Privacy Policy

Crimson Social Data Protection Policy

Last Updated: 09 January 2026

1. Introduction

Crimson Social is committed to respecting and protecting personal data. This Privacy Policy explains how we collect, use, store, share, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable laws. We aim to be transparent about our data practices and your rights.

Safeguarding personal data is crucial to maintaining your trust. Please read this policy carefully to understand how we handle your information and the measures we take to keep it secure.

2. Who We Are

Company Name: Crimson Social Marketing Ltd (“Crimson Social”)

Registered Address: 167-169 Great Portland Street, Fifth Floor, London, Greater London, England, W1W 5PF

Data Protection Contact: dpo@crimsonsocial.co.uk

Crimson Social is a London-based real estate marketing agency. We provide social media marketing and advertising services primarily for the real estate industry, helping estate agents and property businesses promote their services on platforms including Facebook (Meta), Instagram, TikTok, Pinterest, LinkedIn, and Google.

3. Scope and Definitions

This policy applies to all personal data processed by Crimson Social in the context of our website and services.

  • Personal Data: Any information relating to an identified or identifiable individual (such as name, email, phone number, etc.).
  • Processing: Any operation performed on personal data (e.g. collection, use, storage, disclosure, deletion).
  • Data Subject: The individual whose personal data is processed.
  • Controller: The entity that determines the purposes and means of processing personal data (generally Crimson Social for data described in this policy).
  • Processor: A third party that processes personal data on behalf of a controller (e.g. our service providers or subcontractors).

4. Crimson Social’s Role as Controller and Processor

Crimson Social acts as a data controller for personal data that we collect through our own website, marketing activities, and client onboarding (determining why and how this data is processed). For example, we are the controller of data you submit via our website contact forms or when you sign up for our newsletter.

When we provide services to our clients (estate agencies and property businesses), we may also handle personal data on their behalf – for instance, managing advertising campaigns that collect leads or using client-provided contact lists for ads. In those cases, the client is the primary controller of that data, and Crimson Social acts as a data processor following the client’s instructions and a data processing agreement. We will only use such client data for the purpose of delivering the agreed services and will not use it for our own purposes.

Additionally, when using Meta’s Business Tools (such as the Meta Pixel on a client’s website), Meta Platforms and the client may be considered joint controllers for the data collected via those tools. Meta will act as an independent controller for any data it receives once transferred to its platform. (See Section 9 of this policy for more details on Meta Business Tools.)

5. Personal Data We Collect

We only collect personal data that is relevant and necessary for legitimate business purposes or as required by law. The types of personal data we may collect include:

  • Contact Information: Name, email address, telephone number, and other contact details you provide (for example, when you fill out a form on our website or contact us).
  • Business Details: Information about your company or role (such as business name, job title) if you are our client or a business contact.
  • Inquiry and Lead Data: Information you submit through website forms or landing pages (e.g. messages, property listing details, preferences) and data obtained via marketing campaigns. This includes data collected through forms on our website as well as lead generation forms on social media platforms (for example, if you respond to a Facebook Lead Ad, the contact details you provide – like name, email, phone – will be transmitted to us by Meta).
  • Technical and Usage Data: When you visit our website, we collect certain technical information via cookies and similar tools, with your consent. This includes your IP address, browser type, device identifiers, cookie IDs, and information about how you navigate or interact with our site (pages viewed, buttons clicked, etc.). This data helps us analyze site usage and improve performance. (See Section 9 and our Cookie Policy for more details on cookies and tracking.) 
  • Social Media Account Info: If you engage with us via social media or become a client, we might collect your social media handle or public profile information in order to manage accounts or content with your permission.
  • Account Credentials (Clients Only): For clients, we may handle login credentials or access tokens for advertising and social media accounts you authorize us to manage. Such credentials are stored securely (e.g. in an encrypted password manager) and used only for providing our services.

