Friends. This data will be held for 12 months after the instance that this working relationship is formally terminated by the Client in writing or via email. Termination will remove Friends’ ability to provide any further services to the Client. It is the client’s responsibility to obtain any data they may need before it is destroyed.
  • Quotes and invoices are physically stored until the project they relate to has been completed by Friends and signed-off, received and paid for in full by the Client. These will be destroyed within 1 month of accounts being completed each quarter by our accountant.
  • Quotes and invoices in Xero are digitally stored indefinitely for future reference by Friends for the job specifications only. No personal data is extracted or used from these documents.
  • Business cards are held indefinitely unless the client requests in writing or via email for the business card to be destroyed. Any such request will be completed within 2 weeks.
  • All physical and digital design work completed by Friends is the property of Friends as per our T&Cs signed by the Client prior to any project being undertaken. This property is kept indefinitely; however, Friends will never extract or use any data from these files.

What is it used for?

  • Contact information is necessary for Friends to maintain a basic working relationship with all Clients, e.g. communicating with the Client, creating quotes, etc.
  • Contact information is often necessary for Friends to create the product which the Client has requested, e.g. designing business cards. Information provided by the Client within content for design will only ever be used for the purpose the Client provided it for.
  • Contact information and delivery/billing addresses may be shared with our suppliers, partners and service providers only where necessary to fulfil the service requested by the Client, e.g. for printed collateral to be delivered direct to the Client. The Client has the right to request the GDPR policy of any of our third party associates at any time.
  • Printed collateral is used as examples of work and for self-promotion. Images of printed collateral featuring contact details may be shared on our website, through social media, or with other current or potential clients physically or via email. We will never share financial information or passwords. We will never share information that the Client has not voluntarily included on public facing materials.
  • Passwords may be held by Friends for the effective management of a project, e.g. web hosting passwords for our web developers, or at the request of the Client, e.g. social media passwords to update avatars, headers, etc.

The Client may at any time request to access a copy of the personal data held by Friends, or request to make a correction or update to any personal data held by Friends. Such requests will only be received in writing or via email and will be completed within a timeframe reasonable to the likely amount of information held by Friends.

Email Subscriber Data

An Email Subscriber is anyone who has voluntarily subscribed to our mailing list.

What data is stored?

Typically the following Email Subscriber data is held by Friends:

  • Full name
  • Email address

Friends may hold additional information that the Email Subscriber has voluntarily shared with us.

How is it stored?

  • Within our Mailchimp account.

Who has access?

  • This information is only accessible to our Studio Director.

How long is it kept?

  • This information is kept until the Email Subscriber opts out of further marketing emails from Friends. At this point the email will be automatically removed from our mailing list by Mailchimp.

What is it used for?

  • Friends will only ever use this information to send the Email Subscriber emails that they (the subscriber) have opted in to. Friends will not be held responsible for any emails sent to an individual who has been opted in by another individual.

Shop Customer Data

A Shop Customer is anyone who has previously purchased any listing from our online shop.

What data is stored?

  • Full name
  • Contact details: Email address and phone number
  • Billing and delivery address
  • Bank and card details

How is it stored? Who has access? How long is it kept?

  • We do not store this information but it may be held by Etsy/Shopify/etc.

What is it used for?

  • Processing the payment
  • Providing an email receipt 
  • Delivering the item(s) purchased
  • If consent is provided the email address is used to add the Shop Customer to our mailing list.

Employees, Job Applicant, Intern & Freelancer Data

An Employee is anyone who has been employed by Friends on a permanent basis, whether full-time or part-time, as confirmed in their Contract of Employment.

A Job Applicant is anyone who contacts Friends in order to apply for a job; either in response to a job listing on Friends’ website, a recruitment site (e.g. Indeed) or an external recruitment agency, or by contacting Friends on their own initiative to inquire about possible job opportunities.

An Intern is anyone who is employed by Friends on a temporary basis while they (the Intern) are looking for permanent work.

A Freelancer is anyone who is a working professional that is employed by Friends, either in-studio or remotely, on a temporary basis to support the workload of the business.

What data is stored?

