Wordbird Privacy Notice

Your privacy matters to us

Company information


We are Wordbird Ltd (“Wordbird”). We help businesses understand insights, develop strategies and communicate clinical data by transforming it into strategic, emotive creative content with multichannel engagement. Wordbird is a private limited company registered in England C Wales 08062765. Our registered address is Studio 2.2, Battersea Studios 2, 82 Silverthorne Road, London, England, SW8 3HE. We are registered with the Information Commissioner’s Office under registration number 00016318597.


General information


We have a moral and legal responsibility to respect your privacy and take care of any personal data we hold about you, in compliance with the data protection legislation.


We are the data controller for the personal data we process about our clients, enquirers, client leads, subscribers, employees, contractors, job applicants and visitors to our website. This privacy notice tells you what to expect when we handle personal data as a data controller.


We sometimes process personal data as a ‘data processor’. This is when handle personal data on behalf of our clients. In these cases, we process this information upon our clients’ written instructions under a contract. Any collection or use of that information is limited to the purpose of providing the service to our clients.


Contact us


If you have any queries about this privacy notice or the services we offer, please email us at flock@wordbird.london


Our privacy promise to you

Transparency

We are committed to protecting and respecting your privacy. We will always tell you what data we are collecting about you and how we use it and will never ask for more information than we need to. We will not share your data with any third parties, unless you have consented to this; they are a trusted partner working on our behalf; or the laws allow us to, and we will never sell your data.


Security

We hold ISO 27001 certification and are committed to following industry best practices to ensure your data is stored safely and securely. We will protect the information we process about you from accidental or unlawful access, disclosure, loss, damage or destruction.


Control

We will always give you control over the communications you receive from us and you can stop or tell us you no longer wish to receive these, at any time, by unsubscribing or emailing flock@wordbird.london

How we obtain your personal data

Personal data means any information that can be used to identify you directly or indirectly, for example by your name, an identification number, your location data, an online identifier or any factors relating to your physical, physiological, genetic, mental, economic, cultural or social identity.


Most of the personal data we process is provided to us directly by you, for example when you:


  • make an enquiry by email, telephone, through our website or via social media

  • provide us with information about yourself during the course of our relationship with you

  • attend a Wordbird event or webinar

  • sign up to our newsletters, blogs and promotions

  • work with us as an employee or contractor

  • visit our website


    We may also collect personal information about you indirectly, for example through:


  • public sources e.g. websites professional networking and social media sites

  • via other clients that refer us to you

  • recruitment agencies

  • modelling or acting agencies

  • referees to support your job application (at your request)

  • cookies and tracking technologies operating on our website


What information we collect and how we use it

Enquirers


When someone contacts us asking about our services through our website, via social media, by email or over the telephone; we collect their name, contact details and the nature of their enquiry. We collect this information for our legitimate interests as a company, to be able to respond to their enquiry and keep a record of our communications with them.


Clients


We collect the name and email address of our clients and information about the service they have purchased. We need this information so we can fulfil our contract with our clients, or take steps at their request, prior to entering into a contract with them. We also collect this information for our legitimate interests in maintaining records for accounting, legal and insurance purposes.


To contribute to the delivery of our services to our clients and in pursuit of our legitimate business interests, the meetings that we have with clients are recorded. We use the meeting recordings to assist us in the creation of materials for our clients. Recording the meetings allows us to revisit the discussions and ensure that the materials we create meet the client brief and exceed client

expectations. We use a range of video and voice recording software to record both in-person and remote meetings.


We strive to deliver an exceptional service including remembering our clients food and drink preferences so that we may accommodate them during client meetings or at any events they may attend. This contributes to our legitimate business interest of providing our clients with exceptional service and encouraging repeated client contracts.


To deliver a personalised client experience, from time to time we may choose to send clients gifts or cards in recognition of celebratory events. To ensure that our clients who work remotely receive these, we may send these to a client’s home address, given to us by the client themselves or their employer. Clients who do not wish to receive celebratory gifts or cards can opt-out at any time by contacting flock@wordbird.london


We have a legitimate business interest to market our services. We use online advertisements to reach prospective clients whilst they are using social media sites including Facebook, Instagram, X and Linkedin. To reach the most relevant prospects, we share existing client names and email addresses with these social media sites to allow them to identify our clients’ social media profiles. The social media sites then identify similar users of their platforms who are not already our clients and surface our advertisements to them whilst they are using their social media account. To enhance the success of this activity within the Linkedin platform, we also share the name of our clients employers. Clients who do not wish for us to include their personal data within this activity can opt-out at any time by contacting flock@wordbird.london


Subscribers


We collect the name and work email address of clients and potential clients who we believe will benefit from receiving our newsletters, resources, blogs and promotions. We collect this information to meet our legitimate business interests of marketing our services and products.


