Let's Talk

Privacy Policy

This Website is not intended to be used by any person under the age of 16.

The protection of an individual’s personal data is important. How those data are used (and sometimes abused) has long been a topic of discussion. The last data protection legislation was passed in 1998 and the general consensus has been that the law required updating. Technology has moved on exponentially since then.

The General Data Protection Regulations have been introduced to update the law and the UK is required to affect their implementation. This has been achieved by The Data Protection Act, 2018. These Regulations enhance the rights of individuals and protect and defend a person’s rights surrounding their personal data. This Policy and documentation referred to and associated with it, reflect those rights and set out what personal data we hold and what use we make of those data.

More information concerning the GDPR can be found at The Information Commission’s website; https://ico.org.uk/.

Privacy principle

Purple Frog Studios Limited and its wholly owned subsidiary Oxlink Limited collectively referred to as (PF) and everybody involved with it takes privacy and therefore the processing and protection of the personal data provided to it, very seriously. Such data is exclusive and belongs solely to the individual concerned and can only be processed with the consent of that individual. There are in place security measures to protect that personal data and PF only holds and processes the minimum required to fulfil its Retainer.If there is anything that you wish to clarify before or indeed after providing personal data please email: dataprotectionofficer@purplefrog.co.uk. 

What is PF?

PF is two Companies limited by shares and governed by the Laws of England and Wales. The Registered Office of the Companies is; 20-22 Wenlock Street, London N1 7GU and the trading address is; John Eccles House, Robert Robinson Avenue, Oxford OX4 4GP. The telephone number is (01865) 570390. The First Company Purple Frog Studios Limited has been allocated the number 03694025. Its Registration Number at the Information Commissioner’s Office is Z1798640. The Second Company is Oxlink Limited and has been allocated the number 03092332. Its Registration Number at the Information Commissioner’s Office is Z5395042.

What does PF do?

PF is a sales and marketing consultancy. We help clients develop sales and marketing strategies through working with them to set attainable goals which we can help them work towards through developing campaigns and channel strategies and/or educating them to apply them themselves. As part of our offering we also build and host websites and other software solutions.   

How to contact PF's data protection officer

Queries about the processing of your personal data should be addressed to dataprotectionofficer@purplefrog.co.uk. 

What PF requires of it's clients

When a Client and PF enter into a Retainer that Client is confirming that it complies with the terms of the GDPR and the 2018 legislation when those apply to that Client. Therefore any personal data disclosed to PF is done so on a lawful basis. 

Changes to this policy

PF keeps this Policy under review. Updates will appear on the website. PF may also notify the changes via email and/or post and/or by other media platforms (if PF has access to such) providing an individual allows PF to do so. Continuation of the use the services will be deemed acceptance of those changes unless PF believes that actual consent is necessary to allow those changes to occur, as they relate to personal data. 

What is personal data?

Personal data is: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. As examples; name, address, gender, email, IP, location, etc. collectively (and with some, on their own) amount to personal data. This definition is very wide and includes manual filing systems. There are further provisions that relate to issues such as “Sensitive Data” such as genetic information. If any of this data is processed, then the GDPR applies to those that are undertaking that processing. 


The second element to the holding of personal data is “processing”. The criteria for such is twofold. Firstly and in very broad terms it means; the collecting, using, disclosing, retaining or disposing of personal data. The second element is that that processing must be done fairly, lawfully and in a transparent manner. The latter means in accordance with applicable legislation, including the GDPR. The former, means that PF is open and clear as to how it will use those data provided so that an informed decision can be made as to whether personal data is provided in order to take advantage of all our services. It also includes the right to opt-out where an individual may have previously agreed to a certain aspect of processing. 

Legal bases for processing personal data

An individual cannot be forced by PF to provide personal data. However, if a choice is made not to, then we will not be able to provide many services. When personal data is provided PF has to make it clear on what bases it relies to hold and process those data. Further details on these bases can be sourced at The Information Commissioner’s website at; https://ico.org.uk/ and follow the links to the GDPR and then Lawful Processing. The details of what PF does with personal data and the legal bases can be found at the end of this Policy but in summary, we process those data based on the following:

  • Consent

  • Performance of a Contract

  • Legitimate interest

  • Legal obligation

How long does PF retain personal data?

