PodLot Studios Ltd. GDPR Compliance Policy
Last Updated: 15/03/2025
1. Introduction
PodLot Studios Ltd. ("PodLot") is committed to compliance with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. This policy outlines how we collect, process, store, and protect personal data for clients using our podcast facilitation services.
2. Lawful Basis for Processing
We process personal data under the following lawful bases:
- Contractual Necessity: To fulfill service agreements (e.g., recording sessions, billing).
- Consent: For marketing communications and sharing client content publicly.
- Legitimate Interests: Improving services, fraud prevention, and promoting our business.
3. Data We Collect
Category | Examples | Purpose |
---|---|---|
Client Data | Name, email, phone number, billing address | Service delivery, payment processing |
Content Data | Recorded audio/video files, show notes | Production, editing, and distribution |
Technical Data | IP address, device type, browser | Website functionality, analytics |
Marketing Data | Consent preferences, campaign engagement | Promotional emails, social media ads |
4. Data Subject Rights
Clients have the right to:
- Access: Request a copy of their personal data.
- Rectification: Correct inaccurate/incomplete data.
- Erasure: Request deletion (e.g., after account termination).
- Portability: Receive data in a machine-readable format.
- Withdraw Consent: Opt out of marketing or content sharing.
To exercise rights, email gdpr@podlot.co.uk. We respond within 30 days.
5. Data Sharing & Third Parties
- Service Providers: Data is shared with:
  - Payment processors (Stripe, PayPal) for transactions.
  - Cloud storage (Firebase, AWS) for content hosting.
  - Email platforms (Mailchimp) for communications.
- Legal Obligations: Disclosed only if required by law (e.g., court orders).
6. Data Security
- Encryption: All data transmitted via SSL/TLS; files encrypted at rest (AES-256).
- Access Controls: Role-based permissions limit staff access to sensitive data.
- Audits: Annual penetration testing and GDPR compliance reviews.
7. Data Retention
Data Type | Retention Period |
---|---|
Client account data | 6 years post-termination (HMRC compliance) |
Audio/video recordings | 12 months post-project completion |
Marketing data | Until consent is withdrawn |
8. Cookies & Tracking
- Essential Cookies: Session management, login functionality.
- Analytics Cookies: Google Analytics (anonymized IPs, opt-out available).
- Marketing Cookies: Facebook Pixel (only with explicit consent).
9. International Data Transfers
Data may be transferred outside the UK/EEA to partners with:
- Adequacy Decisions (e.g., EU-US Data Privacy Framework).
- Standard Contractual Clauses (SCCs) for non-adequate countries.
10. Data Breach Protocol
- Notification: Reported to the ICO within 72 hours if risk exists.
- Communication: Affected clients notified via email if breach poses high risk.
11. Updates to This Policy
Changes will be posted on our website. Material updates (e.g., new data uses) will be emailed to clients.
12. Contact Us
Data Protection Officer: [Pending]
Email: gdpr@podlot.co.uk
Postal Address: [Upon Request]
Podcast-Specific Compliance Notes
- Content Licensing: Clients consent to public use of their content (e.g., social media clips) via opt-in during onboarding.
- Guest Releases: Clients must obtain GDPR-compliant consent from podcast guests before sharing recordings with PodLot.
- Children's Data: We do not knowingly process data from individuals under 16 without parental consent.