If a person unsubscribes, we remove them from our mailing list but retain their contact details in a separate database. We need to retain this information for our ‘legitimate interests’ to ensure we do not contact them again in the future. We keep subscriber data until they unsubscribe, if the email address becomes invalid or if we believe they no longer want to receive communications from us.


Visiting our Offices


When someone visits our offices, our building management company, CBRE records the visitor’s name, company they work for and the date of their visit.


CCTV operates within the Battersea Studios buildings and is managed by CBRE. Wordbird has no control over the CCTV system and is not responsible for it. Enquiries about CCTV or visitor information should be made directly to Battersea Studios.


Webinars and event attendees


We collect the name and contact details of individuals who enquire about or book to attend a webinar or event hosted by us. We also collect the name and contact details of any speakers invited to take part in a webinar or event. We process this information to pursue our legitimate

interests, i.e. to run the event or webinar, confirm attendance, and to let the attendee know about future events which we believe they may be interested in attending.


Events held in-person are sometimes held at our Battersea office. Where we have chosen to hire an event space, it is possible that the owner of the event space may require us to share personal data with them relating to attendees in order to manage the event sign-in. The building owner may also operate CCTV which Wordbird is not responsible for. Where this is the case, we strongly advise event attendees to read the privacy notice relating to the owner of the building in which the event is being held.


We may choose to record webinars and take photographs or videos during our events to create promotional material or for internal review purposes so that we may learn from webinars and events and improve them. We do this in pursuit of our legitimate business interests of growing our business. Attendees can opt-out of being recorded or captured within photographs or videos at any time by contacting us in person during the event or emailing flock@wordbird.london


We keep contact details relating to those who have registered for an event or webinar for as long as we believe they may be interested in receiving communications about our webinars and events, or until they unsubscribe. Attendees can opt-out from receiving communications about future events and webinars at any time by emailing flock@wordbird.london.


Client leads


We collect the name, job role and work email address and phone numbers of employees working for potential clients, who we think would be interested in receiving information about our company’s services; this is known as ‘B2B’ or ‘business to business’ marketing. This information is only collected either from the individuals themselves, via a third-party where the individual has given consent for their data to be shared, or from public sources, such as company websites or where the employee has published their name, and contact details on a networking site (such as LinkedIn) and therefore would have a reasonable expectation that companies like us, may contact them to make introductions and market their services.


We collect this information to pursue our legitimate interests, to be able to promote and market our services to potential new clients. Contact leads can opt-out from receiving communications from us at any time, by unsubscribing or emailing flock@wordbird.london


Job applicants


We receive Curriculum Vitae (CVs) and application forms from people who apply for jobs with us. This will often include the individual’s name, contact details, experience, education and a personal statement to support their application. We collect this information with the person’s consent and for our legitimate interests to be able to assess the suitability of the individual and where relevant, invite them to interview.


Employees


We collect information about our employees, such as their name, date of birth, contact details, recruitment information, evidence of their right to work, contract, bank details and other employment information. We collect this information to enable us to fulfil our contract with the employee or to take steps at the request of the employee, prior to entering into a contract with

them. For example, to ensure they are paid; make pension and tax contributions on their behalf and provide employee services and benefits to them. We also collect this information to pursue our legitimate interests, for example to recruit employees, maintain a register of our employees (past and present) for insurance, legal, tax and pension purposes and to assist in the prevention or detection of crime (including fraud).


During the course of employment, we collect information about the employee’s performance including training sessions completed, appraisals, one-to-one notes, reasons for absence and information relating to any disciplinaries or grievances. We also publish images of our employees on our website and information about the roles they do to allow prospective clients to understand more about our business and how our employees contribute to our success. It also allows prospective clients to reach out to the individual that they feel best suits their needs.


We sometimes collect ‘special category data’ about our employees, for example information about their disabilities, health and dietary needs or religious beliefs. Our lawful bases to process this type of data falls under contract and employment. We need this information so we can make reasonable adjustments in the workplace and carry out our legal obligations under employment (such as the Equality Act and Health and Safety Act), as well as safeguarding the welfare of the employee and where relevant colleagues.


Our building management provider, CBRE, manages the building access control system which allows employees to gain access to the building by presenting their employee ID card on entry and exit. This system is not managed by Wordbird. Further information about the access control system should be directed to CBRE.

Wordbird employees are provided with company-owned devices to fulfil their roles. Wordbird uses Apple provided devices which use facial detection and fingerprint sensors to log-in to the devices. Employees that choose to enable these features do so with their explicit consent.

