Privacy Policy

1. Who We Are

Invincible Media is a digital marketing and web design agency registered in England and Wales. Our registered office is at Portland House, 113–116 Bute Street, Cardiff CF10 5EQ.

We are registered with the Information Commissioner's Office (ICO) as a data controller. ICO Registration Number: ZB653818.

If you have any questions about this policy or how we handle your personal data, contact us at:

• Email: info@invinciblemedia.co.uk
• Phone: 029 2168 0800
• Post: Portland House, 113–116 Bute Street, Cardiff CF10 5EQ

2. What This Policy Covers

This privacy policy explains how Invincible Media collects, uses, stores, and protects your personal data when you:

• Visit our website at invinciblemedia.co.uk
• Submit an enquiry or contact form
• Book a discovery call
• Sign up for our free trial
• Become a client and use our services
• Subscribe to our blog or email communications

We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025, which introduced significant updates to UK data protection law from February 2026 onwards.

3. What Data We Collect

We collect the following categories of personal data:

Contact and identity data

Name, business name, email address, phone number, and postal address.

Business information

Website URL, business type, trading history, and goals — provided via our contact form or during onboarding.

Technical data

IP address, browser type, device type, pages visited, time spent on site, and referring URLs — collected automatically via cookies and analytics tools.

Communication data

Emails, call recordings (where consent is given), and messages sent through our contact form or directly.

Financial data

Billing name, address, and payment reference. We do not store full card details — payments are processed by third-party providers.

Client data provided to us for service delivery

Customer lists, contact databases, and business records provided by you for the purposes of our review automation, database reactivation, and marketing services.

4. How We Collect Your Data

We collect data through:

• Our website contact and enquiry forms
• Calendly booking system
• Direct email and phone communication
• Our client onboarding process
• Automatically via cookies and analytics when you visit our website
• Data you provide as part of our service delivery (e.g. customer lists for review automation)

5. Why We Use Your Data — Lawful Basis

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following:

Contract performance

To deliver the services you have engaged us for, process payments, and fulfil our obligations under our service agreement.

Legitimate interests

To respond to enquiries, improve our services, send relevant marketing to existing clients and warm prospects, and protect our business from fraud or misuse. Where we rely on legitimate interests, we have assessed that our interests do not override your rights.

Recognised legitimate interests (DUAA 2025)

For certain processing activities that fall within the defined list of recognised legitimate interests introduced by the Data (Use and Access) Act 2025, we may rely on this basis without conducting a separate balancing test, whilst maintaining full accountability obligations.

Consent

For marketing emails sent to new contacts who are not existing clients, and for non-essential cookies on our website. You may withdraw consent at any time.

Legal obligation

To comply with applicable laws, including tax and financial record-keeping obligations.

6. How We Use Your Data

We use your personal data for the following purposes:

• Responding to enquiries and booking discovery calls
• Delivering our services — website builds, SEO, review automation, AI chatbot setup, and database reactivation campaigns
• Processing payments and managing billing
• Sending service updates, reports, and account communications
• Sending marketing communications where you have consented or where we have a legitimate interest as an existing client
• Improving our website and services using aggregated analytics data
• Complying with legal and regulatory obligations
• Preventing fraud and protecting our business

We will never sell your personal data to third parties. We will never share your data with advertisers or data brokers.

7. Data We Process on Your Behalf

As part of our service delivery — particularly review automation and database reactivation — you may provide us with personal data relating to your own customers (names, phone numbers, email addresses).

In this context, you are the data controller and we act as your data processor. We process this data only on your documented instructions, in line with our Data Processing Agreement (available on request), and in accordance with UK GDPR Article 28.

We do not use your customers' data for any purpose other than delivering the specific service you have engaged us to provide. We delete or return this data at the end of the engagement.

8. Who We Share Your Data With

We share your data only with trusted third-party service providers who help us deliver our services. All third parties are required to handle your data securely and in accordance with UK GDPR.

We do not transfer your personal data to any country that does not provide an adequate level of data protection without appropriate safeguards in place.

9. How Long We Keep Your Data

We retain personal data only for as long as necessary for the purposes it was collected, and to comply with our legal obligations.

10. Your Rights

Under UK GDPR and the Data (Use and Access) Act 2025, you have the following rights:

Right to access

You can request a copy of the personal data we hold about you.

Right to rectification

You can ask us to correct inaccurate or incomplete data.

Right to erasure

You can ask us to delete your personal data where there is no legitimate reason for us to continue holding it.

Right to restrict processing

You can ask us to pause processing your data in certain circumstances.

Right to data portability

You can request a copy of your data in a structured, commonly used format.

Right to object

You can object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will stop immediately.

Rights related to automated decision-making

We do not make solely automated decisions that significantly affect you. If this changes, you will have the right to request human review.

Right to complain

From 19 June 2026, you have a statutory right to lodge a complaint with us directly. We will acknowledge your complaint within 30 days and respond without undue delay.

To exercise any of these rights, contact us at info@invinciblemedia.co.uk. We will respond within one month. We may need to verify your identity before processing your request.

You also have the right to lodge a complaint with the ICO at any time:

11. Cookies

Our website uses cookies to improve your experience and help us understand how visitors use the site.

Essential cookies

Required for the website to function. These cannot be disabled.

Analytics cookies

We use Google Analytics to understand how visitors interact with our site. These are only placed with your consent.

Marketing cookies

Used to track the effectiveness of our marketing. These are only placed with your consent.

Under the Data (Use and Access) Act 2025, analytics and functionality cookies may benefit from relaxed consent requirements in certain circumstances. Where we rely on this, we will update this policy accordingly. In the meantime, we continue to seek consent for all non-essential cookies.

You can manage your cookie preferences at any time via the cookie banner on our website, or by adjusting your browser settings.

12. Marketing Communications

We may send you marketing emails if:

• You are an existing client (legitimate interests basis), or
• You have explicitly consented to receive marketing from us

You can unsubscribe from marketing emails at any time by clicking the unsubscribe link in any email, or by contacting info@invinciblemedia.co.uk.

We do not send unsolicited cold marketing emails to individuals (B2C). Our outbound prospecting is directed at businesses and business contacts only, in line with applicable PECR rules.

13. Data Security

We take the security of your personal data seriously. We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, destruction, or alteration, including:

• SSL encryption across our website
• Secure, access-controlled systems for client data
• Regular security reviews and software updates
• Restricted staff access on a need-to-know basis
• Secure deletion of data at end of retention period

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay.

14. Children's Data

Our services are directed at businesses and business owners. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at info@invinciblemedia.co.uk and we will delete it promptly.

15. Changes to This Policy

We review and update this privacy policy regularly to reflect changes in our business, services, or applicable law. The date at the top of this page shows when it was last updated. Where changes are material, we will notify existing clients directly.

16. Contact Us

If you have any questions, concerns, or requests relating to this privacy policy or your personal data, please contact us: