Privacy Policy
Last updated: 13 July 2026
1Who we are
DropZone Digital Ltd is a digital product, software development and business transformation studio.
For the purposes of UK data protection law, DropZone Digital Ltd is the controller of the personal information described in this Privacy Policy.
- Company name
- DropZone Digital Ltd
- Company number
- 17335360
- Website
- dropzone.digital
- hello@dropzone.digital
- Registered office
- 100 North Parade, Grantham, NG31 8AU
In this Privacy Policy, references to “DropZone Digital”, “we”, “us” and “our” mean DropZone Digital Ltd.
2Scope of this Privacy Policy
This Privacy Policy explains how we collect, use, store and disclose personal information when you:
- visit our website;
- submit a project enquiry;
- contact us by email, telephone, video call or another communication channel;
- discuss, purchase or receive our services;
- work with us as a client, prospective client, supplier, contractor or professional contact;
- apply to work or contract with us; or
- otherwise interact with DropZone Digital.
This Privacy Policy applies to information for which DropZone Digital acts as a controller.
Where we process personal information on behalf of a client through a platform, application or service we have built or operate for that client, the client will usually be the controller and DropZone Digital will act as its processor. In those circumstances, the client’s own privacy notice will primarily govern the processing.
3Personal information we collect
The personal information we collect depends on how you interact with us.
3.1 Information you provide through our website
When you submit a project enquiry, we may collect:
- your name;
- your email address;
- the name of your company or organisation;
- your anticipated project budget or budget range;
- information about the product, platform, application, website or service you want to build;
- any other information you include in your enquiry; and
- subsequent correspondence relating to your enquiry.
Please avoid including unnecessary sensitive or confidential information in the initial enquiry form.
3.2 Client and prospective-client information
When we discuss or provide services, we may collect:
- your name, role and professional contact details;
- details of your company or organisation;
- project requirements, technical requirements and business objectives;
- notes from meetings, calls and workshops;
- proposals, statements of work and contractual information;
- billing and payment information;
- records of approvals, decisions and project communications;
- user account details where access to a project platform is required;
- information needed to provide support or investigate an issue; and
- information relating to the security, operation and performance of services we provide.
3.3 Supplier and contractor information
If you supply services to us or work with us as a contractor, we may collect:
- your name and contact details;
- business and professional information;
- contractual information;
- payment and bank details;
- tax and invoicing information;
- work records and correspondence; and
- information required to assess your suitability, availability or performance.
3.4 Technical and website information
When you use our website, our systems and service providers may automatically collect limited technical information, including:
- your IP address;
- browser type and version;
- device type and operating system;
- the date and time of your visit;
- pages viewed and links used;
- referring website information;
- approximate location derived from your IP address;
- server logs, error logs and security events; and
- information used to identify and prevent malicious or automated activity.
We do not use this information to make decisions about you that produce legal or similarly significant effects.
3.5 Information obtained from other sources
We may receive personal information from:
- your employer, colleague or organisation;
- a mutual business contact;
- publicly available professional sources, such as company websites, Companies House or professional networking platforms;
- technology, hosting, payment or communications providers;
- fraud-prevention and security services; and
- advisers or other parties involved in a prospective or existing commercial relationship.
4How and why we use personal information
We only process personal information where we have a lawful basis for doing so.
4.1 Responding to enquiries
We use enquiry information to:
- review and respond to your request;
- assess whether we are suitable for the proposed work;
- arrange an introductory call or meeting;
- understand your requirements;
- prepare an estimate, proposal or statement of work; and
- maintain a record of our discussions.
Our lawful basis is normally our legitimate interests in responding to business enquiries and developing our business.
Where you are requesting services personally or asking us to take steps before entering into a contract with you, we may also rely on the lawful basis that the processing is necessary to take steps at your request before entering into a contract.
