This privacy policy explains how Whale and Wave Digital Ltd ("we", "us", "our") collects, uses, and protects personal data when you visit whale.design or contact us by email.
Whale and Wave Digital Ltd is a company registered in England and Wales (company number 17188418), with its registered office at 66 Paul Street, London EC2A 4NA. We are the data controller for the personal data described below.
We take your privacy seriously. This policy explains what we collect, why we collect it, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
If you have any questions, email us at hello@whale.design.
1. What we collect and why
Information you send us
When you email us at hello@whale.design or otherwise contact us, we receive the content of your message, your email address, and any other information you choose to include (for example, your name, company, or phone number).
Legal basis: Legitimate interest (responding to enquiries about our services and products).
Cookies and browser storage
Our marketing website does not use advertising cookies, tracking cookies, or any third-party marketing cookies. We do not build profiles of visitors or share data with advertising networks.
The only thing we store on your device is a single entry in localStorage (key: ww_consent_v1) that records you've seen our cookie notice, so we don't show it on every page load. It stays on your device, is never sent to a server, and contains no personal data.
You can clear it at any time through your browser, or re-open the notice from the "Cookie preferences" link in the footer of any page. If we ever add analytics or other non-essential storage, we'll ask for your consent here first.
Analytics
If we use analytics on this site, we use a privacy-focused, cookieless analytics provider (currently [CONFIRM PROVIDER — e.g. Plausible or Fathom]) that provides aggregate, anonymous usage statistics (page views, referral sources) with no individual tracking, no cookies, and no personal data collected.
Legal basis: Legitimate interest (understanding which pages are useful so we can improve the site).
Server logs
Our hosting provider automatically records technical request data including:
- IP address
- Requested URL and HTTP status code
- Timestamp and user agent string
Logs are retained for 30 days for security monitoring and debugging, then permanently deleted. We do not use log data for profiling or marketing.
Legal basis: Legitimate interest (security and service reliability).
2. How we use your data
We use your personal data to:
- Reply to enquiries you send us.
- Discuss potential products or client engagements with you.
- Maintain the security and reliability of the website.
- Understand aggregate usage of the site so we can improve it.
We do not sell, rent, or share your personal data with advertisers, data brokers, or any third party for their own marketing purposes. We do not send marketing emails unless you have explicitly opted in.
3. Third-party services
We share data with the following third parties, solely to operate the website and communicate with you:
| Service | Data shared | Purpose |
|---|---|---|
| [HOSTING PROVIDER] | All site traffic (IP, request data) | Website hosting and delivery |
| [EMAIL PROVIDER — e.g. Google Workspace / Fastmail] | Email content and metadata | Sending and receiving business email |
| [ANALYTICS PROVIDER] | None (cookieless, anonymous) | Aggregate usage analytics |
Where processors are located outside the UK or EEA, transfers are made under appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.
4. Data retention
| Data type | Retention period |
|---|---|
| Email correspondence | Up to 3 years after the last interaction, then deleted unless required for contractual or legal reasons |
| Client contract records | 7 years (UK tax and accounting obligations) |
| Server logs | 30 days |
| Aggregate analytics | Retained anonymously, no personal data |
You can ask us to delete your correspondence earlier by emailing hello@whale.design.
5. Your rights
Under the UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data ("right to be forgotten").
- Restriction — ask us to limit how we process your data.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, email hello@whale.design. We will respond within one calendar month.
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: https://ico.org.uk
- Phone: 0303 123 1113
6. Data security
We protect your data with:
- HTTPS (TLS) encryption for all traffic to and from whale.design.
- Access controls on our email and hosting accounts (two-factor authentication).
- Least-privilege access — only the people who need to see correspondence can see it.
No system is 100% secure. If we become aware of a data breach that poses a risk to your rights, we will notify you and the ICO within 72 hours as required by law.
7. Children
This website is not directed at anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
8. Changes to this policy
We may update this policy from time to time. If we make significant changes, we will note them here and update the "last updated" date at the top of the page.
9. Contact
If you have any questions about this privacy policy or your personal data:
- Email: hello@whale.design
- Post: Whale and Wave Digital Ltd, 66 Paul Street, London EC2A 4NA
- ICO registration number: [ICO NUMBER, if registered]