Privacy policy

Prism Labs Ltd ("Prism Labs", "we", "us", or "our") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, store, share, and protect information when you visit prismlabs.io and related pages (the "Website"), contact us, book a call, or otherwise interact with us. This policy applies to visitors to our Website and to individuals who enquire about or engage our digital marketing, branding, design, and software development services. It does not cover third-party websites or platforms you may access through links on our Website, such as booking tools or social networks, which are governed by their own privacy policies. Please read this policy carefully. If you do not agree with it, please do not use our Website or submit personal data to us.

1. Who we are

Prism Labs is a digital marketing and software development agency. We help businesses with marketing and growth, brand and design, and technology and development services.

For the purposes of applicable data protection law, Prism Labs Ltd is the data controller responsible for personal data collected through this Website and through initial business enquiries, unless we agree otherwise in writing when delivering client services.

Contact email: hello@prismlabs.ltd
Website: https://prismlabs.io

2. What personal data we collect

We may collect and process the following categories of personal data, depending on how you interact with us:

  • Identity and contact data: name, email address, company or organisation name, job title, and other details you choose to provide.
  • Enquiry and communications data: messages, project requirements, goals, and any other information you include in contact forms, emails, or calls with us.
  • Technical and usage data: IP address, browser type and version, device type, operating system, referring URLs, pages viewed, time spent on pages, and general interaction data collected through analytics tools.
  • Booking data: if you use our external booking link, the third-party provider may collect scheduling and contact information according to its own policy.
  • Client and project data: where you become a client, we may process additional business contact details, billing information, brand assets, campaign data, access credentials, and other information necessary to deliver our services. That processing is usually governed by our client agreement as well as this policy.

3. How we collect personal data

We collect personal data in the following ways:

  • Directly from you when you complete our contact form, email us, book a consultation, or communicate with us during a project.
  • Automatically when you browse our Website, including through cookies, analytics technologies, and server logs.
  • From third-party service providers that help us operate the Website, deliver emails, host content, or measure performance.
  • From publicly available sources or referrals, where relevant to a business enquiry.

4. How we use personal data

We use personal data for the following purposes:

  • To respond to enquiries and communicate with you about our services.
  • To schedule and manage consultations or discovery calls.
  • To provide, administer, and improve our marketing, design, branding, and development services for clients.
  • To operate, maintain, secure, and improve our Website and internal systems.
  • To analyse Website traffic and understand how visitors use our content.
  • To comply with legal, regulatory, tax, and accounting obligations.
  • To establish, exercise, or defend legal claims.
  • To send relevant business communications where permitted by law and, where required, with your consent.

We do not sell your personal data.

5. Legal bases for processing

Where UK GDPR or similar laws apply, we rely on one or more of the following legal bases:

  • Consent: where you have given clear consent, for example to receive marketing communications or where cookies require consent.
  • Contract: where processing is necessary to respond to your request, prepare a proposal, or perform services under a client agreement.
  • Legitimate interests: to operate and improve our Website, understand demand for our services, protect our business, and communicate with prospective clients in a proportionate way. We balance these interests against your rights.
  • Legal obligation: where we must process data to comply with applicable law.

6. Cookies and similar technologies

Our Website uses cookies and similar technologies to function properly and to understand usage.

  • Strictly necessary cookies: required for basic Website operation and security.
  • Analytics cookies: we use Google Analytics 4 to understand how visitors use our Website. This may involve cookies and similar identifiers that collect usage data such as pages visited, session duration, and general device information.
  • Hosting and performance data: we use Vercel Analytics and hosting infrastructure, which may process limited technical information to monitor performance, reliability, and security.

You can control cookies through your browser settings and, where available, through third-party opt-out tools such as Google’s analytics opt-out browser add-on. Blocking some cookies may affect Website functionality.

We do not currently use advertising or remarketing cookies on this Website.

