Privacy Policy
Last updated: 23 February 2026
1. Introduction
Quirzy Studio ("we", "us", "our") is a digital design and development studio based in London, United Kingdom. We are committed to protecting the privacy of everyone who interacts with us - whether you're a visitor to our website, a prospective client, or a current client.
This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller
The data controller responsible for your personal data is:
Quirzy Studio
London, United Kingdom
hello@quirzy.com
3. What Data We Collect
3.1 Website Visitors
When you browse our website, we may collect:
- Technical data: IP address, browser type and version, operating system, screen resolution, referring URL, pages visited, time spent on pages, and general geographic location (city/country level).
- Cookie data: See Section 7 below for full details on cookies.
We do not use any tracking pixels, retargeting scripts, or social media trackers on our website.
3.2 Prospective Clients
When you contact us via email or a contact form, we collect:
- Name and email address.
- Company or organisation name (if provided).
- Project details and any other information you choose to include in your message.
3.3 Clients
When we enter into a working relationship, we additionally collect:
- Full name and job title of the designated point of contact.
- Company name, registered address, and VAT number (where applicable).
- Billing address and payment details (processed securely through Stripe; we do not store card numbers).
- Project-related correspondence, files, and assets you share with us.
- Access credentials for third-party services (hosting, CMS, etc.) provided for the purpose of project delivery.
4. How We Use Your Data
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Responding to enquiries | Legitimate interest |
| Preparing and sending proposals | Pre-contractual steps at your request |
| Delivering project work | Performance of a contract |
| Issuing invoices and processing payments | Performance of a contract / legal obligation |
| Maintaining accounting and tax records | Legal obligation (HMRC requirements) |
| Understanding website usage and improving our site | Legitimate interest |
| Sending occasional updates about our services (clients only, no more than quarterly) | Legitimate interest (with easy opt-out) |
We will never sell, rent, or trade your personal data to third parties. We do not engage in profiling or automated decision-making.
5. Who We Share Data With
We only share your data with third parties when necessary to deliver our services or meet legal obligations:
- Payment processor: Stripe (for secure payment handling). Stripe's privacy policy is available at stripe.com/privacy.
- Accounting software: Xero (for invoicing and financial records).
- Email provider: Google Workspace (for correspondence).
- Hosting providers: Where we manage hosting on a client's behalf, data may be stored by the relevant hosting provider (e.g., Vercel, Netlify, AWS) as outlined in the SOW.
- Legal and tax authorities: HMRC or other regulatory bodies where required by law.
All third-party processors we use are either UK-based or comply with appropriate international data transfer safeguards (Standard Contractual Clauses or UK adequacy decisions).
6. How Long We Keep Your Data
- Website analytics data: Aggregated and anonymised; raw logs deleted after 90 days.
- Enquiry correspondence: 12 months from last contact if no project proceeds.
- Client project data: Duration of the project plus 2 years, unless a longer retention is agreed.
- Financial records: 7 years from the end of the tax year in which the transaction occurred (as required by HMRC).
- Access credentials: Deleted from our systems within 7 days of project handover unless ongoing maintenance is agreed.
7. Cookies
Our website uses minimal cookies:
- Strictly necessary cookies: Required for the website to function (e.g., session management). These do not require consent.
- Analytics cookies: We use privacy-focused analytics to understand aggregate traffic patterns. No personally identifiable information is collected through analytics. You can opt out by using your browser's built-in cookie controls.
We do not use advertising cookies, tracking cookies, or any third-party marketing cookies.
8. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Ask us to correct any inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data where there is no compelling reason for its continued processing.
- Right to restrict processing: Ask us to limit how we use your data in certain circumstances.
- Right to data portability: Receive your data in a structured, commonly used, machine-readable format.
- Right to object: Object to processing based on legitimate interest, including any direct marketing.
To exercise any of these rights, email us at hello@quirzy.com. We will respond within 30 days. There is no fee for making a request unless it is manifestly unfounded or excessive.
9. Data Security
We take reasonable technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS/HTTPS) for all website traffic and email communication.
- Encrypted storage for sensitive data such as access credentials.
- Two-factor authentication on all accounts used to process or store personal data.
- Access controls limiting data access to only those who need it for project delivery.
- Regular review and deletion of data no longer required.
No system is perfectly secure. In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it.
10. International Transfers
Some of the third-party services we use (such as Google Workspace and Stripe) may process data outside the United Kingdom. Where this occurs, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses approved by the ICO or reliance on UK adequacy decisions for the relevant country.
11. Children's Privacy
Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it.
12. Complaints
If you are unhappy with how we handle your personal data, please contact us first at hello@quirzy.com so we can try to resolve your concern. If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
ico.org.uk
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The "last updated" date at the top of this page will always reflect the most recent revision. We encourage you to review this page periodically.