
Privacy & Data Protection Policy

How we collect, use, and protect your personal data

Last Updated: March 2026


1. INTRODUCTION

Design Me a Solution Lab ("we", "us", "our") is a sole-trader consultancy based in the United Kingdom. We are committed to protecting the privacy and personal data of everyone who uses our website, services, and tools.

This policy explains what data we collect, why we collect it, how we use and safeguard it, and what rights you have. It applies to all visitors to designmeasolution.com and all clients who engage our consulting services, regardless of their country of residence.

2. DATA CONTROLLER

Data Controller: Design Me a Solution Lab
Contact: [email protected]
Jurisdiction: United Kingdom

We are registered under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For the purposes of international data protection laws including the EU GDPR, CCPA, LGPD, and POPIA, we act as the data controller for personal data collected through this website and our services.

3. WHAT DATA WE COLLECT

We collect only the data necessary to deliver our services and operate this website. The categories are:

3.1 Data You Provide Directly

  • Contact Form Submissions: Full name, email address, subject, and message content.
  • Niche Discovery Test: Full name, email address, and your responses to 10 diagnostic questions about your professional background and venture aspirations.
  • Consulting Engagements: Name, email, business information, project details, and any documentation shared during Build Sprint sessions.

3.2 Data Collected Automatically

  • Website Analytics: Pages visited, time on site, referring URL, browser type, device type, and approximate geographic location (country/region level only).
  • Cookies: Essential session cookies and optional analytics cookies (see our Cookie Policy for full details).

3.3 Data We Do Not Collect

We do not collect payment card details directly (payments are processed by third-party providers), biometric data, health data, or data about children under 16.

4. LEGAL BASIS FOR PROCESSING

Under UK GDPR and EU GDPR, we process personal data on the following legal bases:

  • Consent (Art. 6(1)(a)): When you submit the Niche Discovery Test or contact form, you consent to us processing your data for the stated purpose.
  • Contract Performance (Art. 6(1)(b)): Processing necessary to deliver consulting services you have engaged.
  • Legitimate Interest (Art. 6(1)(f)): Website analytics and security monitoring, where our interest does not override your rights.

5. HOW WE USE YOUR DATA

  • To respond to your enquiries and deliver consulting services.
  • To generate your personalised Venture Profile from the Niche Discovery Test.
  • To send you the documents and outputs agreed during our engagement.
  • To improve our website, services, and content.
  • To comply with legal obligations.

We will never sell, rent, or share your personal data with third parties for their marketing purposes.

6. DATA SHARING & THIRD-PARTY PROCESSORS

We share data only with processors who are essential to delivering our services:

  • AI Platform Provider (Abacus.AI): Processes Niche Test responses to generate your Venture Profile. Data is processed under their enterprise data processing terms.
  • Email Notification Service: Delivers transactional emails (Venture Profile results, contact confirmations).
  • Hosting Provider: Hosts this website and database infrastructure.

All third-party processors are bound by data processing agreements and are required to implement appropriate technical and organisational security measures.

7. INTERNATIONAL DATA TRANSFERS

Some of our processors operate outside the UK and EU. Where data is transferred internationally, we ensure adequate protections are in place through:

  • UK and EU adequacy decisions (e.g., transfers to countries deemed adequate by the UK Secretary of State or EU Commission).
  • Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office (ICO).
  • Binding Corporate Rules where applicable.

8. DATA RETENTION

  • Contact Form Submissions: Retained for 12 months, then deleted unless an ongoing relationship exists.
  • Niche Test Submissions: Retained for 24 months to allow you to return and reference your Venture Profile.
  • Client Project Data: Retained for the duration of the engagement plus 6 years (UK statutory limitation period), then securely deleted.
  • Website Analytics: Aggregated and anonymised data retained indefinitely. Identifiable analytics data retained for 26 months.

9. YOUR RIGHTS

Under UK GDPR, EU GDPR, and applicable international laws, you have the following rights:

  • Right of Access: Request a copy of all personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data where there is no compelling reason for continued processing.
  • Right to Restrict Processing: Request that we limit how we use your data.
  • Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

10. ADDITIONAL RIGHTS BY JURISDICTION

10.1 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

  • Right to know what personal information we collect and how it is used.
  • Right to delete personal information.
  • Right to opt out of the "sale" of personal information — we do not sell personal data.
  • Right to non-discrimination for exercising your privacy rights.

10.2 Brazil Residents (LGPD)

If you are a resident of Brazil, you have rights under the Lei Geral de Proteção de Dados including confirmation of processing, access, correction, anonymisation, portability, deletion, and information about shared data.

10.3 South Africa Residents (POPIA)

If you are a resident of South Africa, you have rights under the Protection of Personal Information Act including the right to access, correct, and delete your personal information, and to object to processing.

10.4 Australian Residents (APPs)

If you are an Australian resident, we comply with the Australian Privacy Principles under the Privacy Act 1988, including transparency, anonymity, data quality, and cross-border disclosure requirements.

11. DATA SECURITY

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS/SSL) and at rest.
  • Access controls and authentication for all systems.
  • Regular security reviews of our infrastructure and processors.
  • Secure deletion procedures for data past its retention period.

12. DATA BREACH NOTIFICATION

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the ICO within 72 hours of becoming aware of the breach.
  • Notify affected individuals without undue delay where the breach is likely to result in high risk.
  • Document all breaches and remedial actions taken.

13. CHILDREN'S PRIVACY

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

14. CHANGES TO THIS POLICY

We may update this policy from time to time to reflect changes in our practices or legal requirements. The "Last Updated" date at the top of this page indicates the latest revision. Material changes will be communicated via email to active clients.

15. COMPLAINTS & SUPERVISORY AUTHORITY

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with:

  • UK: Information Commissioner's Office (ICO) — ico.org.uk
  • EU: Your local Data Protection Authority.
  • California: Office of the Attorney General.
  • Brazil: Autoridade Nacional de Proteção de Dados (ANPD).
  • South Africa: Information Regulator.

16. CONTACT

For any privacy-related questions, data requests, or concerns:

Email: [email protected]
Subject Line: "Data Protection Request"