7. Third-party service providers

We use trusted third parties to help us run our Website and business. These providers may process personal data on our behalf or as independent controllers, depending on the service.

Current categories include:

  • Contact form processing: Google Apps Script and Google Sheets, used to record enquiry submissions in an administrative spreadsheet; Gmail (via Google) to send notification emails to our business inbox.
  • Analytics: Google Analytics (Google LLC / Google Ireland Limited).
  • Hosting and infrastructure: Vercel, which hosts the Website and related logs.
  • Booking: Topmate or similar scheduling platforms when you book a call through links on our Website.
  • Content management: Keystatic and related Git-based tooling for internal content administration.

We require service providers handling data on our behalf to protect personal data appropriately and to process it only according to our instructions where applicable.

8. Client marketing work and data roles

When we deliver digital marketing, CRM, analytics, email, or related services for clients, we may process personal data belonging to our clients’ customers, leads, or users. In those cases:

  • Our client is usually the data controller for that end-user data.
  • Prism Labs usually acts as a data processor or service provider, processing data only on the client’s instructions and in line with the relevant client agreement.
  • Clients remain responsible for having a lawful basis to collect and share such data with us, providing appropriate privacy notices to their users, and honouring data subject rights.

If you are an end user of one of our clients and have a privacy question about how your data is used in a campaign, CRM, or website we manage, please contact that client in the first instance.

9. International data transfers

We and our service providers may process personal data in the United Kingdom, the European Economic Area, the United States, and other countries where our providers operate.

Where personal data is transferred outside the UK or EEA, we rely on appropriate safeguards where required by law, such as adequacy regulations, standard contractual clauses, or equivalent transfer mechanisms offered by our providers.

10. Data retention

We keep personal data only for as long as necessary for the purposes described in this policy, including to:

  • Respond to enquiries and maintain a record of communications.
  • Deliver services and manage client relationships.
  • Meet legal, tax, and accounting requirements.
  • Resolve disputes and enforce agreements.

Retention periods vary depending on the type of data and our relationship with you. Enquiry records are typically retained for a reasonable period after our last interaction unless a longer period is required by law or needed to establish, exercise, or defend legal claims.

11. Data security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure. These measures include access controls, secure hosting, and careful selection of service providers.

No method of transmission over the internet or electronic storage is completely secure. While we work to protect your personal data, we cannot guarantee absolute security.

12. Your rights

Depending on your location and applicable law, you may have some or all of the following rights:

  • Access to the personal data we hold about you.
  • Correction of inaccurate or incomplete data.
  • Erasure of personal data in certain circumstances.
  • Restriction of processing in certain circumstances.
  • Objection to processing based on legitimate interests or for direct marketing.
  • Data portability, where processing is based on consent or contract and carried out by automated means.
  • Withdrawal of consent at any time, where processing is based on consent.
  • Complaint to a supervisory authority.

In the UK, the supervisory authority is the Information Commissioner’s Office (ICO). If you are in the EEA, you may contact your local data protection authority.

To exercise your rights, contact us using the details below. We may need to verify your identity before responding.

13. Marketing communications

If we send you marketing emails or business updates, we will do so in accordance with applicable law. You may opt out at any time by using the unsubscribe link in a marketing email or by contacting us directly.

Submitting a contact form or booking a call does not automatically mean you will receive ongoing marketing communications unless you have agreed to that or we are otherwise permitted to contact you.

14. Children’s privacy

Our Website and services are intended for businesses and adults. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps to delete it.

15. Changes to this policy

We may update this privacy policy from time to time to reflect changes in our services, legal requirements, or data practices. The "Last updated" date at the bottom of this page shows when it was most recently revised.

If we make material changes, we will post the updated policy on this page and, where appropriate, provide additional notice.

16. Contact us

If you have questions about this privacy policy or how we handle personal data, please contact us at hello@prismlabs.ltd or through our contact page.

Last updated June 2026.