We do not intentionally collect any special categories of personal data (such as health, religion, etc.) through our website. We ask that you refrain from sharing sensitive personal information unless necessary for the services, in which case we will ensure appropriate safeguards.

6. Why and How We Use Personal Data

We process personal data for the following purposes:

  • Service Delivery: To provide our social media marketing and advertising services to clients. This includes creating and managing social media content, running ad campaigns, and delivering results. For example, if you are a client, we use your data and your customers’ data (as permitted) to set up and target advertising campaigns on platforms like Facebook and Instagram.
  • Communication: To communicate with you. We use contact information to respond to inquiries, schedule meetings or discovery calls (via tools like Calendly), send proposals, and provide customer support. We may also notify you about updates to services or our policies.
  • Marketing Our Services: With appropriate consent or under legitimate interest, we may use your contact details to send you newsletters, industry updates, or information about our services. You can opt out of marketing communications at any time. We also use analytics data about website visitors and email interactions to understand the effectiveness of our marketing efforts (only with consent for non-essential cookies/emails).
  • Website Experience: To personalize and improve your experience on our website. Technical and usage data (collected via analytics cookies or similar) help us understand which content is most useful to visitors and to troubleshoot issues. This processing is done only as allowed by law (e.g. based on consent for analytics cookies).
  • Account Management: For clients, to set up and maintain your accounts on advertising or social platforms, administer subscriptions or payments, and manage our business relationship.
  • Legal and Compliance: To fulfil legal obligations and exercise our rights. For instance, keeping records for tax/audit purposes, complying with a court order, or handling any complaints or disputes. We may also process data to detect or prevent fraud or security issues.
  • Meta Advertising Purposes: In cases where we run advertising campaigns on Meta platforms, we may use tools that collect and process personal data (see Section 9). This data is used to create target audiences, optimize ad delivery, and measure ad performance, in compliance with data protection laws and Meta’s policies.

We will not use your personal data for new purposes that are incompatible with the original purposes described above without first notifying you or obtaining additional consent as required.

7. Lawful Basis for Processing

Under the UK GDPR, we ensure that each instance of personal data processing has a valid lawful basis. Depending on the context, we rely on one or more of the following bases:

  • Consent: We will ask for your consent to process your data in certain cases – for example, to send marketing emails or to use non-essential cookies/trackers on our website. Where we rely on consent, you have the right to withdraw it at any time. (For instance, we seek your consent via the cookie banner before setting analytics or marketing cookies.)
  • Contract: If you are a client (or taking steps to become one), we process personal data as necessary to enter into and fulfill our contract with you. This includes using your information to provide our services, communicate with you, and bill for our services. Without this data, we may not be able to perform the contracted services.
  • Legitimate Interests: We may process data as needed for our legitimate business interests, provided those are not overridden by your data protection rights. Examples include: improving our website’s functionality and content, ensuring IT security, preventing fraud, or communicating with our existing customers about similar services. We always consider your rights and expectations – for instance, we perform Legitimate Interests Assessments for activities like certain analytics or direct marketing to ensure fairness. You have the right to object to processing based on legitimate interests (see Section 13).
  • Legal Obligation: Where processing is necessary for us to comply with a legal obligation, we will do so. This may include retaining records as required by law, or disclosing information to authorities if lawfully demanded (for example, for law enforcement or regulatory compliance).

We do not typically rely on “Vital Interests” or “Public Task” as bases for processing in the context of our services. If we ever need to process data under those bases, we will communicate it.

