Privacy notice

At Epoch, we care about doing good work – and doing it responsibly. That includes looking after the personal information you share with us.

This notice explains what information we collect, why we collect it, how we use it, and the rights you have. Whether you’re browsing our website, working with us as a client or supplier, applying for a role, or raising a concern, we want you to feel confident that your data is handled with care.

For the purposes of the Data Protection Act 2018 and the UK GDPR, Epoch is the data controller.

Company details:
Epoch Design Limited
Registered in England & Wales – Company No. 03039255
Registered address: 30 Park Street, London, SE1 9EQ
Bristol office: 54 Queen Square, Bristol BS1 4LH

If you have any questions about how we use your data, please contact our Data Protection Lead at: datacontrol@weareepoch.com

Our commitments to you

When we process your data, we will:

  • Be clear about what we are doing and why
  • Use it only for legitimate purposes
  • Keep it accurate and up to date
  • Keep it only for as long as necessary
  • Protect it with appropriate security measures
  • Not sell personal data to third parties

We are committed to using data in ways that are fair, transparent and respectful of individuals’ rights. Where we use emerging technologies, including AI tools, we ensure appropriate safeguards, human oversight, and data protection controls are in place.

What information we collect

The information we collect depends on how you interact with us.

When you use our website

We may collect:

  • Your IP address
  • Information about your browser, device and operating system
  • Details of pages visited and resources accessed
  • Information submitted through contact forms

This helps us understand how our website is used and improve your experience.

When you work with us

If you are a client, supplier, freelancer or business contact, we may collect:

  • Your name and job title
  • Organisation name
  • Contact details (email, phone number, business address)
  • Bank details
  • Correspondence and meeting notes

We use this information to manage our professional relationship and deliver our services.

When you apply to work with us

If you apply for a role at Epoch, we may collect:

  • Your portfolio, CV and employment history
  • Qualifications and experience
  • Interview notes
  • Right to work documentation

This information is used solely to assess your suitability for employment.

When you raise a concern or grievance

If you contact us to raise a concern or formal grievance, we may collect:

  • Your name and contact details
  • A description of the issue
  • Relevant dates, documents or supporting information
  • Details of individuals involved

Sometimes, concerns may involve sensitive information, for example, relating to health, discrimination, or allegations of misconduct. Where this happens, we treat that information with additional care and only process it where the law allows us to do so.

We use this information to fairly review, investigate and resolve the matter, and to improve how we operate.

Why we use your information

We use personal information to:

  • Respond to enquiries
  • Deliver our services
  • Manage client and supplier relationships
  • Improve our website and communications
  • Run recruitment processes
  • Review and resolve concerns or complaints
  • Meet our legal and regulatory obligations
  • Protect our rights and the rights of others

In simple terms: we use your information to run our business responsibly and transparently.

Our legal basis for using your data

Data protection law requires us to have a valid reason for processing personal data. Depending on the situation, this may include:

  • Legitimate interests – for example, managing relationships, handling complaints, improving our services, and maintaining good governance. Where we rely on this basis, we carry out a balancing assessment to ensure our interests do not override your rights and freedoms
  • Contract – where we need to process information to fulfil an agreement
  • Legal obligation – where we are required to comply with the law
  • Consent – where you have agreed to certain uses (such as non-essential cookies)

Where sensitive information is involved, we process it only where a lawful condition applies under Article 9 of UK GDPR, such as where necessary to establish, exercise or defend legal claims, comply with employment law obligations, or where explicit consent has been provided.

How we share information

We may share personal data:

  • With trusted service providers who support our systems and operations
  • With professional advisers (such as legal advisers)
  • Where required by law or regulatory authorities
  • In connection with a business merger or acquisition

We ensure that any third party handling personal data on our behalf does so securely and in line with legal requirements.

Where we store your personal data

The data that we collect from you will not normally be transferred outside the UK.

If your data is transferred outside the UK, we will ensure appropriate safeguards are in place, such as adequacy regulations or approved contractual arrangements, to protect your information in line with UK data protection law.

How long we keep your information

We retain personal data only for as long as necessary for the purposes for which it was collected, including to meet legal, accounting, or reporting requirements.

Typical retention periods include:

  • General business correspondence: up to 2 years after last contact
  • Contractual correspondence: duration of consent, plus up to 6 years
  • Recruitment records (unsuccessful candidates): up to 6 months
  • Complaint and grievance records: up to 6 years after closure, unless a longer period is required for legal reasons

After this, information is securely destroyed or anonymised.

Cookies and website analytics

Our website uses cookies to help us understand how it is used and to improve functionality.

This may include:

  • Analytics cookies (such as Google Analytics)
  • Functional tools such as reCAPTCHA to protect against spam

Non-essential cookies are only used with your consent. You can manage your preferences at any time through our cookie banner or your browser settings, in line with the Privacy and Electronic Communications Regulations.

Your rights

You have rights in relation to your personal data. These include the right to:

  • Access the personal data we hold about you
  • Correct inaccurate information
  • Request deletion in certain circumstances
  • Restrict or object to certain types of processing
  • Object to processing for direct marketing purposes
  • Request the transfer of your data (data portability)
  • Withdraw consent where applicable

We aim to respond to all requests within one month. You will not normally be charged for making a request, although a reasonable fee may apply where requests are manifestly unfounded or excessive.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

Automated decision making

We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on individuals.

Data security

Protecting information is part of how we operate responsibly.

Cyber Essentials

Epoch is certified under the UK government’s Cyber Essentials scheme. This means we’ve put key protections in place to defend against common online threats and keep your data safe.

Our certification shows that we:

  • Use firewalls and secure settings to protect our systems
  • Keep software up to date and fix security issues quickly
  • Control who has access to our data and systems
  • Use tools to guard against viruses and malware
  • Manage laptops, phones, and other devices securely

ISO/IEC 27001:2022

Epoch is certified to ISO/IEC 27001:2022, the international gold standard for managing information securely. It shows that we take data protection seriously and follow clear rules to keep client and company information safe.

As part of this certification, we:

  • Regularly assess risks and take action to reduce them
  • Check the security of any companies we work with
  • Make sure only the right people can access sensitive data
  • Carry out regular checks to keep improving how we protect information
  • Follow GDPR and other important legal standards
  • Train our team to understand and follow good security practices

We implement appropriate technical and organisational safeguards to protect personal data against loss, misuse or unauthorised access.

In the event of a personal data breach, we will assess the risk and notify affected individuals and regulators where required by law.

Children’s data

Our services are not directed at children, and we do not knowingly collect personal data from individuals under the age of 16.

Updates to this notice

We may update this notice from time to time to reflect changes in our practices or legal requirements. The most recent version will always be available on our website.

Contacting us

If you are dissatisfied with the processing of your personal information, please contact us in the first instance at datacontrol@weareepoch.com, or alternatively via this form.

If we cannot resolve your concern, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).

We welcome any questions, comments or requests regarding this notice.

This notice was last revised 25th March 2026