Section 01 Who We Are

Arts Design Studio is a premium creative and digital agency headquartered in Dar es Salaam, Tanzania, operating for clients across six continents. We deliver world-class Web Design, UI/UX Engineering, Social Media Strategy, and Brand Identity services under the guiding principle: "No shortcuts. Every pixel crafted with intent."

For the purposes of applicable data protection law — including the Tanzania Personal Data Protection Act (PDPA) 2022, the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) — Arts Design Studio is the Data Controller for personal data collected through our website, enquiry forms, consultation bookings, and project engagements.

Registered controller: Arts Design Studio, Dar es Salaam, Tanzania. For enquiries relating to data processing, contact info@artsdesignstudiotz.com.

This Privacy Policy governs all personal data we collect, process, and store. By using our website or engaging our services, you acknowledge that you have read and understood this Policy. If you disagree with any part of it, please discontinue use and contact us directly.

Section 02 What We Collect

We collect only what is genuinely necessary to deliver premium service and maintain a relationship of trust. Data collection is never speculative — every category below has a specific, documented purpose.

Information you provide directly

Identity & Contact Data
Your full name, email address, company name, and telephone number — submitted when you complete our enquiry form (powered by Formspree) or book a consultation via Calendly.

Project Briefs & Assets
Written project briefs, creative references, brand guidelines, domain credentials, API keys, and technical specifications you share during an active engagement. These are handled under strict confidentiality.

Business & Financial Data
Budget ranges, invoice records, and payment references.
We do not store card numbers — all payments are processed by third-party, PCI-DSS compliant providers.

Communications
Email exchanges, meeting notes, and written approvals exchanged during project delivery. These are retained for legal and contractual continuity and are never sold or shared externally.

Information collected automatically

Technical Data: IP address, browser type and version, operating system, device type, screen resolution, and referring URL — collected via server logs and analytics tools.

Usage Data: Pages visited, session duration, scroll depth, click patterns, and navigation paths — used to understand how visitors interact with our site and improve the experience.

Performance Data: Core Web Vitals, Lighthouse scores, and uptime metrics for websites we build and maintain under active retainer agreements.

Cookie Data: Session identifiers and preference tokens. See Section 05 for the full breakdown of cookies we use.

We do not collect special category data (race, health, political views, biometric identifiers) and have no legitimate reason to do so. If we ever receive such data incidentally, it is immediately deleted.

Section 03 How We Use Your Information

We process your data only for the purposes listed below. Every use has a defined legal basis under the Tanzania PDPA 2022, GDPR, and CCPA.

Project Delivery
Using your contact, brief, and asset data to design, build, and launch your project to specification. Legal basis: Performance of contract.

Communication
Responding to enquiries, sending project updates, sharing delivery milestones, and requesting feedback or approval. Legal basis: Contract performance & legitimate interest.

Consultation Booking
Using name and email data passed to Calendly to schedule and confirm discovery calls and strategy sessions. Legal basis: Consent (implicit when booking) & contract.

Performance Analytics
Measuring website traffic, engagement patterns, and referral quality to continually improve our digital presence.
Data is anonymised before analysis where possible. Legal basis: Legitimate interest.

Legal & Financial Compliance
Maintaining invoices, contracts, and communication records as required by Tanzanian and applicable international commercial law. Legal basis: Legal obligation.

Marketing (with consent)
Sending insight articles, studio updates, and new service announcements to subscribers who have explicitly opted in. You may opt out at any time, instantly. Legal basis: Consent — freely given, specific, and withdrawable.

Portfolio & Case Studies
Featuring completed project work in our portfolio, case studies, and marketing materials. We will always seek specific written consent before naming a client publicly. Legal basis: Consent.

What we never do: We do not sell, rent, auction, or broker your personal data to any third party. We do not use your data to train AI models. We do not conduct automated decision-making that produces legal or similarly significant effects about you.

Section 04 Third-Party Data Processors

To deliver a world-class experience and operate efficiently, we use a carefully selected set of third-party services. Each processor receives only the data strictly necessary for their function and is contractually bound to protect it under terms consistent with this Policy.

Formspree
Purpose: Powers the lead capture form on our website. When you submit an enquiry, your name, email, and message are transmitted to Formspree's servers and forwarded to our team inbox.
Data stored: Temporarily in Formspree's systems for delivery and spam filtering.
Retention: 30 days in Formspree's system; retained in our inbox per Section 07.
Jurisdiction: United States.
Formspree Privacy Policy

Calendly
Purpose: Manages booking of our 30-minute free consultation calls. When you schedule a meeting, your name, email address, and selected time slot are processed by Calendly.
Data stored: Calendly retains scheduling data per their own privacy policy.
We receive and store confirmation records.
Jurisdiction: United States (with GDPR Data Processing Agreement available).
Calendly Privacy Policy

Analytics (Google Analytics / Equivalent)
Purpose: Tracks aggregated, anonymised website usage data — page views, session duration, traffic sources, and device types. IP anonymisation is enabled. We do not use this data to identify individuals.
Legal basis: Legitimate interest (performance optimisation). You may opt out via our cookie consent tool.

Netlify / Vercel (Hosting)
Purpose: Hosts our website and, where applicable, client projects. Server logs containing IP addresses and request metadata are generated automatically. These logs are used solely for security monitoring and are not used for profiling.
Retention: 30 days.
Jurisdiction: Global edge network (region configurable per project).

Google Workspace
Purpose: Our primary communication and document management platform. Emails, project files, and proposals are stored within Google's infrastructure under a business agreement that includes GDPR-compliant Data Processing Addenda.
Jurisdiction: EU data residency where applicable.

Notion / Project Management Tools
Purpose: Internal project tracking and documentation. Client names and project descriptions may appear in workspace entries accessible to the assigned project team only. Access is role-restricted; no external sharing occurs without consent.

We review our processor list on a rolling basis. Any new processor that handles personal data will be assessed for compliance, bound by a Data Processing Agreement, and listed in the next quarterly update of this Policy.

Section 05 Cookies & Tracking Technologies

Our website uses cookies and similar technologies to function correctly and to understand how it is used. We never deploy tracking technologies that compromise your privacy without your consent.

Types of cookies we use

Essential / Strictly Necessary: Required for the website to operate.
These include session management cookies set by Netlify, CSRF protection tokens for form submissions, and consent preference storage. These cannot be disabled without breaking site functionality.

Analytical (consent required): Used to measure aggregate performance — page views, session length, bounce rate, and traffic sources. Collected via Google Analytics with IP anonymisation enabled. No cross-site tracking is performed.

Marketing / Retargeting (consent required): May be deployed where we run paid digital campaigns (Meta Ads, Google Ads). These are only active if you have given explicit consent via our cookie consent interface.

On your first visit, you are presented with a clear consent interface. You may withdraw or modify consent at any time by clicking the cookie settings icon in the page footer. For a full list of active cookies, their purposes, and durations, see our dedicated Cookie Policy.

Browser controls: You may also manage cookies directly via your browser's settings. Disabling all cookies may affect certain site features. Instructions for major browsers: Chrome · Firefox · Safari.

Section 06 International Data Transfers

Arts Design Studio operates globally and may transfer your data to countries outside Tanzania and the European Economic Area. We understand this requires robust safeguards, and we apply them without exception.

Where personal data is transferred to processors in the United States (such as Formspree or Calendly), we rely on one or more of the following mechanisms:

Standard Contractual Clauses (SCCs): The European Commission-approved contractual framework requiring recipient processors to uphold GDPR-equivalent protections.

Data Processing Agreements: Signed with each processor, specifying the purposes, scope, and security obligations applicable to transferred data.

Adequacy Assessments: We evaluate whether each destination country or processor offers adequate protection before any transfer takes place.
For EU-based clients, these transfers are also governed by GDPR Chapter V. You have the right to request details of the safeguards applied to any specific transfer of your data — contact us at info@artsdesignstudiotz.com.

Section 07 Data Retention

We do not keep data a day longer than necessary. Retention periods are determined by the purpose of processing, legal obligations, and our legitimate business interests. Below are our standard retention schedules:

Enquiry & Lead Data
Data submitted via our contact form is retained for 12 months from the date of submission if no engagement commences, or until you request deletion — whichever comes first. If an engagement begins, data transitions to the client project record.

Active Client Data
Project briefs, communications, assets, and deliverables are retained for the duration of the engagement plus 36 months post-completion to support warranty periods, follow-on work, and dispute resolution.

Financial Records
Invoice records, payment confirmations, and contracts are retained for 7 years in compliance with Tanzanian tax and commercial law, and international financial reporting obligations.

Marketing Subscribers
Email addresses of newsletter subscribers are retained until you unsubscribe. Unsubscribe links are present in every marketing communication. Deletion is actioned within 72 hours of request.

Analytics Data
Aggregated, anonymised analytics data has no set retention limit. Raw session data (where applicable) is retained for a maximum of 26 months in line with GA4 defaults, after which it is automatically deleted.

Calendly Booking Records
Scheduling confirmation records containing name, email, and meeting time are retained for 12 months post-meeting for our internal project management records.

When data reaches the end of its retention period, it is securely deleted or anonymised. Backups are also purged on the same schedule. You may request earlier deletion of your data at any time under the rights in Section 09.
Section 08 Security Measures

The same standards we apply to building secure, high-performance websites for clients are applied to protecting the data you entrust to us. Security is not an afterthought at Arts Design Studio — it is embedded in every workflow.