8. How We Share Your Data

We do not sell or rent your personal data to third parties. However, we may share personal data with selected recipients in order to run our business and provide our services, under strict conditions:

  • Meta Platforms: If we are running advertising campaigns on your behalf or using Meta Pixel on our website, certain data is shared with Meta Platforms (Facebook/Instagram). For example, the Meta Pixel on our site sends browsing information (like pages visited, IP, device info) to Meta, and if you submit a Facebook/Instagram Lead Ad form, Meta forwards that lead data to us. This sharing enables ad targeting, conversion tracking, and analytics. Meta may use the data for its own purposes (e.g. improving ad services) as an independent controller. We and Meta have a joint controllership arrangement for Pixel data as per Meta’s terms. (See Section 9 for more details.) We ensure that such tools are only activated with appropriate legal basis (e.g. user consent for tracking cookies).
  • Calendly: We use Calendly (or a similar scheduling service) to facilitate appointment bookings (such as discovery calls). If you choose to schedule a meeting through our scheduling link, you will be providing your name, email, and meeting details to Calendly. That information is used to arrange the meeting and is stored in Calendly’s system. Calendly may send you notifications (e.g. confirmation emails) on our behalf. Calendly acts as a data processor for us, and we have an agreement in place to protect your data. (Calendly may also set functional cookies on our site to enable its widget, see our Cookie Policy.)
  • Hotjar: We use Hotjar on our website for analytics and user experience insights. Hotjar records anonymized information about how users interact with our site (e.g. clicks, scrolling, and basic technical info) to help us improve design and content. Hotjar may collect your IP address (which it stores in anonymized form) and set cookies to track sessions. All data is aggregated, and we do not receive personal identifiers in Hotjar reports. We only run Hotjar with your consent (it will not load if you decline analytics cookies). Hotjar acts as our processor and is GDPR-compliant; it does not share the data it collects with other parties.
  • HubSpot: We use HubSpot as a customer relationship management (CRM) and marketing automation platform. If you fill out forms on our website (such as a contact form or newsletter signup), your information may be stored in HubSpot. HubSpot helps us manage client relationships and send out communications. HubSpot sets analytics cookies on our site to track visitors and link form submissions to website activity (e.g. it uses cookies like __hstc and hubspotutk to recognize you and record visits). This helps us see, for example, if someone who filled a form had visited certain pages. We use such data to follow up on inquiries and tailor our responses. HubSpot operates as a processor for us, and data stored in HubSpot is protected under our Data Processing Agreement with them (including appropriate safeguards for international transfers, as HubSpot is a US-based company with EU data centers).
  • CookieYes: We use CookieYes (a consent management platform) to manage cookie consents on our website. When you visit our site, CookieYes displays our cookie banner and handles your consent preferences. CookieYes itself sets a necessary cookie (cookieyes-consent) to remember what choices you made for future visits. This cookie stores no personal information beyond your consent state. CookieYes may process minimal data (like an anonymized identifier or your IP for location to show the correct language/legal variant) solely for providing the consent service. We do not share your personal data with CookieYes beyond what is needed for the tool’s function.
  • Other Service Providers: We employ certain trusted third-party providers to support our business operations and services. These include:
    • IT and Cloud Services: e.g. Google Workspace for business email and document storage, Microsoft Clarity or other analytics (if used), and Cloudflare for website security and content delivery. Such providers may incidentally process technical data (like IP addresses or email content). Cloudflare, for example, may set security cookies to distinguish legitimate users from bots; these cookies are necessary for protection and do not store personal details.
    • Payment and Accounting Services: If applicable, accounting software or payment processors to invoice and receive payments from clients (these would process billing details, which typically contain business contact information).
    • Contractors and Consultants: We sometimes use vetted independent contractors (e.g. social media specialists or virtual assistants, possibly located in the Philippines or other countries) to help deliver our services. They may have access to certain personal data under our instruction and only as necessary (for example, a contractor might handle scheduling posts or moderating ads using client account access we provide). Such contractors are bound by confidentiality and data protection obligations.

Each service provider only receives the information necessary for their function and must contractually agree to protect it. We have Data Processing Agreements in place where required, ensuring they handle data with GDPR-level care.

