Privacy Policy

1. Introduction

SimonTodd ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website simontodd.design or engage our services.

We are registered in Northern Ireland and comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and where applicable, the EU GDPR for clients in the Republic of Ireland and European Union.

2. Information We Collect

Information You Provide

We collect information you voluntarily provide when you:

• Complete our contact form (name, email, phone, company, project details)
• Subscribe to our newsletter
• Engage us for services (billing information, project requirements)
• Communicate with us via email or phone

Information Collected Automatically

When you visit our website, we may automatically collect:

• Device and browser information
• IP address and approximate location
• Pages visited and time spent
• Referring website

3. How We Use Your Information

We use collected information to:

• Respond to your enquiries and provide quotes
• Deliver and manage our services
• Send project updates and communications
• Process payments and maintain records
• Improve our website and services
• Comply with legal obligations

4. Legal Basis for Processing

We process your personal data on the following legal bases:

• Contract: To perform services you've engaged us for
• Legitimate interests: To respond to enquiries and improve our services
• Consent: For marketing communications (you can withdraw anytime)
• Legal obligation: To comply with tax and business regulations

5. Data Sharing

We do not sell your personal data. We may share information with:

• Service providers who assist our operations (hosting, email, analytics)
• Professional advisors (accountants, legal counsel)
• Authorities when required by law

All third parties are required to respect your data security and process it in accordance with the law.

6. Meta Platform Data (Facebook, Instagram, ad accounts)

When you connect a Facebook Page, Instagram business account, or Meta ad account to the SimonTodd Portal as part of our social media management service, we receive and store the following data from Meta's APIs.

What we store

• Your Facebook Page metadata (page id, page name, profile picture URL, follower count, category) and corresponding Instagram business account metadata where linked.
• The Page Access Token and User Access Token that authorise the portal's actions, stored encrypted in our database.
• Posts you publish through the portal: the caption text, hashtags, media files, scheduled time, and Meta's returned post id.
• Engagement metrics on those posts (likes, comments, shares, reach, impressions, video views) pulled from Meta's Graph API.
• Inbox messages (DMs and comments) received via the Meta webhooks you opt into, including sender id, sender name where available, message body, and timestamps.
• Ad account metadata (account id, name, currency, status, owning Business Manager id).
• Ad campaign performance data: spend, impressions, reach, clicks, CTR, CPC, CPM, frequency, and conversion events you've configured via your Meta Pixel or Conversions API.

What we do not store

• We do not store Meta credentials such as passwords or session cookies. Authentication is via OAuth tokens only.
• We do not store the body of Meta ad creative beyond what is derivable from the linked organic post.
• We do not store customer-list audience data uploaded directly to Meta — audiences live in your Business Manager, not on our servers.

How we use it

• To deliver the social media management service you've contracted us to provide: posting on your behalf with your approval, replying to messages in your unified inbox, generating reports, optimising your paid campaigns.
• To produce automated weekly digest and monthly PDF reports that we email to you.
• To enable per-business spend caps and approval workflows that protect you from unintended ad spend.

How long we store it

• Active client data is retained for the duration of our service contract plus 90 days for end-of-contract reporting and dispute resolution.
• Post engagement and ad insight data is retained for up to 36 months to support year-over-year reporting.
• Inbox messages are retained for 24 months.
• On request or contract termination, all data linked to your business will be deleted from our production database and backups within 30 days. Email privacy@simontodd.design to make this request.

Sharing

We do not share Meta data with third parties for marketing or advertising. Our infrastructure providers (database hosting, file storage, email delivery) process data on our behalf under contractual data-processing agreements. We use OpenAI and Anthropic for AI-generated draft content; only the text prompts we construct from your brand kit and public website content are sent — never your followers' messages or your private inbox.

Your rights regarding Meta data

• Disconnect at any time from Settings → Connected Accounts in the portal. Disconnection revokes our access tokens at Meta.
• Request a full data export via privacy@simontodd.design.
• Request permanent deletion via privacy@simontodd.design.

Data Controller for Meta platform data: SimonTodd, Armagh, Northern Ireland. Email: privacy@simontodd.design.

7. Data Retention

We retain your personal data only as long as necessary:

• Enquiries (not converted): 2 years
• Client project data: 6 years after project completion
• Financial records: 7 years (legal requirement)
• Marketing preferences: Until you unsubscribe

8. Your Rights

Under data protection law, you have rights including:

• Access: Request a copy of your personal data
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data
• Restriction: Request limited processing
• Portability: Request transfer of your data
• Object: Object to processing based on legitimate interests

To exercise these rights, contact us at hello@simontodd.design.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including encrypted connections (SSL/TLS), secure hosting infrastructure, and access controls.

10. International Transfers

Your data is primarily stored within the UK/EEA. Where transfers outside this area are necessary, we ensure appropriate safeguards are in place.

11. Cookies

Our website uses cookies. Please see our Cookie Policy for details.

12. Changes to This Policy

We may update this policy periodically. Significant changes will be communicated via our website.

13. Contact & Complaints

For privacy-related enquiries or to exercise your rights:

Email: hello@simontodd.design
Address: Armagh, Northern Ireland

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or, for Republic of Ireland residents, the Data Protection Commission at dataprotection.ie.