PF can only retain personal data so long as it has a legitimate reason to do so or as is required by law.Where PF has an ongoing Retainer with a Client it will retain any personal data supplied for the duration of that Retainer. Where that Retainer involves an annual or occasional function (rather than continuing and/or ongoing function) on behalf of a Client, for example website hosting and maintenance, then the Retainer, for the purposes of the retention of personal data, will not be terminated simply by the completion of the annual or other occasional process. It will be dormant, but still in existence until the next process occurs, even though a Client may then receive a fresh Retainer to enter in to. That new Retainer will supersede the old and will confirm the accuracy of those data and that PF may continue to retain them.  When a Retainer ends, those data held will be dealt with in accordance with the provisions of this Policy. Upon termination PF believes that, in general terms, to keep personal data for the period to the end of the PF financial year in which the termination occurred, is a minimum length of time. This is subject to what is contained below in the section entitled Deleting Personal Data.However, PF may decide, at its absolute discretion, that those data should be retained for a longer period for example to comply with PF’s legal obligations.When PF decides that it should delete personal data it will do so without notifying the person concerned, unless it is requested so to do in writing sent by post to the address given above and clearly marked; “Notification Upon Personal Data Deletion”. 

Deleting personal data

At any time an individual can contact PF and ask us to delete their personal data. Simply contact; dataprotectionofficer@purplefrog.co.uk. However, if this is done then it is possible that not all services would be available. As an example we couldn’t send proofs to be approved by a Client. Further, where PF has any non-commercial reason to retain your details (for example it is legally required to do so) then it will BUT those details and data will not be processed except for the purposes for which they are retained. When there is no justifiable reason to retain your details PF will delete them completely.

If an employer or other third party requests the deletion of an individual’s personal data, PF cannot do this without that individual’s consent. This must be obtained in writing from the individual concerned and the original (not scanned or copied) authority supplied to PF. In the absence of such authority, PF can only remove those data from the employer’s details and would retain in archive, a record of all personal data it holds as it relates to that individual. PF would be obligated, at a cost to the employer/third party to seek the individual’s authority to delete. Such cost would then be deemed to be included as an extra fee within the Retainer.

PF operates a CRM system and personal data contained within such will be deleted two years after the last activity, of whatever nature, related and linked to those data occurs.Where personal data is to be deleted, other than by request, this will occur at the next Data Deletion Review and such occur every six months, currently in November and May.  

Obtaining details of personal data from PF

This is known as a Subject Access Request (SAR). An individual can request PF to provide details of what personal data it holds and processes, which directly relates that individual. PF may only provide personal data to the person to whom it relates. A company, for example, cannot make an SAR about an employee, even if those data were provided by the company in the first instance.To make a SAR the individual should email the Request to dataprotectionofficer@purplefrog.co.uk. PF is required to provide a response as quickly as possible, but in any event, within a month. Alternatively a request may be sent by post. If this method is used the request will have deemed to have arrived two working days after the date of posting.All SARs must be marked SUBJECT ACCESS either in the “Subject” box of the email or at the head of the letter. All that is required generally is the full name of the individual, post code and confirmation should be given that there are not two people of the same name at the property or business. Details of alternate names used by an individual should also be given, for instance, a maiden name or “nickname”. If an individual is an employee and is making a request in that capacity, that person should provide details of the employer’s name and address. No notice will be given to the employer of the SAR. If PF requires further information it will contact the individual concerned in sufficient time in order that we may fulfil our obligations. The time for the provision of the response to the SAR will begin to run when we have all the information we deem necessary. Where we request further information, we will nevertheless endeavour to complete the process within a month of receipt of the SAR.A SAR is free unless the amount of data to be supplied and/or investigated is beyond what PF would reasonably expect to produce or look at or multiple requests are or have been made (multiple means more than two). 