  • Legal Disclosures: We may disclose personal data if required by law or a legal process, or if we believe in good faith that such disclosure is necessary to comply with a legal obligation, protect our rights or the rights of others, or investigate fraud or security issues. For example, we might have to provide information in response to a court order or an Information Commissioner’s Office (ICO) inquiry.

We will always aim to minimize the personal data we share and will never share more than is needed for the purpose. Whenever we share data with processors or third parties, we ensure there is a valid legal basis and, where applicable, appropriate safeguards (see Section 10 on international transfers). If you have questions about specific recipients of your data, you can contact us for more information.

9. Use of Cookies and Meta Business Tools

Cookies & Similar Technologies: Crimson Social uses cookies and similar tracking technologies on our website to provide and improve our services, subject to user consent where required. Cookies are small text files stored on your device when you load a website, which allow the site to recognize your browser and remember certain information. We categorize and manage cookies on our site by purpose (Necessary, Functional, Analytics, Marketing) – full details are provided in our Cookie Policy.

When you first visit our site, you will see a cookie consent banner (powered by CookieYes) that allows you to accept or reject non-essential cookies. We will not set analytics or marketing cookies unless you opt-in (consent). You can also manage your preferences at any time by using the “Cookie Settings” option on our site or clearing cookies in your browser. Please refer to our Cookie Policy for a list of specific cookies in use and their purposes.

Key cookies and tools we use include:

