Privacy Policy

WHITE HAT DIGITAL PR

www.whitehatdigitalpr.com

Effective Date: March 10, 2026
Last Reviewed: March 10, 2026
Version: 1.0

 

1. Introduction and Scope

White Hat Digital PR (‘Company’, ‘we’, ‘us’, or ‘our’) operates the website www.whitehatdigitalpr.com (the ‘Website’). We are a digital public relations and marketing agency providing services including media outreach, content strategy, SEO, and online reputation management.

 

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our Website or engage our services. It has been drafted to comply with:

  • The General Data Protection Regulation (EU) 2016/679 (‘GDPR’) and UK GDPR
  • The California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) (‘CCPA’), as amended by the California Privacy Rights Act (‘CPRA’)
  • The Privacy and Electronic Communications Regulations 2003 (PECR)
  • Other applicable data protection and privacy laws

 

By using our Website, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with its terms, please discontinue use of our Website immediately.

 

2. Identity of the Data Controller / Business

For the purposes of the GDPR and applicable data protection laws, the data controller is:

 

Company: White Hat Digital PR
Website: www.whitehatdigitalpr.com
Email: info@whitehatdigitalpr.com
DPO Contact: info@whitehatdigitalpr.com

 

For CCPA purposes, White Hat Digital PR is the ‘Business’ that determines the purposes and means of processing consumers’ personal information.

 

3. Personal Data We Collect

We collect the following categories of personal data from you:

 

| Category | Data Types | Source | Legal Basis (GDPR) | CCPA Category |
|---|---|---|---|---|
| Identity Data | Full name, username, title | Directly from you | Contract / Legitimate Interests | Identifiers |
| Contact Data | Email address, phone number | Directly from you | Contract / Consent | Identifiers |
| Financial Data | Payment card details, billing address, transaction history | Directly from you (via Stripe) | Contract | Financial Information |
| Technical Data | IP address, browser type, device identifiers, cookies | Automated collection | Legitimate Interests / Consent | Internet/Electronic Activity |
| Usage Data | Pages visited, click paths, session duration, referral URLs | Google Analytics, Facebook Pixel | Consent | Internet/Electronic Activity |
| Marketing Data | Communication preferences, campaign interactions | Directly from you / Inferred | Consent | Commercial Information |

 

We do NOT knowingly collect special categories of personal data (such as racial/ethnic origin, health data, biometric data, or data relating to criminal convictions) unless explicitly required and with your express consent.

 

4. How We Collect Personal Data

4.1 Direct Collection

We collect data directly when you:

  • Complete a contact, enquiry, or service request form on our Website
  • Register for an account or subscribe to our newsletter
  • Engage us for services and enter into a contract
  • Communicate with us by email, phone, or live chat
  • Respond to surveys or provide feedback

 

4.2 Automated Technologies

We use the following third-party technologies to collect data automatically:

 

Google Analytics 4 (GA4)

Tracks website traffic, user behaviour, session data, and device/browser characteristics. Data is processed by Google LLC and may be transferred to the United States. We have activated IP anonymisation. You may opt out at: tools.google.com/dlpage/gaoptout

Meta (Facebook) Pixel

Tracks visitor actions for advertising attribution and retargeting via the Meta platform. Data may be shared with Meta Platforms Inc. and used to deliver personalised ads. You may manage your preferences via your Facebook Ad Settings.

Stripe Payment Processing

Payment card information is processed directly by Stripe, Inc. We do not store raw card numbers on our servers. Stripe is PCI DSS Level 1 certified. Please review Stripe’s privacy policy at stripe.com/privacy.

 

5. How We Use Your Personal Data

We use your personal data only for legitimate, specified purposes. The table below sets out each purpose, the data used, and our legal basis under the GDPR:

 

| Purpose | Data Used | GDPR Legal Basis |
|---|---|---|
| Providing and managing services | Name, Email, Payment Info | Performance of a Contract (Art. 6(1)(b)) |
| Processing payments and billing | Name, Payment Info | Performance of a Contract (Art. 6(1)(b)) |
| Communicating with you | Name, Email | Legitimate Interests / Contract (Art. 6(1)(f)(b)) |
| Sending marketing communications | Name, Email | Consent (Art. 6(1)(a)) — opt-in only |
| Website analytics and improvement | IP Address, Usage Data | Consent / Legitimate Interests (Art. 6(1)(a)(f)) |
| Advertising and retargeting | IP Address, Cookies | Consent (Art. 6(1)(a)) |
| Fraud prevention and security | IP Address, Payment Info | Legitimate Interests (Art. 6(1)(f)) |
| Legal and regulatory compliance | All categories as required | Legal Obligation (Art. 6(1)(c)) |

 

We will never use your personal data for purposes incompatible with those stated above without first obtaining your consent or establishing a new lawful basis.

