If you’d like to chat about anything in this policy, please reach out to:

Privacy Policy

Buff is committed to protecting your data and respecting your privacy. This privacy policy outlines how we follow data-protection principles to keep your information secure and protect your right to privacy.

What do we mean by data and why do we have it?

Well, during phone, web or face-to-face interactions we obviously receive some personal information… In doing so, we’re ‘processing data’. While there’s nothing with which we could help fix an election, this info may include, but not be limited to: your name, email address, phone number, postal address, job title, and also some of your opinions; feedback you give us, for example. We also keep information about any financial transactions you make with us.

We hold data that is relevant and business essential.

We handle data in order to carry out legitimate business transactions. This means we only use data in relation to business activities. We ask that you do not provide us with any information that we do not need and have not requested.

We keep your data for as long as it’s needed, and aim to keep it accurate / up-to-date.

We only keep your data for as long as we need to when using it as described, or for as long as we have your permission. We correct data inaccuracies at the point we discover them. We can update or remove it whenever you say.

We keep your data secure.

·  All of our electronic devices are password protected.

·  It is our policy to log-off workspaces or lock mobile devices when not in use to ensure that others cannot access personal information and correspondence.

·  We use Google Drive as cloud storage for our data and any personal information is only accessible by relevant members of the team.

·  We use the accounting software Xero to track our finances and therefore information on our clients and suppliers.

·  If you have opted-in to receive our newsletters, we use MailChimp to send them out. This email marketing tool stores personal data on our behalf. In the astonishingly unlikely event that you’d like to read their privacy policy, it’s here.


We do not share your data.

We will not pass on your data to anyone outside of our organisation, unless we have your explicit permission to do so in relation to a business need; e.g. one of our business contacts asks for a recommendation or a client requests contact details of a supplier for future work. The Company Directors – Chloe Flexman and Thomas Allen – handle the sending of invoices, receiving of payments and buying from suppliers, etc. HMRC will also have access to this information, as will our bank, our accounting software and our accountants: Barclays, Xero and Walpole Dunn respectively. They are all GDPR compliant.

Website cookies

As you probably know, cookies are small files which analyse web traffic. They often ask permission to be placed on your computer's hard drive when you visit a site. If you agree, the file is added, allowing web applications to respond to you as an individual. This means sites can tailor their operations to you. In other words, cookies let websites understand your preferences by gathering/remembering data about your actions. A cookie does not, however, give us access to your computers/devices, or any information about you other than that which you choose to share. Most web browsers automatically accept cookies, but you can usually modify your settings to decline cookies if you prefer.

Links to other websites

We may occasionally link to other sites. If you use these, please note that we have no control over any other website. We cannot be held responsible for the protection and privacy of any information which you provide while visiting such sites and they're neither covered nor governed by our policy statement. You should exercise caution and look at the privacy statements of the site or sites in question.

Obviously, there may also be circumstances in which we're legally required to share certain data. We sincerely hope that's not the case but if legal proceedings should ever require us to do so, we will comply with any legally binding request as per the requirements of legislation, court order, or a governmental authority.

Data Breaches

A loss of personal data constitutes ‘a breach’ if it results in a risk to an individual’s rights/freedoms. For example, if the loss detrimentally affects personal reputation, or causes loss of finance or confidentiality, discrimination, or significant economic or social disadvantage. In that event, we will – depending on its seriousness – either:

·  Report it internally to the directors;

·  Report directly to the individual exposed if there is a high risk to rights & freedoms;

·  Report it, within 72 hours, to the Information Commissioner's Office.

Your data rights…

You have the right to access, update, delete or request a copy of any personal data we hold on you. Just email with your request.