Data correction

PF can undertake the changes to personal data if so requested. This request can be by email dataprotectionofficer@purplefrog.co.uk or by post. Any such communication should be marked “DATA CORRECTION”. PF may contact the person or entity to confirm any changes and such will be via a medium(s) contained in our records; email and/or telephone and/or post.If it is discovered that personal data or indeed any data has been changed without appropriate authority, contact PF immediately at dataprotectionofficer@purplefrog.co.uk putting “POTENTIAL FRAUD” in the “Subject” box. 

What data does PF collect?

The only personal data that PF requests, holds and processes is the minimum necessary for the services that it provides. If more is provided than is necessary, PF will accept such on the basis that individuals have consented to the provision of those data. Such data will also only have been provided by an individual either directly or an employer or contractor or related business. These data will be provided at the time of initial instruction and thereafter, during the currency of the Retainer, through email, postal service letters, telephone, through our website, other businesses or individuals which have a connection (perhaps through contract), connected social media or data that PF can infer from the use of our services or those connected to them. The minimum personal data that is required is dependent upon the function PF is performing and the service provided pursuant to a Retainer. As examples;

Proof of Identification
PF will require a minimum of; driving licence and/or passport and a domestic bill for any unincorporated business; for incorporated businesses a credit check and confirmation of personnel PF will be engaging with will suffice.

Building a website
PF will require as a minimum; names, email addresses, IP addresses and potential access to domain servers. If PF requests personal data then it is necessary and an individual and/or an employer is always at liberty to ask us why such data is required.  

Consent to provide personal data

Where an employer provides the personal data of an individual, then this must be based on the consent of the individual concerned. On occasion it is necessary and required that those data are supplied pursuant to the law or that it is necessary to fulfil contractual obligations thereby avoiding a breach of contract.

In some cases PF has to be provided with personal data to fulfil its Retainer.

There are other instances where PF has to receive personal data to ensure lawful payment is made or otherwise to comply with the law. Examples of such would be; a sub-contractor (who is an individual) cannot be paid or PF cannot be paid for work undertaken.It is undoubtedly the case that it is necessary to confirm to an individual that their personal data will be passed to PF.

PF does not consider that it is a duty set upon it to confirm this. Each and every business must comply with the GDPR and legislation so must have sought the necessary consents from those individuals concerned. There may be instances where the processing of personal data is necessary to an individual to fulfil their obligations under a contract (whether employment or otherwise). In such circumstances PF would be at liberty to process those data to ensure a contract was not breached.

Any individual who instructs PF, provides their personal data themselves. However, they are under a duty only to pass over the personal data of others if they have permission from that person. PF will ask for confirmation of this and reserves the right to confirm such consent, especially in situations where those other data are not directly required for PF to fulfil any legal obligation.An individual may provide personal details via Social Media. As such, the individual is responsible for what data is provided.

Notwithstanding the foregoing, PF is entitled to require confirmation from the individual that they are content for us to receive, hold and process their personal data and the context for such. In such a situation PF will require that it contacts the individual directly. 

How does PF use personal data?

PF will use personal data to provide services under the Retainer that it has with a Client. A Client, in providing instruction under that Retainer, may necessarily disclose the personal data of individuals. The nature of the Retainer is confidential, but a term of it is that the Client complies with the GDPR and legislation, where such applies to that Client. Therefore that disclosure is lawful because the Client has taken all necessary steps before disclosing any third party personal data. Such personal data will only be processed in order that the terms of the Retainer can be fulfilled.   

PF may use personal data to contact an individual whether that be the Client or otherwise. This may be by email and/or telephone and/or post to provide, for example, information or to remind that individual of an upcoming event.   

WEBSITE; www.purplefrog.co.uk

The website provides details of the services that PF offers, its personnel, allows for enquiry to be made, downloads, access to social media and blogs.  If an enquiry is made, PF will hold the details provided, which may include personal data, but will only reply or respond to any query or enquiry raised. At this time PF does not operate its website on any other basis.

The Website does use Cookies and we have a Cookie Policy which can be accessed here.

