Introduction
Welcome to The Evergreen Agency’s privacy notice.
We respect your privacy and are committed to protecting your personal data. This notice explains how we collect, use, and safeguard your information when you visit our website, contact us, or engage with our services. It also outlines your rights under UK data protection law and how you can exercise them.
Navigating this privacy notice
We’ve structured this privacy notice in a layered format so you can easily navigate to the areas that matter most to you. If you’re unsure about any terms used, you can refer to the Glossary at the end of the notice (Section 10).
- IMPORTANT INFORMATION AND WHO WE ARE
- THE DATA WE COLLECT ABOUT YOU
- HOW IS YOUR PERSONAL DATA COLLECTED?
- HOW WE USE YOUR PERSONAL DATA
- DISCLOSURES OF YOUR PERSONAL DATA
- INTERNATIONAL TRANSFERS
- DATA SECURITY
- DATA RETENTION
- YOUR LEGAL RIGHTS
- GLOSSARY
1. Important information and who we are
Purpose of this privacy notice
This privacy notice explains how the Evergreen Agency collects, uses and protects your personal data when you visit our website, contact us, or engage with our services. It also outlines your legal rights and how the law protects you.
Our services are intended for business clients, and our website is not designed for or directed at children. We do not knowingly collect data relating to anyone under the age of 18.
It’s important that you read this privacy notice together with any other privacy notices or fair processing notices we may provide on specific occasions. This notice supplements those notices and is not intended to override them.
| Who this notice is for: Our services are designed for businesses. Most of the personal data we collect relates to clients, prospective clients, or visitors to our website typically limited to names, contact details, and basic usage data. We do not target or provide services to individuals acting in a personal or consumer capacity, nor do we knowingly collect data relating to children. |
Our website: https://theevergreenagency.co.uk/ (referred to in this notice as our ‘site’)
Controller
The Evergreen Agency is the controller responsible for your personal data (referred to as “we“, “us” or “our” in this privacy notice).
Note on client representatives: In the course of delivering services, we may process personal data about individuals working for or on behalf of our clients such as names, job titles, business contact details or social media profiles. We do this to support service delivery and relationship management. This data is used solely for our own business purposes and is not shared or repurposed for unrelated use.
Contact details
If you have any questions about this privacy notice or how we handle your personal data, including any requests to exercise your legal rights, please contact us at:
- Legal entity name: The Evergreen Agency Ltd
- Email address: privacy@theevergreenagency.co.uk.
The above email inbox is monitored for all privacy-related matters, including data subject access requests (DSARs), potential data incidents, and general privacy queries.
- Postal address: Unit 1 and Unit 2, Willows Gate, Stratton Audley, Oxfordshire, OX27 9AU
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection (www.ico.org.uk). However, we’d welcome the opportunity to resolve your concerns first, so please contact us in the first instance.
Changes to this privacy notice
We keep this privacy notice under regular review and may update it from time to time. When we do, we will update the “Last updated” date at the end of this document.
Third-party links
Our website may include links to third-party websites, plug-ins or applications. Clicking on those links or enabling those features may allow third parties to collect or share personal data about you. We are not responsible for those third-party websites and encourage you to read their privacy notices before providing them with your data.
2. The data we collect about you
Personal data” (or “personal information”) means any information that relates to an identifiable individual. It does not include data where your identity has been removed (anonymous or aggregated data).
We may collect, use, store and transfer different kinds of personal data, grouped as follows:
- Identity Data – includes first name and last name.
- Contact Data – includes email address, phone number, and business-related contact details (e.g. if you fill in our website contact form).
- Technical Data – includes IP address, browser type and version, time zone setting and location, browser plug-in types, operating system and platform, and other technology on the devices you use to access our site. This is collected automatically via tools such as Google Analytics and Meta Pixel.
- Usage Data – includes information about how you navigate and interact with our site, including pages visited, time spent, clickstream data, and referral source.
- Marketing and Communications Data – includes your preferences in receiving marketing from us and your communication preferences.
How this data is collected: We collect most of this data directly from you for example, when you submit a contact form or sign up for updates. Some data, like Technical and Usage Data, is collected automatically through cookies and similar tracking tools (e.g. Meta Pixel, Google Ads, Google Tag Manager). For more detail, please refer to our Cookie Policy available at https://theevergreenagency.co.uk/cookie-policy/.
