Privacy Policy.

1. Who we are

Forma Studio Ltd (trading as FORMA) is the data controller for the personal data described here. We are registered in Scotland (company number [COMPANY NO.]), registered office [REGISTERED OFFICE ADDRESS]. For any privacy matter, contact us at [email protected] (our registration with the Information Commissioner's Office is [ICO REGISTRATION NO.]).

2. The information we collect

We collect:

• Enquiry details you send through our contact form: your name, email, company, the type of work you need, an optional budget range and your message.
• Client portal data for active projects: your name, email and company, messages you send us, files and deliverables, milestone approvals and the name you type to sign off work.
• Billing details needed to issue and record invoices.
• Technical data created when you visit, such as your IP address, browser type and pages viewed, used for security and aggregate analytics.

3. How and why we use it

We use your personal data to:

• respond to your enquiry and discuss a possible project (our legitimate interest in answering you, and steps towards a contract);
• deliver projects and run the client portal (performance of our contract with you);
• issue invoices and keep accounting records (legal obligation and legitimate interest);
• keep the site secure and prevent abuse, including the anti-spam check on our form (legitimate interest);
• understand, in aggregate, how the site is used so we can improve it (legitimate interest, using privacy-friendly analytics).

We do not sell your personal data, and we do not use it for third-party advertising.

4. Cookies and analytics

We use a small number of essential cookies and privacy-friendly, cookieless analytics. Full detail, and how to manage your choice, is in our Cookie Policy.

5. Who we share it with

We share personal data only with service providers who help us run the studio, and only as needed. These include:

• Cloudflare, which hosts the site and provides our database, file storage, transactional email and bot-protection (Turnstile) and analytics.
• Google (Google Workspace), which provides our email.
• Our payment processor (for example Stripe), where you pay by card.
• Professional advisers and authorities where we are required to share information by law.

These providers act either as our processors, handling data on our instructions, or as their own controllers under their own privacy policies.

6. International transfers

Some of our providers process data outside the UK. Where they do, we rely on appropriate safeguards, such as UK adequacy regulations or the International Data Transfer Agreement / Addendum to the EU Standard Contractual Clauses, so your data stays protected.

7. How long we keep it

We keep enquiry data for up to 24 months after our last contact, unless it becomes part of a project. We keep project and portal data for the life of the engagement and a reasonable period afterwards. We keep billing and accounting records for at least six years to meet our legal obligations. We then delete or anonymise data we no longer need.

8. How we protect it

We use encryption in transit (HTTPS), access controls, signed session cookies and parameterised database queries, and we limit access to those who need it. No system is completely secure, but we take reasonable steps to protect your data and to deal with any incident promptly.

9. Your rights

Under UK data-protection law you have the right to access your data, to have it corrected or erased, to restrict or object to its processing, and to data portability. Where we rely on consent, you can withdraw it at any time.

To exercise any of these, email [email protected]. You also have the right to complain to the Information Commissioner's Office (ico.org.uk), though we would appreciate the chance to put things right first.

10. Other websites

Our site may link to other websites. We are not responsible for their content or privacy practices, so please read their policies when you visit them.

11. Changes to this policy

We may update this policy from time to time. The latest version is always published here, with the date it last changed shown at the top.

12. Contact

For any question about your data or this policy, email [email protected].