Privacy policy
Last updated: June 2025
Welcome to Salt Thinking Limited’s Privacy and Data Protection Policy (“Privacy Policy”).
At Salt Thinking Limited (“we”, “us”, or “our”) we are committed to protecting and respecting your privacy and Personal Data in compliance with the United Kingdom General Data Protection Regulation (“GDPR”), the Data Protection Act 2018 and all other mandatory laws and regulations of the United Kingdom.
This Privacy Policy explains how we collect, process and keep your data safe. The Privacy Policy will tell you about your privacy rights, how the law protects you, and inform our employees and staff members of all their obligations and protocols when processing data.
The individuals from which we may gather and use data can include:
- Business contacts and any other people that the organisation has a relationship with or may need to contact.
- This Privacy Policy applies to all our employees and staff members and all Personal Data processed at any time by us.
1. About us
Company name: Salt Thinking Ltd
Registered office: Exmouth House, 3-11 Pine Street, London, EC1R 0JH, UK
Company number: 10857725
Website: www.saltthinking.com
Contact email: hello@saltthinking.com
Data Protection Lead: Kath Cotton
We act as a "data controller" for the personal data we process.
Salt Thinking does not have a Data Protection Officer (DPO) because we do not meet the criteria under UK GDPR that require the appointment of a DPO. Specifically, we are not a public authority, our core activities do not involve large-scale regular and systematic monitoring of individuals, and we do not process large amounts of sensitive personal data. As a result, we are not legally required to appoint a DPO at this time.
2. Children's privacy
Our services and website are not directed at children under 13. We do not knowingly collect data from minors.
3. Information we collect
A. Directly provided data
We collect information when you:
- Request services or quotes via our website/email
- Subscribe to newsletters (if applicable)
- Attend meetings or events with us
- Correspond via phone/email
This may include:
- Contact details: Full name, work email, phone number, job title, company name
- Professional information: Project requirements, creative briefs, or feedback
- Billing details: Invoice addresses/payment information (for clients)
Automated decision-making statement:
We do not use automated decision-making processes (including profiling) that have a legal or similarly significant effect on individuals. All decisions regarding your personal data are made by our staff.
4. How we use your data
| Type of Personal Data | Purpose of Processing | Lawful Basis for Processing |
|---|---|---|
| Contact Data | To communicate with clients and prospects | Legitimate Interest, Contractual Obligation |
| Client Preferences | To tailor marketing strategies and campaigns | Legitimate Interest |
| Transaction Data | To process payments and manage accounts | Contractual Obligation, Legal Compliance |
| Marketing Data | To send promotional materials and updates | Consent |
We never:
- Sell your data to third parties
- Use your data for unrelated marketing without consent
5. Data sharing
We may share information with:
- IT/service providers: Secure cloud storage, website hosting, IT security and email providers
- Professional advisors: Accountants, Banks or legal consultants (under confidentiality)
- Regulatory bodies: HMRC, ICO, or law enforcement if legally required
- Investors/Acquirors: Potential investors or purchasers of our business or assets.
All third parties must meet UK GDPR standards. If Salt Thinking is sold or makes a sale or transfer, we may, in our sole discretion, transfer, sell or assign your Personal Data to a third party as part of or in connection with that transaction. Upon such transfer, the Privacy Policy of the acquiring entity may govern the further use of your Personal Data. In all other situations your data will still remain protected in accordance with this Privacy Policy (as amended from time to time).
6. INTERNATIONAL TRANSFERS
We primarily store your personal data in the UK. If we ever need to transfer your data outside the UK, we will ensure that appropriate safeguards are in place as required by UK data protection law. This may include using standard contractual clauses approved by the UK government or ensuring the recipient country has been granted an adequacy decision by the UK authorities.
7. Data retention
| Data Type | Retention Period |
|---|---|
| Client records | 6 years after contract ends |
| Prospect enquiries | 2 years after last contact |
| Website analytics | 26 months |
| Financial records | 7 years (for HMRC compliance) |
We securely delete/anonymise data when no longer needed.
8. Your rights
You have the right to:
- Access: Request a copy of your data (free of charge, unless the request is manifestly unfounded or excessive or we have already supplied the data)
- Rectification: Correct inaccurate information
- Erasure: Ask us to delete your data (where legally permitted)
- Restrict processing: Limit how we use your data
- Object: Challenge processing based on legitimate interests
- Portability: Receive your data in a machine-readable format
To exercise these rights, email hello@saltthinking.com with "Data Request" in the subject line. We respond within 30 days and may ask for proof of identity. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. However, if your request is clearly unfounded, we could refuse to comply with your request.
9. Security measures
We protect your data through:
- Encrypted website connections (HTTPS/SSL)
- Password-protected systems with limited staff access
- Regular security audits of third-party providers
- Staff GDPR training programmes
However, no transmission of data over the internet is guaranteed to be completely secure. It may be possible for third parties not under the control of Salt Thinking to intercept or access transmissions or private communications unlawfully. While we strive to protect your Personal Data, we cannot ensure or warrant the security of any Personal Data you transmit to us. Any such transmission is done at your own risk. If you believe that your interaction with us is no longer secure, please contact us.
10. Cookies
Our website uses Plausible Analytics, a privacy-focused analytics service that does not use cookies and does not collect any personal data about our visitors. All site measurement is carried out in a fully anonymous way, with no persistent identifiers, cross-site or cross-device tracking. Because Plausible does not use cookies and does not process personal data, there is no need for you to set or manage cookie preferences when visiting our website. This approach ensures compliance with privacy regulations such as GDPR, CCPA, and PECR, and means your browsing experience remains private and uninterrupted. For further details of Plausible Analytics privacy friendly approach see its data policy here and our Cookie Policy here: https://www.saltthinking.com/cookie-policy.
11. Data breach notification
What we do in the event of a data breach:
If a personal data breach occurs, we will assess the likely risk to your rights and freedoms. If a breach is likely to result in a risk to your rights, we will report it to the Information Commissioner’s Office (ICO) without undue delay, and where feasible within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to you, we will also inform you directly and without undue delay, so you can take steps to protect yourself. We will keep a record of all personal data breaches, regardless of whether notification is required.
12. Complaints
Contact us first at hello@saltthinking.com to resolve issues. You may also complain to:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113 ico.org.uk
13. Policy updates
We may update this policy from time to time. The latest version will always be available on our website. We recommend that you review this policy periodically to stay informed about how we use your personal data.