Legal

Privacy Policy

Effective date: 17 March 2026 · Version: 1.0

1. Who We Are

Spectrum& is an AI-powered creative agency operating at spectrumand.com and app.spectrumand.com.

Data Controller:
The Clarion Portfolio Ltd (trading as Spectrum&)
Company number: 4194051 · VAT number: 776017028
Registered address: 2 Great George Street, Godalming, Surrey, GU7 1EE
Email: hello@spectrumand.com
Website: spectrumand.com

We are registered with the Information Commissioner's Office (ICO). Registration number: Z9754410.

If you have any questions about how we handle your personal data, please contact us at hello@spectrumand.com.

2. What This Policy Covers

This policy explains how we collect, use, share and protect your personal data when you:

Visit spectrumand.com or app.spectrumand.com
Register for or use our platform
Communicate with us
Enter into a contract with us

This policy applies to data we process as a data controller — i.e. where we decide how and why personal data is processed. Where we process personal data on behalf of clients (as a data processor), the client's own privacy policy governs the data subject's rights.

3. The Legal Framework

We comply with:

The UK General Data Protection Regulation (UK GDPR) as incorporated by the European Union (Withdrawal) Act 2018
The Data Protection Act 2018 (DPA 2018)
The Privacy and Electronic Communications Regulations 2003 (PECR) where applicable

4. What Personal Data We Collect

4.1 Account and Identity Data

Name, email address, job title, company name
Account login credentials (passwords are hashed; we do not store plain-text passwords)

4.2 Contact and Communications Data

Email correspondence with us
Messages sent through the Platform

4.3 Transaction and Payment Data

Billing name, address, and invoice details
Payment card details are processed directly by Stripe — we do not store full card numbers

4.4 Usage and Technical Data

IP address, browser type and version, device type
Pages visited, features used, session duration
Log data generated by your use of the Platform

4.5 Brief and Project Data

Content of creative briefs you submit, including any written material, brand assets, product information or other content you upload
Note: Briefs should not include special category personal data (e.g., patient data, health data relating to identified individuals). If a brief contains such data, please contact us in advance so appropriate safeguards can be put in place.

4.6 Prospect and Marketing Data

Names and email addresses of prospective clients who contact us or register interest

5. How We Collect Personal Data

Directly from you — when you register, submit a brief, contact us, or purchase services
Automatically — through cookies and similar technologies (see our Cookie Policy)
From third parties — for example, payment processors confirming transaction status

6. Lawful Basis for Processing

We process your personal data on the following lawful bases under Article 6 UK GDPR:

Purpose	Lawful Basis
Providing services under our contract with you	Contract (Art. 6(1)(b))
Processing payments and billing	Contract (Art. 6(1)(b))
Managing your account	Contract (Art. 6(1)(b))
Complying with legal obligations (e.g. tax, financial records)	Legal obligation (Art. 6(1)(c))
Service communications (account-related notices, updates)	Contract / Legitimate interests (Art. 6(1)(b)/(f))
Improving the Platform (aggregated analytics)	Legitimate interests (Art. 6(1)(f))
Fraud prevention and security	Legitimate interests (Art. 6(1)(f))
Marketing to existing clients	Legitimate interests (Art. 6(1)(f)) — you may opt out at any time
Marketing to prospects (email)	Consent (Art. 6(1)(a)) under PECR

Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and interests. You have the right to object to legitimate interests processing — see Section 10.

7. Third-Party Processors

We use the following third-party services to operate our business. Each acts as a data processor on our behalf (or in some cases, a controller in their own right for payment data). We have ensured that appropriate contractual safeguards are in place or are in the process of being confirmed.

