Laventus Digital

GDPR Compliance

Last updated: June 2026

Laventus Digital Ltd (“we”, “us”, or “our”) is a UK-based digital marketing agency registered in England and Wales (Company No. 14583571). We are committed to processing personal data responsibly, transparently, and in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This GDPR Compliance Statement sets out the measures and principles we apply, both as a data controller (for our own business activities) and as a data processor (when handling personal data on behalf of our clients). It should be read alongside our Privacy Policy, which provides further detail on how we handle personal data collected via our website.

1. Our Roles Under UK GDPR

As a Data Controller

We act as a data controller when we collect and process personal data for our own purposes, including:

  • Responding to enquiries and managing client relationships
  • Running our own marketing and business development activities
  • Managing our website, analytics, and advertising campaigns
  • Fulfilling our legal and regulatory obligations

As a Data Processor

We act as a data processor when we handle personal data on behalf of our clients as part of delivering our services, such as:

  • Managing paid advertising campaigns (Google Ads, Meta Ads, LinkedIn Ads)
  • Running email marketing campaigns using client contact lists
  • Accessing CRM, analytics, or marketing automation platforms owned by the client
  • Managing client social media accounts or audience data

In all cases where we act as a processor, we do so only on documented instructions from our clients (the data controller), and we ensure appropriate Data Processing Agreements (DPAs) are in place as required by UK GDPR Article 28.

2. The UK GDPR Principles We Apply

We process personal data in accordance with the six data protection principles set out in UK GDPR Article 5:

  • Lawfulness, fairness, and transparency – we only process data on a valid lawful basis and are transparent about how it is used.
  • Purpose limitation – data is collected for specified, explicit, and legitimate purposes and not used in ways incompatible with those purposes.
  • Data minimisation – we collect only what is necessary for the stated purpose and nothing more.
  • Accuracy – we take reasonable steps to ensure data is accurate and kept up to date.
  • Storage limitation – we retain data only for as long as necessary and apply defined retention periods.
  • Integrity and confidentiality – we apply appropriate technical and organisational measures to protect data against unauthorised access, loss, or destruction.

As data controller, we maintain accountability for compliance with these principles and can demonstrate compliance upon request.

3. Lawful Bases for Processing

We identify and document a lawful basis before processing any personal data. The bases we rely on include:

  • Consent (Article 6(1)(a)) – where individuals have given clear, specific, informed, and unambiguous consent, for example for marketing email subscriptions or non-essential cookies. Consent is always freely given and can be withdrawn at any time.
  • Contract (Article 6(1)(b)) – where processing is necessary to perform a contract with the individual, such as delivering our services to a client contact.
  • Legal obligation (Article 6(1)(c)) – where processing is required to comply with a legal or regulatory requirement.
  • Legitimate interests (Article 6(1)(f)) – where we have a legitimate business interest in processing data and that interest is not overridden by the individual’s rights. We conduct and document a Legitimate Interests Assessment (LIA) before relying on this basis.

We do not process special category data (such as health, ethnicity, or biometric data) in the ordinary course of our business. If this ever becomes necessary, we will identify an appropriate condition under Article 9 and document it accordingly.

4. Data Subject Rights

We respect and facilitate the rights of individuals under UK GDPR. These rights include:

  • Right of access (Article 15) – individuals may request a copy of the personal data we hold about them (a Subject Access Request or SAR). We respond within one calendar month.
  • Right to rectification (Article 16) – individuals may ask us to correct inaccurate or incomplete data.
  • Right to erasure (Article 17) – individuals may request deletion of their data where there is no longer a lawful basis for holding it.
  • Right to restriction of processing (Article 18) – individuals may ask us to pause processing of their data in certain circumstances.
  • Right to data portability (Article 20) – individuals may request their data in a structured, machine-readable format where processing is based on consent or contract.
  • Right to object (Article 21) – individuals may object to processing based on legitimate interests or direct marketing at any time.
  • Rights in relation to automated decision-making (Article 22) – individuals have the right not to be subject to solely automated decisions with significant effects on them. We do not currently make such decisions.
  • Right to withdraw consent (Article 7(3)) – where processing is based on consent, individuals may withdraw it at any time without penalty.

To exercise any of these rights, individuals should contact us at [email protected] or write to us at our registered address, marking correspondence “Data Rights Request”. We will verify identity before processing the request and will not charge a fee for reasonable requests.

Where we are acting as a data processor on behalf of a client, we will promptly direct any data subject requests to the relevant client controller and assist them in responding as required.

5. Consent Management

Where we rely on consent as our lawful basis, we ensure that consent is:

  • Freely given – not conditional on receiving a service
  • Specific – obtained for a clearly defined purpose
  • Informed – individuals are told who is collecting their data and how it will be used
  • Unambiguous – indicated by a clear positive action (no pre-ticked boxes)
  • Documented – we maintain records of when and how consent was obtained
  • Easily withdrawable – we provide simple, accessible opt-out mechanisms in every marketing communication

Our website uses a cookie consent management platform to obtain and record consent for non-essential cookies before any tracking scripts are loaded. Users can update their consent preferences at any time via the Cookie Settings link in our website footer.

