Privacy Policy
Last updated: 9 July 2025
1. Who We Are
Flwstate Media ("we", "us", "our") is a remote digital studio providing web design, AI & automation consultancy, content creation, app development, SaaS development, social media marketing, financial modelling, business planning, and go-to-market strategy services to clients worldwide.
Data Controller:
Flwstate Media
Email: hello@flwstatemedia.com
Website: flwstatemedia.com
For all data protection enquiries, contact us at: hello@flwstatemedia.com
We are a business-to-business and business-to-consumer digital services provider. The majority of personal data we process relates to prospective and active clients, website visitors, and business contacts, not end-consumer audiences on behalf of clients (see Section 10 for how client projects are handled).
2. Scope of This Policy
This Privacy Policy applies to:
- Personal data collected through our website at flwstatemedia.com (and any subdomains)
- Personal data collected through our contact forms, booking systems, and direct communications
- Personal data processed as part of our service delivery to clients
- Personal data collected via our social media profiles (Instagram: @flwstate_media; LinkedIn: /company/flwstate)
This policy does not govern the privacy practices of third-party websites, tools, or client websites that we build, those are governed by their own separate privacy policies.
3. The Data We Collect and Why
We only collect personal data that is adequate, relevant, and limited to what is necessary for the stated purpose (the data minimisation principle under GDPR Article 5(1)(c)).
3.1 Data You Provide Directly
| Data | How Collected | Purpose | Legal Basis |
|---|---|---|---|
| Full name | Contact form, booking system | To identify you and address you appropriately | Legitimate interests (Art. 6(1)(f)) |
| Email address | Contact form, booking system, direct email | To respond to enquiries, deliver services, send project communications | Legitimate interests / Contract (Art. 6(1)(b) & (f)) |
| Company name | Contact form | To understand the nature of your business and scope services | Legitimate interests (Art. 6(1)(f)) |
| Service interest | Contact form dropdown | To route your enquiry to the appropriate service offering | Legitimate interests (Art. 6(1)(f)) |
| Budget range | Contact form dropdown | To understand project scope and prepare appropriate proposals | Legitimate interests (Art. 6(1)(f)) |
| Message content | Contact form / email | To understand your needs and respond meaningfully | Legitimate interests (Art. 6(1)(f)) |
| Preferred meeting time | Cal.com booking widget | To schedule a discovery call | Contract performance (Art. 6(1)(b)) |
3.2 Data Collected Automatically
When you visit our website, the following may be collected automatically by us or our technology providers:
| Data | Source | Purpose | Legal Basis |
|---|---|---|---|
| IP address | Web server / hosting provider | Security, fraud prevention, geographic analytics | Legitimate interests (Art. 6(1)(f)) |
| Browser type & version | Server logs / analytics | Performance optimisation and compatibility | Legitimate interests (Art. 6(1)(f)) |
| Pages visited & session duration | Analytics tools | Understanding how visitors use our site so we can improve it | Legitimate interests (Art. 6(1)(f)) |
| Referring URL | Analytics tools | Understanding traffic sources | Legitimate interests (Art. 6(1)(f)) |
| Device type | Analytics tools | Mobile/desktop optimisation | Legitimate interests (Art. 6(1)(f)) |
| Timezone | Cal.com widget | To display available booking slots in your local time | Functional necessity |
3.3 Data We Do NOT Collect
We do not collect or process:
- Special category data (health, biometric, genetic, racial, religious, political, or sexual orientation data), Article 9 GDPR
- Data from individuals we know to be under 16 years of age
- Payment card or banking details (all billing is handled via third-party invoicing tools; we do not store financial credentials)
- Data through any covert tracking, fingerprinting, or surveillance methods
4. Legal Bases for Processing
Under GDPR Article 6, we rely on the following lawful bases:
4.1 Legitimate Interests (Article 6(1)(f))
We process most enquiry and contact data under legitimate interests, specifically, our interest in responding to business enquiries, managing client relationships, and operating our business effectively. We have conducted a legitimate interests assessment (LIA) and concluded that:
- The data subjects (prospective clients and website visitors) have a reasonable expectation that a digital agency will process their submitted enquiry data
- The data is limited in scope and sensitivity
- Processing does not override data subjects' rights or freedoms
4.2 Performance of a Contract (Article 6(1)(b))
Where you have engaged us for services, we process your personal data to the extent necessary to perform the contract, including project delivery, communication, invoicing, and handoff.
