Privacy & Cookies Policy


Last updated on 24th May 2018.

Compliance Overview

With the new General Data Protection Regulation (“GDPR”) regulating how individuals and organisations may collect, use and retain personal data and PECR (communicating with users using their data) coming into effect on 25th May 2018, we’ve been working hard to consult with businesses to provide guidance to them on how they should best work towards compliance with these two EU regulations. 

We’s also been working in the background to bring ourselves into compliance because we take the responsibility of our clients’ data very seriously.



We are required to inform you of any other processors involved in the processing of your data. With our daily operations, the vast majority of information is stored on our internal systems here in our studio. We have sought and recorded assurances from other processors, where they are used, and further information can be found here:

We store some sales and leads data, client contact information, server and database information and technical information required to work on client sites using Secure Sockets Layer (SSL) software provide by Siteground to encrypt the information you send us in order to protect its security during transmission to and from us. You can read more about Siteground’s security measures here.

This includes recording and tracking client tasks. Information related to specific tasks and associated sites is stored alongside a project number along with any additional information that may be required to help complete the tasks. 

  • We use GoogleDocs to share joint project documents;
  • We use Dropbox to back up some project related information and files;
  • We use WeTransfer to transfer large format files between us and our clients and, upon our clients' request, to their clients and suppliers;
  • We use Vimeo for online video hosting; and
  • We use MailChimp to send news and announcements to our clients and on behalf of clients (for their business). Client names and emails are stored on their secure servers. If you use us and our system for your own email newsletters, we will have contacted you to make sure you have requested GDPR compliant ‘opt-in’ permissions from your subscribers to continue to contact them. This action is your responsibility. 

For our hosted services we use the following processors:

Hosted Services
Where we provide hosting services to our clients we act as Data Processors on the behalf of our client who are Data Controllers under the terms of the regulation.

Data Controllers are required to seek assurances from Data Processors that data processing is being carried out in a manner where “reasonable technical and organisational measures” are being taken to secure the data being processed. Data Processors are required to provide this information on request. To this end, please see below the following series of statements to satisfy this requirement.

Technical Measures
All hosted services are protected by multiple layers of protection. Every server is protected by a hardware firewall that only passes genuine traffic destined for specific services. Access to critical services are disabled and restricted as necessary.

Each server is further protected by an additional software firewall and physical DDOS appliance. The software firewall is configured to only allow relevant network services.

Website files, databases and other data relating to the website, underlying content management system files, version and so on are the sole responsibility of the customer. We are responsible for the security of the Operating System and firewall configurations alongside updating the WHM/CPanel software on the servers only.


Website Design and Development Services

Where you have contracted us to design or build a website for you, we are neither data controllers nor data processors with respect to the function and data collection that you provide for on your website.

In these circumstances the client is acting as a Data Controller and the company hosting the site is acting as a Data Processor. The Controller should seek written assurances from the processor around the measures being taken to secure the data.

3rd Party Hosted Services
Where you have taken advice from us, recommending and/or referring you to a 3rd party processing service, such as MailChimp, Big Cartel or Squarespace, we act as neither processors nor controllers with respect to these data processing systems. As the Data Controller, you should seek written assurances from the processor around the measures being taken to secure the data. 

For clients using our fully managed, cloud hosted WordPress service, please know we automatically back up and upgrade all client sites (although the frequency of backups does vary depending on client requirements). For this we use Siteground, officially recommended by as one of the best hosting providers. Siteground are GDPR compliant. To provide services around your hosting account, we share some of your data with external providers like domain registrars, SSL providers, and content delivery network (CDN) providers. All such partners are either natively GDPR-compliant themselves or have signed a special contract with Siteground to meet data protection standards;

As the Data Controller, it is your responsibility to regularly maintain your WordPress website to ensure any installed plugins are GDPR compliant and up-to-date. If you need our help, please just ask.


Our Internal Systems

Organisational Measures
We are a small team. Access to the administrative portions of the hosting infrastructure are restricted solely to those within it requiring access. We already have the foundations of compliance pre-built as the technical and organisational measures required to meet the test of “reasonable technical and organisational measures” required under the regulation.

Technical Measures
Whilst digital content is held in different secure online locations (see Sub-processors), physical copies of client details are stored in a single physical location, with physical and logical security in place. The location is secured with multiple layers of key-based access with one key holder. The building is secured and populated almost 24/7, 365 days a year.

Access to data on our internal systems is restricted according to business need and each user has a unique password and username and all systems are logged and monitored for unusual behaviour 24×7. Furthermore, we employ a full suite of anti-malware systems and all updates and patches are applied and checked regularly by our internal team. Our network is protected by a controlled and monitored hardware firewall. Each computer has software firewalling enabled and controlled.