  • Meta (Facebook) Pixel: We utilize the Meta Pixel on our website. The Meta Pixel is a piece of code that, when embedded on a site, collects information about user interactions (such as pages viewed, links clicked, etc.) and sends it to Meta. This helps us measure the effectiveness of our Facebook/Instagram advertising campaigns, optimize ad delivery, and build custom advertising audiences. For example, if you visit key pages on our site or complete a form, the Pixel will report that event to Meta so we can potentially “re-target” you with relevant ads on Facebook/Instagram. Data Collected: The Pixel may collect data such as your device information, browser information, IP address, and browsing actions on our site. Some of this data (like a device ID or IP) could be considered personal data. Legal Basis: We only activate the Meta Pixel on our site with your consent (as a marketing cookie) because it is not strictly necessary. If you decline cookies, the Pixel will not track your visit. Data Sharing and Use: The information collected by the Pixel is shared with Meta Platforms, and Meta may combine it with your Facebook profile if you have one and are logged in. Meta uses the data for its own purposes, including improving its ad targeting and products. Under Meta’s Business Tools Terms, Crimson Social (as the website operator) and Meta are joint controllers for the collection and transmission of this data to Meta. Meta is an independent controller for processing it once received (e.g. associating it with ad performance or user profiles). We have accepted the relevant Controller Addendum with Meta which outlines each party’s responsibilities. In practical terms, Crimson Social is responsible for obtaining your consent for the Pixel and providing you with this notice, and Meta is responsible for its own compliance after the data is in its systems. 
    You can learn more about how Meta processes data in their Privacy Policy and how to opt out of targeted ads in your Facebook/Meta account settings.
  • Meta Conversions API: In addition to the Pixel, we may use Meta’s Conversions API (CAPI) in our advertising operations. The Conversions API allows us to send conversion events directly from our servers to Meta’s servers (rather than via the browser Pixel). This can improve tracking reliability (for instance, capturing a form submission event even if the browser blocked the Pixel). The types of data shared via CAPI can include similar information as the Pixel (event type, user device data, and potentially hashed user identifiers like email or phone if needed for matching). We use CAPI only to the extent necessary for campaign performance measurement, and always in accordance with Meta’s policies and applicable law. The legal and data sharing considerations are similar to the Pixel. If you opt out of the Pixel (marketing cookies), we will also disable corresponding CAPI data transmissions for those events.
  • Facebook Lead Ads: As noted in Section 5, we sometimes run lead-generation ads on Facebook/Instagram. When you (as a consumer) fill out a Facebook Lead Ad form to request information or an offer from us, that form may ask for your name, email, phone, or other details. That data is collected by Facebook and then passed directly to us through a secure interface. We use the information to follow up on your request (for example, contacting you about a property or our services). Lawful Basis: The information you provide in a lead ad is given by your consent (you choose to submit the form), and we receive it under the understanding that we will use it to respond to your inquiry or provide the service requested (which may also be seen as entering into a contract, depending on context). We do not use lead ad data for any purpose other than to contact you as requested and for internal analysis of ad performance. We store that data securely in our systems (or CRM) as we would other inquiry data. Facebook also retains a copy of the lead form submission in your Facebook account activity (for your records) and for their business purposes. Once we have the data, we handle it in line with this Privacy Policy. If you want to revoke a lead request, you can contact us to delete your information, and you may also manage your permissions via Facebook’s settings.
  • Other Third-Party Cookies/Tools: We also use other third-party tools on our site that involve cookies or tracking:
    • Hotjar Analytics: (Discussed above in Section 8) Hotjar sets cookies such as _hjSessionUser_{ID} (which persists a unique user ID for 365 days) and _hjSession_{ID} (which persists data for your current session) to aggregate usage statistics. These cookies help ensure that your site actions are attributed to the same user ID on return visits, enabling features like heatmaps and session recordings. Hotjar cookies are categorized as Analytics and are only set if you consent. All data collected through Hotjar is anonymized and used to improve our website’s usability.
    • HubSpot Cookies: HubSpot, as part of our site, sets several cookies to track visitors and sessions. Key HubSpot cookies include __hstc (the main tracking cookie, 6-month duration) and hubspotutk (keeps track of a visitor’s identity, 6-month duration). These allow us to recognize when a known contact (e.g., someone who has filled a form) returns to the site and to log their site usage in our CRM. We treat these as Analytics/Marketing cookies. They are not set without consent. HubSpot also sets some cookies for its functionality (like __hssc and __hssrc to manage session counts, and messagesUtk if we use a chat widget to remember you). The data from these cookies may be sent to HubSpot’s servers in the USA (with appropriate safeguards in place).
    • Calendly Embed: If we embed a Calendly scheduling widget on our site (for booking calls), Calendly may set cookies to enable that functionality. For example, Calendly uses a cookie like _cfuvid to maintain the consistency of the user’s session and preferences across page loads. We classify Calendly cookies as Functional, since they help provide a service you request (booking a meeting). They do not track you beyond our site and Calendly’s service. If you decline functional cookies, the Calendly widget will be blocked until you allow them (and you can always use the direct Calendly link as an alternative).
    • Cloudflare: Our site uses Cloudflare for security and performance (e.g., protecting against DDoS attacks and caching content). Cloudflare may place a cookie named __cf_bm (bot management cookie) which lasts for about 30 minutes. This cookie helps Cloudflare distinguish between legitimate users and bots to filter malicious traffic. It does not contain personally identifying information and is strictly necessary for security. We also use Cloudflare to serve our CookieYes script, which may involve Cloudflare setting a cookie to remember that you passed a CAPTCHA if one was presented (e.g., cf_clearance). These cookies are categorized as Necessary.

Important: For detailed information on each cookie and script used on our website (including the party setting it, purpose, and duration), please see our Cookie Declaration in our Cookie Policy. We regularly scan and update our cookie list to remain accurate. You can also find more information on how these third-party tools process data in their respective privacy policies (e.g., Meta’s Cookie Policy, HubSpot’s Privacy Policy, Hotjar’s Privacy Policy, etc.). By adjusting your cookie preferences on our site, you can control which of these tools remain active during your visit.

