Privacy Policy
Updated at June 18th 2026
PRIVACY POLICY
This policy explains how ZARO Digital (“we”, “us”, “our”) collects, uses, and protects personal data when you visit zarodigital.com or otherwise interact with us. It is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the amendments introduced by the Data (Use and Access) Act 2025 (DUAA), including the provisions that came into force on 19 June 2026.
1. Who we are
ZARO Digital, Sole trader Email: danielle@zarodigital.com Phone: +44 (0) 7912 845 375 ICO registration number: ZB273933
We are the data controller for the personal data described in this policy. As a sole trader, Danielle Mills handles data protection matters directly; we do not currently use a separate Data Protection Officer.
2. What personal data we collect
Based on your current site, we collect:
- Contact details — name, email address, phone number, mailing address (e.g. from contact forms, enquiries, newsletter sign-ups, or booking a discovery call)
- Account data — login credentials, account preferences, if you register with us
- Invoice/billing details — name, address, and invoice records, for clients we work with directly (we do not take payments through the website and do not process or store card details)
- Technical data — IP address, browser type, device information, operating system
- Usage data — pages visited, time on site, referral source, click behaviour (via analytics and cookies)
- Marketing preferences — whether you’ve opted in or out of communications
- Correspondence — records of emails, calls, or support tickets if you contact us
- Social media data — publicly available information you’ve chosen to share if you engage with us via social media or provide a social media profile
We do not currently use any analytics, advertising, or marketing tools beyond Calendly for booking calls.
3. How we use your data, and our lawful basis
UK GDPR requires a lawful basis for every use of personal data. As of February 2026, the DUAA introduced a new, seventh lawful basis — “Recognised Legitimate Interests” — alongside the original six. We rely on the following:
| Purpose | Lawful basis |
|---|---|
| Responding to enquiries, providing services you’ve requested | Contract / Legitimate interests |
| Processing payments and orders | Contract / Legal obligation |
| Sending marketing communications | Consent (you can withdraw this anytime) |
| Improving our website and services through analytics | Legitimate interests |
| Fraud prevention, safeguarding, and security monitoring | Recognised legitimate interests (DUAA) and/or legitimate interests |
| Complying with tax, accounting, and legal obligations | Legal obligation |
| Responding to emergencies or assisting law enforcement where applicable | Recognised legitimate interests (DUAA) |
“Recognised legitimate interests” is a narrower, government-defined category (e.g. safeguarding, crime prevention, responding to emergencies, or assisting public bodies with statutory functions) that does not require us to carry out the usual legitimate interests balancing test. We only rely on it where it genuinely applies — for most everyday processing (marketing, analytics, service delivery), we continue to rely on consent, contract, or ordinary legitimate interests as before.
4. Children’s data
Where our services may be accessed by children, which isn’t anticipated due to the nature of business, we take into account the “children’s higher protection matters” introduced by the DUAA. In practice this means we consider:
- How children using our site can be protected and supported
- That children may be less aware of the risks of how their data is used
- That children have different needs depending on their age and stage of development
Our services are aimed at businesses and business owners, not children. We do not knowingly collect personal data from children under the age of 13, which is the correct UK threshold for digital consent (rather than US-specific standards sometimes seen in generic template policies). If we become aware that we have inadvertently collected data from a child, we will delete it promptly.
5. Automated decision-making
The DUAA broadened the circumstances in which automated decision-making (ADM) is permitted, including in some cases involving special category data, subject to safeguards.
We do not currently use any automated decision-making that produces legal or similarly significant effects on individuals.
If we do not currently use ADM that produces legal or similarly significant effects, you can state: “We do not currently use any automated decision-making that produces legal or similarly significant effects on individuals.”
6. Cookies and similar technologies
The DUAA amended the Privacy and Electronic Communications Regulations (PECR) governing cookie consent. Some limited categories of cookies (e.g. for statistical purposes to improve a website, or for security purposes) may now be exempt from prior consent requirements, subject to clear information and an opt-out being provided. Most marketing, advertising, and non-essential analytics cookies still require your prior consent.
We use the following types of cookies:
- Strictly necessary — required for the site to function (no consent required)
- Third-party booking — Calendly sets cookies when you use our booking widget to schedule a discovery call; see Calendly’s own privacy policy for details
- Functional — to remember your preferences
You can manage your cookie preferences via our cookie banner / settings tool at any time, or through your browser settings.
We do not currently use any analytics or advertising tools.
7. Sharing your data
We may share personal data with:
- Calendly — for booking discovery calls
- Professional advisors (accountant, solicitor) where necessary
- Regulators, law enforcement, or public authorities where required by law, or under the recognised legitimate interests basis (e.g. crime prevention or safeguarding)
- A buyer, if we sell or transfer part of our business
We do not sell personal data to third parties, and we do not currently use any analytics or advertising tools.
8. International transfers
If we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as the UK’s International Data Transfer Agreement (IDTA), adequacy regulations, or Standard Contractual Clauses with a UK addendum.
Calendly, which we use for booking discovery calls, may store data on servers outside the UK (including in the US). Calendly participates in the EU-US Data Privacy Framework / UK extension, which provides an approved safeguard for these transfers. We do not use any other tools that transfer data outside the UK.
9. How long we keep your data
We retain personal data only as long as necessary for the purposes set out in this policy, or as required by law (e.g. tax records are typically kept for 6 years).
Typically, we keep enquiry and client data for 1–2 years after our relationship with you ends, unless a longer period is required by law (for example, financial/tax records, which must be kept for 6 years under UK tax law). After this, data is securely deleted or anonymised.
10. Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data in certain circumstances
- Restrict processing in certain circumstances
- Data portability — receive your data in a portable format
- Object to processing based on legitimate interests or direct marketing
- Withdraw consent at any time, where consent is the basis for processing
- Not be subject to decisions based solely on automated processing that significantly affect you, subject to limited exceptions
To exercise any of these rights, contact us at danielle@zarodigital.com. We will respond within one month, as required by law.
11. Complaints procedure
In force from 19 June 2026, the DUAA requires organisations to operate a formal internal complaints process for individuals exercising their data protection rights. Our procedure is as follows:
- How to complain: Send your complaint to danielle@zarodigital.com, including as much detail as possible about your concern and the data involved.
- Acknowledgement: We will acknowledge your complaint within 30 days of receipt.
- Investigation: We will investigate your complaint, which may involve reviewing the data held about you, the processing activity in question, and any relevant records.
- Resolution: We will provide a substantive response setting out our findings and any action taken, normally within 30 days of acknowledgement.
- Escalation: If you are not satisfied with our response, you have the right to escalate your complaint to the Information Commissioner’s Office (ICO): Information Commissioner’s Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Helpline: 0303 123 1113 Website: ico.org.uk
You do not need to complain to us first before contacting the ICO, but we encourage you to give us the opportunity to resolve your concern directly.
12. Security
We use appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse.
We use standard website security measures, including SSL encryption for data transmitted to and from our website, and the security protections provided by our website hosting provider.
13. Changes to this policy
We may update this policy from time to time, particularly as further DUAA secondary legislation and ICO guidance is issued throughout 2026. The “Last updated” date at the top of this policy shows when it was last revised. We recommend checking back periodically.
14. Contact us
If you have any questions about this policy or how we handle your data, contact us at:
danielle@zarodigital.com 14 Belmont Drive, Bangor, BT19 1NH, United Kingdom +44 (0) 7912 845 375
