Privacy Policy

Last updated: 7 May 2026 · Version 2.0

Weir Digital Media Limited (“Weir Digital Media”, “WDM”, “we”, “us”, “our”) takes your privacy seriously. This Privacy Policy explains what personal data we collect, why we collect it, what we do with it, who we share it with, and what your rights are. It applies to weirdigital.media and to every productised marketing engagement we deliver.

1. Who we are

Data controller: Weir Digital Media Limited
Companies House registration: 14973060 (registered in England and Wales)
Registered office: 18 Beverley Gardens, Bournemouth, BH10 5EF, United Kingdom
Contact for privacy queries: [email protected]

We operate primarily from Bournemouth (UK) and Jávea (Costa Blanca, Spain). All personal data is stored on infrastructure located in the United Kingdom or the European Economic Area, except where this policy explicitly states otherwise.

2. Personal data we collect

2.1 When you visit our website

• Technical data: IP address (anonymised before analytics processing), browser type and version, device type, operating system, time zone, referring URL, pages visited, time on page.
• Cookie data: only if you accept non-essential cookies via our consent banner. Essential cookies (consent state, session, security) are always set. See our Cookie Policy for the full list.
• Analytics data: aggregated and pseudonymised usage data via Google Analytics 4 (with IP anonymisation enabled).

2.2 When you contact us or request a proposal

• Name, business name, work email address, phone number (if provided)
• The pillar, industry, location, or playbook you have shown interest in (passed via URL parameters from our site)
• The content of any message you send us
• Industry, sector, or sub-vertical you operate in (where you provide it)

2.3 When you become a client

• Billing details: company name, billing address, VAT number (where applicable), payment-method identifiers (card last-four / SEPA reference) — we never store full card numbers; payment processing is handled by Stripe and Wise (UK) Ltd
• Authorised contacts at your business (names, work emails, phone numbers, job titles)
• Operational data needed to deliver the service — e.g. access tokens for your Google Analytics, Google Ads, Meta Ads, Search Console, CRM, hosting, or any other system you grant us access to
• Project artefacts — briefs, drafts, deliverables, signed-off documents, dashboards

We never collect special-category personal data (health, ethnicity, political opinions, etc.) unless you proactively send it to us in a brief or message. If you do, we will treat it under the additional safeguards required by Article 9 UK GDPR and contact you to confirm lawful basis before processing.

3. Lawful basis for processing

We process personal data under one of the following lawful bases under Article 6 UK GDPR:

• Contract performance — Article 6(1)(b): when you are a client or have requested a proposal, we process the data needed to deliver the service or respond to your enquiry.
• Legitimate interests — Article 6(1)(f): limited internal analytics, security logging, fraud prevention, and following up on enquiries you have made of your own initiative. Our legitimate interest is running and growing a small productised service business; we balance this against your rights and stop on request.
• Consent — Article 6(1)(a): non-essential cookies, marketing emails, and any future newsletter signups. You can withdraw consent at any time via the cookie banner, by clicking unsubscribe on any email, or by emailing us.
• Legal obligation — Article 6(1)(c): tax records, VAT records, and any other records we are legally required to keep.

4. How we use your data

• Respond to enquiries and prepare written proposals (typically within two business days)
• Deliver the productised marketing services you have engaged us for
• Issue invoices, take payment, and keep accounting records
• Send transactional emails (delivery confirmations, weekly portal reports, project updates)
• Improve the website and our productised offerings using aggregated, anonymised analytics
• Comply with our legal, regulatory, and tax obligations

We do not sell your personal data. We do not use it for automated decision-making with legal effect. We do not run targeted advertising profiles based on your visits to our site.

5. Who we share your data with

We use the following data processors. Each is contractually bound by a Data Processing Agreement (DPA) and only processes data on our written instructions.

• Hosting: DigitalOcean (UK / EU regions). Data location: London / Amsterdam.
• CDN, security and DNS: Cloudflare. Data location: global edge network with EU caching.
• Email delivery: SMTP via SendGrid (Twilio Inc.) for transactional email. Subject to EU–US Data Privacy Framework.
• Payments: Stripe Payments UK Ltd and Wise Payments Ltd. Card data is tokenised and never stored on our systems.
• Analytics: Google Analytics 4 (Google Ireland Ltd) with IP anonymisation enabled. Subject to EU–US Data Privacy Framework.
• Cookie consent: Complianz (Really Simple SSL B.V., Netherlands).
• Accounting: Xero (UK) Ltd for invoicing and bookkeeping.
• Client portal and project management: internally managed on our hosted infrastructure (UK / EU regions).

Where you grant us delegated access to your own marketing tools (Google Ads, Meta Ads, Search Console, your CRM, your hosting), we act as a processor under your control, not as a controller.

We may share data with our professional advisers (legal, accounting), with HMRC for tax purposes, and with law enforcement where legally compelled.

6. International data transfers

Some of our processors (Cloudflare, SendGrid, Stripe, Google) operate global infrastructure that may involve transferring personal data outside the UK and EEA. Where this happens, transfers are protected by one or more of:

• UK adequacy regulations (e.g. UK–EU adequacy)
• The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses
• Participation in the EU–US Data Privacy Framework, where applicable

7. How long we keep your data

• Website analytics: 14 months (Google Analytics 4 default), then auto-deleted.
• Enquiry data (no engagement): 18 months from last contact, then deleted.
• Active client records: for the duration of the engagement plus 6 years (HMRC requirement for VAT-registered businesses).
• Project artefacts (briefs, deliverables, dashboards): for the duration of the engagement plus 12 months, after which they are exported to you and deleted from our systems.
• Marketing email subscribers: until you unsubscribe; we re-confirm consent every 24 months.

8. Your rights under UK GDPR

You have the following rights, free of charge, in relation to your personal data:

• Right to be informed — covered by this Privacy Policy
• Right of access — you can request a copy of all personal data we hold about you
• Right to rectification — you can ask us to correct inaccurate data
• Right to erasure — you can ask us to delete your data, subject to legal retention obligations
• Right to restrict processing — you can ask us to pause processing while a dispute is resolved
• Right to data portability — you can ask us to provide your data in a machine-readable format
• Right to object — you can object to processing based on legitimate interests, including analytics
• Right to withdraw consent — for any processing based on consent, at any time
• Right to lodge a complaint — with the UK Information Commissioner’s Office (ICO) at ico.org.uk

To exercise any right, email [email protected]. We respond within one calendar month, often sooner.

9. Security

We use industry-standard technical and organisational measures appropriate to the risk: TLS 1.2+ for all data in transit; encrypted storage at rest on managed infrastructure; least-privilege access controls; audit logging; documented incident-response procedures. In the unlikely event of a personal-data breach that meets the notification threshold, we will report to the ICO within 72 hours and notify affected individuals without undue delay.

10. Children

Our services are not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it promptly.

11. Changes to this policy

We update this policy when our processing activities change, when our processors change, or when applicable law changes. The “Last updated” line at the top reflects the date of the most recent change. Material changes are notified to active clients by email.

12. Contact and complaints

For privacy questions, data-subject-rights requests, or complaints, contact us at [email protected] or by post at the registered office above. If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office at ico.org.uk or +44 303 123 1113.