Who are we
Spotlight Studios is an online Digital & Cloud Services provider operated by Spotlight Studios Ltd, a company based in England and Wales (“we,” “us,” “our,” “Spotlight” and “Spotlight Studios”). Find out more about our Services by navigating our website. As an organisation that processes business-related data, Spotlight Studios has determined “Legitimate Interests” as the most suitable lawful ground for the processing of data for the purposes of our marketing and sales activities.
Privacy for our Clients
This section applies to the Personal Information we collect and process from a Client, Potential Client or Website Visitor. If you are not an active Client, the Potential Clients and Website Visitors section of this policy may be more applicable to you and your data. In this section, “you” and “your” refer to Clients.
The Information we Collect
The Information you provide to us during any engagement may be considered Personal Information about you, your organisation and your employees. Personal Information is often, but not exclusively, provided to us when you request a quotation, complete a form on our website, sign up for our services, consult with our customer service team, send us an email, raise a support ticket, provide login credentials, or communicate with us in any other way.
Login Credentials: We will often require login credentials to websites and 3rd party websites to perform integrations. If you’re unable to provide credentials in a “secure way” (i.e. through your password manager), Spotlight Studios requests that you use our secure form; we will then add these credentials to our password manager. Additional security on our account includes dual factor authentication and a secret key. This key has 128 bits of entropy; combining that with our passwords makes it infeasible to guess no matter how much money or computing power an attacker has available.
The Use of Personal Information
We may use the Information we collect about you through our Services or other sources for a variety of reasons, including:
- To provide quotations
- To invoice and collect money owed to us
- To send account activity messages such as password resets, payment reminders or alerts
- To effectively manage your account and expectations
- To provide customer support
- To enforce compliance with our Terms of Service
- To meet legal requirements
- To provide essential information to external representatives and advisors, including lawyers and accountants, to help us comply with legal, accounting, or security requirements
- To prosecute and/or defend any legal proceedings
- To respond to lawful requests by public authorities
- To analyse data
- To provide suggestions to you
- Other purposes. To carry out other legitimate business purposes, as well as other lawful purposes about which we will notify you.
Privacy for our Potential Clients and Website Visitors
This section applies to Personal Information that we collect and process through our Websites and in the usual course of our business, for example in association with events, networking opportunities or sales and marketing activities. In this section “you” and “your” refer to Potential Clients and Website Visitors.
- To optimise and maintain our Websites
- To send you information for marketing purposes, in accordance with your marketing preferences
- To provide quotations
- For recruitment purposes if you have applied for a role with Spotlight Studios.
- To respond to your online inquiries and requests
- To improve the navigation and content of our Websites
- To process transactions and to set up a new online account
- Identify any server problems or other IT or network issues
- Analyse data about site usage to better understand the preferences of our Potential Clients and Website Visitors
- To carry out research and development to improve our products and services
- To carry out other legitimate business purposes, as well as other lawful purposes
Cookies, Analytics & Tracking
We and our partners may use various technologies to collect and store information when you use our Services, and this may include using cookies and similar tracking technologies, such as pixels and web beacons. For example, we use web beacons in the emails we send. These web beacons track certain behaviour such as whether the email sent through the Services was delivered and opened and whether links within the email were clicked. They also allow us to collect information such as the recipient’s IP address, browser, email client type and other similar details. We use this information to measure the performance of your email campaigns, and to provide analytics information and enhance the effectiveness of our Services. Reports are also available to us when we send email to you, so we may collect and review that information.
Google Analytics: Our website uses Google Analytics, a service which transmits website traffic data to Google servers in the United States. Google Analytics does not identify individual users or associate your IP address with any other data held by Google. We use reports provided by Google Analytics to help us understand website traffic and webpage usage.
Spotlight Studios uses a 3rd-party tool integrated with Google Analytics to translate anonymous IP data into tangible information. The information provides us with a business name and lookup, which we then use to determine a legitimate business interest in the services you viewed on our website. No personal information is obtained by Spotlight Studios at this stage, but we may use this to establish connections on social media channels such as LinkedIn to obtain such information.
Social media platforms and widgets.
Our Websites include reviews and social media features, such as the Facebook Like button. These features may collect information about your IP address and which page you are visiting on our Website, and they may set a cookie to make sure the feature functions properly.
Links to third-party websites.
Other Data Protection Rights
PECR (Privacy and Electronic Communications Regulations)
We primarily focus our B2B data acquisition on businesses, as they are classed as “corporate subscribers” under PECR if they are a corporate body with separate legal status (e.g. companies, limited liability partnerships, Scottish partnerships, and some government bodies). However, sole traders and other types of partnerships are classed as “individual subscribers” and PECR treats them the same as individuals. In general, the marketing rules in PECR apply equally to corporate subscribers and individual subscribers. The main difference is that the rule on marketing by electronic mail (e.g. email or text message) doesn’t apply to corporate subscribers.