An individual is free to browse the website without providing any personal data. The IP address which, by itself and in this context, does not identify you, will be collected and retained by PF. In the future PF intends to allow Client access via the Website to Client Accounts. In such circumstances clients will be requested to provide a username and password to maintain secure access to the relevant account. Such, as a matter of course will probably be linked to personal data provided by that Client. It is solely a Client’s responsibility to keep the username and password secure. PF is not liable for any loss, howsoever occurring as a result of unauthorised access to any account. Further, PF may itself suffer loss or damage as a result of unauthorised access. If such were to occur, PF would seek recovery of any loss or damage (to include costs) from that Client. The user name and password if matched to personal data, would not be disclosed in a SAR. 

Other websites

This Website contains links to other websites operated by other businesses. PF cannot be responsible in any way for the way those sites are run or controlled nor whether they may be infected by viruses or other malware of whatever nature. Further, PF has no responsibility for the privacy policies of those businesses and their websites. However, PF can say that all businesses that process personnel data must comply with the GDPR and the Data Protection Act, 2018. Unless PF has specific concerns to the contrary, it believes that it is entitled to rely on this fact.PF will not share personal data with these sites.Where the link takes a user of this site to another which may be co-branded with PF, though not operated by it, we have, notwithstanding what is said above, specifically asked and been told that these websites and businesses have the appropriate policies and procedures in place to protect personal data.

PF may share personal data with such sites as these which are co-branded where this is appropriate and is in accordance with this Policy. (YES?)

The best advice is, when you leave this Website via a link from it, check the privacy provisions of it before providing personal data. 


It is not intended that children under the age of 16 should use this site and PF certainly does not target or seek to attract such an age group. PF will never solicit personal information from individuals under that age. However, it cannot prevent such children accessing the site or maintaining that they are of an age older than 15. All PF is able to do is to say that this site is not to be used by people under the age of 16 and that it will, if it were to discover such use, delete all personal data that it may have been provided with.    

Social Media

PF uses various social media platforms as well as blogs. All personal data obtained from social media will have been provided voluntarily and therefore with the consent of the individual concerned. 


Communication with clients is a fundamental part of the provision of services by PF. Email, telephone and on-line project management tools are the preferred methods for PF to communicate with clients. Either consent will be contained in the Retainer or will have been agreed separately with the client. However, PF is obliged to offer all individuals the right to opt out after they have indicated, either directly or through a third party that they consent to such communication.Certain of our email communications contain unsubscribe buttons to prevent further contact in those contexts.

As is maintained in the Retainer, but is highlighted here; if an individual choses to opt-out of communication with PF, it may not be able to provide the services for which it has been contracted. If such occurs, PF cannot be responsible for any losses, whether those are directly or indirectly incurred, as a result of the inability to communicate with an individual or otherwise fulfil its Retainer whether instructed by that individual or not.

Information that we are required to give you by law.

We are obliged to communicate these.

Those that result from the Retainer.

We are obliged to communicate these. However, an individual may elect to receive that communication by post. An individual can ask PF not to communicate at all, through any medium. If so, then the warnings that appear in this Policy and elsewhere as to the provision of services apply. To change the method of communication or to opt-out of any communication please email to; dataprotectionofficer@purplefrog.co.uk.

If the individual is not the Client, notice of the opt-out must be given as a breach of contract is possible. An individual can opt-out; dataprotectionofficer@purplefrog.co.uk.

Security information relating to the website.

PF believe that this is always essential, however an individual can opt-out using the unsubscribe button

Technical Newsletters and Marketing messages whether from PF or our partners and affiliates.

You can opt out via the unsubscribe button

.Important information containing alerts relating to the website, for example when the site will not function for a specific reason or updates to this Privacy Policy.

Again, PF consider this to be important but an individual can opt-out via the unsubscribe button

Social Media We will communicate by social media if an individual wishes to subscribe to such of PF’s accounts as may operate from time to time. At any time an individual can elect to unsubscribe to such.

Website CHAT and Chatbot

We will only respond to any conversation and an individual can stop that conversation at any time and cannot take it further. The details of the conversation will be stored in our CRM and may contain personal data. To delete see above under Deletion of Personal Data.  

Who does PF disclose personal data to?

