PRIVACY POLICY

Privacy Policy

1. Introduction

This privacy policy (hereinafter “Policy”) explains how Treefrog Limited as data controller, collects, uses and protects your personal data in accordance with the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (as amended) and the Data Use and Access Act 2025 (DUAA 2025). If anything is unclear, please contact our DPO/data protection lead at info@treefrog.uk.com

We respect your privacy and take our obligations very seriously and are registered with the ICO under registration number ZB932430.

2. The Data We Collect & How

a) Data provided directly by you

• Contact data (name, address, email, phone)
• Organisation/company details, job title, role
• Any other information you volunteer (e.g. in forms or communications, competitions, or surveys)

b) Data obtained indirectly

• From public sources (e.g. websites, referrals etc.)
• From third‑party partners if you are referred to us

c) Technical / analytical data

• IP address
• Browser and device type
• Website use statistics via cookies, in line with PECR guidelines

3. Legal Bases & Lawful Purposes

We rely on the following lawful bases under UK GDPR and applicable legislation:

  • Contract performance: where processing is necessary to provide services you’ve requested

  • Legal obligation: where required by statutory or regulatory duties (e.g. DUAA 2025 access requests)

  • Legitimate interests: for improving services, internal administration, compliance, and marketing (provided your rights are not overridden)

  • Consent: for direct marketing emails, cookies, or sensitive processing. Consent is freely given, specific and can be withdrawn at any time.

We will only process your personal data for specified, explicit and legitimate purposes, and not further process it in a manner incompatible with those purposes.

4. Use of Special Category Data

We do not collect Special Category Data (e.g. health, race, union membership). If we do so, we will rely on a permitted condition under UK GDPR (e.g. explicit consent or substantial public interest) and will inform you of our intent and reasoning in advance.

5. Cookies & Electronic Communications

Our website uses cookies. Under PECR, we obtain your consent before placing non‑essential cookies, which you can withdraw at any time. Essential cookies required for site functionality are strictly necessary and may not be disabled. You may control cookies via your browser settings.

For marketing emails, we will only send to you if we have your consent (opt‑in), or where the soft opt-in under PECR applies (i.e. where you are an existing customer and the message relates to similar services). Every message offers you the right to opt‑out at any time. For more detailed information please see our cookie policy here https://www.treefrog.uk.com/cookies-policy-

6. Data Sharing & Third Parties

We will only share your personal data:

  • with your consent for specific purposes

  • when required by law or legal process (e.g. court orders, DUAA 2025 data access requests, ICO enquiries)

  • with service providers acting on our behalf, under contract and appropriate safeguards

  • or in the event of a merger or business transfer. In such cases, you will be notified and your data will remain protected in accordance with this policy.

7. Data Security

We apply technical and organisational safeguards to protect your data, including secure UK‑based servers, encrypted transmissions, and restricted staff access. While we make every effort to protect your data, transmission via the internet carries inherent risks.

All data remains processed within the UK unless otherwise agreed in writing.

8. Data Retention

We retain your personal data only as long as necessary to fulfil the purposes for which it was collected, or as legally required - typically two years from last contact unless law dictates otherwise. After that it is securely deleted or anonymised.

Backup copies may be retained securely for a limited period for legal, regulatory, or archival purposes, as permitted by the UK GDPR and the Data Use and Access Act 2025. These are stored with safeguards in place and not used for any new or incompatible purpose.

9. Your Rights

Under UK GDPR, DPA 2018 and DUAA 2025 you have the following rights:

  • Right to be informed (via this Policy and notices)

  • Right to access your personal data

  • Right to rectification of inaccurate or incomplete data

  • Right to erasure (“right to be forgotten”) in certain circumstances

  • Right to restrict processing

  • Right to object to processing, including for direct marketing or legitimate interests

  • Right to data portability (where data is processed based on your consent)

  • Rights in relation to automated decision‑making and profiling

  • Right to lodge a complaint with the ICO if unhappy with our response

You can exercise these rights by writing to our DPO at info@treefrog.uk.com. We will respond to your request without undue delay and, in any event, within one calendar month. If your request is complex or involves numerous items of data, we may extend this period by a further two months, but we will inform you of this within the initial month.