6. Data Processing Agreements

Where we act as a data processor for clients, we enter into a Data Processing Agreement (DPA) that complies with UK GDPR Article 28. Our DPAs set out:

  • The subject matter, duration, nature, and purpose of the processing
  • The type of personal data being processed and the categories of data subjects
  • Our obligations as processor, including confidentiality, security, and sub-processor controls
  • The client’s rights as controller, including audit rights and the right to give instructions
  • Our obligations to assist the controller in meeting their UK GDPR obligations

We also require any sub-processors we engage to enter into equivalent data processing agreements, ensuring the same level of protection applies throughout the processing chain.

7. Sub-Processors

In delivering our services, we may engage trusted sub-processors who process personal data on our behalf or on behalf of our clients. Current categories of sub-processors include:

  • Cloud infrastructure and hosting providers
  • Email marketing and CRM platforms
  • Analytics and reporting tools (including Google Analytics GA4)
  • Advertising platforms (Google Ads, Meta Ads, LinkedIn Ads)
  • Project management and collaboration tools
  • Accounting and invoicing software

We carry out due diligence on all sub-processors before engagement and ensure appropriate contractual safeguards are in place. We will notify affected clients of any intended changes to sub-processors where required under our DPA.

8. International Data Transfers

Some of our sub-processors may process personal data outside the United Kingdom or European Economic Area (EEA). In all cases where data is transferred internationally, we ensure appropriate safeguards are in place in accordance with UK GDPR Chapter V. These safeguards include:

  • UK adequacy regulations, where the recipient country has been designated as providing equivalent protection
  • UK Standard Contractual Clauses or the UK International Data Transfer Agreement (IDTA)
  • The UK Addendum to EU Standard Contractual Clauses, where applicable

We maintain a record of all international transfers and the mechanisms used to safeguard them. Further information is available on request.

9. Data Security Measures

We have implemented appropriate technical and organisational security measures (TOMs) to protect personal data against unauthorised access, accidental loss, destruction, or alteration. These include:

Technical measures:

  • SSL/TLS encryption for all data transmitted via our website and client platforms
  • Access controls and role-based permissions across all internal systems
  • Two-factor authentication on key business accounts and platforms
  • Regular software updates and vulnerability patching
  • Secure, encrypted storage for sensitive data

Organisational measures:

  • Staff training on data protection obligations and best practice
  • A defined process for handling data subject requests
  • Supplier due diligence and contractual data protection requirements
  • Regular review of this statement and associated policies

We are committed to reviewing and improving our security measures as technology and threats evolve.

10. Data Breach Response

We have a documented data breach response procedure. In the event of a personal data breach:

  • We will assess the breach promptly to determine its nature, scope, and likely impact on data subjects.
  • Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it.
  • Where a breach is likely to result in a high risk to individuals, we will notify those affected without undue delay, providing clear information about the breach and steps they can take.
  • We will document all breaches in our internal breach register, regardless of whether notification is required.

Where we are acting as a data processor, we will notify the relevant client controller without undue delay upon becoming aware of a breach, to enable them to fulfil their own notification obligations.

11. Data Retention

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law. Our standard retention periods are set out in our Privacy Policy. When data is no longer required, it is securely deleted or anonymised.

Where we process data on behalf of clients, we retain and delete data in accordance with the client’s instructions and the terms of our DPA.

12. Privacy by Design and Default

We embed data protection into our business processes and systems from the outset, rather than as an afterthought. In practice, this means:

  • We conduct a data protection impact assessment (DPIA) before undertaking any processing likely to result in a high risk to individuals, including the deployment of new technologies or large-scale processing activities.
  • We apply data minimisation by default, collecting only the minimum data needed.
  • We implement appropriate access controls so personal data is not made available to more people than necessary.
  • We review new tools, platforms, and processes before adoption to assess their data protection implications.

13. Staff Awareness and Training

All staff and contractors at Laventus Digital who handle personal data receive appropriate data protection training and are made aware of their responsibilities under UK GDPR. We ensure that:

  • New team members are briefed on our data protection policies as part of their onboarding
  • All staff understand the importance of handling personal data securely and confidentially
  • Staff know how to recognise and report a potential data breach
  • Staff understand how to handle data subject requests appropriately

14. Contact and Complaints

If you have any questions about our GDPR compliance, wish to exercise a data subject right, or have concerns about how we are handling personal data, please contact us:

  • Email: [email protected]
  • Phone: 03308 081 933
  • Post: Laventus Digital Ltd, 1 The Heywoods, Chester, United Kingdom, CH2 2RA, England

Please mark any data protection correspondence “Data Protection Enquiry”.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

15. Review and Updates

We review this GDPR Compliance Statement at least annually, and following any significant changes to our processing activities, applicable law, or ICO guidance. The most current version is always available on our website.

Material changes will be communicated via our website or, where appropriate, directly to affected individuals or clients.