4.2 Providing our services
We use personal information to:
- deliver contracted services;
- manage projects and client relationships;
- communicate with client personnel and stakeholders;
- create, configure, test and support digital products;
- manage access to project systems;
- monitor delivery, performance and security;
- manage changes, incidents and support requests;
- maintain project documentation and audit records; and
- fulfil our contractual obligations.
Our lawful bases are:
- performance of a contract, where the contract is with you personally; and
- our legitimate interests in providing services to, and administering our relationship with, the organisation you represent.
4.3 Administration, payments and record keeping
We use personal information to:
- issue quotations and invoices;
- receive and reconcile payments;
- maintain accounting and tax records;
- administer contracts;
- manage suppliers and contractors;
- obtain professional advice;
- respond to audits; and
- establish, exercise or defend legal claims.
Our lawful bases are compliance with legal obligations and our legitimate interests in running and protecting our business.
4.4 Security and fraud prevention
We may use technical, account and communications information to:
- secure our website and systems;
- authenticate users;
- prevent unauthorised access;
- identify suspicious or malicious activity;
- investigate security incidents;
- protect our clients, personnel and service providers; and
- maintain backups, logs and disaster-recovery arrangements.
Our lawful basis is our legitimate interests in protecting our business, systems, clients and users. In some cases, processing may also be necessary to comply with a legal obligation.
4.5 Improving our website and services
We may use limited technical, enquiry and project information to:
- diagnose faults;
- analyse how our website and services are used;
- improve performance, accessibility and usability;
- improve our internal processes;
- develop new capabilities; and
- maintain service quality.
Our lawful basis is our legitimate interests in maintaining and improving our website, operations and services.
Where non-essential cookies or similar technologies require consent, we will request that consent before using them.
4.6 Business-to-business communications and marketing
We may use professional contact information to:
- maintain relationships with clients, prospective clients and industry contacts;
- provide information about relevant services or capabilities;
- follow up on a previous enquiry or discussion; and
- communicate with corporate subscribers or professional contacts where permitted by law.
Our lawful basis will normally be our legitimate interests in promoting and developing our business.
Where consent is required by the Privacy and Electronic Communications Regulations 2003, we will rely on consent.
You may object to direct marketing at any time by contacting hello@dropzone.digital or by using any unsubscribe option included in the communication.
We will not sell your information to third parties for marketing purposes.
4.7 Legal and regulatory purposes
We may process personal information to:
- comply with laws, regulations, court orders or lawful requests;
- respond to regulators, law-enforcement bodies or public authorities;
- protect our legal rights;
- enforce our agreements; and
- manage complaints or disputes.
Our lawful basis is compliance with a legal obligation or our legitimate interests in protecting our rights and business.
4.8 Corporate transactions
If DropZone Digital is involved in a proposed investment, financing, restructuring, merger, acquisition or sale of assets, we may disclose relevant personal information to professional advisers, investors, lenders or prospective purchasers.
Our lawful basis is our legitimate interests in conducting and managing a legitimate corporate transaction.
5Our legitimate interests
Where we rely on legitimate interests, those interests may include:
- responding to enquiries;
- developing commercial relationships;
- providing and improving our services;
- managing client, supplier and contractor relationships;
- protecting our systems and confidential information;
- preventing fraud and misuse;
- maintaining appropriate business records;
- promoting relevant services to professional contacts; and
- establishing, exercising or defending legal rights.
We consider whether the processing is necessary and balance our interests against your rights, interests and reasonable expectations.
You may object to processing based on legitimate interests. Further information is provided in section 12.
6Special category and highly sensitive information
Our website and general enquiry process are not intended to collect special category information, such as information concerning:
- health;
- racial or ethnic origin;
- religious or philosophical beliefs;
- political opinions;
- trade union membership;
- genetics or biometrics used for identification; or
- sex life or sexual orientation.
Please do not provide this information unless it is genuinely necessary and we have agreed an appropriate method for receiving it.
Where a project requires DropZone Digital to process sensitive information on behalf of a client, that processing will be governed by the relevant client agreement, data-processing terms and security requirements.
