Effective date: 13 July 2025 · Last reviewed: 13 July 2025
This policy explains how Blackwellen (Company No. 16482166) trading as Orbas Agency manages personal data across our digital products, automation programmes and consultancy engagements worldwide.
This Privacy Policy explains how Orbas Agency, operated by Blackwellen (Company No. 16482166), collects, uses and safeguards personal information when you visit our website, engage our services or interact with our team. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and, where relevant, the Privacy and Electronic Communications Regulations (PECR). This notice covers all websites, platforms, contact forms and communication channels provided by Orbas Agency unless we display an alternative policy.
Jump to the section you need via the quick navigation below, or download a PDF copy for your records. Each section includes plain-language summaries and links to supporting guidance.
Prefer an offline copy? Download the policy as a PDF or request an accessible format by emailing privacy@orbasagency.com.
Blackwellen trading as Orbas Agency is the data controller when we determine the purposes and means of processing your personal data. For certain projects we may act as a processor on behalf of our clients. Where this occurs, we follow their documented instructions and sign data processing agreements.
We collect information directly from you, automatically when you use our services and from carefully selected third parties who help us deliver those services. We minimise collection by using privacy-by-design principles and conducting regular data audits.
| Category | Examples | Primary purposes | Typical retention |
|---|---|---|---|
| Identity & contact | Name, job title, company, email, phone, postal address, preferred pronouns. | Account setup, proposals, project collaboration, event invitations. | Seven years after engagement or until consent withdrawn. |
| Commercial & project | Briefs, statements of work, technical documentation, meeting notes. | Deliver contracted services, improve quality, manage risk. | Seven years after project closure. |
| Financial & billing | Billing contacts, invoicing details, payment references (no full card data stored). | Process payments, comply with tax and audit duties. | Seven years from transaction date. |
| Usage & technical | IP addresses, device identifiers, browser type, referral source, cookie preferences, error logs. | Secure our platforms, analyse performance, personalise experiences. | Up to 26 months depending on cookie settings. |
| Support interactions | Enquiry forms, live chat transcripts, helpdesk tickets, call recordings, email correspondence. | Resolve requests, monitor quality, train staff. | Up to three years after resolution. |
| Recruitment & HR | CVs, portfolios, interview notes, right-to-work documentation. | Assess suitability for roles, onboarding successful candidates. | 12 months post-campaign unless consent to retain longer. |
| Sensitive data (rare) | Accessibility requirements, dietary needs, equality monitoring. | Deliver inclusive experiences and comply with legal obligations. | Deleted once the specific need is fulfilled. |
We collect childrenâs data only when strictly necessary for a specific project and always with parental or guardian consent. All processing undergoes a Data Protection Impact Assessment (DPIA) when high risk is identified.
We use personal information only where we have a lawful basis and a legitimate business purpose. Typical uses include:
We may use aggregated analytics to understand which services are most relevant to you. This profiling does not have legal or similarly significant effects. You can opt out of personalised marketing at any time by using the unsubscribe link or emailing privacy@orbasagency.com.
We rely on the following lawful bases under UK GDPR. We perform Legitimate Interest Assessments where required to balance our objectives with your rights.
Where personal data is transferred outside the UK or European Economic Area, we use lawful safeguards such as adequacy regulations, International Data Transfer Agreements (IDTAs), EU Standard Contractual Clauses with the UK addendum, binding corporate rules or another recognised transfer mechanism. We assess the legal environment in the destination country and implement additional controls where necessary.
We retain personal data only as long as necessary to fulfil the purposes outlined in this policy, comply with legal obligations and resolve disputes. Client project files are typically retained for seven years after the end of the engagement. Marketing information is retained for two years after your last interaction unless you opt out sooner. Recruitment records are deleted twelve months after a vacancy closes unless we obtain your consent to keep them longer. In all cases we will securely delete or anonymise data when retention is no longer required.
We use certified destruction providers for physical media and follow NIST 800-88 guidance for digital sanitisation. Retention schedules are reviewed every 12 months.
You have the right to request access, rectification, erasure, restriction of processing, data portability and to object to certain processing activities. You can also withdraw consent for marketing or optional cookies at any time.
We will never discriminate against you for exercising your rights. If your request is manifestly unfounded or excessive we may charge a reasonable fee or refuse to act, in which case we will explain our decision.
We implement layered security measures including encryption in transit and at rest, access controls, multi-factor authentication, intrusion detection, regular vulnerability assessments, secure development practices and staff training. Our systems are monitored 24/7 and access is restricted to authorised personnel on a need-to-know basis. We maintain incident response plans and will notify you and relevant regulators of any notifiable breach.
We align with ISO 27001 controls and maintain policies covering access management, secure coding, vendor management, incident response and business continuity.
When a breach is likely to result in high risk, we inform affected individuals without undue delay and report to the ICO within 72 hours.
We do not conduct solely automated decision-making that produces legal or similarly significant effects. If this changes, we will update this policy and inform affected individuals, explaining the logic involved and potential consequences. Any automated tools we deploy are subject to human oversight, fairness assessments and bias monitoring.
We may update this policy to reflect changes in our services, technology or legal requirements. Significant updates will be communicated via our website or direct notification. The âEffective dateâ at the top of this page indicates when the policy was last revised. Continued use of our services after changes indicates acceptance.
Email privacy@orbasagency.com or write to Blackwellen, 61 Bridge Street, Kington, Hertfordshire, HR5 3DJ, United Kingdom.