This policy explains how we collect, use, store, share, and protect your personal information when you visit our website at www.imaginedesignorchestrate.com or otherwise interact with us. It includes our retention schedule and explains your rights. It should be read alongside our Cookie Policy and our Terms and Conditions, both available on the website.
1
Who we are
Imagine. Design. Orchestrate. is a trading name of Ian McLellan, a sole trader in England. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), Ian McLellan is the data controller responsible for your personal information.
Registered business address: 28 Sunset Drive, Ilkley, West Yorkshire, LS29 8LS.
Data protection contact: data@imaginedesignorchestrate.com.
ICO registration number: to be added on registration.
If you have any questions about this policy, please contact us using the details above or in Section 14 below.
2
How we collect your personal information
2.1 Directly from you
When you submit the contact form on our website, when you request a video review of your diagnostic results, and when you sign up for our monthly newsletter.
2.2 Automatically
When you use the website, our hosting provider records limited technical data, such as your IP address and standard server log information, to keep the site available and secure. We do not run analytics and we do not track you across the web.
2.3 From third parties
We do not buy contact lists or collect your personal information from third parties or publicly available sources.
3
What personal information we collect
We collect or use the following categories of personal information:
- Identity and contact information: your first name, last name, and email address, provided when you use the contact form, request a video review, or subscribe to the newsletter.
- Contact form content: anything you write in a message to us through the contact form.
- Video review request: the email address you provide and the shareable results link you paste when requesting a video review. The link contains your diagnostic results in encoded form. We see it only because you chose to send it to us.
- Technical information: your IP address and standard server log data, recorded by our hosting provider to run and secure the site.
- Marketing preferences: whether you have chosen to receive or opt out of our communications.
We do not collect the following:
- Your diagnostic answers. They are processed inside your own browser to produce your results. They are anonymous, are never sent to us, and we do not store them.
- Payment or financial information.
- Special category information, such as health, race, religion, or beliefs.
- Criminal offence information.
- Information about children.
4
How and why we use your personal information
Under the UK GDPR, we must have a valid lawful basis for collecting and using your personal information. We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for a compatible purpose. If we need to use it for an unrelated purpose, we will notify you and explain the legal basis.
4.1 Legitimate interests (Article 6(1)(f) UK GDPR)
We rely on legitimate interests where the processing benefits you, our organisation, or someone else, without causing an undue risk of harm to anyone. We rely on this basis to:
- respond to enquiries you send through the contact form;
- deliver the video review you have requested, including viewing the results link you shared with us and sending you the video;
- send you occasional follow-up communications about our own similar services after you have requested a video review, where you have not opted out (the soft opt-in under Regulation 22 of the Privacy and Electronic Communications Regulations 2003); and
- keep the website available, functioning, and secure through standard server logging by our hosting provider.
Our legitimate interest assessment for each of these purposes:
Responding to contact form enquiries. You submit the form knowingly, providing your name, email, and message for the purpose of starting a conversation with us. We use it only to reply. The processing is necessary to respond to your request, is within your reasonable expectations, and we do not use this information for any other purpose unless you separately opt in. Your interests do not override ours.
Delivering the video review. You request the review yourself, providing your email and your results link for the express purpose of receiving a personalised video. The full diagnostic report is shown to you on screen and is downloadable as a PDF for free, without providing any personal information. You share your results with us only when you choose to request the review. The processing is necessary to provide what you asked for, is within your reasonable expectations, and we do not combine your results with any other personal information. Your interests do not override ours.
Follow-up communications after a video review. Where you have requested a video review, we treat this as a negotiation for our consulting services. Under the Privacy and Electronic Communications Regulations 2003, the soft opt-in allows us to send you communications about our own similar services, provided we gave you a clear opportunity to opt out when you made the request and in every communication. We offer an opt-out at the point of request and an unsubscribe link in every email. You have an absolute right to object to direct marketing at any time. We do not share your information for anyone else's marketing.
Server logging. Our hosting provider records IP addresses and standard request data in server logs to keep the site available and to detect and prevent misuse. This is a standard and necessary part of running a website. The logs are retained by our hosting provider for a limited period and are not used by us for any other purpose.
For more information on our use of legitimate interests, contact us using the details in Section 14.
