
Data Protection.

Our commitment to handling your data lawfully, fairly, and transparently — aligned with GDPR Article 5 principles, the UK GDPR, and globally accepted privacy standards. This page complements our Privacy Policy with operational detail.

Effective · 27 April 2026
Version · 1.0

Plain-English summary

We treat your data the way we’d want ours treated. Collect only what we need, use it only for the purpose we collected it for, keep it secure, and let you control it. This document explains how in operational terms.

01 · Commitment

Our commitment to data protection

Konvertable is committed to protecting the personal data of clients, prospects, employees, and any other individuals whose information we process. We treat data protection as an ongoing operational discipline, not a one-time legal exercise. This page sets out the policies and procedures we follow, and complements our Privacy Policy.

02 · Principles

Core data-protection principles

We process personal data in line with the principles set out in Article 5 of the GDPR/UK GDPR — widely adopted as the global standard:

A · Lawfulness, fairness, transparency
Processed lawfully, fairly, and in a transparent manner.

B · Purpose limitation
Collected for specified, explicit, legitimate purposes only.

C · Data minimisation
Adequate, relevant, and limited to what is necessary.

D · Accuracy
Kept accurate and, where necessary, up to date.

E · Storage limitation
Kept only as long as needed for the stated purpose.

F · Integrity & confidentiality
Protected by appropriate technical and organisational measures.

G · Accountability
We can demonstrate compliance, on request and on audit.

03 · Roles

Controller and processor roles

  • As controller — for personal data of our website visitors, prospects, clients (their contact and billing information), and our own employees, Konvertable determines the purpose and means of processing.
  • As processor — when we manage advertising accounts on behalf of a client and process personal data contained in those accounts (e.g. customer-list audiences, conversion data), the client is the controller and Konvertable processes on their documented instructions under a Data Processing Agreement.

A Data Processing Agreement (DPA) is available on request and is provided by default for clients in the EEA, UK, and other regulated regions.

04 · Data

Categories of data we process

  • Contact data — name, email, phone, role, business name, country.
  • Engagement data — project briefs, audit findings, ad-account access metadata, campaign performance.
  • Billing data — billing address, tax IDs, invoice history. Card numbers are processed by our payment processor; we do not store full card details.
  • Audience & conversion data — customer lists, pixel data, and CAPI events — processed only on the client’s documented instructions.
  • Website analytics — IP address, device, browser, pages viewed, where lawful and proportionate.

We do not intentionally collect special category data (such as health, biometric, or political data). If a client asks us to process such data, we will only proceed under appropriate safeguards and a written DPA.

05 · Lawful basis

Lawful basis for processing

We rely on the following lawful bases under Article 6 GDPR / UK GDPR:

  • Performance of a contract — to deliver the Services you’ve engaged us for.
  • Legitimate interests — to operate, secure, and grow our business, where these interests are not overridden by your rights and freedoms.
  • Consent — for non-essential cookies, marketing emails to individuals, and any sensitive processing.
  • Legal obligation — to keep tax, accounting, and other statutory records.

06 · Security

Security measures

We apply layered technical and organisational measures appropriate to the risk:

  • Encryption — TLS 1.2+ for data in transit; encryption at rest for sensitive systems.
  • Access control — least-privilege access, role-based permissions, and prompt revocation when access is no longer needed.
  • Authentication — strong passwords and multi-factor authentication (MFA) on all critical platforms.
  • Endpoint & network security — up-to-date operating systems, full-disk encryption, anti-malware, and secure remote access.
  • Vendor due diligence — we review security and privacy practices before onboarding sub-processors and revisit annually.
  • Backups — routine, encrypted backups for systems holding client data, with periodic restore tests.
  • Awareness — recurring data-protection training for personnel handling client data.

07 · Sub-processors

Sub-processors

We use a small set of trusted sub-processors to deliver our Services. We perform due diligence on each, contract them under written terms equivalent to those imposed on us, and remain responsible for their performance under data-protection law.

Category | Purpose | Region
Cloud hosting & storage | Website hosting, file storage, document collaboration | EU / US
Email & productivity | Business email, calendars, meeting notes | US (with SCCs where applicable)
CRM & project management | Engagement records, project tracking, internal notes | EU / US
Analytics | Website usage analytics in line with cookie consent | US (anonymised where possible)
Payment processing | Invoicing and payment of fees | Region of processor
Ad platforms (under client instruction) | Campaign delivery as processors of client data | Global

A current named list of sub-processors is available on request. We provide reasonable advance notice of any new or replacement sub-processor for clients with active DPAs.

08 · Transfers

International data transfers

Konvertable is a globally distributed studio. Where we transfer personal data outside the EEA or UK to a country without an adequacy decision, we rely on a recognised transfer mechanism such as the Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or another lawful safeguard, and supplement them where needed with technical and contractual measures.

09 · Rights

Data subject rights

Individuals whose personal data we process may have the right to:

  • Access a copy of their personal data.
  • Rectify inaccurate or incomplete data.
  • Erase personal data, subject to legal exceptions.
  • Restrict processing in certain circumstances.
  • Port data in a structured, machine-readable format.
  • Object to processing based on legitimate interests or direct marketing.
  • Withdraw consent for any consent-based processing.
  • Lodge a complaint with the relevant supervisory authority.

Where Konvertable acts as a processor on behalf of a client, requests are routed to the client (the controller); we will assist in fulfilling them.

10 · Breach

Personal data breach response

If we become aware of a personal data breach:

  • We assess the nature, scope, and likely impact within hours of discovery.
  • We contain and remediate the incident as quickly as practicable.
  • Where Konvertable is the controller, we notify the relevant supervisory authority within 72 hours where the breach is likely to result in a risk to individuals, and notify affected individuals where the risk is high.
  • Where Konvertable is a processor, we notify the affected client without undue delay so they can meet their own notification obligations.
  • We log every confirmed incident, including remediation steps and lessons learned.

11 · Retention

Retention schedule

  • Enquiries / prospects — up to 24 months from last interaction.
  • Active client records — for the term of the engagement.
  • Closed engagement records — up to 6 years after last interaction (for contractual, tax, and legitimate business purposes).
  • Billing & tax records — as required by applicable tax law (typically 5–10 years).
  • Marketing data — until you unsubscribe or object, then minimal suppression-list data is retained.
  • Backups — rotated on a defined schedule; deletion requests propagate to backups within the next reasonable cycle.

12 · Access

Staff, contractors & access

Personnel who handle personal data are bound by written confidentiality obligations and complete data-protection awareness training. Access to client data is granted on a need-to-know basis, reviewed regularly, and revoked promptly when no longer required.

13 · Contact

Contact our data-protection desk

For data-protection enquiries, DPA requests, sub-processor lists, or to report a concern: