the ideal collective

Data Protection and Privacy

At The Ideal Collective, we respect the privacy and rights of individuals whose personal data we process. We design our products, services, and internal processes in accordance with applicable European data protection legislation, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (GDPR), and the UK Data Protection Act 2018.

Data Controller

For the purposes of applicable data protection legislation, The Ideal Collective acts as a data controller in respect of the personal data described in this notice.

How We Use Personal Data

We process personal data only for specified, explicit, and legitimate purposes. These purposes typically include delivering and operating our digital products and services, managing client, partner, and supplier relationships, operating and securing our platforms and infrastructure, and meeting legal, regulatory, and contractual obligations. We do not sell personal data or use it for unexpected or unrelated marketing activities without a lawful basis or valid consent where required.

Lawful Bases for Processing

We process personal data only where a lawful basis applies under Article 6 of the GDPR. These lawful bases may include performance of a contract, compliance with a legal obligation, legitimate interests pursued by The Ideal Collective, and consent where required. Where we rely on legitimate interests, we carry out a balancing assessment to ensure our interests do not override the rights and freedoms of individuals.

Data Minimisation and Retention

We collect only the personal data that is relevant and necessary for each stated purpose. Personal data is retained only for as long as required to fulfil the purpose for which it was collected, unless a longer retention period is required by law or regulation. As a general principle, operational records containing personal data are deleted or anonymised within 90 days of the relevant business purpose being fulfilled. We periodically review our datasets to ensure data remains accurate, relevant, and up to date.

Security Measures

Protecting information is fundamental to our business. We implement appropriate administrative, technical, and organisational security measures aligned with ISO 27001 principles. These include access controls and role-based permissions, encryption of data in transit and at rest, audit logging and monitoring, and supplier and vendor due-diligence assessments. We regularly test our controls and maintain incident response and disaster recovery procedures.

International Data Transfers

Where personal data is transferred outside the United Kingdom or the European Economic Area, we ensure appropriate safeguards are in place. These may include Standard Contractual Clauses or reliance on adequacy decisions recognised by the UK Information Commissioner’s Office and the European Commission. We monitor legal and regulatory developments to ensure continued compliance.

Individual Rights

We respect and uphold the rights of individuals under data protection law. These rights include the right to access personal data, to have inaccurate data rectified, to request erasure, to restrict or object to processing, and, where applicable, to data portability. Requests may be submitted using the contact details provided on this website, and we respond within the statutory timeframes set out in applicable data protection legislation.

Complaints

Individuals have the right to lodge a complaint with the UK Information Commissioner’s Office if they believe their personal data has been processed unlawfully or that their data protection rights have been infringed.

Working with Partners

Where we engage suppliers, partners, or subprocessors who process personal data on our behalf, we carry out appropriate due diligence and require contractual commitments covering data protection, confidentiality, and breach notification. Such parties are permitted to process personal data only in accordance with our documented instructions.

Electronic Signature Provider

We use Dropbox Sign (formerly HelloSign) to facilitate electronic contract execution. This service processes signer information and agreement artefacts solely for the purpose of providing electronic signature workflows. We maintain a data processing agreement with this provider, review their security and compliance posture regularly, and ensure that contract packets are deleted or archived in line with our 90-day retention policy unless legal obligations require longer retention.

Contacting Us

Questions regarding this Data Protection and Privacy Notice or our privacy practices may be directed to privacy@theidealcollective.ai or to our Data Protection Officer at our registered office.

Updates to This Notice

We keep this notice under regular review and may update it to reflect changes in legislation, regulatory guidance, or our services.