All of your data protection rights apply to processing based on legitimate interests, except the right to data portability. Your right to object, including the absolute right to object to direct marketing, is set out in Section 10.
4.2 Consent (Article 6(1)(a) UK GDPR)
We rely on your consent to send you our monthly newsletter, where you have actively opted in by ticking the checkbox provided.
Your consent is freely given, specific, informed, and unambiguous. We do not pre-tick the checkbox, and your decision to subscribe or not has no effect on any other service, including access to the diagnostic, the PDF download, or the video review.
You have the right to withdraw your consent at any time by clicking the unsubscribe link in any newsletter email or by contacting us at data@imaginedesignorchestrate.com. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
All of your data protection rights apply to processing based on consent, except the right to object (because you have the right to withdraw consent instead).
4.3 Legal obligation (Article 6(1)(c) UK GDPR)
We keep certain records to meet tax and accounting duties under applicable law, including HMRC requirements. This applies to records of client engagements and associated financial records, retained for six years after the end of the engagement.
5
Marketing communications
We send follow-up communications about our own similar services to people who have requested a video review and have not opted out. We do this under the soft opt-in provision of the Privacy and Electronic Communications Regulations 2003, with a clear opt-out at the point of request and in every email.
We send our monthly newsletter to people who have actively opted in.
We never sell, rent, or share your personal information for anyone else's marketing purposes.
You can stop receiving our communications at any time by clicking the unsubscribe link in any email or by contacting us at data@imaginedesignorchestrate.com. We will act on your request promptly.
6
Who we share your personal information with
We share your personal information only with the following providers, who process it on our instructions under written terms that require them to protect it:
- Vercel, Inc. (USA) — website hosting.
- Zoho Corporation B.V. (Netherlands, EU data centre) — email marketing and customer relationship management.
We may also share information with our professional advisers where necessary, and with regulators or law enforcement where the law requires it.
We do not allow our providers to use your personal information for their own purposes. We do not sell, rent, or trade your personal information to any third party. We do not use your information for advertising.
7
International transfers of personal information
Some of our providers are based outside the United Kingdom. Where your personal information is transferred outside the UK, we make sure appropriate safeguards are in place as required by the UK GDPR.
Vercel, Inc. (USA): the transfer relies on the UK Extension to the EU-US Data Privacy Framework, of which Vercel is an active participant.
Zoho Corporation B.V. (Netherlands): your information is stored in Zoho's EU data centre. Storage within the EEA is covered by UK adequacy regulations. For any access from Zoho entities outside the EEA, the UK Addendum to the EU Standard Contractual Clauses applies through Zoho's data processing terms.
For more information about these safeguards, or to obtain a copy of the relevant documentation, contact us at data@imaginedesignorchestrate.com.
8
How long we keep personal information
We keep personal information only for as long as we need it for the purpose we collected it, or for as long as the law requires. When a retention period ends, we delete or anonymise the information. We review what we hold at regular intervals so that nothing is kept longer than it needs to be. We do not retain personal information on a just-in-case basis.
| Information | How long we keep it | Why |
|---|---|---|
| Your diagnostic answers | Not retained. They are processed in your browser and are never sent to us or stored. | No purpose requires us to keep them. |
| The shareable results link | Not retained. The link is generated in your browser and contains your results in encoded form. It is not sent to our server or recorded in our logs. | You hold the link. We see it only if you choose to share it with us. |
| Your email address and results link when you request a video review | Kept for the duration of the review, then retained as a client enquiry for 24 months. If you do not become a client, deleted after 24 months. | We need your email to send the video and your link to see what you saw. The 24-month period allows time for the enquiry to develop into a conversation. |
| Your email address when you sign up for the monthly newsletter | Kept while you remain subscribed. Reviewed and removed after 24 months without engagement. | Held on your consent, for as long as you want to receive the newsletter. |
| Contact enquiries that do not become client work | 24 months from your last contact, then deleted. | A senior enquiry takes time to develop. |
| Records relating to clients we work with | 6 years after the end of the engagement. | Tax and accounting duties, and the six-year limitation period for contract claims. |
You can ask us to delete your personal information sooner. Where we are not holding it to meet a legal duty, we will.
