Privacy policy.

How we collect, use, store, and protect personal data — and the rights you have under UK GDPR and the Data Protection Act 2018. Plain English where possible, precise where it has to be.

1. Who we are

This privacy policy applies to Stormborne Studio Ltd ("Stormborne", "we", "us", "our"), a company registered in England and Wales (company number 14829301) with its registered office at 10 York Rd, London SE1 7ND, United Kingdom.

Stormborne is the data controller for the personal data described in this policy. For any privacy-related queries, contact us at [email protected].

2. What personal data we collect

We collect the following categories of personal data:

  • Contact details you give us — name, email address, company, telephone number, and any other information you choose to include when you complete a form on this site, email us, or speak with us during a project.
  • Project information — content, files, credentials, access tokens, and other materials you share with us in order for us to deliver work for you under a signed Statement of Work.
  • Technical data — IP address, approximate location (country level), device type, browser, referrer, and pages viewed. This is collected via privacy-respecting analytics that do not set cookies or fingerprint individual visitors.
  • Communications — emails, call notes, and any correspondence you exchange with us. We retain these for the purposes of providing our services and for our own records.

3. How and why we use your data

We use your personal data to:

  • Reply to enquiries you send us via the contact form, email, or phone.
  • Provide services under a Statement of Work — including design, development, AI implementation, and ongoing support.
  • Send transactional communications (project updates, invoices, scheduling, security notices).
  • Send marketing communications, but only where you have explicitly opted in.
  • Comply with our legal, accounting, and regulatory obligations.
  • Improve our website, services, and operations.
  • Detect, prevent, and respond to security incidents.

4. Lawful bases for processing

Under the UK GDPR and the Data Protection Act 2018, we rely on the following lawful bases:

  • Contract — to deliver services you have engaged us for and to take steps at your request before entering into a contract (e.g. scoping calls and proposals).
  • Legitimate interests — to respond to enquiries, run and protect our business, communicate about ongoing engagements, and improve our services. We balance this against your rights and freedoms and only rely on it where appropriate.
  • Consent — for any marketing communications and any optional analytics or features that require it. You may withdraw consent at any time.
  • Legal obligation — to comply with tax, accounting, and other statutory duties.

5. Cookies and tracking

This website does not set tracking cookies. We use Cloudflare Web Analytics, which is cookieless and does not fingerprint visitors. No third-party advertising or behavioural tracking pixels are present on the site.

Some pages may embed media (e.g. video) from third parties. Those services may set their own cookies if you interact with them; their privacy policies apply in that case.

6. Who we share your data with

We do not sell your personal data. We share it only with trusted third-party processors that help us run the studio and deliver projects, under written data-processing agreements. Our current sub-processors include:

  • Cloudflare — hosting, edge computing, DNS, and analytics.
  • Resend — transactional email delivery for the contact form.
  • Fastmail — business email.
  • Notion — internal documentation and project notes.
  • Linear — project tracking.
  • Stripe and Xero — invoicing and accounting.
  • HubSpot — CRM (only for clients with active engagements).

We can provide a full, up-to-date sub-processor list on request. We may also share your data with law enforcement or regulators where required by law or court order, or to protect our legal rights.

7. International transfers

Some of our sub-processors are based outside the UK and EEA — for example in the United States. Where we transfer your personal data internationally, we rely on appropriate safeguards under the UK GDPR, including:

  • UK adequacy regulations where they apply (e.g. EU, EEA, UK Extension to the EU–US Data Privacy Framework where the recipient is certified);
  • The International Data Transfer Agreement (IDTA) or Addendum to the EU Standard Contractual Clauses where adequacy does not apply.

You may request a copy of the safeguards in place for a specific transfer.

8. How long we keep your data

We keep personal data for as long as we need it for the purposes set out above:

  • Contact-form submissions — 24 months from your last contact, unless we are still in conversation or engaged.
  • Project records — 6 years after the end of the engagement, in line with UK accounting and statutory record-keeping rules.
  • Financial records — at least 6 years, as required by HMRC.
  • Marketing data — until you unsubscribe or otherwise withdraw consent.
  • Analytics data — aggregated and retained for up to 13 months; not tied to individuals.

9. Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access — to obtain a copy of the personal data we hold about you.
  • Right to rectification — to have inaccurate or incomplete data corrected.
  • Right to erasure ("right to be forgotten") — to have your data deleted in certain circumstances.
  • Right to restrict processing — to limit how we use your data in certain circumstances.
  • Right to data portability — to receive your data in a structured, machine-readable format.
  • Right to object — to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent — at any time, where consent is the basis for processing.
  • Right to complain to the ICO — the Information Commissioner's Office is the UK supervisory authority for data protection. You can reach them at ico.org.uk or 0303 123 1113.

To exercise any of these rights, email [email protected]. We will respond within one month and there is no charge in normal circumstances. To unsubscribe from marketing emails you can also use our unsubscribe page or the link at the bottom of any marketing email.

10. Security

We take the security of your data seriously and apply ISO 27001-aligned organisational and technical measures, including:

  • Encryption in transit (HTTPS / TLS) and at rest where supported by our providers.
  • Principle-of-least-privilege access controls and audit logs.
  • Mutual NDAs with sub-processors and with team members.
  • Regular security reviews, dependency scanning, and incident response procedures.

No system is perfectly secure. If we ever discover a personal-data breach that risks your rights and freedoms, we will notify the ICO within 72 hours where required and let you know directly without undue delay.

11. Children

Our services are not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time to reflect changes in our practices, services, legal requirements, or to improve clarity. The date at the top of this page shows when it was last updated. Material changes will be communicated by a notice on the site or by email where appropriate.

13. How to contact us

For any privacy-related queries or to exercise your rights:

  • Email: [email protected]
  • Post: Stormborne Studio Ltd, 10 York Rd, London SE1 7ND, United Kingdom

Questions?

If anything in this policy is unclear or you'd like more detail about a specific item, email us at [email protected] and we'll get back to you within a business day.