Privacy Policy
Last updated: 7 May 2025
This privacy policy explains how Design For Online Ltd (“DFO”, “we”, “our”, or “us”) collects, uses and protects your personal information when you visit www.designforonline.com (the “Website”) or otherwise interact with us. If you do not agree with this policy, please discontinue use of the Website.
1. Who we are
- Legal entity: Design For Online Ltd (company no. 10328553), registered in England & Wales.
- Registered office: ASK House 2 Northgate Avenue Bury Saint Edmunds IP32 6BB United Kingdom
- Data Protection Registration (ICO): 00015433851
- Data Protection Officer / contact: Email hello@designforonline.com or write to the address above.
2. Which laws apply
- UK GDPR (retained Regulation (EU) 2016/679)
- Data Protection Act 2018 (DPA 2018)
- Privacy and Electronic Communications Regulations 2003 (PECR)
- Upcoming Data Use & Access Act 2025 (once in force)
3. Key terms
Term | Meaning |
---|---|
Personal data | Information that identifies or can identify a living individual. |
Processing | Any action performed on personal data (collection, storage, transfer, etc.). |
Cookies | Small text files placed on your device by websites. |
4. What data we collect, why, and how long we keep it
Purpose / Activity | Categories of personal data | Lawful basis (UK GDPR Art 6) | Typical retention |
---|---|---|---|
Essential cookies & security (session management, load balancing) | Online identifiers, IP addresses | Legitimate interests (Art 6 (1)(f)) – running a functional, secure site. | Session + up to 30 days in server logs. |
Analytics (Google Analytics 4 via Google Tag Manager) | Online identifiers, usage data (pages viewed, events) | Consent (Art 6 (1)(a)) obtained via Cookiebot CMP. | 14 months (Google default) |
Advertising & remarketing (Google AdSense, Google Ads remarketing tags via GTM) | Online identifiers, browsing behaviour | Consent (Art 6 (1)(a)) via Cookiebot | Up to 13 months (Google policy) |
Live chat (Tidio) | Name (if provided), email, chat transcript, IP, browser metadata | Consent when you initiate chat; Legitimate interests to answer enquiries (Art 6 (1)(f)). | 6 months from last interaction (confirm) |
Contact‑form enquiries / quotations | Name, email, phone, company, message details | Consent (Art 6 (1)(a)) and pre‑contract steps (Art 6 (1)(b)). | 24 months after last correspondence |
Newsletter & direct marketing | Name, email, marketing preferences, interaction data | Consent (Art 6 (1)(a)); PECR Sch 1 pt 1. | Until you withdraw consent or 24 months after last open/click |
Client account & billing | Name, company, address, email, invoices, payment records | Contract (Art 6 (1)(b)); legal obligation for tax (Art 6 (1)(c)). | 7 years post‑tax year |
We do not carry out automated decision‑making producing legal or similarly significant effects on you, nor do we profile visitors beyond the analytics/advertising activities listed above.
5. How we obtain consent
We use the Cookiebot Consent Management Platform (CMP). On your first visit you will see a banner that:
- Explains that we use non‑essential cookies for analytics and advertising.
- Presents equally prominent Accept and Reject buttons.
- Provides a Preferences link where you can toggle cookie categories.
You can change or withdraw consent at any time by clicking the floating Cookie Settings icon.
Essential cookies cannot be disabled, as the site cannot function without them.
6. Third‑party recipients & international transfers
Service | Location of processing | Safeguards |
---|---|---|
Google LLC (GA4, AdSense, Ads, GTM) | USA / worldwide | EU‑US & UK‑US Data Privacy Framework; UK Transfer Addendum and SCCs as fallback. |
Cookiebot (Cybot A/S) | Denmark / EU | Covered by EU GDPR adequacy. |
Tidio LLC | USA / EU | UK‑US DPF + SCCs. |
MailPoet | UK & USA | UK‑US DPF + SCCs. |
Where adequacy expires (e.g., EU‑UK decision renews on 27 June 2025), we will apply Standard Contractual Clauses with the UK Transfer Addendum or any successor mechanism.
7. Your rights
Under the UK GDPR you have the right to:
- be informed about our processing;
- access your data;
- rectify inaccurate data;
- erase data (“right to be forgotten”);
- restrict processing;
- data portability;
- object to processing;
- withdraw consent at any time;
- not be subject to automated decision‑making including profiling.
You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO). If you live in the EEA, you may complain to your local supervisory authority as well.
8. Children’s privacy
Our services are not directed to children under 18 and we do not knowingly collect their data. If you believe we have collected personal data from a child, please contact us and we will delete it.
9. Data security
We store personal data on ISO‑27001 certified servers, enforce TLS 1.3 encryption in transit, restrict employee access on a need‑to‑know basis, and conduct annual penetration testing.
10. How to contact us
- Email: hello@designforonline.com
- Post: Eldo House, Suffolk Business Park, Kempson Way, Bury St Edmunds, Suffolk, IP32 7AR, UK
- Tel: 01284 245170
If you have any questions about this policy or wish to exercise your rights, please get in touch.
11. Changes to this policy
We may update this notice to reflect legal or operational changes. The “Last updated” date at the top will be amended accordingly.