Privacy Policy


The privacy and security of your information is extremely important to us. This policy is intended to give you a clear view of what data we collect, how we use it, how long we keep it for and how we get rid of it, so you can be confident in submitting data when dealing with us.

We’ll keep this page updated to show you what we do with your personal data. This policy applies to you if you visit our website, use any of our services, email us, contact us or visit our premises.

We will never sell your personal data and we will only share it with other organisations we work with to deliver the services we provide where they have shown they’ll respect your privacy and security.

Who are We?

Throughout this document when you see the words ‘us’, ‘we’ and ‘our’ this is referring to Design33 Ltd.

We are a limited company, registered in Scotland, our registration number is SC520101 and our registered office is 24a Ainslie Place, Edinburgh, Scotland, EH3 6AJ. Our place of business is The Breakfast Mission, 15 Old Fishmarket Close, Edinburgh, Scotland, EH1 1AE.

We have a secondary office at Office 3.3, The Flour Mill, 34 Commercial Street, Dundee, DD1 3EJ

Our ICO Data Controller registration number is ZA271843

We are a web design company who carries out the design and development of websites, web apps and related services. We collect personal data to allow us to maintain our own records and accounts and to also support our staff.

If you have any questions regarding this privacy policy you should contact The Data Protection Officer, Design33 Ltd, The Breakfast Mission, 15 Old Fishmarket Close, Edinburgh, EH1 1RW.

What Personal Data do we collect?

Personal data is any data which may identify you, or be identified as relating to you. For example, your name, address, phone number and email address. We will sometimes need to collect this information. We will only collect the personal data we need.

We collect data in connection with projects we might be working on, services you have hired us to deliver or projects we are working on with others.

You can give us personal data in various ways. You can submit personal data through forms on our website, you can phone us, you can email us or you can visit our premises.

This personal data may include name, title, address, date of birth, age, gender, employment status, email address, phone numbers, personal description, photographs, usernames, passwords, databases.

Personal Data that is provided by you

This data includes information you give us when interacting with us, for example, you filling out a contact form, a Needs Analysis form, registering as a client with us, placing an order or communicating with us. For example :

  • Personal details – name, address, phone number, email address and so on
  • Financial details – bank name, bank address, bank account number and SORT code
  • Technical information used in projects – usernames, passwords, databases, concepts, logos, drawings, designs, documents, spreadsheets and so on
  • Technical information about your visit – Internet protocol address, login information, browser type and version, time zone settings, operating system and version, platform used to access the website
  • Information about your visit – full URL and query string, pages you viewed on our website, length of visit to pages on our website and any search terms you used to find our website.

Personal Data created by your involvement with us

Your activities and involvement with us will generate personal data being created. This could include project details, documentation and so on.

During the course of a web design project we will generate a great deal of personal data. Depending on the project, we may be generating company branding, personas, designs, websites, login systems, membership platforms, e-commerce systems, database systems and content management systems.

How we use your Personal Data

We will only use your personal data on relevant lawful grounds, as permitted by the EU General Data Protection Regulation (from 25th May 2018)/UK Data Protection Act and Privacy of Electronic Communication Regulation.

Personal data provided to us will be used for the purposes of carrying out our business as web designers, in a transparent manner, in accordance with any preferences you express. Below we have listed the main uses of the data we collect from you :


We deliver services associated with web design and web development. If you have hired us to provide these services, we will need to collect personal data from you to carry out these services. This may include name, address and phone number, but also more technical data like databases, usernames, passwords and previous versions of systems.


We are required by law to keep accurate and up to date accounts of our business transactions. When you interact with us you may be added to our accounting system.


We occasionally run marketing campaigns. We will always ask for your consent before sending you any marketing material.

Recruitment and Employment

If you become employed by us, we will ask you for personal data, perhaps including ‘sensitive personal data’. Such data may include but is not limited to health information or information relating to criminal convictions. We store this data in a third-party HR system. As employers we have sets of responsibilities to your data. We have contractual responsibilities which arise from our contract of employment with you, outlining data relating to payroll, bank details, addresses, sickness and absence. We also have statutory responsibilities imposed upon us by law relating to tax, national insurance, work permits and equal opportunities monitoring. Internally, we also have management responsibilities, which are necessary for the functioning of the business. This includes data relating to employment, training, absence, disciplinary matters, email and phone number.

Disclosure of Personal Data to other bodies

In order to carry out the running of our business day to day and fulfil the requirements of the projects we work on, we sometimes need to disclose your data to other bodies or third party suppliers.