7Automated decision-making and artificial intelligence
We do not use personal information collected through the DropZone Digital website to make solely automated decisions that produce legal or similarly significant effects.
We may use software-assisted tools, including artificial intelligence tools, to support internal activities such as summarisation, drafting, coding, testing, document review or project administration.
We will apply appropriate confidentiality, security and contractual controls when using such tools. We will not intentionally submit confidential client information or personal information to a public artificial intelligence service unless this is authorised, appropriately protected and lawful.
Material commercial, contractual or project decisions remain subject to human review.
8Who we share personal information with
We may share personal information with carefully selected third parties where necessary, including:
- website hosting and infrastructure providers;
- cloud storage and database providers;
- email and business communications providers;
- project-management and collaboration platforms;
- customer relationship management providers;
- payment processors and banking providers;
- accounting, tax and bookkeeping providers;
- security, monitoring, backup and fraud-prevention providers;
- analytics providers, where enabled and permitted;
- professional advisers, including lawyers, accountants and insurers;
- contractors and specialist delivery partners working under appropriate confidentiality obligations;
- clients, where information relates to work carried out for that client;
- regulators, courts, government bodies or law-enforcement authorities where required; and
- parties involved in a corporate transaction or business reorganisation.
Our service providers may only process personal information in accordance with our instructions and applicable contractual obligations where they act as processors.
We do not sell personal information.
9International transfers
Some of our service providers may process or store personal information outside the United Kingdom.
Where personal information is transferred to a country that is not covered by UK adequacy regulations, we will use an appropriate safeguard where required. This may include:
- the UK International Data Transfer Agreement;
- the UK Addendum to the European Commission’s Standard Contractual Clauses;
- another legally recognised transfer mechanism; or
- an applicable exception permitted by data protection law.
We may also undertake appropriate transfer-risk assessments and require technical and contractual security measures.
You may contact us for further information about the safeguards used for relevant international transfers.
10Data security
We use appropriate technical and organisational measures designed to protect personal information against:
- accidental or unlawful destruction;
- loss or alteration;
- unauthorised disclosure;
- unauthorised access; and
- other unlawful processing.
Depending on the information and service involved, these measures may include:
- access controls and authentication;
- encryption in transit and, where supported, at rest;
- secure hosting and development practices;
- least-privilege access;
- system and security logging;
- backups and recovery arrangements;
- confidentiality obligations;
- supplier due diligence; and
- incident-management procedures.
No internet transmission or storage system can be guaranteed to be completely secure. You should therefore avoid sending highly sensitive information through the general website enquiry form.
11How long we retain personal information
We retain personal information only for as long as reasonably necessary for the purpose for which it was collected, including legal, accounting, security and reporting requirements.
Our usual retention periods are:
Unsuccessful or inactive project enquiries
Normally up to 24 months after our last meaningful contact, unless:
- you ask us to delete the information sooner;
- we need to retain it to deal with a complaint or legal issue; or
- a longer relationship develops.
Client and project records
Normally for the duration of the client relationship and for up to seven years after the relevant project or relationship ends.
Some technical records may be retained for a shorter period, while information relevant to intellectual property, security, contractual obligations or legal claims may be retained for longer where reasonably necessary.
Contracts, invoices and accounting records
Normally for at least six years after the end of the relevant financial period or transaction, or for any longer period required by law.
Website and security logs
Normally for between 30 days and 12 months, depending on the type of log and its security or operational purpose.
Logs associated with a security incident, dispute or investigation may be retained for longer.
Marketing information
Until you unsubscribe or object, or until we determine that the information is no longer accurate or useful.
We may retain a minimal suppression record after an opt-out so that we can respect your preference and avoid contacting you again for marketing purposes.
Supplier and contractor records
Normally for the duration of the relationship and for up to seven years after it ends, subject to applicable legal and tax requirements.