In the course of providing marketing services to clients, we may also access client-side third-party tools such as Google Analytics, Google Ads, Meta Ads, and related dashboards. We do this solely for the purpose of delivering services under a contract and do not use this information for our own purposes.
We also collect, use and share aggregated data, such as statistical or demographic data, for internal purposes (e.g. website performance or marketing analysis). Aggregated data may be derived from personal data but does not directly or indirectly identify you and is not considered personal data in law.
Special Category Data. We do not collect any Special Category Data (also known as “sensitive data”) about you (this includes details about race, religion, health, sexual orientation, political opinions, or union membership), and we do not collect data relating to criminal offences or convictions.
If you fail to provide personal data. In some cases, we may need to collect certain personal data by law or under the terms of a contract we have with you. If you do not provide that data when requested, we may not be able to perform the contract or provide services and we will let you know at the time if this applies.
3. How is your personal data collected?
We use different methods to collect personal data from and about you, including:
- Direct interactions
You may provide us with Identity and Contact Data when you:
- Fill in a contact form on our website.
- Correspond with us by email, phone or social media.
- Subscribe to receive content or updates from us.
- Respond to surveys or provide feedback.
4. Automated technologies or interactions
As you interact with our website, we may automatically collect Technical and Usage Data about your device, browsing patterns and interaction with the site. We collect this data using cookies, pixels and similar tracking technologies, including:
- Google Analytics
- Meta Pixel
- Google Ads
- Google Tag Manager
- Third-party sources
We may receive business contact details (such as name, job title, and work email address) from:
- Publicly available sources, such as LinkedIn or your company website
- Referrals or business directories
- Third-party marketing or CRM tools (if in use)
How can I control what data is collected? Most of the data we collect through our site (like IP address or usage info) happens automatically via tools like Google Analytics and Meta Pixel. You can control how cookies are used through your browser settings or by adjusting your preferences in our Cookie Policy.
- How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use it in the following circumstances:
- Where we need to perform a contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal obligation.
- With your consent, where required by law (e.g. for certain marketing activities).
You have the right to withdraw consent at any time by contacting us using the details in Section 1.
- Purposes for which we will use your personal data
We have set out below a summary of how we use personal data, the types of data involved, and the lawful bases we rely on:
| No. | Purpose/activity | Type of data | Lawful basis for processing |
|---|---|---|---|
| 1 | To respond to enquiries or contact requests. | Identity, Contact | Legitimate interests
(to respond to business opportunities or potential clients) |
| 2 | To deliver our marketing services to clients, including planning, reporting, and account management. | Identity, Contact, Usage, Marketing and Communications | Performance of a contract; Legitimate interests
(to deliver and manage services effectively) |
| 3 | To manage our relationship with you (including updates, contract changes, billing or feedback). | Identity, Contact, Marketing and Communications | Performance of a contract; Legal obligation; Legitimate interests
(to keep records up to date and maintain client engagement) |
| 4 | To analyse how users interact with our website. | Technical, Usage | Legitimate interests
(to improve our site and user experience) |
| 5 | To deliver targeted advertising or track marketing campaign effectiveness. | Technical, Usage, Marketing and Communications | Legitimate interests
(to grow our business and measure success of marketing); Consent where required (e.g. via cookies) |
| 6 | To comply with our legal obligations (e.g. record-keeping, data rights management). | Identity, Contact | Legal obligation |
| 7 | To manage email marketing and relationship data using third-party tools (e.g. ActiveCampaign, Monday.com). | Identity, Contact, Marketing and Communications | Consent; Legitimate interests
(to manage client and contact engagement efficiently) |
| 8 | To create and publish visual content (e.g. videos or photos for marketing or social media) | Image, video (may include individuals incidentally or directly) | Legitimate interests (to promote our brand and services); Consent where filming is planned and individuals are asked to participate. |
Note:
- You may receive marketing emails or digital ads from us if you’ve requested information, engaged with our services, or given your consent. We manage these using tools such as ActiveCampaign and Meta Ads.