Any third party in the UK, to whom PF discloses such data, is bound by the GDPR and legislation. Please refer to the section entitled: Where Does PF Send Personal Data, which is below.If PF is required by law to disclose your personal data then it must do so and it is not possible to opt out of this process. This could be, for example, to HMRC or via an order of a Court.We also provide personal data to our service providers. These include:

  • Banks and other payment providers: we have to supply personal data to secure payment;

  • Payment card industry: the personal data we supply helps to prevent fraud;

  • Our communications providers: they allow us to deliver emails and other communications;

  • IT and Internet Security: to protect your personal data and provide our services;

  • Licensed Technical Support Providers, Hardware and Software Providers: to provide secure service provision and enable a Client to share documentation as it wishes (in accordance with the GDPR);

  • Analytical tools: see those in our Cookie Policy

If a sale, transfer or restructure of PF and wholly owned subsidiaries were to be proposed in whole or in part, then disclosure of personal data may be a part of that process and, for commercial confidentiality reasons, it would not be possible to seek approval from individuals. PF would however ensure, so far as is reasonably possible, that safeguards are established to preserve the security and integrity of those data pursuant to this Policy. As a result, data may be transferred but PF would ensure that any new entity complies with all relevant legislation.In the case of an emergency if, for example life is at risk, then we reserve the right to disclose personal data. 

Where does PF send personal data?

PF controls your personal data in the United Kingdom but the same is stored in the EU. If personal data is sent to anywhere within the European Union (EU), the recipient is bound by the rules set down by the GDPR. If PF sends those data outside of the EU it has to ensure that the recipient has adequate safe guards in place to protect those data. These can be, for example, specific contract clauses or corporate rules or agreed and stated mechanisms such as exists between the EU and the USA.PF is unable to say what will happen post the United Kingdom leaving the EU. It is likely that, during any transition period, these safe guards will remain in place, but that is not certain. What occurs thereafter (or if there is no such period of transition) and what may happen to your personal data, is undecided. This, however applies to all businesses based in this Country.

Wherever your personal data is sent, PF is not responsible for how that organisation or person processes those data. The GDPR applies equally to all businesses in the EU and all businesses who deal with the EU and hold data concerning EU nationals have to show that they have adequate measures in place to protect individual’s personal data. Unless PF has reason to believe something to the contrary, we are entitled believe that all obligations have been fulfilled and those data are processed lawfully and fairly. If you have queries, then those should be addressed directly to entity that concerns you. Of course, please feel free to notify us at; dataprotectionofficer@purplefrog.co.uk..

Legal bases for processing

The GDPR requires that PF specify what the legal basis is, or bases are to justify requesting, receiving, holding and processing personal data. There are six bases and PF must select one or more and provide notification as to those it selected. These appears above. However, further details have to be supplied as to how lawful processing will take place in each of those bases. Further information is available at; https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing.

There are two bases PF does not rely on. These are; to protect a person’s vital interests and the performance of a task carried out in the public interest or in the exercise a data controller’s official authority. Neither of these are applicable.


  • This is processing with your consent. This includes; sending emails whether they be promotional or otherwise and providing information pursuant to the Retainer.

  • Performance of a Contract. This is activity that happens when you request that we perform certain functions for you. We cannot fulfil our obligations unless we process your personal data.

Included here are:Confirming any and all instructions in relation to a Retainer;Remitting documentation prepared for approval;Create a direct debit or other repeating payment; andSharing or forwarding an email. 

  • Legitimate Interests. These can be the interests of PF or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

Included here will be:PF conducting general and specific internal reporting and analysis;Sharing personal data with third party affiliates, companies and partners;Sending individuals surveys connected with PF;Sending individuals emails concerning the operation of PF;Marketing to other organisations;Sending targeted marketing by post;Targeted marketing through advertising PF through places on other websites; andAutomated decision making, for example chatbot. 

  • Legal Obligation. This is where we have to hold and process personal data in accordance with the law. Included is; sending email receipts for payments made, sending payroll information to include pay advices, checking for fraud, identity checks, providing statutory bodies with required information, complying with an order of a competent Tribunal whether in the UK or otherwise, complying with other statutory obligations.