1. Introduction
Unknown Studio Ltd. ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our website, engage our services, or interact with us.
We are a branding, UX/UI design, and Webflow development agency specialising in intelligent experiences that combine design, technology, and automation.
Company Details:
This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Information We Collect
We collect and process the following types of personal data:
2.1 Information You Provide Directly
Contact Forms:
- Name
- Email address
- Subject line
- Message content
Newsletter Subscriptions:
- Email address
- Subscription preferences
Client Project Work:
- Business information
- Brand assets and files
- Project specifications and requirements
- Communication records
Payment Information:
- Billing details (processed securely via Stripe or bank transfer)
- We do not store full payment card details on our servers
2.2 Information Collected Automatically
Website Usage Data:
- IP address
- Browser type and version
- Device information
- Pages visited and time spent
- Referring website
- Geographic location (country/city level)
Cookies and Tracking Technologies:
- Google Analytics cookies (to analyse website traffic and user behaviour)
- Meta (Facebook) Pixel (to measure advertising effectiveness)
We use both session cookies (temporary) and persistent cookies (remain after you close your browser).
2.3 Communication Records
- Email correspondence
- Slack messages
- WhatsApp Business communications
- Zoom meeting recordings (stored on Zoom's cloud infrastructure)
3. How We Use Your Information
We process your personal data for the following purposes:
3.1 Service Delivery
- To provide branding, UX/UI design, and Webflow development services
- To deliver intelligent experiences including automation and AI-enhanced solutions
- To communicate about projects and deliverables
- To manage project workflows and timelines
3.2 Business Operations
- To respond to enquiries and provide customer support
- To process payments and maintain financial records
- To improve our website and services
- To manage client relationships through our CRM systems
3.3 Marketing and Communications
- To send newsletters (with your consent)
- To share relevant updates about our services
- To send occasional marketing communications (you can opt out at any time)
3.4 Legal and Compliance
- To comply with legal obligations
- To protect our rights and interests
- To prevent fraud and ensure security
3.5 Analytics and Improvement
- To analyse website traffic and user behaviour
- To understand how visitors interact with our content
- To optimise user experience and website performance
Legal Basis for Processing:
- Contract performance (when providing services)
- Legitimate interests (business operations, analytics, marketing)
- Consent (newsletter subscriptions, non-essential cookies)
- Legal obligation (tax records, regulatory compliance)
4. AI and Intelligent Experiences
As part of our intelligent experiences services, we may use artificial intelligence tools and automation platforms to enhance our work and your project outcomes.
AI Tools We Use:
- ChatGPT (OpenAI)
- Claude (Anthropic)
- Gemini (Google)
Automation Platforms:
How We Use AI:
- To generate design concepts and variations
- To analyse user research and data
- To optimise workflows and processes
- To enhance content creation and copywriting
Your Data and AI:
- We may input project briefs and requirements into AI tools to generate ideas and solutions
- We do not train AI models on your confidential or proprietary data
- Any AI-generated outputs are reviewed and refined by our team before delivery
- We maintain human oversight of all AI-assisted work
If you have specific concerns about AI usage in your project, please contact us to discuss alternative approaches.
5. Third-Party Services and Data Sharing
We work with trusted third-party service providers to operate our business. Your data may be processed by:
Analytics and Tracking:
- Google Analytics (website analytics)
- Meta/Facebook Pixel (advertising measurement)
Communication and Collaboration:
- Google Workspace (email and file storage)
- Slack (team communication)
- WhatsApp Business (client communication)
- Zoom (video meetings and recordings)
Project Management:
- ClickUp (project tracking and workflow management)
Payment Processing:
- Stripe (card payments - see Stripe's privacy policy)
- UK bank transfers (processed through our bank)
Website Infrastructure:
- Webflow (website hosting and forms)
CRM Systems (when implemented):
- HubSpot or Pipedrive (customer relationship management)
Client File Storage:
- Google Drive (secure cloud storage)
These third parties are contractually obligated to protect your data and use it only for the purposes we specify. We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
6. International Data Transfers
We work with clients globally. Some of our service providers (such as Google, Stripe, Zoom, Slack, and AI platforms) are based in the United States and other countries outside the UK and European Economic Area (EEA).
When we transfer your data internationally, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by UK authorities
- Adequacy decisions recognising equivalent data protection standards
- Service provider certifications and security commitments
These measures ensure your data receives equivalent protection regardless of where it's processed.
7. Cookies and Tracking Technologies
7.1 What Are Cookies?
Cookies are small text files stored on your device when you visit our website. They help us understand how you use our site and improve your experience.
7.2 Types of Cookies We Use
Essential Cookies (Always Active):
- Required for basic website functionality
- Enable core features like security and accessibility
- Cannot be disabled without affecting site performance
Analytics Cookies:
- Google Analytics (tracks visitor behaviour and site performance)
- Helps us understand which content is most valuable
- Allows us to improve user experience
Marketing Cookies:
- Meta/Facebook Pixel (measures advertising effectiveness)
- Helps us understand which marketing channels drive website visits
- Enables retargeting to show relevant ads
7.3 Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to:
- View and delete cookies
- Block third-party cookies
- Block all cookies (may affect website functionality)
Browser Cookie Settings:
- Chrome: Settings > Privacy and Security > Cookies
- Firefox: Settings > Privacy & Security > Cookies
- Safari: Preferences > Privacy > Cookies
- Edge: Settings > Privacy & Security > Cookies
To opt out of Google Analytics: Google Analytics Opt-out Browser Add-on
8. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this policy.
Retention Periods:
- Contact form submissions: 2 years from last contact
- Newsletter subscriptions: Until you unsubscribe
- Client project files: 3 years after project completion (industry standard for portfolio and reference purposes)
- Email correspondence: 5 years (for business records and dispute resolution)
- Payment records: 7 years (UK tax law requirement)
- Website analytics: 26 months (Google Analytics default)
- Meeting recordings: 90 days (Zoom cloud storage default)
After these periods, data is securely deleted or anonymised. You may request earlier deletion by contacting us.
9. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
9.1 Right of Access
Request a copy of the personal data we hold about you.
9.2 Right to Rectification
Request correction of inaccurate or incomplete data.
9.3 Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data in certain circumstances.
9.4 Right to Restrict Processing
Request that we limit how we use your data.
9.5 Right to Data Portability
Receive your data in a structured, commonly used format.
9.6 Right to Object
Object to processing based on legitimate interests or for direct marketing.
9.7 Rights Related to Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects.
To Exercise Your Rights: Email us at hello@madebyunknown.com with your request. We will respond within one month.
10. Marketing Communications
10.1 Newsletter and Updates
If you subscribe to our newsletter, we will send you:
- Design insights and articles
- Company updates and announcements
- Relevant industry news
Unsubscribe: Click the "unsubscribe" link in any email or email hello@madebyunknown.com with "UNSUBSCRIBE" in the subject line.
10.2 Client Communications
Occasionally, we may contact existing or past clients with:
- Service updates
- New offerings that may interest you
- Industry insights relevant to your business
Opt Out: Reply to any email with "OPT OUT" or contact hello@madebyunknown.com to update your preferences.
We do not share your email address with third parties for their marketing purposes.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction.
Security Measures Include:
- Encrypted data transmission (SSL/TLS)
- Secure password-protected systems
- Regular security assessments
- Access controls and authentication
- Secure cloud storage (Google Drive with encryption)
- Regular backups
- Staff training on data protection
Payment Security:
- Payment card details are processed securely via Stripe (PCI DSS compliant)
- We do not store full card details on our servers
- Bank transfers are processed through secure banking infrastructure
While we strive to protect your data, no internet transmission is completely secure. You share information at your own risk.
12. Children's Privacy
Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we discover we have inadvertently collected data from a child, we will delete it promptly.
If you believe we have collected information from a child, please contact us immediately.
13. Links to Other Websites
Our website may contain links to third-party websites, social media platforms, or external resources. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.
14. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or business operations. When we make significant changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify you via email (if you're subscribed to our communications)
- Display a notice on our website
We encourage you to review this policy regularly to stay informed about how we protect your data.
15. Contact Us and Complaints
15.1 Privacy Questions
If you have questions about this Privacy Policy or how we handle your data, please contact us:
Email: hello@madebyunknown.com
Company Name: Unknown Studio Ltd.
Company Registration Number: 16823705
15.2 Complaints
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
We would appreciate the opportunity to address your concerns before you contact the ICO, so please contact us first if possible.
16. Legal Framework
This Privacy Policy is governed by and operates under:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations (PECR)
Consent and Acknowledgment
By using our website and services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein.
17. Data Processing Agreement
17.1 Introduction to Data Processing
When Unknown Studio Ltd. provides services that involve processing personal data on behalf of our clients (the "Data Controller"), this Data Processing Agreement ("DPA") governs our relationship and responsibilities under UK GDPR.
This DPA applies when we:
- Build or maintain systems that collect end-user data for clients
- Access client customer databases or CRM systems
- Implement analytics, tracking, or automation that processes customer information
- Handle any personal data belonging to the client's customers, employees, or users
17.2 Definitions
For the purposes of this DPA:
"Data Controller" means the client who determines the purposes and means of processing personal data.
"Data Processor" means Unknown Studio Ltd., who processes personal data on behalf of the Data Controller.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
"Sub-processor" means any third party appointed by Unknown Studio Ltd. to process personal data on behalf of the Data Controller.
"Data Subject" means the individual whose personal data is being processed.
17.3 Roles and Responsibilities
Data Controller Responsibilities:
- Determine the lawful basis for processing personal data
- Ensure data subjects are informed about data processing activities
- Obtain necessary consents from data subjects where required
- Provide clear instructions to Unknown Studio Ltd. regarding data processing
- Ensure compliance with data protection laws in their jurisdiction
Data Processor Responsibilities (Unknown Studio Ltd.):
- Process personal data only on documented instructions from the Data Controller
- Ensure staff processing personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Assist the Data Controller in responding to data subject requests
- Notify the Data Controller of any personal data breaches without undue delay
- Delete or return all personal data at the end of service provision (unless legally required to retain)
17.4 Data Processing Instructions
Unknown Studio Ltd. will process personal data only:
- As necessary to provide the agreed services
- In accordance with written instructions from the Data Controller
- In compliance with applicable data protection laws
Any processing outside these instructions requires prior written authorisation from the Data Controller.
17.5 Security Measures
Unknown Studio Ltd. implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
Technical Measures:
- Encryption of data in transit and at rest
- Secure access controls and authentication
- Regular security testing and vulnerability assessments
- Secure backup and disaster recovery procedures
- Firewalls and intrusion detection systems
Organisational Measures:
- Staff training on data protection and security
- Confidentiality agreements with all personnel
- Access limitation on a need-to-know basis
- Regular review and update of security policies
- Incident response and breach notification procedures
17.6 Sub-processors
Unknown Studio Ltd. may engage the following categories of sub-processors:
Current Sub-processors:
- Google Workspace (email and cloud storage)
- Webflow (website hosting)
- ClickUp (project management)
- Stripe (payment processing, when applicable)
- Zoom (video conferencing and recordings)
- Slack (team communication)
- Make, Zapier, or n8n (automation platforms)
AI and Machine Learning Sub-processors:
- OpenAI (ChatGPT)
- Anthropic (Claude)
- Google (Gemini)
The Data Controller provides general authorisation for Unknown Studio Ltd. to engage these sub-processors. Unknown Studio Ltd. will:
- Enter into written agreements with sub-processors imposing equivalent data protection obligations
- Remain liable for the acts and omissions of sub-processors
- Notify the Data Controller of any intended changes to sub-processors with reasonable notice (minimum 14 days)
- Provide the Data Controller the opportunity to object to new sub-processors
17.7 Data Subject Rights
Unknown Studio Ltd. will assist the Data Controller in fulfilling data subject rights requests, including:
- Right of Access: Providing information about data processing
- Right to Rectification: Correcting inaccurate data
- Right to Erasure: Deleting personal data when requested
- Right to Restriction: Limiting processing in certain circumstances
- Right to Data Portability: Providing data in a structured format
- Right to Object: Stopping certain types of processing
Unknown Studio Ltd. will respond to such requests within 5 business days of receiving instructions from the Data Controller.
17.8 Data Breach Notification
In the event of a personal data breach, Unknown Studio Ltd. will:
- Notify the Data Controller without undue delay and within 24 hours of becoming aware
- Provide the following information:
  - Nature of the breach
  - Categories and approximate number of data subjects affected
  - Categories and approximate number of personal data records affected
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach
- Cooperate with the Data Controller in investigating and mitigating the breach
- Document all data breaches and make this documentation available to the Data Controller
17.9 Data Protection Impact Assessments and Audits
Data Protection Impact Assessments (DPIAs): Unknown Studio Ltd. will assist the Data Controller in conducting DPIAs where processing is likely to result in high risk to data subjects' rights and freedoms.
Audits: The Data Controller has the right to audit Unknown Studio Ltd.'s compliance with this DPA:
- Audits may be conducted annually or following a data breach
- The Data Controller must provide 14 days' notice
- Audits must be conducted during normal business hours
- The Data Controller will bear the cost of audits (unless a breach is discovered)
- Unknown Studio Ltd. will make all relevant information available and cooperate fully
17.10 International Data Transfers
When Unknown Studio Ltd. transfers personal data outside the UK or EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use UK-approved SCCs with international sub-processors
- Adequacy Decisions: We rely on adequacy decisions where applicable
- Additional Safeguards: We implement supplementary measures as required by UK GDPR
The Data Controller acknowledges that certain sub-processors (including AI platforms and cloud services) may process data outside the UK/EEA.
17.11 Data Retention and Deletion
Retention: Unknown Studio Ltd. will retain personal data only for as long as:
- Required to provide the agreed services
- Instructed by the Data Controller
- Required by law
Deletion or Return: Upon termination of services or at the Data Controller's request, Unknown Studio Ltd. will:
- Delete or return all personal data to the Data Controller
- Delete existing copies (unless legal retention is required)
- Certify in writing that deletion has been completed
- Complete deletion within 30 days of termination or request
Exceptions: Data may be retained where required by applicable law, provided it is securely isolated and protected from further processing.
17.12 Limitation of Liability
Unknown Studio Ltd.'s total liability under this DPA is limited to the fees paid for services in the 12 months preceding the claim, except for:
- Gross negligence or wilful misconduct
- Breaches of confidentiality obligations
- Data breaches resulting from failure to implement appropriate security measures
- Liability that cannot be limited by law
17.13 Term and Termination
This DPA:
- Commences when Unknown Studio Ltd. begins processing personal data on behalf of the Data Controller
- Continues for the duration of the service agreement
- Survives termination regarding data deletion and confidentiality obligations
Either party may terminate if the other materially breaches this DPA and fails to remedy within 30 days of written notice.
17.14 Governing Law
This DPA is governed by the laws of England and Wales. Any disputes will be subject to the exclusive jurisdiction of the courts of England and Wales.
17.15 Contact for Data Processing Matters
For all matters relating to this DPA, please contact:
Unknown Studio Ltd.
Email: hello@madebyunknown.com
17.16 Amendments
This DPA may be amended:
- To reflect changes in data protection laws
- With mutual written agreement of both parties
- With 30 days' written notice from Unknown Studio Ltd. for administrative updates
Material changes require the Data Controller's written consent.
17.17 Acknowledgement
By engaging Unknown Studio Ltd. for services involving personal data processing, the Data Controller acknowledges:
- They have read and understood this DPA
- They authorise Unknown Studio Ltd. to process personal data as described
- They accept the terms and obligations outlined herein
- They will provide clear processing instructions and lawful basis documentation
Unknown Studio Ltd. | Company Registration Number: 16823705