Privacy Policy

Effective date: 1 November 2023

The Online Studio 24 Limited is the entity ("us", "we", or "our") which operates the theonlinestudio.co.uk website (the "Service").
We take your privacy and the law around data protection very seriously. This Privacy Policy informs you of our policies regarding the collection, use, and disclosure of personal data.

In terms of the relevant laws that apply to our business and your Personal Data, the Online Studio adheres to 1. Regulation (EU) 2016/679 (the “EU GDPR”) as it continues to apply to Personal Data belonging to persons who are located in the EU today, but also 2. The retained version of the EU GDPR as it applies from 1 January 2021 in the UK (plus any bespoke UK data protection law which comes into being) (the “UK GDPR”).

We use your data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this policy.


  • Service
    means the suite of services and communications that we provide you with (from website access, to blogs, case studies, provision of creative design or agency services, information via social media channels, hosting or organising events online or in person)
  • Personal Data
    Personal Data means data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).
  • Usage Data
    Usage Data is data collected automatically either generated by the use of the Service (for example, the duration of a page visit).
  • Cookies
    Cookies are small pieces of data stored on your device (computer or mobile device).
  • Data Controller
    Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information are, or are to be, processed. For the purpose of this Privacy Policy, we are a Data Controller of your Personal Data.
  • Data Processors (or Service Providers)
    Data Processor (or Service Provider) means any natural or legal person who processes the data on behalf of the Data Controller. We may use the services of various Service Providers (such as Google Analytics or Stripe) in order to process your data more effectively.
  • Data Subject
    Data Subject is any living individual who is using our Service and is the subject of Personal Data. These may include our clients’ employees who engage with our design team on a particular project or individual visitors to our website for example.

Information Collection and Use

We, as a Data Controller, may gather, collect, use, store or otherwise process any personal data (within the meaning of the GDPR) provided by or about a Data Subject.

We collect several different types of information for the various purposes we’ve listed in this policy to provide and improve our Service to you. We will take every reasonable step to ensure that personal data is accurate and, where necessary, is kept up to date.

Types of Data Collected

Personal Data

While using our Service, we may ask you to provide us with Personal Data. This may include, but is not limited to: - Email address - First name and last name - Social media handle/ID - Phone number - Usage data such as Internet Protocol (IP) address / Device data - Address, State, Province, ZIP/Postal code, City - Cookies

We may use your Personal Data to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by contacting us.

Usage Data

We may also collect Usage Data. This Usage Data may include information such as your computer's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

Tracking & Cookies Data

We use cookies and similar tracking technologies to track the activity on our Service and hold certain information. Further information in relation to our use of cookies is contained in our Cookies Policy.

Cookies are files with small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device.

Tracking technologies also used are beacons, tags, and scripts to collect and track information and to improve and analyze our Service. We also use web beacons on our websites and in email communications. For example, we may place web beacons in marketing emails that notify us when you click on a link in the email that directs you to one of our websites. Such technologies are used to operate and improve our websites and email communications.

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.

Examples of Cookies we use:

  • Session Cookies. We use Session Cookies to operate our Service.
  • Preference & Persistent Cookies. We use Preference Cookies to remember your preferences and various settings.
  • Security Cookies. We use Security Cookies for security purposes.

We use both session-based and persistent cookies on our websites. Session-based cookies exist only during one session and disappear from your computer when you close your browser or turn off your computer. Persistent cookies remain on your computer or device after you close your browser or turn off your computer.

Use of Data - Our Purposes and Rationale for Processing It

The Online Studio uses the collected data for various purposes: - To provide and maintain our Service - To notify you about changes to our Service - To allow you to participate in interactive features of our Service when you choose to do so - To provide customer support - To gather analysis or valuable information so that we can improve our Service - To monitor the usage of our Service - To detect, prevent, and address technical issues - To provide you with news, special offers, and general information about other goods, services, and events which we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information

Legal Basis for Processing Personal Data Under GDPR

We only hold and process Personal Data when the law allows us to. Below is a summary of the most relevant legal bases for processing under the UK GDPR and EU GDPR:

Processing Personal Data under Data Protection Law: The 6 Lawful Bases - Consent, Contractual necessity, Legal obligations, Vital interests, Legitimate interests, Public interest.