Typically the following data is held by Friends on the above persons:

  • Full name
  • Contact details: Email address, phone number and personal address
  • Education and previous employment
  • Names and contact details of 2 references
  • Disability status
  • Ability to legally work in the UK (NI number)
  • Banking details 

Friends may hold additional information that the individual has voluntarily shared with us.

How is it stored?

  • CVs, covering letters, completed applications and references are physically stored in box files and digitally stored in our email server and on studio computers, and externally by recruitment sites.
  • Banking details to make payments to.

Who has access?

  • Within the studio this information is only accessed by our Studio Director.
  • Whyfield accountants
  • Lloyds bank

How long is it kept?

This data is kept throughout the contract of employment, whether temporary or permanent, and indefinitely thereafter unless the individual whose data is being held requests in writing or via email for that data to be destroyed. Following such a request the data will be destroyed within 1 month.

What is it used for?

  • Contacting Job Applicants about their application
  • Contacting Employees for matters relating to work
  • Processing applications
  • Processing payment of wages and reimbursements 

Supplier Data

A Supplier is any business, organisation or sole trader from whom Friends has previously purchased external services (e.g. printing, web development, photography, etc.); any business, organisation or sole trader that has contacted Friends in a marketing or promotion capacity; any business, organisation or sole trader that Friends have had recommended to them or found through research for a specific service.

What data is stored?

Typically the following Supplier data is held by Friends:

  • Contact full name
  • Contact details: Email address and phone number
  • Business address
  • Banking details

How is it stored?

  • Name and email address are stored digitally in our email server if contact has been made via email. Other data may be stored here if it is voluntarily provided by the Supplier, e.g. within an email signature.
  • Name, contact details, address and banking details are stored digitally in our Xero account.
  • Name, contact details and address are stored physically in printed quotes and invoices, as well as on business cards.
  • Name, contact details and address are stored digitally in quotes and invoices in our email server, Dropbox and on our studio computers.

Who has access?

  • Name, contact details and address are accessible to all Partners and Employees who require them for effective provision of Friends’ services.
  • Banking details are only accessible to our Studio Director, our accountants and bank.

How long is it kept?

  • Data is kept for the entirety of a working relationship between Friends and the Supplier and indefinitely thereafter unless the Supplier whose data is being held requests in writing or via email for that data to be destroyed. Following such a request the data will be destroyed within 1 month.

What is it used for?

  • Name, contact details and address are used for communicating with Suppliers in the necessary day-to-day running of the business.
  • Banking details are used for processing payments.

Studio Practice

We carry out additional good practice and training to uphold and update this policy:

Clean Desk Policy

Each Partner and Employee, whether permanent or temporary, is responsible for leaving their desk tidy and organised at the end of each working day with special attention being paid to any physical data being stored out of sight. This policy is overseen by the Studio Director.

Termination of Physical Data

Physical data is destroyed using a paper shredder before being recycled. Recycling is stored securely inside the studio before being left out for recycling on the morning of collection.

Visibility to the Public

As our studio is operated from our home, no data is left in view from the outside of the building.

Recommendations

Friends has the privilege of working with many talented businesses, organisations and individuals, both as Clients and Suppliers. In some instances basic contact information (name, email address, phone number) may be shared with Clients and Suppliers for recommendation purposes. We will only share information when we believe it will be beneficial for both parties and will never share data that is not already publicised by the Client or Supplier.

Training

Initial training was undertaken by the Studio Director as an introduction to the GDPR on 19 February 2018 in preparation for the 25 May 2018 deadline. Regular training will be undertaken and communicated to the entire studio team. This policy will be reviewed following any changes to the GDPR or day-to-day running of the business. Additionally, an annual review will be undertaken by the Studio Director. Any changes or updates will be communicated to all businesses, organisations and individuals whose data is held by Friends.

If you have any concerns about any of the above or wish to request the removal of your personal data from our storage and usage please don’t hesitate to contact us.

If you would like to see the GDPR policy of any of our key service providers please see below:

Heart Internet, Xero, Lloyds Bank, Whyfield Accountants, Shopify, Mailchimp, Dropbox

If you would like to see the GDPR policy of any of our other suppliers please contact us regarding the specific supplier.

Any requests or queries via email should be sent to weare@designbyfriends.co.uk

 