Version 1.3 – Updated May 2026
1.0 About this Policy
1.1 Document Control
This document is reviewed annually and updated as required.
1.2 Policy Purpose
North Product Design Limited & NPD London Limited, trading as “npd”, are committed to protecting the privacy and personal data of everyone we work with — whether you’re a prospective customer, an existing client, a supplier, or a member of our team.
This Privacy Policy explains how we collect, store and use your personal data, and how we meet our obligations under GDPR legislation. If you have any questions, we’re always happy to help — just get in touch:
By Email: hello@npd.studio
Online: www.npd.studio
1.3 Distribution
This policy is published on our website and is available to existing customers and suppliers at any time.
2.0 The Policy
2.1 Introduction
The UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (GDPR) require all companies to handle personal information securely and maintain accurate records of how that information is stored and used. At npd, we take this seriously.
We will always process personal data in line with the following principles — it shall be:
- Processed lawfully, fairly and transparently
- Collected for specified, explicit and legitimate purposes only
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date, with inaccuracies corrected or erased promptly
- Retained only for as long as necessary for the purposes for which it was collected
- Processed securely, with appropriate protection against unauthorised access, loss or damage
2.2 How We Collect Personal Information
We collect personal information through the following means:
- Personal meetings
- Telephone calls
- Online, web and printed forms
- Research or referrals
- Transfer by a third party in relation to services we provide (e.g. logistical fulfilment)
- Employee details during induction and employment
2.3 The Type of Personal Information We Collect and Store
Information collected directly by npd may include:
- Name and work title
- Email address
- Employer and employer’s address
- Telephone number
- Bank account details (account name, sort code and account number only)
- Additional personal information such as hobbies, interests or family details — used solely to build a positive working relationship
Information transferred to npd by third parties (which may be a subset of a larger dataset) can include:
- Name, work title and home address
- Family details and income details
- Email address, telephone and mobile numbers
2.4 How We Use Personal Information
We may use your personal information to:
- Administer and pay our employees
- Contact customers in relation to past, present and future work
- Collect payments and issue invoices and statements
- Administer and personalise our website and email communications
- Send relevant marketing information (where you have opted in)
- Supply products and services
npd operates a ‘need to know’ policy when sharing information with employees, agents or subcontractors. We only share what is necessary for the task at hand, and all parties are obligated to use that information in line with this privacy statement.
We may also disclose personal information where required by law, in connection with legal proceedings, or to establish, exercise or defend our legal rights.
Non-Disclosure Agreements (NDAs)
Before approaching any supplier to discuss your project, npd operates a clear NDA policy. All relevant suppliers will be asked to sign a non-disclosure agreement before we share any project-relevant or personal information. We will also ask for your consent before sharing your information with any third party in order to fulfil our services.
Direct Marketing Communications
We only send marketing communications that we believe are genuinely useful and relevant to you, and you can opt out at any time.
If you’ve chosen to opt in to our marketing communications, we’ll use your information to keep you informed about products and services from npd, and occasionally from selected partner businesses.
To help us improve the relevance of our emails, we may receive a read confirmation when you open an email from us, where your device supports this.
To opt out at any time, simply follow the unsubscribe link at the bottom of any communication.
2.5 How We Keep Your Personal Information Secure
The security of your data is something we take very seriously at npd. We hold Cyber Essentials Plus certification, which means our systems and controls are independently assessed and verified against the UK government’s Cyber Essentials framework — providing you with confidence that we maintain robust, up-to-date protections against cyber threats.
In addition to our certification, we take the following technical and organisational measures to protect your information:
- All employee information is stored securely on protected servers, accessed only via password-protected payroll, accounting and time-recording software
- All customer and supplier details are held on secure servers, accessed via password-protected CMS and accounting software
- Our website and internal Customer Management System (CMS) are encrypted using SSL/TLS (Secure Sockets Layer / Transport Layer Security) connections — the industry standard for protecting data online
- All data access takes place through encrypted connections, supported by up-to-date firewall systems
- All passwords and usernames must be kept confidential and must not be shared without our prior written authorisation
Client Website Data
All npd client data for hosted websites is held on the secure servers of our hosting partners. Whilst the data within a client’s website is owned and remains the responsibility of the client, npd has controlled access to this data and will never use it for any purpose other than in the client’s interest.
If you’d like to know which hosting company holds your data, where it is stored, or who has access to it, please email hello@npd.studio and our team will provide the details you need.
If you wish to delete data from your website, this is your responsibility as the website owner. If you’d like to task npd with this work, an hourly charge of £150 will apply to book and action the request.
2.6 What We Will Do in the Event of a Data Breach
If we become aware at any time that your data has been compromised, or that a breach of our systems has occurred that affects the security of your personal information, we will notify the Information Commissioner’s Office (ICO) and you directly, without undue delay.
2.7 Our Lawful Basis for Processing Your Data
Where personal information has been collected directly by npd, we will ensure we have your permission to use it in connection with the fulfilment of our services or in order to pursue further work.
Where personal information is transferred to npd by a third party for the purposes of fulfilling a service, we will obtain written confirmation from the transferring party that they have the consent of all individuals to whom the information relates, prior to entering into a contract.
2.8 Data Retention
We handle data retention as follows:
- Data transferred to us by third parties is stored in a restricted area and retained only until it is no longer required or until the transferring party requests its destruction. Unused data is securely destroyed after no more than 12 months.
- Employee data is held for a minimum of 5 years after employment ceases, for archiving purposes, unless we are requested to do otherwise.
- Customer and prospect data is held for as long as it remains relevant or until a request for deletion is received. All data is reviewed at least annually.
Data disposal is carried out using an electronic shredder or equivalent secure means.
2.9 Your Rights
Anyone whose personal data npd holds has the following rights:
- The right to be informed about the data we hold
- The right to access the information we hold about you
- The right to rectification of any errors in your information
- The right to request deletion of your information
- The right to restrict how we use your information
Subject Access Requests
You can request a copy of the data we hold about you at any time. We will respond within one month of receiving your written request, and wherever possible, sooner.
This information is provided free of charge. However, we reserve the right to charge a reasonable fee of £10 inc. VAT where a request is manifestly unfounded, excessive or repetitive.
Where possible, we will provide your information in a structured, machine-readable format such as CSV or PDF, and may provide access via a secure self-service area within your customer account.
To submit a Subject Access Request, please contact our team by email at hello@npd.studio or via our website at www.npd.studio.
2.10 Updating This Policy
npd may update this privacy policy from time to time. The most current version is always available at www.npd.studio/privacy-policy. We recommend checking this page periodically to stay up to date with any changes.
2.11 Contacting npd
If you have any questions about this privacy policy or the personal information we hold about you, please get in touch:
By email: hello@npd.studio
Online: www.npd.studio
2.12 Making a Complaint
If you have a concern about how npd handles your personal information, we’d ask that you raise it with us first so we can put things right.
By email: hello@npd.studio
We’ll acknowledge your complaint within 30 days of receiving it, let you know who’s handling it and what to expect, then investigate and come back to you with our findings and what we’ve done (or plan to do) as a result.
If you’re not satisfied with our response, or would prefer to raise the matter independently, you also have the right to report it to the Information Commissioner’s Office (ICO):
Email: casework@ico.org.uk
Website: www.ico.org.uk