- Where we film or photograph content at public or client locations, we take steps to avoid capturing identifiable individuals without a lawful basis. Where possible, signage is used to inform people that filming is in progress. Where individuals participate directly, we obtain their consent. If you appear in any of our media and would like it removed, please contact us using the details in Section 1.
Marketing preferences and tracking.
You may receive marketing emails or digital ads from us if you’ve requested information, engaged with our services, or given your consent.
You can opt out of marketing emails at any time by clicking the unsubscribe link in the received mail or contacting us using the detail provided at Section 1 above.
- Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider we need to use it for another compatible purpose. If we ever need to use your data for an unrelated purpose, we will notify you and explain the legal basis.
- Automated decision-making and profiling
We do not use personal data to make automated decisions that have legal or similarly significant effects.
We may use analytics tools and ad platforms that assess user behaviour (e.g. Google Analytics, Meta Ads), but these do not result in decisions that affect your rights or access to services.
5. Disclosures of your personal data
We may share your personal data with selected third parties where necessary to carry out our business operations, provide our services to you, comply with legal obligations, or pursue our legitimate interests.
These third parties include:
- Service providers
We use the following third-party tools to help deliver our services and manage our operations:
- ActiveCampaign – for marketing emails (their privacy policy can be accessed here: https://www.activecampaign.com/legal/privacy-policy).
- Monday.com – for contact and client relationship management (their privacy policy can be accessed here: https://monday.com/l/privacy/privacy-policy/).
- Google – for analytics, advertising, and cloud file storage (their privacy policy can be accessed here: https://policies.google.com/privacy?hl=en-GB&gl=uk).
- Meta (Facebook/Instagram Ads) – for digital advertising (their privacy policy can be accessed here: https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0).
- WeTransfer – for transferring design or campaign files (their privacy policy can be accessed here: https://wetransfer.com/explore/legal/privacy).
We also work with independent contractors or freelancers who assist with our client work. All third-party service providers are subject to strict confidentiality and data protection obligations.
- Professional advisers
Lawyers, accountants, auditors, or insurers who provide professional services to us.
- Regulatory authorities
HM Revenue & Customs, law enforcement, or other regulators where we are legally required to disclose data.
- Business transfers
Third parties in connection with a potential sale, restructuring, merger, or transfer of part of our business. In such cases, we will ensure your personal data is protected and used in accordance with this privacy notice.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our service providers to use your personal data for their own purposes (unless the law permits or requires this) and only permit them to process it on our instructions and for specified purposes.
6. International transfers
Some of our third-party service providers may process your personal data outside the United Kingdom (UK), including in countries that do not have the same data protection laws as the UK. In particular, data may be transferred to the United States through our use of digital marketing, analytics, and advertising platforms.
Where we transfer personal data outside the UK, we ensure a similar level of protection by putting in place one of the following safeguards:
- We transfer to countries that have been formally recognised by the UK government as providing adequate protection for personal data; or
- We use standard contractual clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum, approved under UK data protection law.
If you would like more details about these safeguards or copies of the relevant agreements, please contact us using the details in Section 1.
Table: Key international transfers
| Recipient | Service / Purpose | Country | Safeguard | Privacy Policy |
|---|---|---|---|---|
| Google LLC | Analytics, Ads, Tag Manager, Google Drive | United States | SCCs + UK Addendum | https://policies.google.com/privacy?hl=en-GB&gl=uk |
| Meta Platforms Inc. | Meta Pixel / Ads (Facebook and Instagram tracking) | United States | SCCs + UK Addendum | https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0) |
| ActiveCampaign LLC | Marketing emails and campaign management | United States | SCCs + UK Addendum | https://www.activecampaign.com/legal/privacy-policy |
| Monday.com Ltd | CRM and project/contact management | Israel | Adequacy Decision | https://monday.com/l/privacy/privacy-policy/ |
| WeTransfer B.V. | File transfers and creative asset sharing | Netherlands/EU | UK-EU Transfers (adequate) | https://wetransfer.com/explore/legal/privacy |
Note. This table reflects known tools based on our current records. We may update it after completing our internal records of processing and reviewing our suppliers and service providers.
7. Data security
We take the security of your personal data seriously.
