GDPR and Privacy Overview

The following page outlines the Market Avenue Limited (MAL) policy in compliance with the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR).

The policy ensures good practice in data handling and the protection of business and personal information. Data is processed fairly and lawfully and covers the implications for staff, clients and suppliers.

Under GDPR personal data is defined as information that can be used to identify someone, directly or indirectly. This includes IP address, cookies, location data, name, and email address.

MAL is considered to be ‘controllers’ and ‘processors’ of data:

  • A controller determines the purposes and means of processing personal data
  • A processor is responsible for processing personal data on behalf of a controller

Personal Data


What information we hold about you

We store contact data on our business operating systems (CRM) such as name, email address, telephone number, company address, website and social media profiles (if applicable).


How we hold data

Stored information is electronic only and is maintained within a secure and encrypted online storage facility and a GDPR compliant cloud-based project management system.

Sensitive information such as website and social media profile logins are securely saved on a two-level password protected document within a secure access-only online storage facility.

If you alter your data after providing it to us, please inform us. From time to time, we may contact you to check the information is correct.

All data is retained for as long as you use our services. We may retain some data after you have ceased using our services to comply with legal obligations (including law enforcement requests), to meet regulatory requirements, maintain security, prevent fraud and abuse, resolve disputes, enforce our business terms, offer new features you may be interested in. If none of these obligations apply, personal data will be deleted within 24 months of our contract end.

How we use data – its purpose

The lawful basis for processing client data is for ‘Contract’ purposes and thereby necessary. Data is used to ensure that we are efficient in our working practices and online platforms we use to deliver services.

Existing clients are contacted by their preferred/accepted means of communication (aside from face to face meetings) such as email, telephone call, text message or an instant chat platform. Communication is to keep you informed of project related developments and news of services that may suit your business.

The lawful basis for processing non-client data is also ‘Consent’ because the individual has given clear consent for us to process their personal data for a specific purpose. Our data is added to a CRM system that confirms where and when the data was added.

Consent is always voluntary, specific and informed, and unambiguous.


How we collect data

 Client data is provided at the time a contract commences. Data held that does not pertain to existing clients will have been freely submitted via one of our social media channels, through a double opt-in email, or from a face to face business event.

We may have been passed personal data such as a name or telephone number from a mutual contact if the person felt there was a legitimate interest or reason for us to discuss business. Any such information will not be held on our business file unless a ‘contract’ is issued or ‘consent’ given.

We do not collect the data of anyone under the age of 16 years. If work requires the usage of personal data, such as photographs of children, the client will need to provide proof of consent to use.

Please see our full Privacy Policy that includes our Website and Cookies Terms here.

Please read our standard client Terms and Conditions here.


Your rights

Consent to receive information can be withdrawn at any time via email preferences or by contacting us here. All information will be removed from our systems in accordance to our debrief process.

You have the right to access the data we hold for you and to request its deletion, rectification, restriction and portability.

Any access requests will be fulfilled within 30 days. MAL has the right to refuse access with full written details as to why within 30-days. You have the right to complain against such a refusal.


Market Avenue Limited Processes

Every client will undergo an onboarding process in order for us to gather sufficient information to conduct services professionally and effectively.

Should a project come to an end, a debrief process is followed to remove data from our daily storage facility and project management boards.

Project work and data will be stored on an external backup hard drive for up to ten years. Personal data will be kept on file, in accordance to any ‘contract’ or ‘consent’ implications for up to five years. During this period, you can still request all data to be removed.

We use a number of third party systems to deliver client facing services and internal business processes. All data input is added by MAL personnel or clients (via an online portal if they sign up to an email list, download a PDF or make a payment to MAL). All policies have been reviewed by us before any contract has commenced. You can request a copy of the systems and their respective privacy policies by contacting us.

Who processes data within MAL?

Employed MAL personnel have access to all client data that is specific to the projects they work on. Personnel have been trained on the requirements of GDPR and adhere to the necessities of company cyber insurance policies.

The designated person, responsible for data protection compliance is Anna Woolliscroft, MAL owner and sole shareholder.


Who processes data outside of MAL?

MAL work with a small number of trusted external colleagues and freelancers to enhance our creative service offering. Non Disclosure Agreements are issued to all external organisations. Colleagues do not have the same access to client data as employed personnel and all work is filed, proofed and distributed by MAL employees.


Where the data is processed

We store information through a third-party provider to securely file and process information. All third party privacy policies have been consulted prior to investment.

Privacy Impact Assessment (PIA) 


Processes in place to guard against data breaches


Our website is secured and SSL certified.

All devices are password protected, encrypted and backed-up. Anti-virus, anti-spyware and firewall protection systems are installed on all computers systems with daily system checks, and required system updates are installed immediately. Equipment is insured and used on private property or during client meetings.

Client data is stored within the cloud and not on a desktop. All mobile devices have a remote wipe feature if lost or stolen.

Sensitive data is encrypted when sent via email.

MAL has the following insurance policies in place:

  • Public/products liability
  • Cyber and data risks
  • Professional liability

Cyber and data risk insurance specifically relates to good practice for data processing and IT.

MAL has a duty to report certain types of data breaches to the relevant supervisory authority within 72 hours, unless the breach is harmless and poses no risk to the individual. If a breach is concluded to be high risk, we will inform the individuals impacted.


Changes to the collection, storage and usage of data

If MAL are involved in a structural reorganisation, merger, acquisition or sale, your information may be transferred as part of that deal. We will notify you by email or formal letter of any such change and outline your choices before the event.

Our privacy policy may be revised from time to time, and an up-to-date version will always be available on our website.


Website privacy notice and use of cookies

We use cookies on our website to distinguish you from other users, provide you with a good experience and allow us to make improvements. Any data collected from website traffic is retained within Google Analytics for 38 months after which it is automatically deleted.



Should you wish to contact us over any concerns you may have about our services or policy, please email us here. We hope that you would reach out to us first, but you also have the right to contact the Information Commissioner’s Office too.

Our full details:

Market Avenue Limited

Registered business address: 319A Uttoxeter Road, Blythe Bridge, Stoke on Trent, ST11 9QA
Contact details: 01543 897121
info [at] marketavenueltd.co.uk
Company Registered No. 6820331
VAT No. GB 946795265.
Business owner: Anna Woolliscroft