FortyTwo Studio’s data protection and security measures are governed by the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”), the Privacy and Electronic Communications Regulations 2003 (“PECR”), the Data (Use and Access) Act 2025 where applicable, and any associated regulations, amendments, updates or successor legislation from time to time (“Data Protection Legislation”).

Where we process personal information relating to individuals in the European Economic Area, the EU General Data Protection Regulation ((EU) 2016/679) may also apply.

For the purpose of Data Protection Legislation

Where personal information is provided directly to FortyTwo Studio through use of our website, general enquiries, account management & communications, job vacancies or any other means where FortyTwo Studio is determining the way in which that personal data is processed for its own use, then we will be the Data Controller of such information.

Where FortyTwo Studio provides services to its business clients (under Performance of Contract) including making decisions on hosting, software platforms and technology for clients to use in their business operations, FortyTwo Studio will be a Data Processor. As part of our Data Processor obligations, appropriate technical and organisational measures to ensure processing meets Data Protection Legislation requirements and protect Data Subjects’ rights will be implemented at all times.

Where FortyTwo Studio is provided personal information in its capacity of providing services to its Clients, then we will only process that personal information in accordance with the instructions of our Clients. FortyTwo Studio will act as a Data Processor in respect of such personal information with our Client(s) as the Data Controller of that personal information for that purpose. Our Clients therefore will be responsible to individuals for the way in which personal information is processed. Individuals who have contracts with our Clients should therefore check that Client’s own Privacy Policy, to ensure they understand how their personal information may be processed.

How to contact us

If you have any questions about this Policy, including any requests to exercise your legal rights, please contact us using the details below:

FortyTwo Studio Limited
35 Mid Stocket Road
Aberdeen
AB15 5JL

Email: info@fortytwo.studio
Telephone: 01224 593827

For data protection requests, please email info@fortytwo.studio with the subject line “Data Protection Request”.

This policy includes:

• What is Personal Information?
• What Personal Information we collect
• How we use your Personal Information
• Use of Artificial Intelligence and Automated Tools
• Data Security
• Visitors to our Website
• Direct Marketing including Social Media
• How long we hold your Personal Information
• Your Rights
• Data Protection Complaints
• Changes to this Privacy Policy
   

What is Personal Information?

Personal information means data that relates to an identified or identifiable individual. For example, it can be as simple as a name or a number or could include other identifiers such as an IP address, cookie identifier, payment details, or other factors. It does not include information where a person’s identity has been removed (anonymous data).

What Personal Information we collect

Where FortyTwo Studio is acting as a Data Controller, we may collect, use, store and transfer different kinds of personal information about you which we have grouped together as follows:

• Identity Data includes first name, last name, username or similar identifier, title, job title and date
• Contact Data includes billing address, delivery address, email address and telephone numbers.
• Technical & Usage Data includes information about how you use our website and social media channels, internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website
• Enquiry Data includes information you provided us with when you contact us
• Recruitment Data includes information you provide when you apply for a job with FortyTwo Studio. This can include your CV, work history, educational details, qualifications, skills, projects, references, proof of entitlement to work in the UK, NI number, your passport or other identity document details, your current level of remuneration (including benefits), the role you’re applying for and any other similar information that you provide to us

FortyTwo Studio does not process any Special Category personal data as defined by Data Protection Legislation about you nor do we collect any information about criminal convictions and offences. We may however process Special Category personal information about individuals on behalf of our clients, in which case our client’s own Privacy Policy will explain the Special Category data being processed and the purposes for which it will be processed.

How we use your Personal Information

We will only use your personal information when the law allows us to, i.e., if we have a legal basis for doing so, as outlined in this Policy or as notified to you at the time we collect your information, and for the purposes for which it was collected for, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

Where we act as the Data Controller, we have set out below a description of all the ways we use your personal information, and which of the legal bases we rely on to do so.

Where we act as a Data Processor of personal data on behalf of our clients, we will process personal data under the lawful basis of Performance of Contract, in accordance with our clients’ instructions or in order to comply with a legal or regulatory obligation. Our Sub-Processors (as outlined below) are subject to comprehensive due diligence and security checks and bound by contractual obligations in-line with the Data Protection Legislation.

Use of Artificial Intelligence and Automated Tools

FortyTwo Studio may use approved artificial intelligence, machine learning or automated tools to support our work, improve efficiency, assist with administration, and help us deliver services to our clients. This may include supporting research, summarising notes, structuring information, drafting or editing content, reviewing technical information, quality checking, project administration, marketing analysis, or assisting with creative, web and digital workflows.

Where we use AI-assisted tools, we do so in line with our internal AI Charter and our data protection responsibilities. AI is used to support our team, not to replace human judgement. Any AI-assisted output that is used in our work will be reviewed by a member of the FortyTwo team before it is relied upon, shared externally or used in client work.
We will not knowingly enter confidential personal information, special category personal data, personnel information, client trade secrets, proprietary client data, login details, financial information, private business information or other sensitive material into public or unapproved AI tools.

We will only use AI tools that have been reviewed and approved by FortyTwo’s management team for the relevant purpose. Where an AI tool processes personal information on our behalf, we will take appropriate steps to assess the supplier, the security of the tool, the contractual terms, the location of processing, retention arrangements, and whether the information entered into the tool may be used to train public or third-party models.

We will not use personal information to train public AI models.

We will not use AI to make decisions about individuals that have legal or similarly significant effects without meaningful human involvement. If this changes, we will update this Privacy Policy and provide further information about the decision-making process, the lawful basis for processing, and the rights available to individuals.

Where AI-assisted processing involves personal information, we will only process the minimum amount of personal information needed for the relevant purpose and will rely on an appropriate lawful basis under Data Protection Legislation. This may include performance of a contract, legitimate interests, legal obligation, or consent where required.

We will continue to review our use of AI as technology, regulation and best practice evolve.

Data Security

We have put in place appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed and have various data protection and information security policies in place to which we adhere to. In addition, we limit access to your personal information to those employees, sub-processors, agents, contractors and any other third parties who have a business need to know. They will only process your personal information under the performance of a contract, on our instructions (and those of our clients) and are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and taking into account the nature of the processing and the information available, FortyTwo Studio will assist our Clients in meeting their GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments. 

Our data security measures also apply to AI-assisted tools. Team members must not upload, paste or otherwise input personal information into unapproved AI systems. Where AI-assisted tools are approved for a particular purpose, we will apply appropriate access controls, supplier checks, contractual safeguards and internal guidance.

We will take reasonable steps to ensure that personal information processed through approved AI-assisted tools is handled securely, used only for the approved purpose, retained only as necessary, and not used to train public AI models unless we have clearly told you and have a lawful basis for doing so.

Visitors to our Website

Like most websites, we use cookies and similar technologies to help our website work properly, understand how visitors use it, improve performance and support our marketing activity where applicable.

Some cookies are necessary for the website to function. Other cookies, such as analytics or marketing cookies, will only be used where required consent has been obtained through our cookie banner or consent management process.

We may use analytics tools, such as Google Analytics, to understand website usage, visitor numbers, traffic sources and website performance. Where possible, we use settings that help reduce the amount of personal information collected.

You can manage your cookie preferences through our cookie banner where available, and you can also control cookies through your browser settings.

Social Media

When you use a social media platform and interact with FortyTwo Studio, you do so by consenting to the terms & conditions of such platforms. This can include Facebook, Twitter, Instagram, LinkedIn, Pinterest, and YouTube. For more information, please see their individual Terms & Conditions and Privacy Policies.

Direct Marketing

Currently, we do not store any of your personal information for direct marketing purposes.

We’d like to reassure you that we have not and will not retain your information in an unauthorised way nor share, sell or pass on your details to any other 3rd party for the purposes of marketing. We will only ever share your data in other circumstances if we have your explicit and informed consent.

How long will we hold your data?

We will only retain your personal information for as long as reasonably necessary to enable us to provide you with the services that you have requested from us, fulfil any other purpose we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.

We operate a data retention policy and look to find ways to reduce the amount of information we hold and the length of time that we need to keep it. For example:

• We try to adopt a paperless approach wherever possible and securely destroy any paper correspondence we receive on a regular basis unless we are required to retain it for evidential or legal purposes
• We carry out regular audits to ensure data is up-to-date, practice data minimisation where possible and ensure purpose limitation is practiced
• We delete or return all personal information to the Data Controller (at the Controller’s choice) at the end of the contract

Your rights

Under certain circumstances, you have rights under Data Protection Legislation in relation to your personal information. These may include:

The right to be informed — to be told how and why we use your personal information.

The right of access — to request copies of the personal information we hold about you.

The right to rectification — to ask us to correct information that is incomplete or inaccurate.

The right to erasure — to ask us to delete personal information we hold about you, subject to legal exceptions.

The right to restrict processing — to ask us to restrict how we use your personal information in certain circumstances.

The right to data portability — to receive certain personal information in a structured, commonly used and machine-readable format.

The right to object — to object to our processing of your personal information in certain circumstances, including where we rely on legitimate interests.

The right to withdraw consent — where we rely on consent, you can withdraw that consent at any time.

Rights relating to automated decision-making — we do not use solely automated decision-making that has legal or similarly significant effects on individuals. If this changes, we will provide further information about the processing, safeguards and your rights.

To exercise any of the above rights, please email info@fortytwo.studio with the subject heading “Data Protection Request.”

Data Protection Complaints

If you have a concern about how we have used your personal information, please contact us first so that we can try to resolve it.

You can contact us at:

Email: info@fortytwo.studio
Subject line: Data Protection Complaint

Post: FortyTwo Studio Limited, 35 Mid Stocket Road, Aberdeen, AB15 5JL

We will acknowledge receipt of your complaint and take appropriate steps to investigate and respond. We may need to ask you for further information so that we can understand your complaint and verify your identity where required.
If you are not satisfied with our response, you have the right to raise your concern with the Information Commissioner’s Office.

Changes to this Privacy Policy

We may change this Privacy Policy from time to time. If we make any significant changes in the way we treat your personal information, we will make this clear on our website or by contacting you directly.

This policy was last updated June 2026.