Our Most Relevant Legal Bases

  • Providing our Services under contract: We process your Personal Data to perform our contract with you for the use of our Services and to fulfill our obligations under applicable terms of use/service; where we have not entered into a contract with you, we base the processing of your Personal Data on our legitimate interest to operate and administer our websites and to provide you with suitable content and information about us and the sectors we are active in.
  • Promoting the security of our Services: We process your Personal Data by tracking the use of our websites and services and enforcing our terms and policies.
  • Managing projects and creative design work in our “Creative Hub”: If you have registered an account with us, we process your Personal Data by managing your user account for the purpose of performing our Creative Hub service which is separately and privately accessed on our website.
  • Handling contact and support enquiries: If you fill out a “Contact us” web form or request user support, or if you contact us by other means including via a phone call or social media, we process your Personal Data to perform our contract with you and to the extent it is necessary for our legitimate interest in fulfilling your requests and communicating with you.
  • Assessing and improving user experience (UX): We process device and usage data, which in some cases may be associated with your Personal Data, to analyze trends and assess and improve the overall user experience of the Online Studio.
  • Sending marketing communications: We process your Personal Data to send you marketing information, design ideas, and potentially other recommendations about us and our affiliates and partners, including information about our products, promotions, or events as necessary for our legitimate interest in conducting direct marketing or to the extent you have provided your prior consent.
  • Complying with legal obligations: We may have to disclose your information if required to do so by law or in response to a valid request from the Information Commissioner’s Office or other competent authority such as a Court, or to enforce our terms and conditions of business.

Retention of Data

The Online Studio will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our legal agreements and policies.

The Online Studio will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.

Transfer of Data

Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.

Where we engage in international transfers of Personal Data, we ensure that appropriate safeguards are in place. In the UK, this includes the application of the “international data transfer addendum” (UK’s standard contractual clauses approved by the Information Commissioner from March 2022). This applies to our use of tools like Google Drive and Google Analytics, which are US-based service providers.

Your data is shared amongst our teams on a need-to-know basis, most commonly the client delivery team working to supply you with information and services.

We process and store the Personal Data described in this Privacy Policy primarily inside the UK but also in the European Economic Area (“EEA”) and in India where we have an important production team. We take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy, EU GDPR, UK GDPR, and any localised data protection laws that apply in specific jurisdictions.

Your consent to this Privacy Policy followed by your submission of such information represents your agreement to any and all such transfers.

Disclosure of Data

Business Transaction

If The Online Studio is involved in a merger, acquisition, or asset sale, your Personal Data may be accessible to the new purchaser as part of any due diligence and sale process. We will provide a general update or notice to all users of our Service when this occurs, subject to confidentiality law as it applies to such corporate legal processes.

Disclosure for Law Enforcement

Under certain circumstances, The Online Studio may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency).

Legal Requirements

The Online Studio may disclose your Personal Data in the good faith belief that such action is necessary to: - Comply with a legal obligation - Protect and defend the rights or property of The Online Studio - Prevent or investigate possible wrongdoing in connection with the Service - Protect the personal safety of users of the Service or the public - Protect against legal liability

Security of Data

The security of your data is important to us. We take precautions including organizational, technical, and physical measures to help safeguard against the accidental or unlawful destruction, loss, alteration, and unauthorized disclosure of, or access to, the Personal Data we process or use.

If there is ever an unauthorized use or breach with respect to Personal Data, The Online Studio shall comply with UK GDPR expectations and timelines (including a 72-hour investigation and reporting window where we follow our best-practice data breach response protocol). Through these precautions and quality procedures, we are ready to mitigate the risk to any individuals affected by any particular data incident

You can help us ensure high standards of data security by remembering that no method of transmission over the Internet, or method of electronic storage is 100% secure. We ask you to be careful with your password to our creative hub or any client or project data you hold, including those on mobile/portable media devices and records like logs or screenshots you take from your experiences with the Online Studio. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

“Do Not Track” Signals

We do not support Do Not Track (“DNT”). Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked.

