Privacy Policy

Last updated: 20 February 2026

UnderWorks Art is committed to protecting your privacy and ensuring your personal data is handled responsibly in accordance with UK GDPR and the Data Protection Act 2018.

Data Controller

Kristiina Isabelle Nimmo
Founder, UnderWorks Art
creative@underworksart.com

UnderWorks Art is an unincorporated entity founded by Kristiina Isabelle Nimmo, who is the data controller responsible for your personal information.

What Information We Collect

1. Information You Provide

  • Contact Information: Email address and name when you opt in to receive updates, newsletters, or contact us
  • Correspondence: Messages and communications you send to us
  • Preferences: Your communication preferences and interests

2. Information Collected Automatically

  • Usage Data: Pages visited, time spent on site, navigation patterns (via Google Analytics, if consented)
  • Device Information: Browser type, device type, operating system, IP address (anonymized)
  • Cookies: See our Cookie Policy for detailed information

How We Use Your Information

We process your personal data only when we have a lawful basis to do so:

Consent

For marketing communications, analytics tracking, and social media pixels – you can withdraw consent at any time

Legitimate Interests

For website functionality, security, and improving our services – balanced against your rights

Legal Obligation

For compliance with legal requirements and responding to lawful requests

Specific Uses

  • Sending newsletters and updates about UnderWorks Art events and initiatives (with your consent)
  • Responding to your inquiries and providing support
  • Improving our website and understanding how visitors use our services
  • Protecting against fraud, abuse, and security issues
  • Complying with legal obligations

Third-Party Services & Data Sharing

We use the following third-party services that may process your data:

Google Analytics (with consent)

  • Website usage analytics with IP anonymization enabled.
  • Data transferred to: United States (adequacy decision and standard contractual clauses)
  • Google Privacy Policy

Facebook Pixel (with consent)

  • Social media engagement and advertising analytics
  • Data transferred to: United States (adequacy decision and standard contractual clauses)
  • Facebook Privacy Policy

Supabase

  • Database hosting and backend services (essential functionality)
  • Data location: EU data centers with encryption at rest and in transit
  • Supabase Privacy Policy

We do not sell, rent, or trade your personal information to third parties. Data is only shared with processors necessary to provide our services and only under appropriate data processing agreements.

International Data Transfers

Some of our service providers (Google, Meta/Facebook) are based in the United States. We ensure appropriate safeguards are in place:

  • EU-US Data Privacy Framework adequacy decision
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Additional technical and organisational security measures

Data Retention

We retain your personal data only as long as necessary:

  • Contact Information: Until you unsubscribe or request deletion, or after 3 years of inactivity
  • Consent Records: 12 months from consent date, then require renewal
  • Analytics Data: Anonymised after 26 months (Google Analytics default)
  • Correspondence: Up to 2 years for support and inquiry records
  • Legal Requirements: As long as required by law

Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of Access
    • Request a copy of all personal data we hold about you
  • Right to Rectification
    • Correct inaccurate or incomplete personal data
  • Right to Erasure (‘Right to be Forgotten’)
    • Request deletion of your personal data in certain circumstances
  • Right to Data Portability
    • Receive your data in a structured, machine-readable format
  • Right to Object
    • Object to processing based on legitimate interests or for direct marketing
  • Right to Restrict Processing
    • Request limitation of processing in certain situations
  • Right to Withdraw Consent
    • Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please visit our Data Subject Rights page or contact us at creative@underworksart.com. We will respond to your request within 30 days.

Security Measures

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption of data in transit (HTTPS/TLS) and at rest
  • Regular security assessments and updates
  • Access controls and authentication for administrative systems
  • Secure data processing agreements with all third-party processors
  • Regular backups and disaster recovery procedures

Children’s Privacy

Our services are not directed to individuals under 13 years of age. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal data, please contact us immediately.

Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:

  • We will update the “Last updated” date at the top of this policy
  • For significant changes, we will notify you via email (if we have your contact information)
  • You may be asked to re-consent to certain types of processing

Contact & Complaints

For privacy-related questions or concerns:

Kristiina Isabelle Nimmo

creative@underworksart.com

Right to Lodge a Complaint:

If you are not satisfied with our response or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner’s Office (ICO)

Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF

Website: ico.org.uk

Helpline: 0303 123 1113