Privacy policy.

Effective Date: June 2025

This Privacy Policy ("Policy") explains how The Iconology Agency ("we", "us", "our") collects, uses, shares, and protects your personal data when you visit or use the website www.sarahbennettnash.com (the "Website" or "Service"). This Policy should be read in conjunction with our Terms of Website Use and any other documents referred to within it.

We are committed to respecting your privacy and protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) ("Applicable Data Protection Laws").

1. Data Controller

For the purposes of Applicable Data Protection Laws, the data controller is:

The Iconology Agency

If you have any questions regarding this Policy, our use of your personal data, or if you wish to exercise any of your data protection rights, please contact us:

  • Email: sarah@sarahbennettnash.com

2. Personal Data We Collect

We may collect and process the following categories of personal data about you:

  • Identity Data: Including your full name, job title, gender, date and place of birth, and a personal description.

  • Contact Data: Including your postal address, email address, and telephone number(s).

  • Professional Data: Including your curriculum vitae (CV), employment history, educational background, and professional qualifications, particularly when you submit a CV, apply for a job, or use our career-related services.

  • Transaction Data: Including details about payments to and from you, and other details of products, services, event tickets, or directory listings you have purchased from us.

  • Technical Data: Including your Internet Protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our Website. (Please also see our Cookie Policy at www.sarahbennettnash.com/cookies).

  • Profile Data: Including your username and password (if you register on our Website), purchases or orders made by you, your interests, preferences (such as favourite listings, books, films, sports, music, and food, where you choose to provide this), feedback, and survey responses.

  • Usage Data: Including information about how you use our Website, products, and services.

  • Marketing and Communications Data: Including your preferences in receiving marketing from us and our third parties, and your communication preferences.

  • Social Media Data: Including your Twitter, Facebook, Instagram, and LinkedIn profile details if you provide them or interact with our social media pages.

  • Visual Data: Including photographs, if you provide them or they are taken at our events (subject to appropriate notices and consents).

We collect this information when you:

  • Register on our Website.

  • Purchase a ticket for an event.

  • Purchase a listing on our Business Services Directory.

  • Advertise a job vacancy.

  • Subscribe to our newsletter or other marketing communications.

  • Submit your CV or apply for a job vacancy, whether via email or our Website.

  • Enter information on our Website (e.g., through contact forms or surveys).

  • Correspond with us by phone, email, or otherwise.

3. Lawful Basis for Processing Your Personal Data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Consent: Where you have given us clear consent to process your personal data for a specific purpose (e.g., subscribing to newsletters, specific marketing activities, some cookie usage).

  • Contract: Where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into such a contract (e.g., processing a ticket purchase, providing a directory listing).

  • Legitimate Interests: Where processing is necessary for our legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests (e.g., improving our Website, internal administration, network security, responding to your enquiries where not covered by contract).

  • Legal Obligation: Where processing is necessary for compliance with a legal obligation to which we are subject.

4. How We Use Your Personal Data
5. Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Specific retention periods:

  • CVs: CVs submitted to us for identifying and matching candidates to job opportunities will be held on file for no longer than 18 months from the date of submission or last update, unless you request an earlier deletion or provide consent for a longer period.

  • Marketing Data: Personal data held for marketing purposes will be retained until it is no longer needed for such purposes, or you withdraw your consent or request its deletion.

6. Disclosure of Your Personal Data

We may share your personal data with the following categories of third parties for the purposes set out in this Policy:

  • Service Providers: Third-party processors acting on our behalf who provide services such as IT and system administration, website hosting, payment processing, email delivery, marketing automation, customer relationship management (CRM), data analytics, survey tools, event management and ticketing, courier/delivery services, printing, and distribution. Our current key service providers include:

    • Universe (event management and ticketing)

    • Eventbrite (event management and ticketing)

    • AppointmentCore (scheduling)

    • Stripe (online payment processing)

    • Zoho (newsletter and marketing communications)

    • Typeform (online form building and surveys)

    • SurveyMonkey (online form building and surveys)

    • [Add any other relevant website hosting partners or operational assistants here] These parties are contractually bound to keep personal data confidential and use it only for the purposes for which we disclose it to them.