On occasion the Office of National Statistics may ask us to complete business feedback forms to contribute to UK-wide economic analysis reporting. Whilst the nature of these forms is to provide information about our business, we recognise that they may sometimes include the sharing of personal data relating to employees. We only do this when we are legally obliged to do so


Contractors


We collect information about our contractors, such as their name, contact details, experience, outcome of their criminal record check (DBS) (where required), service contract and bank details. We collect this information for our legitimate interests, to be able to assess the suitability of the individual and to enable us to fulfil our contract with them or to take steps at their request, prior to entering into a contract with them.

Children


We sometimes collect personal data relating to actors or models who participate in the creation of materials for our clients. This can include personal data relating to children, for example where a client specialises in child skincare products and has appointed us to create marketing materials on their behalf. We collect the name of the child’s accompanying parent or guardian as well as the child’s name and age and any personal data relating to them that contributes to the creation of the creative materials e.g. their image in photographs or videos and or their voice if they have been asked to help create video or audio creative materials. All personal data relating to the actor or model is provided to us by the actor or model’s agent. We collect this information for our legitimate interests, to be able to assess the suitability of the model or actor and for the purposes of fulfilling our contract with them or to taking steps at their request, prior to entering into a contract with them.


Website visitors


We use cookies and similar tracking technologies across our website and within our emails. This technology helps you to navigate around our site, tells us how well our website is performing and allows us to present relevant advertisements to specific website users.


Cookies are small text files placed on the devices of visitors to websites and applications. They are used to enhance the visitor’s experience and to allow us and other third parties to understand more about how the website is being used and to deliver relevant marketing messages. For more information on how we use cookies and similar technologies, please contact us at flock@wordbird.london


Who we share information with

We respect your privacy and confidentiality and will not share your personal data with third parties, unless you have consented to this; the recipient is a trusted partner working on our behalf (a data processor); or the UK laws allow us to.


Where we use ‘data processors’ to help us manage and store our clients’ data, we have Data Processing Agreements in place to protect any personal data they may have access to on our behalf. To find out who are data processors are, see section ‘Where we store your data’.


Our data processors only act on our instructions and are carefully selected to ensure they have robust security measures in place and comply with the UK data protection legislation when processing personal data.


There may be times when we need to disclose personal data to other data controllers, for example:


  • In the event that we sell our company or its assets

  • If you provide us with your consent

  • If we are under a duty to disclose your personal data, for example in response to a court order, request from law enforcement agencies or where we consider sharing to be in your vital interests

  • To enforce or apply our terms and conditions and other agreements.

  • To protect the rights, property, or safety of our company and its employees, our Clients, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection.


    We will never sell your personal data or share it in ways you would not reasonably expect.


    Our lawful basis and data retention

    Personal data

    When we collect, use and retain personal data, the data protection laws require us to have a valid lawful basis for doing so. These are set out in Article 6 of the UK GDPR and relate to consent; contracts; legal obligations; vital interests; public tasks and legitimate interests. When we process more sensitive information (Special Category Data) such as health information, we are required to have additional lawful bases to handle that information. These are set out in Article 9 of the UK GDPR.

    The table below outlines which lawful bases we rely on when we process your personal data and how long we keep your information for:


    Data Subject

    Lawful bases

    Retention period

    Enquirers

    Legitimate Interests (Article 6(1)(f))

    2 Years for enquiries made that do not lead to a client contract.

    Where an enquiry leads to a client contract, the enquiry information will form part of your clients file and will be held inline with client retention periods.

    Clients

    Legitimate Interests (Article 6(1)(f))

    4 years after the contract has ended unless a different retention period is agreed

    within the client contract.

    Subscribers

    Legitimate Interests (Article 6(1)(f))

    We keep subscriber data until you unsubscribe; if the email address becomes invalid, or if we no longer believe you want to hear from us.

    We retain the contact details of those who have unsubscribed indefinitely, so we know not to contact them again.

    Visitors to our office

    Wordbird is not the Data Controller for this information and does not store it.

    n/a


    Webinar and event

    attendees

    Legitimate interests

    (Article 6(1)(f))

    2 years after the event or

    webinar.

    Client leads

    Legitimate Interests (Article 6(1)(f))

    2 years after the enquiry.


    Where an enquiry leads to a client contract, the enquiry information will form part of your clients file and will be held inline with client

    retention periods.

    Job applicants

    Legitimate interest (Article 6(1)(f))

    6 months after the application unless the applicant has given permission for us to retain

    their details for longer.

