Privacy Policy

1 - Introduction

This policy sets out Andy Matthews Studio's commitment to protecting your privacy and personal data. This notice explains how we collect, use, store and protect personal information in accordance with UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This privacy notice applies to clients, prospective clients, employees, job applicants, contractors, consultants, suppliers, and website visitors. Andy Matthews Studio Ltd is the data controller responsible for your personal data.

Andy Matthews Studio Ltd is registered with the Information Commissioner's Office (ICO) under registration reference ZB736040.

2 - Information we collect

Depending on your relationship with us, we may collect and process the following categories of personal data:

2.1 - Clients and Prospective Clients

  • Contact details including name, address, email, phone number

  • Project information and property details

  • Communication records and correspondence

  • Financial information including invoicing and payment details

  • All records associated with the provision of architectural services as set out in the RIBA Plan of Work

2.2 - Employees and Job Applicants

  • Personal details including name, address, date of birth, contact information

  • Right to work documentation

  • Employment records, contracts, and references

  • Financial details including National Insurance number, bank details, salary, pension information

  • Professional qualifications and ARB registration details

  • CPD records and training history

  • Performance reviews and appraisal records including 1:1s

  • Time, attendance, and leave records

2.3 - Website Visitors

  • Technical information including IP address, browser type, and device information

  • Website usage data, navigation patterns, behavioural metrics, heatmaps, and session replay

  • Contact form submissions and enquiries

3 - How We Use Your Information

We process personal data for the following purposes:

3.1 - Architectural Services and Client Projects

  • Providing architectural design services and project management

  • Preparing planning applications and building control submissions

  • Contract administration and project coordination

  • Communicating with you about your project

  • Invoicing and payment processing

  • Complying with professional and regulatory requirements including ARB standards

  • Managing building safety information under the Building Safety Act 2022

3.2 - Employment and HR Management

  • Recruitment and employment administration

  • Payroll, benefits, and pension administration

  • Performance management and professional development

  • Health and safety compliance

  • Managing CPD requirements for ARB-registered architects

3.3 - Legal Basis for Processing

We process personal data based on the following legal grounds:

  • Contract performance: to fulfil our contractual obligations to clients and employees

  • Legal obligation: to comply with employment law, tax obligations, professional regulations, and building safety requirements

  • Legitimate interests: for business administration, improving our services, and protecting our legal rights

  • Consent: where explicitly provided for specific purposes

4 - How We Store and Protect Your Information

We maintain appropriate technical and organisational security measures to protect your personal data.

4.1 - Systems and Infrastructure

Personal data is stored and managed using the following systems:

  • CapsuleCRM for client relationship management

  • Transpond for marketing and newsletters

  • Microsoft 365 and Outlook for email communications and file storage

  • Atvero/Cmap for project information management and SharePoint integration

  • Secure local and cloud-based backup systems

4.2 - Security Measures

  • Two-factor authentication (2FA) is required for all systems

  • Role-based access controls and permissions

  • Regular automated backups with local and offsite storage

  • Encrypted data transmission and storage

  • Secure document management with version control and audit trails

  • Regular security reviews and updates managed by specialist IT support

5 - Sharing Your Information

We may share your personal data with:

  • Project consultants and contractors (structural engineers, planning consultants, building control)

  • Local planning authorities and building control bodies

  • Professional advisers including lawyers and accountants

  • HMRC and pension providers for employment-related matters

  • IT service providers including Microsoft and our IT support company

  • The Architects Registration Board (ARB) where required by professional regulations

All third parties are required to maintain appropriate security measures and process personal data only as instructed by us and in accordance with UK data protection law.

6 - Data Retention

We retain personal data for as long as necessary to fulfil the purposes outlined in this notice and to comply with legal and professional obligations. Typical retention periods:

  • Client project data: 15 years from project completion (Building Safety Act 2022 requirements)

  • Financial records: 6 years from the end of the financial year (HMRC requirements)

  • Employment records: 6 years from end of employment

  • Right to work documentation: 2 years from end of employment

  • Unsuccessful job applications: 6 months

  • Website enquiries: 2 years unless a client relationship develops

After retention periods expire, personal data is securely deleted or anonymised.

7 - Your Rights

Under UK data protection law, you have the following rights:

  • Right of access: to obtain a copy of your personal data

  • Right to rectification: to have inaccurate personal data corrected

  • Right to erasure: to have your personal data deleted in certain circumstances

  • Right to restrict processing: to limit how we use your personal data

  • Right to data portability: to receive your personal data in a structured format

  • Right to object: to object to processing based on legitimate interests

  • Right to withdraw consent: where processing is based on consent

To exercise any of these rights, please contact us using the details in section 9. We will respond within one month. You will not normally be charged for exercising your rights, although we may charge a reasonable fee if your request is clearly unfounded or excessive.

8 - Website Cookies and Analytics

Our website (www.andymatthews.studio) uses essential cookies to ensure basic functionality. We may also use analytics cookies to understand how visitors use our website and improve user experience. You can control cookie preferences through your browser settings. Blocking cookies may affect website functionality.

9 - Contact Information & Complaints

If you have questions about this privacy notice, wish to exercise your rights, or have concerns about how we handle your personal data, please contact:

Andy Matthews
Director
Andy Matthews Studio Ltd
208 Kala Studios
The Biscuit Factory
100 Drummond Road
London
SE16 4DG

hello@andymatthews.studio

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

0303 123 1113

www.ico.org.uk

10 - Changes to This Privacy Notice

We may update this privacy notice from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. The current version will always be available on our website (www.andymatthews.studio/privacy) and updates will be dated in the Document Control section below.

Significant changes will be communicated to affected individuals where appropriate.

The latest PDF version of this policy can be downloaded here.