In some circumstances, we may anonymise your personal information so that it is no longer identifiable. Anonymised information is not personal data and we may use it for service improvement without further notice.
9
Data security
We use appropriate technical and organisational measures to protect your personal information. These include encryption in transit, limiting access to personal information to those who need it, using reputable providers with their own security obligations, and having a procedure for responding to any suspected breach.
We will notify you and the Information Commissioner's Office about a personal data breach where the law requires it, in accordance with Articles 33 and 34 of the UK GDPR.
No method of transmission over the internet or method of electronic storage is completely secure. We take all reasonable precautions, but we are not able to guarantee absolute security.
10
Your data protection rights
Under UK data protection law, specifically the UK GDPR and the DPA 2018, you have the following rights. Some rights apply only in certain circumstances, and exemptions may apply. You can find out more about your rights and the exemptions on the ICO's website.
Your right of access. You have the right to ask us for copies of your personal information. You can also request other information, such as details about where we get personal information from and who we share it with. There are some exemptions, which means you may not receive all the information you ask for.
Your right to rectification. You have the right to ask us to correct or complete personal information you think is inaccurate or incomplete.
Your right to erasure. You have the right to ask us to delete your personal information. We may decline where retention is necessary for legal compliance or the defence of legal claims.
Your right to restriction of processing. You have the right to ask us to limit how we use your personal information in certain circumstances, such as where you contest its accuracy or where you consider our processing to be unlawful but you do not want us to delete it.
Your right to object to processing. You have the right to object to the processing of your personal information where we rely on legitimate interests as our lawful basis. You have an absolute right to object to direct marketing at any time. If you object to direct marketing, we will stop.
Your right to data portability. Where processing is based on your consent and carried out by automated means, you have the right to ask us to transfer the personal information you gave us to another organisation, or to you, in a structured, commonly used, machine-readable format.
Your right to withdraw consent. Where we rely on your consent as our lawful basis, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before you withdrew. You can withdraw consent by clicking the unsubscribe link in any email or by contacting us at data@imaginedesignorchestrate.com.
We do not make decisions about you based solely on automated processing, including profiling, that produce legal or similarly significant effects. The diagnostic produces information for you to consider. Any decision is yours.
If you make a request, we must respond to you without undue delay and in any event within one month. In complex cases, we may extend this by a further two months, and we will tell you if that is necessary.
To exercise any of these rights, please contact us using the details in Section 14. We may ask you to confirm your identity before we act, so that we do not disclose your personal information to anyone else. There is generally no fee, but we may charge a reasonable fee for manifestly unfounded or excessive requests.
11
Cookies
This website uses only strictly necessary cookies. Because we set no non-essential cookies, we do not show a cookie consent banner. For detail, see our Cookie Policy at www.imaginedesignorchestrate.com/cookies.
12
Children
This website is intended for business leaders and is not aimed at or intended for anyone under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with their personal information, please contact us at data@imaginedesignorchestrate.com and we will delete it.
13
Third-party links
The website may include links to websites, plug-ins, and applications operated by third parties. We do not control those websites and are not responsible for their privacy practices. We encourage you to read the privacy policy of every website you visit.
14
How to contact us
If you have any questions about this policy or wish to exercise your data protection rights, please contact us:
- By email: data@imaginedesignorchestrate.com (data protection matters) or info@imaginedesignorchestrate.com (general enquiries).
- Through the website: www.imaginedesignorchestrate.com/contact-us.
- By post: 28 Sunset Drive, Ilkley, West Yorkshire, LS29 8LS.
The data controller is Ian McLellan, a sole trader in England, trading as Imagine. Design. Orchestrate.
15
How to complain
If you have a concern about how we have handled your personal information, please tell us first at data@imaginedesignorchestrate.com so that we have the opportunity to put it right. We will investigate and respond to you directly.
If you remain unhappy with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). You do not have to raise it with us first, though it helps if you do.
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Helpline: 0303 123 1113. Website: ico.org.uk/make-a-complaint.
16
Changes to this policy
We may update this policy from time to time to reflect changes in our practices, our services, or the law. Changes take effect when posted on this page, and we will revise the date at the top.
If we ever introduce processing that needs your consent, such as analytics or non-essential cookies, we will ask for it before that processing begins.