When deciding how long to retain information, we consider:
- the amount, nature and sensitivity of the information;
- the purpose for which it is held;
- the risk of harm from unauthorised use or disclosure;
- contractual and legal requirements;
- limitation periods for legal claims; and
- whether the purpose can be achieved in another way.
We may anonymise information so that it can no longer identify an individual. Anonymised information may be retained and used for longer.
12Your data protection rights
Depending on the circumstances, you may have the right to:
Access
Request confirmation that we process your personal information and obtain a copy of that information.
Rectification
Ask us to correct inaccurate or incomplete personal information.
Erasure
Ask us to delete personal information where there is no lawful reason for us to continue retaining it.
This right is not absolute. We may need to retain certain information for legal, accounting, security or evidential purposes.
Restriction
Ask us to restrict how we process your information in certain circumstances.
Objection
Object to processing based on our legitimate interests.
You have an absolute right to object at any time to the use of your personal information for direct marketing.
Data portability
Receive personal information you provided to us in a structured, commonly used and machine-readable format, where the relevant legal conditions apply.
Withdraw consent
Withdraw your consent at any time where our processing is based on consent.
Withdrawal does not affect the lawfulness of processing carried out before consent was withdrawn.
Rights concerning automated decisions
Request human intervention or challenge a decision where a legally significant decision has been made solely by automated means.
We do not currently make such decisions using information collected through our website.
13Exercising your rights
To exercise a data protection right, contact:
Email: hello@dropzone.digital
Subject line: Data protection request
Please provide enough information for us to identify you and understand your request.
We may ask for reasonable evidence of identity where necessary to protect personal information from unauthorised disclosure.
We will normally respond within one month. Where a request is particularly complex or involves multiple requests, the law may permit additional time. We will inform you if this applies.
You will not normally be charged for exercising your rights. We may charge a reasonable fee or refuse to act where a request is manifestly unfounded or excessive, as permitted by law.
14Cookies and similar technologies
Our website may use cookies or similar technologies that are necessary to:
- deliver the website;
- maintain security;
- manage network traffic;
- remember privacy preferences; or
- provide functionality requested by the user.
We may also use non-essential analytics or performance technologies to understand website use and improve the site.
Where consent is legally required, non-essential technologies will not be used until you have provided consent. You will be able to reject non-essential cookies as easily as accepting them and withdraw your consent later.
Further details of the technologies currently used, their providers, purposes and durations should be set out in our Cookie Policy or cookie settings interface.
Browser controls can also be used to block or delete cookies, although disabling necessary cookies may affect website functionality.
15Third-party websites
Our website may contain links to websites, platforms or services operated by third parties.
We do not control those third parties and are not responsible for their privacy practices. You should review the relevant third party’s privacy information before providing personal information or using its services.
16Children
Our website and services are directed at businesses and professional users. They are not intended for children.
We do not knowingly collect personal information directly from children through the website.
If you believe a child has provided personal information to us, please contact hello@dropzone.digital.
17Confidential client and project information
Information supplied during a project may be subject to additional confidentiality, security and data-processing obligations contained in:
- a non-disclosure agreement;
- a services agreement;
- a statement of work;
- a data-processing agreement; or
- another written contract.
Where there is a conflict between this general Privacy Policy and specific contractual data-processing terms, the specific contractual terms will apply to the relevant processing.
18Complaints
Please contact us first if you have concerns about how we process personal information:
Email: hello@dropzone.digital
You also have the right to complain to the UK Information Commissioner’s Office.
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Telephone: 0303 123 1113
Website: ico.org.uk
You may also be entitled to complain to another data protection authority if you are located outside the United Kingdom.
19Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- changes to our services or business;
- changes to the technologies we use;
- changes to our suppliers;
- changes in legal or regulatory requirements; or
- improvements to our privacy practices.
The latest version will be published on our website with an updated “Last updated” date.
Where a change is significant, we may provide an additional notice where appropriate.
20Contact us
For questions about this Privacy Policy or our processing of personal information, contact:
DropZone Digital Ltd
Company number 17335360
Email: hello@dropzone.digital