Privacy Policy
Last updated: March 2026
This Privacy Policy explains how EXPRE Digital Limited ("EXPRE", "we", "us", "our") collects, uses, and protects personal data when you visit our website or use our services.
About Us and Our Legal Obligations
EXPRE Digital Limited is a company registered in England and Wales (company number 10595290). Our registered office is at Kingfisher House, 21–23 Elmfield Road, Bromley, BR1 1LT. We are registered with the Information Commissioner's Office (ICO) as a data controller. For data protection queries, contact us at da**@******co.uk.
We process personal data in accordance with UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). This policy explains what data we collect, why we collect it, how we use it, how long we keep it, and your rights in relation to it.
Data We Collect
Information you provide directly: Your name, email address, phone number, company name, and any other information you submit through our contact forms, enquiry submissions, or newsletter sign-up.
Information collected automatically: When you visit our website, we collect technical information including your IP address (anonymised before storage), browser type and version, pages visited, time on site, and referring URL. This data is collected through Google Analytics 4 and is subject to your cookie consent choices.
Cookies and tracking technologies: We use cookies in accordance with PECR. See the Cookies section below for full details.
Business contact data: When you contact us as a representative of a business, we process your business contact information in connection with potential or active commercial relationships. We rely on legitimate interests as our lawful basis for this processing.
Client project data: For active client projects, we process data required to deliver the agreed services. This may include website data, marketing data, and business information depending on the scope of the project.
Lawful Basis for Processing
| Purpose | Lawful Basis |
|---|---|
| Responding to enquiries and contact form submissions | Legitimate interests |
| Delivering contracted services | Contract performance |
| Sending newsletter and marketing emails | Consent |
| Website analytics (GA4) | Legitimate interests (subject to cookie consent) |
| Maintaining client records and accounts | Contract performance / legal obligation |
| Complying with legal and regulatory obligations | Legal obligation |
Cookies
We use cookies in accordance with PECR. Cookies that are not strictly necessary require your prior consent, which you can provide or withdraw at any time using the cookie preferences link in the footer of this website.
We use the following categories of cookies:
| Category | Name(s) | Purpose | Consent required |
|---|---|---|---|
| Essential | wordpress_*, wp-settings-* |
Core website functionality and security | No |
| Analytics | _ga, _ga_XXXXXXXX |
Google Analytics 4 — understand how visitors use the site. IP anonymisation enabled. | Yes |
| Marketing | _gcl_au, _fbp |
Advertising and conversion tracking | Yes |
Withdrawing cookie consent will not affect the lawfulness of processing based on consent before withdrawal, and will not affect core website functionality.
Third-Party Services
We use the following third-party services that may process personal data on our behalf or in connection with our website. Each is subject to a data processing agreement with EXPRE:
- Google Analytics 4 — website analytics. Data processing agreement in place. IP addresses anonymised.
- Google Tag Manager — tag management and deployment.
- Google Workspace — email, document storage, and collaboration.
- HubSpot — CRM and marketing automation for managing client and prospect relationships.
- WP Mail SMTP — email delivery for contact form submissions.
For client projects, we may additionally use AI services including OpenAI, Anthropic (Claude), and Google Cloud AI. See the AI Tools section below.
AI Tools and Data Processing
EXPRE uses AI tools in the delivery of some services, including content generation, analysis, SEO automation, and marketing workflows. Our approach to AI and data:
- We operate under enterprise API agreements with AI tool providers (OpenAI, Anthropic, Google). These agreements include data processing commitments and explicit confirmation that data submitted via API is not used to train AI models.
- We minimise personal data in AI prompts. Where personal data must be processed, it is pseudonymised where possible.
- Where AI tools process personal data on behalf of a client, we put in place appropriate data processing agreements and inform the client of which tools are used.
- We do not use client personal data to fine-tune or train any AI models.
International Data Transfers
Some of our third-party providers are based outside the UK, including in the United States. When we transfer personal data outside the UK, we ensure appropriate safeguards are in place:
- Transfers to the US rely on the UK-US Data Bridge (for certified organisations) or the ICO's International Data Transfer Addendum to the EU Standard Contractual Clauses.
- Google (Analytics, Workspace, Cloud) and HubSpot participate in frameworks providing adequate safeguards for UK data transfers.
You can request details of the specific safeguards in place for any transfer by contacting da**@******co.uk.
How Long We Keep Your Data
| Data Type | Retention Period |
|---|---|
| Enquiry data (non-clients) | 12 months from last contact |
| Client project data and contracts | Duration of project plus 6 years (UK business record-keeping) |
| Financial and invoice records | 7 years (HMRC requirement) |
| Newsletter subscribers | Until you unsubscribe |
| Website analytics (GA4) | 26 months in Google Analytics |
| Security logs and access records | 12 months |
Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include encrypted connections (HTTPS across all pages), access controls limiting data access to authorised personnel only, regular security assessments and patching, and data minimisation practices.
We hold Cyber Essentials certification, covering the baseline technical security controls required to protect against common cyber threats.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, as required by UK GDPR. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.
Your Rights Under UK GDPR
You have the following rights in relation to personal data we hold about you:
- Right to be informed — this policy provides the required information.
- Right of access — to obtain a copy of your personal data (Subject Access Request).
- Right to rectification — to have inaccurate data corrected promptly.
- Right to erasure — to have data deleted where we no longer have a lawful basis to hold it.
- Right to restrict processing — in certain circumstances.
- Right to data portability — to receive data you have provided to us in a structured, machine-readable format.
- Right to object — to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making — we do not make solely automated decisions that produce legal or similarly significant effects.
To exercise any of these rights, email da**@******co.uk with "Data Rights Request" in the subject line, including your name, the email address associated with your data, and a description of your request. We will respond within 30 days and do not charge for rights requests.
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113.
Marketing Communications
We send marketing emails only where you have given explicit consent. You can unsubscribe at any time using the unsubscribe link in any marketing email or by emailing da**@******co.uk. Opting out of marketing will not affect the delivery of service-related communications.
Third-Party Links
Our website contains links to third-party websites. These websites have their own privacy policies and we do not accept responsibility for their practices. We recommend reviewing the privacy policy of any third-party site before submitting personal data.
Changes to This Policy
We review this Privacy Policy periodically and update it when our data practices change or when legislation requires. The "last updated" date at the top reflects the most recent revision. Material changes will be communicated to newsletter subscribers and active clients.
Contact Us
For privacy-related questions or to exercise your data rights, contact us at da**@******co.uk or write to: Data Protection, EXPRE Digital Limited, Kingfisher House, 21–23 Elmfield Road, Bromley, BR1 1LT.
Questions About Our Privacy Practices?
We are committed to transparency. If you have any questions about how we handle your data, we’re happy to help.
Contact Us