If we are not sure whether a business is a corporate subscriber, we ensure that we have their consent to receive our electronic mail (unless contacting previous customers about our own similar products, and we offered them an opt-out when they gave us their details).
The PECR rule on direct marketing by electronic mail does not apply to corporate subscribers. For example, this means we can send B2B direct marketing emails or texts to any corporate body. We do not need your consent under PECR to send such messages.
However, we will comply with the regulations by:
- not disguising or concealing our identity; and
- providing a valid address for businesses to opt out or unsubscribe from our messages.
Unless otherwise requested, we keep your details in a ‘do not email or text’ list to ensure we can screen any new B2B direct marketing lists against it.
However, where we are processing personal data for direct marketing purposes, even in a business context, the UK GDPR applies (see below).
When we acquire personal data and intend to send you direct marketing messages, we will inform you about this along with a lawful basis under the UK GDPR for the processing.
So, when does the UK GDPR apply to business-to-business marketing?
The UK GDPR applies to the processing of personal data. If we can identify an individual either directly or indirectly it will constitute personal data even if they are acting in their business capacity.
For example, we will be processing personal data if:
- we have the name and number of a business contact on file; or
- the email address we are using to communicate with the business identifies an individual (eg email@example.com).
IMPORTANT: If we do not know the name of the person we are sending direct marketing to at a business, then we are not processing personal data and the UK GDPR does not apply to our marketing. This is the case, for example, if we are sending you direct marketing by post addressed simply to ‘the IT department’ or by emailing ‘firstname.lastname@example.org’.
Right to be Informed
If your personal data (i.e. name & direct company email) has been sourced publicly or via a 3rd party you will receive the below information when we add you to our database:
- The name and contact details of our organisation.
- The name and contact details of our representative (if applicable).
- The contact details of our data protection officer (if applicable).
- The purposes of the processing.
- The lawful basis for the processing.
- The legitimate interests for the processing (if applicable).
- The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
- The recipients or categories of recipients of the personal data.
- The details of transfers of the personal data to any third countries or international organisations (if applicable).
- The retention periods for the personal data.
- The rights available to individuals in respect of the processing.
- The right to withdraw consent (if applicable).
- The right to lodge a complaint with a supervisory authority.
- The source of the personal data (if the personal data is not obtained from the individual it relates to).
- The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
- The details of the existence of automated decision-making, including profiling (if applicable).
To ensure our compliance:
☐ We display our telephone number when making direct marketing calls to businesses.
☐ If we are not sure whether a business is a corporate subscriber, we ensure that we have their consent to receive our electronic mail (unless contacting previous customers about our own similar products, and we offered them an opt-out when they gave us their details).
☐ If we are processing personal data of our business contacts, we ensure that we have a lawful basis to do so.
☐ We tell our business contacts if we want to use their personal data for direct marketing purposes.
☐ We screen against our suppression lists and ‘do not contact’ lists before sending any direct marketing to businesses.
☐ We act on withdrawals of consent from businesses and business contacts.
☐ We don’t send direct marketing to any business or business contact that has asked us not to.
Spotlight Studios records all personal data in a GDPR-compliant CRM system. We have a compliance module for full accountability and traceability of every record alongside the ability to update contact preferences and opt-in/out of communications. Our team continually cleanse the data held within the CRM, completing a full cleanse cycle at least once every 12 months. Any records found to be out of date or no longer relevant are placed into a deletion queue, which is securely purged periodically throughout the year.
Our service is not available to children under the age of 18, and we will not intentionally maintain information about anyone under the age of 18.
Data Protection Rights
To access, correct, update or request the removal of Personal Information
Spotlight Studios takes reasonable steps to ensure that the data we collect is reliable for its intended use, accurate, complete and up to date. As a Client, you can manage many of your individual account and profile settings within our client portal (https://portal.spotlightstudios.co.uk) or you may contact us directly via phone (0800 689 3652) or by emailing email@example.com.
Withdrawal of consent
If Personal Information is collected or processed on the basis of consent, as the data subject you can withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Information conducted in reliance on lawful processing grounds other than consent.
The right to complain to a data protection authority
For more information, please contact your local data protection authority.
Processing a request
We will endeavour to respond to all requests in a timely manner. Any individuals wishing to exercise their data protection rights in accordance with applicable data protection law will need to verify their identity in order to help us respond efficiently to their request.