You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.

Your Data Protection Rights Under General Data Protection Regulation (GDPR)

If you are a citizen of the European Union or a resident located within the European Economic Area (EEA), you have certain data protection rights. The Online Studio aims to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data.

If you wish to be informed what Personal Data we hold about you and if you want it to be removed from our systems, or to exercise any of the rights listed below, please contact us in writing. We will action valid requests without undue delay and will respond within one month of receipt of the request. The Online Studio retains the right to extend this period for complex and lengthy requests and will notify you of any required extensions.

The Online Studio will provide the response to your request, including any and all information, communications, and actions free of charge. In circumstances where the request is excessive or determined to be manifestly unfounded, The Online Studio retains the right to charge a reasonable fee or refuse the request.

Data Protection Rights

  • The right to enquire. You have the right to ask whether The Online Studio is processing your Personal Data.
  • The right to access, update or to delete. You can access, update, or request deletion of your Personal Data directly within your account settings section. If you are unable to perform these actions yourself, please contact us to assist you.
  • The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete.
  • The right to object. You have the right to object to any processing of your Personal Data carried out on the basis of our legitimate interests.
  • The right not to be subject to a decision based solely on automated processing. This includes profiling, which produces legal effects ("Automated Decision-Making"). Automated Decision-Making currently does not take place on our websites or in our services.
  • The right of restriction. You have the right to request that we restrict the processing of your personal information.
  • The right to data portability. You have the right to be provided with a copy of the information we have on you in a structured, machine-readable and commonly used format.
  • The right to withdraw consent. You also have the right to withdraw your consent at any time where The Online Studio relied on your consent to process your personal information.

*Note: In certain circumstances where processing is necessary, The Online Studio may not be required to meet such requests.

Service Providers

We may employ third-party companies and individuals to facilitate our Service ("Service Providers"), to provide the Service on our behalf, to perform Service-related services, or to assist us in analyzing how our Service is used. These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.


We use servers of different kinds to provide different services to our business. Two of particular note are: - Cloudflare (DNS and image serving) - Cloudflare Privacy Policy - Contabo (Servers) - Contabo Privacy Policy


We may use third-party Service Providers to monitor and analyze the use of our Service. - Google Analytics
Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. You can opt-out of having made your activity on the Service available to Google Analytics by installing the Google Analytics opt-out browser add-on. For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page.

Other Analytics providers:


We may provide paid products and/or services within the Service. In that case, we use third-party services for payment processing (e.g., payment processors). We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express, and Discover. PCI-DSS requirements help ensure the secure handling of payment information.

The payment processors we work with are: - Stripe - Stripe Privacy Policy - Xero - Xero Privacy Policy

Links to Other Sites

Our Service may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

Children’s Privacy

Our Service does not address anyone under the age of 18 (“Children”).

We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.

Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the "effective date" at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.33

Data Protection Leader

Such is the importance of data protection law and best practice to our business, we have selected Corin Fogarty (who is also a key person on our Incidents response team) as our data protection lead for the business. You can reach Corin by emailing [email protected]

Contact Us

If you have any questions about this Privacy Policy, if you wish to exercise your Data Subject rights, or if you wish to raise a complaint with respect to the processing of your Personal Data, please contact Corin on the details above or by using the following contact routes: - By email: [email protected] - By visiting this page on our website: theonlinestudio.co.uk/contact

[email protected]

Postal Address:
The Online Studio, 1 Conduit Street London W1S 2XA

Registered Office:
The Online Studio 24 Limited has its registered office at 18 Brushwood Drive, Chorleywood, Rickmansworth, England, WD3 5RT

You can find out more information about your rights by contacting the data protection regulator in your jurisdiction, the Information Commissioner’s Office, or by searching their website at https://ico.org.uk