Legal

Privacy Policy

Last updated: 21 April 2026

1. Who we are

This website (onsync.co.uk) is operated by Creative M LTD, a company registered in England and Wales. onSync is a trading name of Creative M LTD. In this policy "we", "us" and "our" refer to Creative M LTD trading as onSync.

We are the data controller for any personal data you provide to us through this website, email, or during service delivery.

Contact: hello@onsync.co.uk

2. What personal data we collect

  • Enquiry data — name, email address, company name (optional), and the content of your message when you submit the contact form.
  • Client data — business contact details, project scope information, invoicing details, and any data you share with us during paid engagements.
  • Technical data — IP address, browser type, operating system, timestamps, and pages visited. Most of this is anonymised or hashed.
  • Consent records — a hashed record of your cookie and marketing preferences, including timestamp, so we can demonstrate the consent you gave.

We do not knowingly collect data from anyone under 18.

3. Why we collect it and our lawful basis

  • Responding to enquiries — lawful basis: legitimate interests (running our business) and, where you submit a contact form, your consent.
  • Delivering paid services — lawful basis: performance of a contract.
  • Keeping financial records — lawful basis: legal obligation (HMRC requires us to keep records for at least 6 years).
  • Analytics (Google Analytics 4) — lawful basis: your consent. Off by default. Only loaded if you opt in via the cookie banner.

4. Who we share it with

We do not sell your data. We share it only with service providers we need to operate the business:

  • Website hosting provider (UK/EEA-based).
  • Email delivery provider for transactional email.
  • Accounting software for invoicing and HMRC compliance.
  • Analytics provider (Google) — only if you have consented to analytics cookies. Data sent is anonymised where possible (IP anonymisation enabled).

Where any provider is based outside the UK/EEA, we rely on UK-approved safeguards (such as the UK addendum to EU Standard Contractual Clauses).

5. How long we keep it

  • Contact form enquiries that do not convert into a paid engagement — deleted after 24 months.
  • Client records and project deliverables — retained for 7 years from the end of the engagement (HMRC and limitation period).
  • Financial records (invoices, payments) — retained for 7 years.
  • Cookie consent log — retained for 12 months, then anonymised.

6. Your rights under UK GDPR

You have the right to:

  • Access the personal data we hold about you (a Subject Access Request).
  • Ask us to correct data that is inaccurate or incomplete.
  • Ask us to delete your data ("right to erasure") where we no longer have a lawful basis to hold it. Financial records we are legally required to keep are an exception.
  • Ask us to restrict processing while a dispute is resolved.
  • Ask us for a portable copy of your data in a common format.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time (this does not affect the lawfulness of processing before you withdrew).

To exercise any of these rights, email hello@onsync.co.uk. We will respond within one month.

7. Making a complaint

If you believe we have mishandled your data, please contact us first so we can put it right. You also have the right to complain to the Information Commissioner's Office (ICO):

Website: ico.org.uk · Helpline: 0303 123 1113

8. Security

We use TLS encryption for all data in transit. Data at rest is stored on UK/EEA infrastructure with industry-standard access controls. Admin access is protected by unique passwords and session timeouts.

9. Cookies

See our Cookie Policy for detail on cookies and how to manage your preferences.

10. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the current version. Material changes will be announced on this page.