Privacy Policy
Last updated: 20 February 2026
UnderWorks Art is committed to protecting your privacy and ensuring your personal data is handled responsibly in accordance with UK GDPR and the Data Protection Act 2018.
Data Controller
Kristiina Isabelle Nimmo
Founder, UnderWorks Art
creative@underworksart.com
UnderWorks Art is an unincorporated entity founded by Kristiina Isabelle Nimmo, who is the data controller responsible for your personal information.
What Information We Collect
1. Information You Provide
- Contact Information: Email address and name when you opt in to receive updates, newsletters, or contact us
- Correspondence: Messages and communications you send to us
- Preferences: Your communication preferences and interests
2. Information Collected Automatically
- Usage Data: Pages visited, time spent on site, navigation patterns (via Google Analytics, if consented)
- Device Information: Browser type, device type, operating system, IP address (anonymized)
- Cookies: See our Cookie Policy for detailed information
How We Use Your Information
We process your personal data only when we have a lawful basis to do so:
Consent
For marketing communications, analytics tracking, and social media pixels – you can withdraw consent at any time
Legitimate Interests
For website functionality, security, and improving our services – balanced against your rights
Legal Obligation
For compliance with legal requirements and responding to lawful requests
Specific Uses
- Sending newsletters and updates about UnderWorks Art events and initiatives (with your consent)
- Responding to your inquiries and providing support
- Improving our website and understanding how visitors use our services
- Protecting against fraud, abuse, and security issues
- Complying with legal obligations
Third-Party Services & Data Sharing
We use the following third-party services that may process your data:
Google Analytics (with consent)
- Website usage analytics with IP anonymization enabled.
- Data transferred to: United States (adequacy decision and standard contractual clauses)
- Google Privacy Policy
Facebook Pixel (with consent)
- Social media engagement and advertising analytics
- Data transferred to: United States (adequacy decision and standard contractual clauses)
- Facebook Privacy Policy
Supabase
- Database hosting and backend services (essential functionality)
- Data location: EU data centers with encryption at rest and in transit
- Supabase Privacy Policy
We do not sell, rent, or trade your personal information to third parties. Data is only shared with processors necessary to provide our services and only under appropriate data processing agreements.
International Data Transfers
Some of our service providers (Google, Meta/Facebook) are based in the United States. We ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework adequacy decision
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Additional technical and organisational security measures
Data Retention
We retain your personal data only as long as necessary:
- Contact Information: Until you unsubscribe or request deletion, or after 3 years of inactivity
- Consent Records: 12 months from consent date, then require renewal
- Analytics Data: Anonymised after 26 months (Google Analytics default)
- Correspondence: Up to 2 years for support and inquiry records
- Legal Requirements: As long as required by law
Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of Access
- Request a copy of all personal data we hold about you
- Right to Rectification
- Correct inaccurate or incomplete personal data
- Right to Erasure (‘Right to be Forgotten’)
- Request deletion of your personal data in certain circumstances
- Right to Data Portability
- Receive your data in a structured, machine-readable format
- Right to Object
- Object to processing based on legitimate interests or for direct marketing
- Right to Restrict Processing
- Request limitation of processing in certain situations
- Right to Withdraw Consent
- Withdraw consent at any time where processing is based on consent
To exercise any of these rights, please visit our Data Subject Rights page or contact us at creative@underworksart.com. We will respond to your request within 30 days.
Security Measures
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption of data in transit (HTTPS/TLS) and at rest
- Regular security assessments and updates
- Access controls and authentication for administrative systems
- Secure data processing agreements with all third-party processors
- Regular backups and disaster recovery procedures
Children’s Privacy
Our services are not directed to individuals under 13 years of age. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal data, please contact us immediately.
Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:
- We will update the “Last updated” date at the top of this policy
- For significant changes, we will notify you via email (if we have your contact information)
- You may be asked to re-consent to certain types of processing
Contact & Complaints
For privacy-related questions or concerns:
Kristiina Isabelle Nimmo
Right to Lodge a Complaint:
If you are not satisfied with our response or believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113