10. Compliance with DUAA 2025 & Data Use Requests

Under the DUAA 2025, you may request access to or deletion of your data at any time. We will process such requests in line with statutory deadlines and provide you with clear outcomes. We do not usually charge a fee. If a fee is required under the law, we will explain the reason and amount to you in advance.

11. Photographs and Videography

Treefrog Limited may capture photographs and video footage for use in marketing, promotional content, training, documentation, or social media activity. Where Treefrog is the data controller (for example, when we use content on our own website, printed materials, or digital platforms), we will seek your informed consent in advance unless another lawful basis applies, such as legitimate interests in documenting a public event where there is no reasonable expectation of privacy. Consent will always be sought for staged or posed imagery, and particularly where individuals are the focal point. You may withdraw your consent at any time by contacting us.

Please note, however, that withdrawal of consent cannot retroactively remove materials that have already been distributed in hard copy, shared on public platforms, or re-shared by third parties. While we will take reasonable steps to remove or restrict access where feasible, we cannot guarantee full deletion once content has entered the public domain.

Where Treefrog is engaged by a client to capture or process photographs or videos on their behalf, we function as a data processor only. In such cases, the client remains the data controller and is responsible for ensuring all necessary consents or lawful bases are obtained, particularly where images include identifiable individuals, children, or vulnerable persons. We will process such content solely on instruction and in line with our contractual and legal obligations.

Where children under the age of 13 may be involved, we will only capture or publish images with the express prior consent of a parent or legal guardian, except where the child is incidental in a crowd scene and no identifying information is used.

For further details on how we manage consent, image use, and social sharing, please see our Photographs, Videography and Social Media Policy.

12. Social Media

Treefrog Limited maintains an active presence on social media platforms such as Facebook, Instagram, LinkedIn, X (formerly Twitter), and YouTube. We use these platforms to communicate, promote our services, share news, and engage with our audience.

If you choose to share personal data with us via these platforms, including in messages, comments, tagging, or reviews, we will process that information for the purposes of responding to your enquiry, managing our pages, or interacting with you in a business context. In doing so, we function as the data controller for any personal data you provide directly to us.

You should be aware that social media platforms are public forums. Any information you post in public comments or visible interactions may be accessed and reused by others outside of our control. We advise you not to share sensitive or confidential information via these channels unless using direct messaging, and even then only where necessary.

We do not harvest or scrape personal data from social media for profiling or marketing purposes unless we have a lawful basis to do so. Any personal data collected through social media is processed in line with our general data protection obligations under the UK GDPR, the Data Protection Act 2018, PECR 2003, and the Data Use and Access Act 2025.

For further information, please refer to our Photographs, Videography and Social Media Policy.

13. Changes to this Policy

We reserve the right to update this policy when legislation changes (including UK GDPR, DPA 2018, PECR, DUAA 2025), or when our practices evolve. Amendments will be published on our website and take effect immediately. Continued use after updates implies acceptance.

 

14. Contact Details

Data Controller:         Treefrog Limited, registered in England and Wales

under number 13316234

 

Registered office:       Unit 10 Chapman Way, Hethel, Norwich, Norfolk, England, NR14 8FB

DPO / Data Lead:        Michael Bramford

ICO registered number:  ZB932430

 

Further Questions or Complaints

If you have any questions or complaints about how we process your data, please contact us in the first instance at info@treefrog.uk.com

If we are unable to resolve your concern, you may also contact:

The Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
0303 123 1113 or via their website ico.org.uk

15. Updates

This Privacy Policy is a live document and may be updated at any time to reflect changes in our practices, services, or legal obligations. We do not guarantee prior notice of updates. However, where a change materially affects how we process your personal data, we will notify you as required by law. The date shown below indicates when this policy was last reviewed and updated.

Last updated 7th July 2025.