7.1 Anthropic — AI Model Provider

Purpose: Processing brief content through the Claude AI model to generate creative outputs, and powering Dot — our in-portal AI support assistant
Data shared: Brief content, which may contain professional/business personal data. Briefs should not contain patient data or special category data. Support chat messages sent to Dot are also processed by Anthropic; do not include sensitive personal data in support queries.
Location: USA
Transfer safeguard: Anthropic's Data Processing Agreement (DPA); standard contractual clauses or equivalent international transfer mechanism

7.2 Vercel — Platform Hosting

Purpose: Hosting app.spectrumand.com and spectrumand.com
Location: USA (with EU edge network nodes available)
Transfer safeguard: Vercel DPA; standard contractual clauses

7.3 Supabase — Database

Purpose: Storing client accounts, project data, briefs, and Platform data
Location: EU region (configured)
Transfer safeguard: Supabase DPA

7.4 Resend — Transactional Email

Purpose: Sending transactional emails (account notifications, invoices, project updates)
Data shared: Name, email address, email content
Location: USA
Transfer safeguard: Resend DPA / standard contractual clauses

7.5 Inngest — Workflow Orchestration

Purpose: Orchestrating automated workflows within the Platform
Location: USA
Transfer safeguard: Inngest DPA / standard contractual clauses

7.6 Stripe — Payments

Purpose: Processing client payments
Data shared: Billing name, address, payment card data (handled directly by Stripe)
Location: USA / EU
Transfer safeguard: Stripe DPA; Stripe is certified to multiple international transfer frameworks
Note: Stripe acts as a data controller for card data for fraud prevention purposes.

7.7 OpenAI — Image Generation

Purpose: Generating creative image assets via the DALL-E API
Location: USA
Transfer safeguard: OpenAI DPA / standard contractual clauses

7.8 Replicate — Image Generation (Flux)

Purpose: Generating creative image assets via the Flux model
Location: USA
Transfer safeguard: Replicate DPA / standard contractual clauses

7.9 DocRaptor — PDF Generation

Purpose: Generating PDF documents (project deliverables, invoices)
Location: USA
Transfer safeguard: DocRaptor DPA / standard contractual clauses

7.10 Dropbox Business — File Delivery

Purpose: Storing and delivering completed project files to clients
Location: USA / EU (configurable)
Transfer safeguard: Dropbox Business DPA; Dropbox EU-US Data Privacy Framework certified

8. International Transfers

Several of our processors are based in the USA. We rely on the following mechanisms to ensure that transfers of personal data outside the UK are lawful:

UK International Data Transfer Agreements (IDTA) — the UK post-Brexit equivalent of EU SCCs, where in place with processors
UK Addendum to EU SCCs — used where processors operate on EU SCCs to which the UK addendum applies
Adequacy decisions — where applicable
Processor compliance frameworks — such as Stripe's Data Privacy Framework certification

9. How Long We Keep Your Data

Data Category	Retention Period
Account data	Duration of account + 6 years after closure (contractual records)
Financial and billing records	6 years (Companies Act / HMRC requirements)
Brief and project data	Duration of relationship + 3 years
Marketing data (prospects)	Until withdrawal of consent or 2 years of inactivity
Server logs	90 days (rolling)
Cookies	As per Cookie Policy

We will delete or anonymise data when retention periods expire.

10. Your Rights

Under UK GDPR, you have the following rights. To exercise any of them, contact us at hello@spectrumand.com:

Right	What it means
Access	Request a copy of the personal data we hold about you
Rectification	Ask us to correct inaccurate or incomplete data
Erasure	Ask us to delete your data in certain circumstances
Restriction	Ask us to restrict processing in certain circumstances
Portability	Receive your data in a structured, machine-readable format
Object	Object to processing based on legitimate interests or for direct marketing
Withdraw consent	Where processing is based on consent, withdraw it at any time
Automated decisions	Not be subject to solely automated decisions that significantly affect you

We will respond to requests within one calendar month. In complex cases, we may extend this by a further two months, in which case we will notify you.

11. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Helpline: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would ask that you contact us at hello@spectrumand.com in the first instance so we have the opportunity to address your concern.

12. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction or damage. These include:

Encrypted data transmission (TLS/HTTPS)
Access controls and authentication
Data minimisation (we only collect what we need)
Processor due diligence

No transmission or storage system is completely secure. If we become aware of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected individuals.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via the Platform with at least 14 days' notice before changes take effect. The current version will always be available at spectrumand.com/privacy.

14. Contact Us

Spectrum& — Data Controller enquiries:
Email: hello@spectrumand.com
Website: spectrumand.com