    Employees

    Necessary for the performance of a contract (Article 6(1)(b))

    Necessary for compliance with a legal obligation (Article 6(1)(c))


    Legitimate interest (Article 6(1)(f)) Special Category data conditions:

    Necessary for obligations in the field of employment law (Article 9(2)(b))


    The data subject has given explicit consent

    (Article 9(2)(a))

    7 years after the employment has ended.

    Contractors

    Legitimate Interests (Article 6(1)(f)

    Necessary for the performance of a contract (Article 6(1)(b))

    7 years after the contract has ended.

    Children

    Legitimate Interests (Article 6(1)(f)

    Necessary for the performance of a contract (Article 6(1)(b))

    4 years after the associated Worbird client contract has ended unless a different retention period is agreed within the client contract.


    Visitors to our website (information collected via cookies and tracking technologies operating on our website)

    Legitimate Interests (Article 6(1)(f))


    Consent (where legally required)

    (Article 6(1)(a))

    12 months.

    Where we store your data

    We store your data in the UK , however some of our service providers store personal data outside of the UK including our CRM system, Pipedrive, our email management system, Mailchimp and our Payroll provider ADP who all store personal data in the US. Where our service providers store personal data outside of the UK, we have UK International Data Transfer Agreements with them which ensures they process our data securely and in line with our data protection laws.

    We work with the following service providers on a regular basis:


  • Google Cloud


    We use Google’s EU servers (in Dublin, Ireland) to securely store our business information. For more information about Google Cloud, please visit Google Cloud Privacy Notice


  • Pipedrive


    We store all client information within our secure CRM system, Pipedrive. For more information about Pipedrive, please visit Privacy Notice | Pipedrive


  • Mailchimp


    We use our email management platform, Mailchimp to send our weekly newsletter and other client emails. For more information about Mailchimp, please visit Global Privacy Statement | Intuit


    We use Bright HR and ADP to store and process our employee data. For information about the security provided by these services please visit Security | BrightHR and Data Security | ADP


    How we protect your data

    We take our security responsibilities very seriously and have put in place robust measures to protect our data and our clients personal data from accidental or unlawful access, disclosure, loss, damage or destruction.


    Here are some examples of how we achieve this:


  • Data is held on encrypted servers in the EU In the event that personal data is stored outside the UK or EEA, additional contracts (International Data Transfer Agreements) will be in place to ensure the data is secure and protected in line with the UK GDPR, where required.

  • Access to our data and systems is on a strict need to know basis and we ensure our employees and contractors are under an obligation of confidentiality.

  • Employees receive mandatory data protection training and sign up to our Data Protection Policy.

  • We have robust procedures in place to manage and report personal data security breaches, in the unlikely event of a breach occurring.

  • Where we use companies who process personal data on our behalf, we carry out due diligence checks on these companies and have written contracts in place (Data Processing Agreements) which require them to handle personal data in line with the UK data protection laws.

  • We use up to date virus and malware protection software, encryption and we back up data regularly.


Your data protection rights

You have the following rights under the data protection laws:


Right to know


You have the right to be told how your personal data is being processed. This privacy notice tells you how we handle your personal data.


Right of access


You have the right to ask us for a copy of your personal data.


Right to rectification


You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.


Right to erasure


You have the right to ask us to erase your personal data in certain circumstances.


Right to restriction of processing


You have the right to ask us to restrict the processing of your personal data in certain circumstances.


Right to object to processing


You have the right to object to us processing your personal data where we consider this is necessary for our legitimate interests or those of a third party.


Right not to be subject to profiling or automated decision-making that produces legal or similar effects


You have the right to challenge decisions made as a result of us processing your personal data to profile you or make automated decisions that have a legal or similarly serious effect on you.


Right to data portability


You have the right to ask that your personal data is transferred (ported) from us to another organisation or given to you. This applies to information you have given to us where we are

processing your information based on your consent or for contractual purposes and the processing is automated.


Right to complain


We work to high standards when it comes to processing your personal data. We hope you will always be happy with the way we handle your information, however if we have not met your expectations, please let us know so we can put things right. If you remain dissatisfied, you have the right to complain to the Information Commissioner’s Office. Further information about your data protection rights, can be found on the Information Commissioner’s Office website at www.ico.org.uk


To exercise these rights, please contact us by emailing flock@wordbird.london. You are not usually required to pay a fee and can expect to receive a response within one calendar month. Further information about your data protection rights can be found on the Information Commissioner’s Office website at www.ico.org.uk


Contact us

If you have any queries about this privacy notice or the services we offer, please email us at flock@wordbird.london addressing it to the attention of our Data Protection Officer.


Changes to this privacy notice

We may need to update this privacy notice periodically, so we recommend that you revisit this information from time to time. This version was last updated on 22.08.24.