10. International Data Transfers

Crimson Social is based in the UK. However, the personal data we collect may be transferred or stored outside of the UK in certain circumstances, for example:

  • Service Providers Abroad: Some of our third-party processors are located in or use servers in other countries. For instance, Meta Platforms and Google are U.S.-based companies; HubSpot is U.S.-based (with EU data centres); our contractors in the Philippines may access data from their location. Whenever we transfer data internationally, we ensure appropriate safeguards are in place. These may include the UK’s International Data Transfer Agreement or Standard Contractual Clauses (SCCs) with the recipient, along with technical measures like encryption. This contractual framework obliges recipients to handle the data in compliance with UK-equivalent data protection standards.
  • Adequacy and Other Measures: Where a country has been officially recognized by the UK as providing an adequate level of data protection (currently, countries in the EEA are deemed adequate, and others may be added by the UK government), data may be transferred on that basis. For transfers to countries without an adequacy decision (e.g., United States prior to any UK-US adequacy arrangement), we rely on SCCs or the UK International Data Transfer Addendum, combined with risk assessments and security measures. We also monitor developments (such as the new EU-US/UK-US Data Privacy Framework) to update our compliance accordingly.
  • Meta Platforms: Data collected via Meta Pixel or lead ads may be stored on Meta’s servers in the United States or other locations. Meta has entered into the UK’s International Data Transfer Addendum to SCCs for UK data, ensuring a lawful transfer mechanism. Additionally, Meta applies supplemental measures as needed to protect data during transfer.
  • Cloud Services: Any data we store in cloud platforms (e.g., Google Cloud or Microsoft OneDrive) may be replicated to data centers outside the UK (often in the EEA or US). We only use reputable providers that have robust data protection and whose transfer mechanisms meet legal requirements.

You may contact us (see Section 14) if you have questions about our international data transfer safeguards or if you want to obtain a copy of the relevant contractual protections (SCCs/Addendum) in place.

11. Data Retention

We retain personal data only for as long as it is necessary to fulfill the purposes for which it was collected, or as required by law or legitimate business needs. Retention periods will vary depending on the type of data and the context:

  • Client Data: If you are a client, we will keep your personal and business data for the duration of our contractual relationship. After the contract ends, we may retain certain data for a further period as needed for legal, accounting, or reporting requirements. For example, we might keep contract and invoice information for at least 6 years to comply with tax and financial recordkeeping obligations.
  • Lead and Inquiry Data: If you contact us or submit an inquiry (but do not become a client), we will retain your information for as long as necessary to respond and follow up. We periodically review inquiries and purge personal data that is no longer needed. If you have given consent for marketing, we will retain your contact details until you unsubscribe or ask us to delete them. If we haven’t heard from you or seen engagement for a substantial time, we may also delete or anonymize your data as part of our regular clean-up.
  • Marketing Communications Data: Email subscription data is kept until you opt out (unsubscribe) or until it’s clear you’re inactive. Upon unsubscribe, we will stop sending and generally delete or anonymize your email data, except perhaps retaining minimal info on a suppression list to honour no-contact requests.
  • Website Analytics Data: Personal data collected via cookies is retained according to the cookie’s lifespan (see Cookie Policy). For instance, Google Analytics (if used) or Hotjar data may be retained for a certain number of months as configured. We ensure that analytics data is either not personally identifiable or is deleted when no longer needed. You can also clear cookies to remove that data from your own browser.
  • Social Media Account Credentials: Any client-provided credentials (e.g. for Facebook Ad Account access) are kept secure in an encrypted vault (like 1Password) and are accessible only to those who need them. We retain such credentials for as long as you are using our services and delete them if they become outdated or once our engagement ends.
  • Legal Requirements: In some cases, we must keep data for a fixed period by law. For example, records of financial transactions are generally kept for 6 years for tax purposes. Also, if a dispute or investigation is ongoing, we will retain relevant data until it is resolved.

After the applicable retention period, we will either delete the personal data or anonymize it (so it can no longer be associated with an individual). We have procedures to periodically review the data we hold and securely dispose of data that is no longer required. For example, we perform an annual audit to identify old client files or marketing lists that can be purged.