Encryption at Rest & in Transit
All sensitive data — credentials, project files, API keys — is encrypted at rest using AES-256. All data in transit is enforced over TLS 1.3. Plaintext transmission of credentials is strictly prohibited.

Senior-Only Access
Access to client data is restricted to senior team members assigned to your project, enforced via role-based access control (RBAC) and multi-factor authentication (MFA) across all internal systems. No junior staff or contractors receive unsupervised data access.

Credential Vault Management
All client credentials (hosting, CMS, API keys) are stored exclusively in enterprise-grade, end-to-end encrypted password managers. Credentials are never transmitted via email or messaging apps. They are revoked within 7 days of project completion.

Radical Transparency on Incidents
In the event of a data breach affecting your personal information, we will notify you within 72 hours of discovery — as required by GDPR Article 33 and PDPA 2022 principles. Notification will include: what happened, what data was involved, what steps we have taken, and what you should do.

We conduct internal security reviews quarterly. Code deployed to client production environments is reviewed for OWASP Top 10 vulnerabilities before launch. Our team does not use personal devices for client work — all project activity occurs on managed, secured devices only.

Section 09 Your Rights

You have clear, enforceable rights over your personal data. These rights exist under the Tanzania PDPA 2022, GDPR (for EU residents), and CCPA (for California residents). We honour all of them — fully, promptly, and without obstruction.
✓ Right of Access
Request a copy of the personal data we hold about you, including what categories we have, how it was collected, and how it is being used.

✓ Right to Rectification
Request correction of inaccurate or incomplete personal data. We will update records within 5 business days of receiving a valid request.

✓ Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data where there is no overriding legal reason to retain it. We will confirm deletion within 30 days, except where retention is legally required.

✓ Right to Restrict Processing
Ask us to pause processing of your data while a dispute is pending, without requiring full deletion. Your data will be stored but not actively used.

✓ Right to Data Portability
Request your data in a structured, machine-readable format (JSON or CSV) so you can transfer it to another service provider without friction.

✓ Right to Object
Object to processing based on legitimate interest — including direct marketing. If you object to marketing, we will stop immediately and without question.

✓ Right to Withdraw Consent
Where processing is based on your consent (e.g. marketing emails, analytics cookies), you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.

✓ CCPA: Do Not Sell My Information
California residents have the right to opt out of the sale of personal information. We do not sell personal data — this right is automatically honoured.

To exercise any right, email us at info@artsdesignstudiotz.com with the subject line "Data Rights Request" and specify which right you wish to exercise. We will verify your identity and respond within 30 days. Complex requests may take up to 90 days; you will be informed of any extension within the initial 30-day window.

If you are an EU resident and believe your rights have been violated, you have the right to lodge a complaint with your national supervisory authority.
A list of EU supervisory authorities is available at edpb.europa.eu.

Section 10 Children's Privacy

Our services are designed exclusively for businesses and professionals. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has submitted data through our website or services, please contact us immediately at info@artsdesignstudiotz.com and we will delete it without delay.

Parents and guardians who become aware of any inadvertent data collection from a minor under their care are encouraged to contact us through the details in Section 12.

Section 11 Changes to This Policy

We review this Privacy Policy quarterly and update it whenever our data practices change materially. We will never quietly edit this Policy in ways that reduce your rights — any change that materially affects how your data is used will be communicated proactively.

When we make significant updates:

The "Last Updated" date at the top of this page will be revised.

Active clients and newsletter subscribers will receive an email notification with a plain-English summary of what changed and why.

Major structural changes will be announced with a minimum of 14 days notice before taking effect.

Continued use of our website or services after the effective date of any revision constitutes acceptance of the updated Policy. If you disagree with any change, you have the right to discontinue use and request deletion of your data under Section 09.

Version history: Previous versions of this Privacy Policy are available on request. Email info@artsdesignstudiotz.com with the subject "Privacy Policy Archive" to receive a copy of a prior version.

Section 12 Contact Us & Data Requests

All privacy enquiries, rights requests, complaints, and data breach reports should be directed to us through the following channels. We do not use automated responses — a qualified, senior team member handles every data-related communication.
Arts Design Studio — Data Controller
Primary contact: info@artsdesignstudiotz.com
Subject line for data requests: "Data Rights Request — [Your Name]"
Response time: Within 72 hours for acknowledgement; full response within 30 days.
Postal address: Arts Design Studio, Dar es Salaam, Tanzania.
Calendly (consultations): Book a free 30-minute consultation

For urgent security incidents or data breach reports, please mark your email subject as "URGENT — Data Security". We monitor this inbox continuously during business hours (GMT+3, Monday–Friday, 08:00–18:00) and aim to acknowledge urgent reports within four hours.

We are committed to resolving every privacy concern internally. If you are unsatisfied with our response, you retain the right to escalate to the relevant supervisory authority in your jurisdiction.