1. Data Controller Information
Wind Digital Lab is the data controller for the personal data described in this Policy. Our details are:
| Controller | Wind Digital Lab |
|---|---|
| Registered | England and Wales, United Kingdom |
| Headquarters | London, United Kingdom (fully remote operations) |
| Available at winddigitallab.com/contact-us | |
| Phone | +1 (234) 567-890 |
| Website | winddigitallab.com |
| ICO Reg. | Registered with the Information Commissioner's Office (ICO), UK |
2. Scope & Who This Policy Applies To
This Policy applies to:
- Visitors to winddigitallab.com and any WDL-operated web pages or landing pages.
- Prospective clients who submit enquiries, use our budget calculator, or request a proposal.
- Clients who engage WDL for Services under a Service Agreement.
- Contacts who book calls, attend meetings, or communicate with WDL by any channel.
Where WDL processes personal data on behalf of a Client as a Data Processor (for example, processing client customer lists for advertising purposes), that processing is governed by the Data Processing Agreement between WDL and the Client, not by this Policy.
3. Categories of Personal Data We Collect
3.1 Data You Provide Directly
- Identity data: Name, job title, and company name.
- Contact data: Email address, phone number, postal address, and preferred communication channel.
- Business data: Information about your business, budget, advertising goals, and marketing history provided during onboarding or consultations.
- Financial data: Billing name, address, and payment instructions (payment card details are processed by our payment provider and not stored by WDL).
- Communications data: The content of emails, messages, call notes, and other correspondence with WDL.
3.2 Data Collected Automatically (Website)
- Technical data: IP address, browser type and version, device type, operating system, and referral URL.
- Usage data: Pages visited, time spent on pages, clicks, navigation patterns, and interactions with our budget calculator or other tools.
- Cookie data: Data collected through cookies and similar tracking technologies as described in our Cookie Policy.
3.3 Data From Third Parties
- Platform data: Aggregated and anonymised performance data from advertising platforms (Google, Meta, LinkedIn, Microsoft, TikTok, YouTube) relating to your campaigns.
- Analytics data: Aggregated website and conversion data from tools such as Google Analytics.
- Publicly available data: Professional information available from LinkedIn or similar platforms where relevant to providing Services.
3.4 Special Category Data
WDL does not intentionally collect special category personal data (such as health, race, religion, political opinions, biometric, or genetic data). Please do not send us such information unless specifically requested in connection with a regulatory compliance requirement.
4. Purposes & Legal Bases for Processing
We process personal data on the following legal bases under UK GDPR, EU GDPR, and equivalent global legislation:
| Purpose | Legal Basis |
|---|---|
| Responding to enquiries and proposals | Legitimate interests / Pre-contractual steps |
| Providing and managing Services under a Service Agreement | Performance of a contract |
| Processing payments and managing accounts | Performance of a contract / Legal obligation |
| Delivering campaign performance reports and dashboard access | Performance of a contract |
| Communicating about your account, updates, and service changes | Performance of a contract / Legitimate interests |
| Sending marketing communications about WDL services (existing clients) | Legitimate interests (UK: soft opt-in under PECR); Consent (EU/other jurisdictions) |
| Sending marketing communications (prospective clients) | Consent |
| Improving our website, tools, and services | Legitimate interests |
| Complying with legal and regulatory obligations | Legal obligation |
| Fraud prevention and security | Legitimate interests / Legal obligation |
| Resolving disputes and enforcing contracts | Legitimate interests / Legal obligation |
Where we rely on 'legitimate interests' as a legal basis, we have conducted a Legitimate Interests Assessment (LIA) to ensure our interests are not overridden by your rights and freedoms. You may request a summary of our LIA by contacting us.
5. Global Privacy Law Compliance
WDL is headquartered in the UK and operates globally. We are committed to meeting the requirements of all major global privacy frameworks.
5.1 UK: UK GDPR & Data (Use and Access) Act 2025
As a UK-based controller, UK GDPR (as amended by the Data (Use and Access) Act 2025, effective February 2026) is our primary compliance framework. Key obligations include: lawful basis for all processing, transparency, data minimisation, purpose limitation, accuracy, storage limitation, integrity and confidentiality, and accountability. We are registered with the Information Commissioner's Office (ICO).
5.2 European Union: EU GDPR
WDL offers services to clients and processes data of individuals in the EU. EU GDPR therefore applies extraterritorially to our processing of EU residents' data. We maintain dual compliance with UK GDPR and EU GDPR. Where required, we appoint a representative within the EU. International transfers from the EU to the UK are made under EU Standard Contractual Clauses (SCCs) pending any renewed EU adequacy decision.
5.3 United States: CCPA/CPRA & State Privacy Laws
For California residents, we comply with the CCPA as amended by the CPRA. We do not sell or share your personal data for cross-context behavioural advertising without your consent. We support the Global Privacy Control (GPC) signal. Additional US state privacy rights (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, and others) are also honoured.
5.4 Canada: PIPEDA
For Canadian residents, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). We obtain meaningful consent, limit collection to stated purposes, provide access rights, and maintain appropriate safeguards.
5.5 Brazil: LGPD
For Brazilian residents, we comply with the Lei Geral de Proteção de Dados (LGPD). We process personal data on a valid legal basis, have appointed a data protection representative (encarregado) as required, and provide the rights set out in Section 7.
5.6 Asia-Pacific
For residents of Singapore, Australia, Japan, South Korea, and other APAC jurisdictions, we comply with applicable local privacy laws including PDPA (Singapore), the Australian Privacy Act 1988 (APPs), APPI (Japan), and PIPA (South Korea) to the extent applicable. We are committed to providing equivalent rights to all users regardless of jurisdiction.
5.7 Other Jurisdictions
We strive to comply with applicable privacy laws in all jurisdictions in which we operate. If you are in a jurisdiction not listed above and have privacy concerns, please contact us.
6. How We Share Your Personal Data
6.1 Third-Party Service Providers
We share personal data with trusted service providers who assist us in operating our business. These processors act only on our instructions and are contractually bound to protect your data. Categories include:
- Advertising platforms: Google LLC, Meta Platforms Inc., LinkedIn Corporation, Microsoft Corporation, TikTok Inc.
- Analytics providers: Google Analytics and similar tools.
- CRM and business tools: Customer relationship management, project management, and communication tools.
- Cloud infrastructure: Secure cloud storage and hosting providers.
- Payment processors: For processing invoices and payments.
- Calendar and scheduling tools: For booking discovery calls and meetings.
6.2 Legal Disclosures & Business Transfers
We may disclose data where required by law, court order, or to protect WDL's legal rights. In the event of a merger or acquisition, data may be transferred to the successor entity. We will notify affected individuals in advance where legally required.
6.3 No Sale of Data
WDL does not sell, rent, or trade personal data to third parties for their own marketing purposes. We do not engage in cross-context behavioural advertising using your data.
6.4 International Transfers
As a globally operating agency, all international transfers are protected by appropriate safeguards including UK IDTA, UK Addendum to EU SCCs, EU SCCs, or Adequacy decisions.
7. Your Privacy Rights
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Request correction of inaccurate or incomplete personal data. |
| Erasure ('Right to be Forgotten') | Request deletion of your personal data in certain circumstances. |
| Restriction | Request that we restrict processing of your data in certain circumstances. |
| Data Portability | Receive your data in a structured, machine-readable format and transfer it to another controller. |
| Objection | Object to processing based on legitimate interests or for direct marketing (absolute right for marketing). |
| Withdraw Consent | Where processing is based on consent, withdraw consent at any time without affecting prior processing. |
| Complaint to Regulator | Lodge a complaint with the relevant supervisory authority (see Section 12). |
| Opt out of Sale/Sharing (US) | California and other US state residents: opt out of sale or sharing of personal data. |
| Limit Sensitive Data Use (US) | California residents: limit the use of sensitive personal information. |
| Non-Discrimination (US) | We will not discriminate against you for exercising your privacy rights. |
| Right to complain to WDL (UK) | From June 2026 under the Data (Use and Access) Act 2025: lodge a complaint directly with WDL. |
To exercise any of these rights, please contact us. We will respond within the timeframe required by applicable law (generally 30 days). We may need to verify your identity before fulfilling your request.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
| Data Category | Retention Period |
|---|---|
| Client contact and business data | Duration of engagement + 7 years (for legal and tax compliance) |
| Campaign performance data | Duration of engagement + 3 years |
| Financial records and invoices | 7 years from date of transaction (legal obligation) |
| Enquiry / prospect data (no engagement) | 2 years from last contact |
| Marketing consent records | 3 years from consent or last interaction |
| Website analytics data | 14 months (Google Analytics default) |
| Security and access logs | 12 months |
| Legal correspondence / dispute data | 7 years from resolution |
9. Data Security
Our security measures include: Encryption of data in transit (TLS/SSL) and at rest, Access controls and role-based permissions, Multi-factor authentication (MFA), Regular security assessments, Confidentiality training for staff, Data Processing Agreements (DPAs) with third parties, and Incident response protocols.
10. Children's Privacy
WDL's Services are directed at businesses and professional individuals, not children. We do not knowingly collect personal data from individuals under the age of 18. Consistent with the UK Data (Use and Access) Act 2025 and the ICO Children's Code, we are committed to higher protection standards for children's data in any context where children may access our services.
11. AI & Automated Decision-Making
WDL uses AI systems to optimise advertising campaigns (budget allocation, audience targeting, bid management, and creative testing). These systems operate on aggregate data and do not make decisions that produce legal or similarly significant effects on individuals. Where such effects may occur, we will inform affected individuals, provide logic information, and enable the right to contest and request human review.
12. Supervisory Authority Complaints
| Jurisdiction | Supervisory Authority |
|---|---|
| United Kingdom | Information Commissioner's Office (ICO) — ico.org.uk |
| European Union | Your national Data Protection Authority (DPA) — edpb.europa.eu |
| United States (California) | California Privacy Protection Agency (CPPA) — cppa.ca.gov |
| Canada | Office of the Privacy Commissioner (OPC) — priv.gc.ca |
| Brazil | Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd |
| Australia | Office of the Australian Information Commissioner (OAIC) — oaic.gov.au |
| Singapore | Personal Data Protection Commission (PDPC) — pdpc.gov.sg |
13. Updates to This Privacy Policy
We review and update this Privacy Policy periodically. When we make material changes, we will update the 'Effective Date', notify existing Clients by email, or post a prominent notice on our website. Continued use of our Services following an update constitutes acceptance of the revised Policy.
14. How to Contact Us
- Contact: Wind Digital Lab — Privacy
- Email: Available at winddigitallab.com/contact-us
- Phone: +1 (234) 567-890
- Address: London, United Kingdom
- Supervisory: ICO (UK) — ico.org.uk
- Version: v1.0 | Effective: 1 April 2026