Privacy
Policy

OWEO ("we," "us," or "our") is a design agency and, for the purposes of applicable data-protection legislation, acts as the data controller in respect of personal data collected through this website and our client-engagement processes.

Primary point of contact for all privacy matters: privacy@oweo.design.

This Privacy Policy applies to all visitors, prospective and current clients, job applicants, newsletter subscribers, and any other individuals whose personal data we process. It does not apply to data we process on behalf of clients as a data processor — that is governed by individual data-processing agreements.

We collect personal data only to the minimum extent necessary (data minimisation principle). Categories include:

Data you provide directly:

• Identity data — name, job title, company name
• Contact data — email address, phone number, postal address
• Communication data — messages sent via contact form, email correspondence, meeting notes
• Financial data — billing details processed through PCI-DSS-compliant processors; we do not store raw card numbers
• Professional data — information provided in project briefs, discovery calls, or onboarding
• Recruitment data — CVs, portfolios, references, interview notes

Data collected automatically:

• Technical data — IP address, browser type, OS, device identifiers
• Usage data — pages visited, time on page, referring URLs, click paths
• Cookie and tracking data — see Section 5

Data from third parties:

• Analytics providers (e.g., Google Analytics) — aggregated behavioural data
• Professional networks (e.g., LinkedIn) — where you connect via these platforms

We do not intentionally collect special-category (sensitive) personal data such as health, biometric, or political data. If inadvertently provided, we will delete it promptly.

• Providing and managing services — project delivery, invoicing, client communication, post-project support
• Responding to enquiries — contact-form responses, scheduling consultations, providing proposals
• Marketing and communications — newsletters and service updates where you have opted in or legitimate interest applies
• Website improvement — analysing usage patterns to enhance functionality and content
• Legal and compliance — meeting statutory obligations, enforcing contracts, defending legal claims
• Recruitment — evaluating applications, conducting interviews, onboarding
• Security and fraud prevention — monitoring for malicious activity, protecting system integrity

For individuals in the EEA, UK, or Switzerland, we process personal data only where we have a valid legal basis under Article 6 of the GDPR:

• Contract performance (Art. 6(1)(b)) — processing necessary to perform a contract with you
• Legal obligation (Art. 6(1)(c)) — processing required by applicable law
• Legitimate interests (Art. 6(1)(f)) — business interests not overridden by your rights (e.g., fraud prevention, website improvement)
• Consent (Art. 6(1)(a)) — freely given, specific, informed consent. You may withdraw at any time without affecting prior lawful processing.

Where we rely on legitimate interests, you have the right to object. Contact: privacy@oweo.design.

We use cookies and similar tracking technologies in the following categories:

• Strictly necessary cookies — essential to website function. Cannot be disabled.
• Performance / analytics cookies — aggregated, anonymised usage data (e.g., Google Analytics with IP anonymisation). Require consent.
• Functionality cookies — remember your preferences. Require consent.
• Marketing cookies — we currently do not use these. If introduced, we will update this Policy and obtain fresh consent.

Manage preferences via the cookie banner or browser settings. We honour Global Privacy Control (GPC) and Do Not Track (DNT) signals where technically feasible.

We do not sell, rent, or trade your personal data to third parties for commercial purposes.

We may share data with the following categories, strictly on a need-to-know basis with appropriate contractual safeguards:

• Service providers (data processors) — cloud hosting, email delivery, analytics, payment processing. All bound by Data Processing Agreements (DPAs).
• Professional advisers — lawyers, accountants, insurers for legal compliance or dispute resolution.
• Regulatory authorities — where required by law, court order, or government authority.
• Business transfers — in the event of merger, acquisition, or asset sale, with continuity of protection assured.

Where we transfer personal data from the EEA, UK, or Switzerland to a third country, we ensure appropriate safeguards including:

• European Commission Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs)
• Transfers to countries with an adequacy decision from the European Commission or UK Secretary of State
• Binding Corporate Rules (BCRs) where applicable for intra-group transfers

For California residents: we do not sell personal information of California residents to foreign buyers.

We retain personal data only for as long as necessary. General retention periods:

• Client project data — 7 years after project completion (statutory accounting obligations)
• Prospect / enquiry data — 2 years from last meaningful contact
• Marketing / newsletter data — until you unsubscribe, or 3 years of inactivity
• Website analytics data — 14 months (Google Analytics default)
• Unsuccessful applicant recruitment data — 6 months after the relevant role is filled
• Financial / billing records — minimum 7 years under applicable tax legislation

At the end of each retention period, data is securely deleted or anonymised.

Depending on your location and applicable law, you may have all or some of the following rights:

To exercise any of these rights, contact privacy@oweo.design. We will respond within 30 days (extendable to 90 days for complex requests, with prior notice).

Our website and services are directed exclusively at individuals aged 18 years and over. We do not knowingly collect personal data from anyone under 18.

If you are a parent or guardian and believe your child has provided us with personal data without your consent, contact us at privacy@oweo.design. We will delete such information promptly upon verification.

This commitment extends to compliance with COPPA in the United States and equivalent legislation in other jurisdictions.

We implement appropriate technical and organisational measures to protect personal data, including:

• Encryption in transit (TLS 1.2+) and at rest for sensitive data
• Access controls and role-based permissions — data accessible only to those who need it
• Regular security assessments and penetration testing
• Staff training on data-protection obligations and incident response
• Third-party processor vetting and contractual security requirements
• Incident response plan with defined breach-notification timelines

In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours in line with GDPR Art. 33.

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Update the "Last Updated" date at the top of this Policy
• Display a prominent notice on our website homepage for at least 30 days
• Where required by law or where changes significantly affect your rights, notify you directly by email

For previous versions of this Policy, contact privacy@oweo.design.

For questions, concerns, or requests regarding this Privacy Policy:

• Email: privacy@oweo.design
• Subject line: "Privacy Request — [Your Name]" for expedited handling
• Postal: OWEO Design, Attn: Privacy Team, [Registered Address]

We aim to acknowledge all correspondence within 5 business days and provide a full response within 30 days. If you are located in the EEA or UK, you also have the right to lodge a complaint with your local Data Protection Authority (DPA).