GDPR Compliance
Last updated: April 28, 2026
Forged In Frames is committed to full compliance with the General Data Protection Regulation (GDPR) and the protection of your personal data. This page outlines our compliance framework, your rights, and how we safeguard your information.
01. Data Controller
For the purposes of the UK General Data Protection Regulation (UK GDPR) and applicable data protection laws, the Data Controller is:
Company: Forged In Frames
Email: info@forgedinframes.com
Phone: 07438 532871
Location: United Kingdom
We are committed to protecting the privacy and security of your personal data in compliance with the UK GDPR and all applicable data protection laws.
02. Lawful Basis
We process personal data under the following lawful bases as defined in Article 6 of the UK GDPR:
- Consent: Marketing communications and newsletter subscriptions, non-essential cookies and tracking technologies, and portfolio usage of client images. You have the right to withdraw consent at any time.
- Contract: Service delivery including photography and videography projects, booking management, payment processing, client communications related to active projects, and delivery of final media products.
- Legal Obligation: Tax and accounting record-keeping (retained for 7 years as required by law), compliance with regulatory requests and court orders, and fraud prevention.
- Legitimate Interests: Website analytics and improvement, direct marketing to existing clients (soft opt-in), network and information security, and business administration.
03. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data. We will respond to any request within one (1) month.
- Right to Access: Obtain confirmation of whether we process your personal data and, if so, access to that data and information about how it is processed.
- Right to Rectification: Request correction of inaccurate or incomplete personal data without undue delay.
- Right to Erasure (Right to be Forgotten): Request deletion of your personal data when the data is no longer necessary, you withdraw consent, or the data has been unlawfully processed.
- Right to Restrict Processing: Restrict processing of your data in certain circumstances, including when you contest the accuracy of the data or object to processing.
- Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format and transmit that data to another controller.
- Right to Object: Object to processing based on legitimate interests or direct marketing. We will cease processing unless we demonstrate compelling legitimate grounds.
To exercise any of these rights, contact us at info@forgedinframes.com. We may require proof of identity before processing your request.
04. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Client Project Data: Retained for the duration of the client relationship plus seven (7) years. Retention is necessary for tax, accounting, and legal compliance. After this period, data is securely deleted or anonymised.
- Communications: Email and inquiry records retained for two (2) years after last contact.
- Marketing Data: Retained until consent is withdrawn or you request deletion.
- Website Analytics: Anonymised analytics data retained for twenty-six (26) months.
- Payment Information: We do not store credit card or payment details. Payment processing data is handled by our PCI-compliant payment processor.
When the retention period expires, personal data is securely deleted using industry-standard methods.
05. Data Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit and at rest
- Secure storage with access controls and authentication
- Limited access to personal data on a need-to-know basis
- Regular security assessments
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours, as required by the UK GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay.
06. Third-Party Services
We may share your personal data with trusted third-party service providers who assist us in operating our business, including:
- Stripe for secure payment processing
- Hosting providers for website and data storage
- Analytics providers for website analysis
We require all third-party service providers to implement appropriate data protection measures and process personal data only in accordance with our instructions.
We do not sell your personal data to third parties.
07. International Transfers
Your personal data may be transferred to and processed in countries outside the United Kingdom. When we transfer your data internationally, we ensure appropriate safeguards are in place in accordance with the UK GDPR, including:
- Adequacy regulations for certain countries
- Standard Contractual Clauses (SCCs) as approved by the ICO
- Supplementary measures including technical encryption and access controls
You have the right to request a copy of the applicable safeguards by contacting us.
08. Cookies
Our website uses cookies and similar tracking technologies for the following purposes:
- Functionality: Essential cookies required for the website to operate properly
- Performance: Improve website speed and user experience
You can manage cookie preferences through your browser settings. Please note that disabling certain cookies may affect website functionality.
09. Complaints
If you have concerns about how we handle your personal data, we encourage you to contact us first so we can resolve the matter directly:
Email: info@forgedinframes.com
We will investigate and respond to your complaint within 30 days.
If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Helpline: 0303 123 1113
We will cooperate fully with any regulatory investigation.
10. Updates
This GDPR Compliance Policy is reviewed and updated regularly to ensure ongoing compliance with data protection regulations.
Changes to this policy will be communicated via our website. We encourage you to review this page periodically for the latest information on our GDPR compliance practices.
This policy was last updated on April 28, 2026.
Previous versions of this policy are available upon request.