If you have any specific questions about retention for a particular type of data, feel free to contact us.

12. Data Security Measures

We take the security of personal data seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction. Key measures include:

  • Encryption and Access Control: Sensitive data (such as passwords or authentication tokens) is encrypted at rest and in transit whenever possible. We use reputable password management tools (e.g., 1Password) to store credentials securely. Access to personal data is restricted to authorized personnel who need it for their role. Each team member or contractor with access has unique login credentials, and multi-factor authentication is enabled on our critical systems (email, cloud storage, social media accounts, etc.) to prevent unauthorized logins.
  • Secure Infrastructure: Our website is hosted with modern security features – including SSL/TLS encryption (HTTPS) for all traffic, and services like Cloudflare to guard against malicious attacks (as noted, Cloudflare uses cookies and other techniques to mitigate bots and DDoS). We keep our website platform (CMS, plugins) up to date with security patches to reduce vulnerabilities.
  • Data Minimization: We collect and retain only the data that we need. By holding less data, we reduce the risk exposure. For example, we do not store credit card numbers, national ID numbers, or similar data, as we have no need for them. Any payment processing is handled by third-party providers so we never see full payment details.
  • Contracts and Due Diligence: With all our data processors and service providers, we have agreements that require them to protect your data. We choose reputable vendors with strong security track records. We also educate our staff and contractors on confidentiality and data protection best practices (and include confidentiality clauses in our contracts with them).
  • Backups and Recovery: We maintain secure backups of critical business information to ensure we can recover data in case of accidental loss or technical incidents. Backups are encrypted and stored either in the cloud or offsite. Access to backups is also restricted.
  • Monitoring and Testing: We monitor our systems for suspicious activity and have procedures to respond to potential security incidents. We employ anti-malware tools and firewall rules to protect our devices and accounts. Periodically, we review permissions and remove access that is no longer required. If we implement new technology, we assess its security implications first.

Despite all these measures, no method of transmission over the internet or electronic storage is 100% secure. We therefore cannot guarantee absolute security, but we continually evaluate and enhance our security measures to align with industry best practices.

Data Breach Response: In the unlikely event of a personal data breach (e.g., unauthorized access to our systems or accidental disclosure of personal data), we have a response plan in place. We will act promptly to contain the breach and mitigate harm. This includes identifying and fixing the root cause, informing affected individuals without undue delay if the breach is likely to result in a high risk to their rights, and notifying the ICO (UK Information Commissioner’s Office) within 72 hours when required by law. We will provide information on the nature of the breach, its impact, and what measures we have taken or will take to address it.

13. Your Data Protection Rights (UK GDPR)

Under UK data protection law, you have a number of important rights regarding your personal data. You can exercise these rights at any time by contacting us (see Section 14 for how). Your principal rights include:

  • Right to Be Informed: The right to be given clear and transparent information about how we process your data (which is the purpose of this Privacy Policy and related notices).
  • Right of Access: The right to request a copy of the personal data we hold about you, as well as information on how we use it. This is commonly known as a “Subject Access Request”. We will provide a copy of your data, in most cases free of charge, within one month (unless an extension or an exemption applies).
  • Right to Rectification: The right to have inaccurate personal data corrected or completed if it is incomplete. If you believe any information we hold about you is incorrect or outdated (for example, your contact details), please let us know and we will rectify it.
  • Right to Erasure: The right to request that we delete your personal data, also known as the “right to be forgotten”. You can ask us to erase data in certain circumstances – for instance, if it’s no longer needed for the purpose it was collected, or if you withdraw consent and we have no other lawful basis, or if you object to processing and we have no overriding legitimate grounds. Note that this right is not absolute; we may retain certain information if required (e.g., we cannot delete data we must keep by law, or we might decline a deletion request if the data is needed to establish or defend a legal claim). But we will inform you of the reason if we cannot fulfill a deletion request in full.
  • Right to Restrict Processing: The right to request that we restrict (pause) the processing of your data in certain situations. For example, if you contest the accuracy of the data, you can request we stop processing it (aside from storing it) until we verify its accuracy. Or if you object to our processing based on legitimate interests, you may request restriction while we consider your objection. When processing is restricted, we can store the data but not use it.
  • Right to Data Portability: The right to receive the personal data you provided to us in a structured, commonly used, machine-readable format, and to have that data transmitted to another controller where technically feasible. This right applies when processing is based on your consent or a contract and carried out by automated means. For example, if you requested it, we could export data you gave us to a CSV file for your reuse.
  • Right to Object: The right to object to certain types of processing. You have an absolute right to object to direct marketing – if you object, we will stop using your data for marketing purposes immediately. You also have the right to object to any processing based on legitimate interests or public task, on grounds relating to your particular situation. In such cases, we will stop processing unless we have compelling legitimate grounds that override your rights or the processing is for the establishment or defence of legal claims. For example, you can object to analytics tracking – if you do, we will disable such tracking for you (e.g., through our cookie management tool or other means).
  • Right to Withdraw Consent: If we rely on your consent for any processing, you have the right to withdraw that consent at any time. For instance, you can unsubscribe from our emails (withdraw consent to marketing), or adjust your cookie settings to withdraw consent for analytics/marketing cookies. Withdrawing consent will not affect the lawfulness of any processing done before the withdrawal. If you withdraw consent, we will cease the relevant processing activities.
  • Rights related to Automated Decision-Making: We do not make any decisions about you that have legal or similarly significant effects based solely on automated means (with no human involvement). In the event we ever implement automated decision-making or profiling, you would have rights to request human intervention, express your point of view, and contest the decision.

Exercising Your Rights: You can exercise any of these rights by emailing us at dpo@crimsonsocial.co.uk. We may need to verify your identity to ensure we do not disclose data to an unauthorized person (we might ask for certain information or identification as confirmation). We will respond to your request as soon as possible, and within one month at most. For complex or numerous requests, we may extend the period by up to two further months, but we will inform you and explain why if an extension is needed. In general, we will not charge a fee for handling your request. However, if a request is manifestly unfounded or excessive (for example, repetitive), we may charge a reasonable fee or refuse to act on it – but we will provide an explanation in such cases.

We encourage you to contact us to address any concerns or questions about how we handle your data. Your rights are important to us, and we will facilitate their exercise to the fullest extent possible.

14. Contact Us and Complaints

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Data Protection Officer (DPO):

Email: dpo@crimsonsocial.co.uk

Postal Address: Data Protection Officer – Crimson Social Marketing Ltd, 167-169 Great Portland Street, Fifth Floor, London, Greater London, England, W1W 5PF

We will do our best to address and resolve any issues you bring to our attention. Your feedback is welcome and helps us improve our practices.

Complaints: If you are dissatisfied with our response or have concerns about how we are handling your personal data, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO), which is the supervisory authority for data protection in the UK. You can contact the ICO or find more information on their website. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please consider reaching out to us first.

  • ICO Website: https://ico.org.uk/make-a-complaint/
  • ICO Telephone: +44 (0)303 123 1113

The ICO can provide guidance and may investigate your complaint if appropriate. There is no charge for filing a complaint with the ICO.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we update the policy, we will revise the “Last Updated” date at the top. For significant changes, we may also provide a more prominent notice (such as a statement on our website or an email notification). We encourage you to review this Policy periodically to stay informed about how we are protecting your data.

If we intend to process your personal data for a new purpose that is not covered by this Policy, we will provide you with a new notice explaining that purpose, the lawful basis, and any other relevant information before commencing the processing.

Thank you for reading our Privacy Policy. We value your trust and are committed to protecting your personal data. If you have any questions or need further clarification, please do not hesitate to contact us.

For platform-specific advertising terms, see our Meta Advertising Service Terms.