 

6. Data Storage, Security, and Retention

6.1 Where We Store Your Data

Your personal data is stored on secure servers within the European Economic Area (EEA) and/or United Kingdom. Where data is transferred outside the EEA/UK (for example, to Google LLC, Meta Platforms Inc., or Stripe, Inc. in the United States), we ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions issued by the UK Information Commissioner’s Office (ICO)
  • Binding Corporate Rules (BCRs) where applicable
  • Certification under the EU-US Data Privacy Framework

 

6.2 Security Measures

We implement appropriate technical and organisational security measures including:

  • SSL/TLS encryption for all data in transit
  • AES-256 encryption for sensitive data at rest
  • Multi-factor authentication on all internal systems
  • Access controls and role-based permissions
  • Regular penetration testing and vulnerability assessments
  • Staff training on data protection obligations

 

6.3 Retention Periods

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law:

 

| Data Type | Retention Period | Reason |
|---|---|---|
| Client contact data | 7 years from end of contract | Legal and tax obligations |
| Payment and financial records | 7 years | HMRC / financial regulations |
| Marketing preferences | Until withdrawal of consent | GDPR consent requirements |
| Website analytics data | 26 months (GA4 default) | Analytics purposes |
| IP address logs | 12 months | Security and fraud prevention |
| Cookies data | Per cookie policy (12–24 months) | See our Cookie Policy |

 

Upon expiry of the applicable retention period, data is securely deleted or anonymised in accordance with our data deletion procedures.

 

7. How We Share Your Personal Data

We do not sell, rent, or trade your personal data. We may share your data with the following categories of recipients:

 

7.1 Third-Party Service Providers (Data Processors)

We share data with trusted processors acting on our instructions under binding data processing agreements:

 

| Processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Google LLC (GA4) | Website analytics | USA | EU-US DPF / SCCs |
| Meta Platforms Inc. | Advertising pixel | USA | EU-US DPF / SCCs |
| Stripe, Inc. | Payment processing | USA | EU-US DPF / SCCs |
| Email service provider | Transactional emails | EEA/UK | GDPR compliant |
| Hosting provider | Web infrastructure | EEA/UK | GDPR compliant |
| CRM software | Client management | EEA/UK | GDPR compliant |

 

7.2 Legal Disclosures

We may disclose your personal data without your consent where required:

  • To comply with a legal obligation, court order, or regulatory request
  • To protect our legal rights or those of third parties
  • In connection with the prevention, detection, or investigation of fraud or criminal activity
  • In the event of a merger, acquisition, or sale of all or part of our business (subject to confidentiality obligations)

 

We will always inform you of any such disclosure to the extent permitted by law.

 

8. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our Website. A cookie is a small text file placed on your device to distinguish you from other users. We use the following types of cookies:

 

| Cookie Type | Purpose | Examples | Consent Required |
|---|---|---|---|
| Strictly Necessary | Core website functionality, session management | Session cookies | No |
| Performance | Website analytics and usage statistics | Google Analytics (_ga, _gid) | Yes |
| Functional | Remembering preferences, language settings | Preference cookies | Yes |
| Targeting/Advertising | Retargeting, ad personalisation | Facebook Pixel (_fbp) | Yes |

 

You can manage or withdraw your cookie consent at any time using our Cookie Preferences Centre (accessible via the footer of every page). You may also control cookies through your browser settings. Note that disabling certain cookies may impact Website functionality.

 

9. Your Rights Under GDPR

If you are located in the European Economic Area or United Kingdom, you have the following rights under the GDPR and UK GDPR:

 

Right of Access (Art. 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with supplementary information about how it is used.

Right to Rectification (Art. 16)

You have the right to have inaccurate personal data corrected and incomplete data completed without undue delay.

Right to Erasure / ‘Right to be Forgotten’ (Art. 17)

You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where consent is withdrawn, or where processing is unlawful. This right is subject to legal retention obligations.

Right to Restriction of Processing (Art. 18)

You may request that we restrict the processing of your data in certain circumstances, such as while we verify the accuracy of contested data.

Right to Data Portability (Art. 20)

Where processing is based on consent or a contract, and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format.

Right to Object (Art. 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately.

Right to Withdraw Consent (Art. 7(3))

Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.

 

To exercise any of these rights, please contact us at info@whitehatdigitalpr.com. We will respond within 30 days of receiving a verified request. We will not charge a fee except where requests are manifestly unfounded or excessive.

 

10. Your Rights Under the CCPA / CPRA (California Residents)

If you are a California resident, you are afforded the following rights under the CCPA as amended by the CPRA:

 

10.1 Right to Know

You have the right to request disclosure of: (i) the categories and specific pieces of personal information we have collected about you; (ii) the categories of sources from which it was collected; (iii) the business or commercial purpose for collecting or sharing it; and (iv) the categories of third parties with whom we share it.

 

10.2 Right to Delete

You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., where retention is required to complete a transaction, comply with a legal obligation, or for security purposes).

 

10.3 Right to Correct

You have the right to request correction of inaccurate personal information we maintain about you.

 

10.4 Right to Opt-Out of Sale or Sharing

We do not sell personal information for monetary consideration. However, our use of Google Analytics and Meta Pixel may constitute ‘sharing’ for cross-context behavioural advertising purposes under the CPRA. You have the right to opt out of such sharing by using the link: ‘Do Not Sell or Share My Personal Information’ on our Website footer.

 

10.5 Right to Limit Use of Sensitive Personal Information

To the extent we collect sensitive personal information (such as payment card data), you have the right to limit its use to necessary purposes only.

 

10.6 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. We will not deny goods or services, charge different prices, or provide a different level of quality because you exercised your privacy rights.

 

10.7 How to Submit a CCPA Request

To submit a verifiable consumer request under the CCPA, you or your authorised agent may contact us by:

  • Email: info@whitehatdigitalpr.com with subject line ‘CCPA Privacy Request’
  • Website form: www.whitehatdigitalpr.com/privacy-request

 

We will verify your identity before responding and will fulfil verified requests within 45 days, with a possible 45-day extension where reasonably necessary (with prior notice).

 

11. Children’s Privacy

Our Website and services are not directed at children under the age of 16 (or 13 in California for COPPA purposes). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at info@whitehatdigitalpr.com and we will delete it promptly.

 

12. Automated Decision-Making and Profiling

We do not use your personal data for solely automated decision-making that produces legal or similarly significant effects on you, as defined under Article 22 of the GDPR. Where any profiling occurs (such as via advertising algorithms), you may object to such processing using the rights set out in Section 9 above.

 

13. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy at any time. Where changes are material, we will provide prominent notice via our Website and/or direct email communication at least 30 days before the changes take effect. The revised policy will be posted with an updated ‘Last Reviewed’ date.

 

Your continued use of the Website after the effective date of any updated policy constitutes your acceptance of those changes.

 

14. Right to Lodge a Complaint with a Supervisory Authority

If you are located in the EEA or UK and believe your data protection rights have been infringed, you have the right to lodge a complaint with the competent supervisory authority:

  • United Kingdom: Information Commissioner’s Office (ICO) — ico.org.uk | 0303 123 1113
  • European Union: Your national Data Protection Authority — edpb.europa.eu/about-edpb/board/members_en
  • California: California Privacy Protection Agency — cppa.ca.gov

 

We would, however, appreciate the opportunity to resolve any concern directly before you escalate to a supervisory authority. Please contact us first at info@whitehatdigitalpr.com.

 

15. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact our Data Protection Officer:

 

Email: info@whitehatdigitalpr.com
DPO Email: info@whitehatdigitalpr.com
Website: www.whitehatdigitalpr.com/privacy_policy
Response Time: We aim to acknowledge all requests within 72 hours

 

This Privacy Policy was prepared to comply with GDPR, UK GDPR, and CCPA/CPRA requirements.

© 2026 White Hat Digital PR. All rights reserved.