These other bodies may be sub contractors, systems we use, online applications allowing us to meet project requirements and so on. You can find a list of third-party suppliers here.

How can I change my preferences

You can contact us at any time to change or discuss your privacy preferences. Contact us using the details below:

Call us: 0131 605 3833 (hours are 9.30am to 5.30pm Monday to Friday)

Write to us:


The Breakfast Mission

15 Old Fishmarket Close



Email us : [email protected]

Your Rights under GDPR

Under the GDPR, where we are using your data under consent, you have the right to withdraw that consent at any time. You also have the right to ask us to stop using your personal data for marketing purposes. Please contact us using the details above if you would like to do this.

Subject Access Requests

If you would like to make a Subject Access Request, you can do so using this form. Please note, there is no charge for making this request, although you will be asked to verify your identity. We will respond within 30 days of receiving your request and verifying your identity.

What to do if you’re not happy

Please contact us in the first instance if you feel unhappy regarding any issues around the use of your personal data. We would welcome the opportunity to resolve any problem or query you have. You also have the right to contact the Information Commissioners Office (ICO). You can contact them via their website here :

Keeping your information

If you have submitted any information through our website forms, we will keep this data for 30 days, then automatically delete it from our website and website database. We keep email data and project files for 7 years, keeping us in line with any potential audit by HMRC where we may need to produce evidence of work carried out. You can read more about how we store and delete your personal data by asking for a copy of our data retention policy and data deletion policy.

How we secure your data

Information systems and data security is imperative to us to ensure that we are keeping your data safe. We operate and implement robust procedures for managing your data, the hardware it is present on. We only host your personal data with suppliers who have confirmed that they take your personal data security as a priority and we regularly assess these suppliers as the threat landscape changes.

Staff are given mandatory annual, information security training.

Internally we utilise password managers so your passwords can be shared securely, we use and enforce strong passwords and where we store your data we encrypt it if possible and make sure that the suppliers we use have robust attitudes to privacy and data security.

Disclosure of Information

Sometimes, when working on projects, we have to share your data with sub-contractors or other people working on the project. When we are sharing the data, we will always do so in such a way that access can be revoked again.

Who will see your data?

When you submit your data to us, we might disclose it to parties as part of our normal project workflow. These parties may include :

  • Our employees
  • Contractors we work with
  • Service providers providing services to us
  • Advisors
  • Agents

We may also disclose your information to third parties if we are compelled to by law or to comply with any legal obligation.

Storage of Information

Design33 is based in the UK and as such, the majority of our hosting services are also based in the UK. Some of the other data storage services we use are located in the European Union region. We do not collect or store payment information and we do not transmit your data outside the European Union.


To process payments, we use Stripe, which is connected to our accounting software Xero. We do not store your card details and we use an off-site version of Stripe. When you input your card details, you are communicating directly with our payment provider, Stripe.


Our office premises are covered by CCTV and you may have been recorded when you visited them. CCTV is used to provide security and protect both our staff and visitors. CCTV is only viewed when required and footage is stored for a set period of time, then over-written.

The UK Leaving the EU In a No Deal Brexit Scenario

In preparation for the UK leaving the EU without a deal, we have contacted Google Cloud, as we store data on their servers – specifically Google Drive data in the form of project work and project archives. Your data, when handled by us continues to be covered this privacy policy and our other relevant data protection documents, but the links below outline how your data is handled by Google, when acting as Processor, and transmitting your data back from the EEA to our computers in the UK.

We have requested that Google only host our data on their European data storage facilities.

In a communication to us on 23.10.2019 Google Cloud Support said :

Currently, some G Suite data storage facilities are located in countries [1] outside the European Economic Area. Google offers a data processing amendment[2] and EU model contract clauses[3] in order to facilitate customer compliance with applicable regulatory requirements regarding international data transfers.

You may opt-in to these agreements via an online process described here [4]:

The G Suite agreement is designed to be applicable worldwide. Google makes available a data-processing amendment [2] and model contract clauses [3] as a further means of meeting the adequacy and security requirements of the [General Data Protection Regulation, GDPR] European Parliament and the Council of the European Union Data Protection Directive [5]






In line with item number [4] in their communication, we have opted in to Google’s Data Processing Amendment to G Suite and/or Complementary Product (e.g. Cloud Identity) Agreement and EU Model Contract Clauses for G Suite.

Changes to this policy

We will amend this privacy policy from time to time, ensuring that it stays up to date. Please visit our website to keep up with any changes we make. The most up to date version will always be posted on our website.

This privacy policy was last updated on 24th October 2019.