Data Collection Policy Statement

We collect data in order to provide quotes to prospective clients and to fulfil contractual requirements. This information may be retained for up to 10 years for financial recording reasons as required by regulators. Further, data may be retained for the purposes of client communication, the marketing of similar services, for exercising our rights with regards to Intellectual Property (IP) and for regulatory or legal defence reasons until such time as these details would no longer be relevant or required. If this contractually necessary information is not provided we will be unable to satisfactorily communicate with clients and so be unable to act effectively on any requests from such clients.

This data will be in the form of names, email addresses, telephone numbers and other contact details such as Instant Messaging account names, IP addresses and possibly other online identifiers. 

We do not sell, share or transfer data onwards to other recipients, nor do we transfer data to third countries or international organisations that do not have an adequacy agreement.

If you elect to pay us by credit or debit for our services, we share your the contact data you provided to us with Stripe, who will process your payment on our behalf. We will retain your transaction details for 6 years, as we are required to store this information by law.

To the extent that the legal basis for our processing of your personal data is:

  • (a) consent; or
  • (b) that the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.

Your Rights

Under data protection law, you have the following rights in respect of the information we hold about you. 

  • the right to access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to object to processing;
  • the right to data portability;
  • the right to complain to a supervisory authority; and
  • the right to withdraw consent.

You have the right to access the information which we hold about you and you can contact us to request a copy of this. You can make this request by emailing: or writing to us at: Atelier of Alchemy, 50 Middleton Close, Chichester, PO20 8SR. 

If you do not think that the information we hold about you is correct, or you think that we do not have all the information which we should have about you, you can request that we rectify the information so that it is correct and complete. 

You can request that we erase the data which we hold about you, or that we restrict the way that the data is used. This means that we will store your data securely, but it will not be processed in any way. You can also request that we send a copy of the data which we hold about you to another third party. 

If you object to the way we have processed your data, please contact us to tell us why.

Once we have received your request for us to do any of the above, we will contact you within 30 days either to confirm that we have carried out your request or why we have not. In some cases we will not have to process your request, or will not be able to. We will still contact you within 30 days to explain to you why we believe this is the case. 

If you feel that your data has been used inappropriately, you should contact us. You also have the right to complain to the Information Commissioners Officer (ICO) at

To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. We do not engage in profiling or automated decision making. Withdrawal will not affect the lawfulness of processing before the withdrawal. 

You may exercise any of your rights in relation to your personal data by written notice to us.


Our Cookie Policy

About cookies
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

Cookie Declaration
Cookies currently in use on our website along with their purpose, can be found here. Your consent applies to the following domains:

Cookies that we and our service providers use and their purpose:

  • Authentication – we use cookies to identify you when you visit our website and as you navigate our website;
  • Status – we use cookies to help us to determine if you are logged into our website;
  • Personalisation – we use cookies to store information about your preferences and to personalise the website for you;
  • Security – we use cookies as an element of the security measures used to protect user accounts, including preventing fraudulent use of  
    login credentials, and to protect our website and services generally;
  • Advertising – we use cookies to help us to display advertisements that will be relevant to you;
  • Analysis – we use cookies to help us to analyse the use and performance of our website and services; and
  • Cookie Consent – we use cookies to store your preferences in relation to the use of cookies more generally.

Our service providers use cookies and those cookies may be stored on your computer when you visit our website.

We use Squarespace to host our website. This service uses cookies for help the website run effectively and provide the best experience for you. You can view the privacy policy of this service provider at

We use Google Analytics to analyse the use of our website. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create reports about the use of our website. Google's privacy policy is available at: We only store your usage data for the purposes of analysing our website performance for 26 months, after this time it is deleted and removed from our statistics reports.

Managing cookies
Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:

Blocking all cookies will have a negative impact upon the usability of many websites. If you block cookies, you will not be able to use all the features on our website.

Cookie Consent
You can opt-in or opt-out of consenting to the use of cookies at any time. When you first visit our website, you will be given the option to opt-in and accept all cookies. Or you can decline. Simply click on the Cookie Policy to bottom of your browser screen to update your preference.


Changes to our privacy & Cookies policy 

We will occasionally update this Privacy Notice. We will tell you about these changes by posting a notification at the top of this page on our website. This policy was last updated on 24th May 2018.

Disclaimer: Nothing on this page constitutes legal advice. Specialist legal advice should be taken in relation to specific circumstances. The contents of this page are for general information purposes only. Whilst we endeavour to ensure that the information on this email is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission.

We shall not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of, or inability to use, this site or any material contained in it, or from any action or decision taken as a result of using this site or any such material. If you have any further questions, please contact us.