We have put in place a range of technical and organisational measures designed to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures include access controls, internal policies, secure systems and confidentiality obligations for staff and contractors.
We also limit access to your personal data to those employees, contractors, and third parties who have a business need to know. They will only process your data on our instructions and are subject to confidentiality duties.
We have procedures in place to deal with any suspected personal data breach and will notify:
- the Information Commissioner’s Office (ICO), where legally required to do so, and
- You, where the breach is likely to result in a high risk to your rights and freedoms.
Think something’s gone wrong? If you suspect that your personal data may have been compromised or used inappropriately, please let us know as soon as possible by emailing privacy@theevergreenagency.co.uk.
8. Data retention
How long will you use my personal data for?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including to comply with legal, regulatory, tax, accounting, or reporting requirements.
We may keep some information for longer where:
- there is a legal obligation to do so (e.g. for audit or tax purposes), or
- we reasonably believe there is a prospect of legal proceedings, complaints, or enquiries that require us to retain relevant data.
9. Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data.
Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- E.g. Ask us for a copy of the personal data we hold about you.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- E.g. Update your name or contact details if they’ve changed.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it or you are exercising another right. Note, however, that we may not always be able to comply with your request of erasure in accordance with data protection laws.
- E.g. Ask us to delete your details if you no longer use our services.
(We may retain some data where we have a legal obligation or overriding legitimate reason.)
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- E.g. Tell us to stop sending marketing emails or raise concerns where we rely on our legitimate interests.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in certain situations.
- E.g. Ask us to pause processing while a correction or objection is under review.
Request the transfer of personal data provided by you to us, to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.
- E.g. Ask us to send your data to another service provider in a structured, machine-readable format.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you.
- E.g. Unsubscribe from newsletters or marketing you previously opted into. This does not affect the lawfulness of any processing carried out before you withdraw consent.
How to exercise the above rights.
If you wish to exercise any of these rights, please contact us at: privacy@theevergreenagency.co.uk
What we may need from you.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond.
We aim to respond to all legitimate requests as soon as possible and within 1 (one) calendar month from the date of receipt, in line with UK data protection law.
If your request is particularly complex or if you have made a number of requests, we may extend this period by up to 2 (two) additional months. If this happens, we will notify you within the first month and explain the reason for the delay.
10. Glossary
Note: This glossary provides plain-English explanations of key privacy and data protection terms for ease of understanding. These summaries are based on the definitions and principles found in the UK GDPR and related laws. For full legal definitions, you can refer to Article 4 of the UK GDPR and the accompanying guidance published by the UK’s Information Commissioner’s Office (ICO).
🔹 Information Commissioner’s Office (ICO) – UK data protection authority: https://ico.org.uk
🔹 UK GDPR (full text as retained EU law) – from legislation.gov.uk: https://www.legislation.gov.uk/eur/2016/679/contents
Data controller. The organisation that decides how and why personal data is processed. For the purposes of this notice, The Evergreen Agency is the data controller.
Data processor. A third party who processes personal data on behalf of a data controller, in line with documented instructions. Examples include hosting providers, analytics platforms, or marketing tools.
Data subject. The individual whose personal data is being collected, held or used. In this privacy notice, “you” refers to the data subject.
Personal data. Any information that can directly or indirectly identify a person. Examples include names, contact details, IP addresses, and online identifiers.
Special category data. A type of sensitive personal data which includes information about health, racial or ethnic origin, political opinions, religious or philosophical beliefs, sex life, sexual orientation, and biometric or genetic data. This data requires a higher level of protection. We do not typically process this data.
UK GDPR. The United Kingdom General Data Protection Regulation, which governs how personal data must be handled in the UK. It sits alongside the Data Protection Act 2018.
DSAR (Data Subject Access Request). A request from a data subject to access the personal data a controller holds about them. Under UK GDPR, you have the right to make such a request and receive a response within one month.
Lawful basis. The legal grounds under UK GDPR that justify why personal data is being processed. Common bases include:
- Consent – where you have given permission
- Contract – where processing is necessary to fulfil an agreement
- Legal obligation – where processing is required by law
- Legitimate interests – where the organisation’s interests do not override your rights
Supervisory authority / Data Protection Authority. The UK’s data protection supervisory authority is the