4.3 Compliance with Legal Obligations (Article 6(1)(c))
We process certain data (such as invoicing records) to comply with applicable legal and financial record-keeping obligations.
4.4 Consent (Article 6(1)(a))
Where we rely on consent, for example, for non-essential cookies or optional marketing communications, we will obtain this separately and clearly before processing. You may withdraw consent at any time without detriment by contacting us at hello@flwstatemedia.com.
We do not operate email newsletters or automated marketing campaigns at this time. If we introduce these, we will update this policy and obtain appropriate consent.
5. How We Use Your Data
We use your personal data for the following purposes:
- Responding to enquiries, When you submit our contact form or book a meeting, we use your details to respond promptly and helpfully.
- Service delivery, When you become a client, we use your contact information to manage the project relationship, communicate updates, deliver assets, and provide support.
- Scheduling, Your booking information (name, email, preferred time) is used to arrange and confirm discovery calls via Cal.com.
- Invoicing and financial records, We use business contact details to issue invoices and maintain required financial records.
- Website improvement, Aggregated, anonymised analytics data helps us understand how our website performs and improve it.
- Security and fraud prevention, IP and access logs help us detect and prevent malicious activity.
- Legal compliance, Where required by law, regulation, or a court order.
We do not:
- Sell your personal data to third parties
- Use your data for automated decision-making or profiling that produces legal or similarly significant effects
- Use your data for purposes incompatible with those stated above without informing you and, where required, obtaining your consent
6. Third-Party Services and Data Processors
As a digital studio, we use a number of third-party tools to operate our website and deliver our services. Where these tools process personal data on our behalf, they act as data processors under GDPR Article 28, and we ensure appropriate contractual protections are in place.
| Processor | Purpose | Data Shared | Location | Safeguard |
|---|---|---|---|---|
| Cal.com | Meeting scheduling and booking | Name, email, preferred time, timezone | USA / EU | Cal.com Privacy Policy; Standard Contractual Clauses (SCCs) for international transfers |
| Netlify | Website hosting and deployment | IP address, server logs | USA / global edge network | Netlify DPA; SCCs |
| Netlify Analytics | Website performance analytics | Anonymised/aggregated visitor data | USA | Privacy-preserving analytics; no cookies required |
| Email provider (e.g. Gmail / Workspace) | Communication and enquiry handling | Name, email, message content | USA | Google Workspace DPA; SCCs |
| Instagram / Meta | Social media presence | Data governed by Meta's own privacy policy | USA | Meta GDPR compliance; users subject to Meta's terms |
| Professional social media presence | Data governed by LinkedIn's own privacy policy | USA | LinkedIn GDPR compliance |
Important: When you interact with our social media pages (Instagram, LinkedIn), you are subject to those platforms' own privacy policies. We do not control the data those platforms collect. We only have access to aggregate page insights, not individual user data from these platforms.
6.1 International Data Transfers
Flwstate Media operates globally and some of our processors are based outside the UK/EEA (primarily in the United States). Where we transfer personal data outside the UK or EEA, we ensure appropriate safeguards are in place including:
- Standard Contractual Clauses (SCCs) approved by the European Commission / UK ICO
- Transfers to countries with an adequacy decision
- Processor-specific Data Processing Agreements (DPAs)
7. Client Projects, Our Role as a Data Processor
When we build websites, apps, or digital products for clients, we may be given access to our clients' customer data (for example, to set up a database, configure e-commerce functionality, or build CRM integrations). In these circumstances:
- Our client is the Data Controller, they determine the purposes and means of processing their end-customers' data
- We act as a Data Processor, we process that data solely on the documented instructions of our client
- We will always execute a Data Processing Agreement (DPA) with clients where we are handling personal data belonging to their end-customers
- We do not retain, copy, or use any client end-customer data beyond what is strictly necessary to deliver the contracted services
- Upon project completion or contract termination, we securely delete or return all such data as instructed by the client
Clients are responsible for ensuring their own products, websites, and apps are GDPR-compliant. We can advise on technical privacy architecture (privacy-by-design, data minimisation, security) as part of our service, but legal compliance for client-owned products remains the client's responsibility.
8. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, taking into account our legal and contractual obligations.
| Data Type | Retention Period | Reason |
|---|---|---|
| Enquiry / contact form submissions | 12 months from last contact | To follow up on genuine business enquiries within a reasonable sales cycle |
| Client project communications | Duration of the project + 3 years | For dispute resolution, warranty, and reference purposes |
| Invoices and financial records | 7 years | Legal requirement for financial record-keeping (UK/EU standard) |
| Website analytics (aggregated) | 26 months (rolling) | Industry standard for trend analysis |
| Booking / calendar data | 6 months post-meeting | To reference discussed project details |
| Security/access logs | 90 days | Standard security monitoring window |
After the applicable retention period, data is securely deleted or anonymised so it can no longer be linked to an individual.
9. Cookies and Tracking Technologies
9.1 What Are Cookies?
Cookies are small text files placed on your device by websites you visit. They are used for a variety of purposes, from remembering preferences to analytics.
9.2 Cookies We Use
Our website is built on Next.js and designed to be privacy-first with minimal cookie usage. We aim to use only:
| Cookie Type | Examples | Purpose | Consent Required? |
|---|---|---|---|
| Strictly Necessary | Session, security tokens | Essential for the website to function | No, these are exempt under GDPR |
| Functional | Timezone preference (Cal.com widget) | Remembering your settings for a better experience | No, strictly functional |
| Analytics | Netlify Analytics | Aggregated, anonymised performance data | No, if truly anonymised and cookie-free |
We do not use third-party advertising cookies, retargeting pixels (e.g. Meta Pixel, Google Ads pixel), or cross-site tracking cookies on our own website at this time. If this changes, we will update this policy and present a cookie consent banner.
9.3 Managing Cookies
You can control and delete cookies through your browser settings. Most browsers allow you to:
- Block all cookies
- Block third-party cookies only
- Delete cookies when you close your browser
- Be notified when cookies are set
Note: blocking strictly necessary cookies may affect website functionality. For browser-specific instructions, visit www.allaboutcookies.org.
10. Your Rights Under GDPR
Under the UK GDPR and EU GDPR, you have the following rights in relation to your personal data:
10.1 Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you and information about how we process it. We will respond within 30 days of a verified request.
10.2 Right to Rectification (Article 16)
If the data we hold about you is inaccurate or incomplete, you have the right to have it corrected. Contact us and we will rectify it promptly.
10.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You can request that we delete your personal data. We will comply unless we have a legitimate, overriding reason to retain it (e.g. a legal obligation to keep financial records, or an ongoing contract dispute). We will inform you of any such reason.
10.4 Right to Restriction of Processing (Article 18)
In certain circumstances, you can request that we restrict how we use your data (e.g. while accuracy is contested, or while an objection is assessed).
10.5 Right to Data Portability (Article 20)
Where processing is based on consent or contract and carried out by automated means, you can request your data in a structured, commonly used, machine-readable format (e.g. CSV or JSON).
10.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or for the establishment, exercise, or defence of legal claims.
10.7 Right Not to be Subject to Automated Decision-Making (Article 22)
We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals. This right is therefore not applicable in our current processing activities, but we will inform you immediately if this changes.
10.8 How to Exercise Your Rights
To exercise any of the above rights, contact us at:
Subject line: Data Subject Request, [Your Name]
We may ask you to verify your identity before acting on a request. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice to you).
There is no charge for exercising your rights, unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline the request.
11. Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures (TOMs) to protect it, including:
- Encryption in transit: All data transmitted via our website uses TLS/HTTPS encryption
- Access controls: Personal data is accessible only to those who need it to perform their role
- Secure hosting: Our website is hosted on Netlify with enterprise-grade infrastructure security
- Third-party security: We apply Semgrep-backed automated security scans to the code we write and deliver for clients
- Minimal data collection: We collect only what is necessary, reducing the attack surface
- No storage of payment credentials: We do not store credit card or banking details
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, and affected individuals without undue delay, in accordance with GDPR Articles 33 and 34.
12. Children's Privacy
Our website and services are directed at businesses and adult professionals. We do not knowingly collect personal data from anyone under 16 years of age. If you believe we have received such data, contact us at hello@flwstatemedia.com and we will delete it promptly.