  • Professional Advisers: Including lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services.

  • Potential Employers: If you use our Careers Services, we may disclose your personal data to potential employers with your consent or as necessary to take steps at your request prior to entering into an employment contract.

  • HM Revenue & Customs, Regulators, and Other Authorities: Who require reporting of processing activities in certain circumstances.

  • Third Parties in a Business Transaction: If we sell, transfer, or merge parts of our business or assets, your personal data may be disclosed to the prospective buyer. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy.

  • Legal and Regulatory Compliance: We may disclose your personal data where required by applicable law, governmental body, or law enforcement agency, or to enforce our Terms of Website Use or other agreements, or to protect the rights, property, or safety of The Iconology Agency, our customers, or others. This may include exchanging information with other companies and organisations for fraud protection and credit risk reduction.

We do not sell your personal data to third parties. We will only share your personal data with third parties for their own direct marketing purposes if you have explicitly opted-in to such sharing (e.g., when purchasing a ticket to an event, if this option is clearly presented).

7. International Data Transfers

Some of our external third-party service providers may be based outside the United Kingdom (UK) or the European Economic Area (EEA), so their processing of your personal data may involve a transfer of data outside these territories.

Whenever we transfer your personal data out of the UK or EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK Secretary of State (for transfers from the UK) or by the European Commission (for transfers from the EEA).

  • Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK (such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses).

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK or EEA. By using our services and agreeing to this Privacy Policy, you acknowledge that your personal data may be transferred, stored, and processed as described herein.

8. Data Security

We have implemented appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. These measures include [briefly mention types of measures, e.g., access controls, encryption where appropriate, staff training].

In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

However, please note that no transmission over the Internet can ever be guaranteed entirely secure. Consequently, we cannot guarantee the security of any personal data that you transfer over the Internet to us.

9. Cookies

Our Website uses cookies to distinguish you from other users of our Website. This helps us to provide you with a good experience when you browse our Website and also allows us to improve our site. For detailed information on the cookies we use, the purposes for which we use them, and how you can manage your cookie preferences, please see our Cookie Policy at www.sarahbennettnash.com/cookies. You can also find further general information about cookies at www.allaboutcookies.org.

10. Your Data Protection Rights

Under Applicable Data Protection Laws, you have the following rights in relation to your personal data:

  • Right of Access: You have the right to request a copy of the personal data we hold about you (commonly known as a "data subject access request").

  • Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.

  • Right to Erasure (Right to be Forgotten): You have the right to request that we delete or remove your personal data where there is no good reason for us continuing to process it.

  • Right to Restrict Processing: You have the right to request that we suspend the processing of your personal data in certain circumstances.

  • Right to Data Portability: You have the right to request the transfer of your personal data to you or to a third party in a structured, commonly used, machine-readable format, in certain circumstances.

  • Right to Object: You have the right to object to our processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the absolute right to object to your personal data being processed for direct marketing purposes.

  • Right to Withdraw Consent: Where we are relying on consent to process your personal data, you have the right to withdraw that consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.

  • Rights Relating to Automated Decision-Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except under certain conditions.

To exercise any of these rights, please contact us using the details provided in Section 1 of this Policy.

We do not charge a fee for exercising your rights, unless your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights).

You also have the right to lodge a complaint at any time with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

11. Third-Party Websites

Our Website may contain links to other websites operated by third parties. This Privacy Policy applies only to the personal data that we collect through our Website. We cannot be responsible for, and do not accept any liability in relation to, personal data that third parties may collect, store, and use through their websites. You should always carefully read the privacy policy of each website you visit.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Effective Date" at the top. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

13. Contact Us

If you have any questions about this Privacy Policy, our data protection practices, or if you wish to exercise any of your rights, please contact us:

  • Email: sarah@sarahbennettnash.com