Privacy Policy

How we handle and protect your information.

Suba Creative Ltd
Effective date: 9 May 2026
Last updated: 9 May 2026
Version: 1.0

About this policy

This Privacy Policy explains how Suba Creative Ltd (“Suba”, “we”, “us”, “our”) collects, uses, shares and protects personal data when you:

- visit www.subacreative.com or any subdomain operated by us (the “Website”);
- use the Suba Portal at app.subacreative.com (or any successor URL) as a client, a designer, a member of the Suba team, or an authorised guest (the “Portal”);
- engage Suba for creative services, request a proposal, or speak with our team;
- receive marketing or prospecting communications from us, including emails sent through our outbound programme;
- attend events, webinars or calls hosted or co-hosted by Suba;
- apply for a role with Suba.

Together the Website, the Portal and our services are referred to in this policy as the “Services”.

We are committed to protecting your personal data and respecting your privacy. This policy is written in plain English and follows guidance from the UK Information Commissioner’s Office (ICO). It describes our practices under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and — where applicable — the EU GDPR and US state privacy laws. If you do not agree with anything in this policy, please stop using the Services.

Who we are

Suba Creative Ltd is the controller of personal data processed under this policy.

- Legal entity: Suba Creative Ltd
- Trading as: Suba Creative (“Suba”)
- Company number: 16879473 (registered in England & Wales)
- Registered office: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
- ICO registration: Pending — reference will be added once issued
- Privacy contact: privacy@subacreative.com
- General contact: hello@subacreative.com
- Security incidents: security@subacreative.com

Where we process personal data on behalf of a client (for example, end-user data inside files or briefs the client provides), we act as a processor and the client is the controller. In that case, the client’s own privacy notice governs the processing and you should contact them directly to exercise your rights. We will help our clients respond to such requests as required by our service agreement.

Definitions

- Personal data — any information that identifies you or could be used to identify you, directly or indirectly.
- Processing — anything we do with personal data: collecting, storing, using, sharing, deleting, etc.
- Controller — the organisation that decides why and how personal data is processed.
- Processor — an organisation that processes personal data on the controller’s instructions.
- Subprocessor — a third-party service we use to deliver the Services (e.g. our hosting provider).

Information Sharing

- Never sold to third parties
- Shared only with authorized project partners
- Legal requirements when applicable
- Client approval required for case studies

The personal data we collect

We collect different categories of personal data depending on how you interact with us.

Website visitors

- IP address, approximate location (country/city), device type, browser, operating system, referring URL, pages viewed, and time spent.
- Information you submit through forms (e.g. name, email, company, message, phone number).
- Cookie identifiers and analytics data — see Section 9.

Clients and Portal users

When you sign up to the Portal or engage Suba for services, we collect:

- Account data — name, email, password (hashed), profile photo, role, company, time zone, language preference.
- Authentication data — session tokens, multi-factor authentication state, passkey credentials (WebAuthn public keys; we never see your biometrics or device PIN), TOTP secrets (encrypted), one-time login codes, sign-in history (timestamps, IP, device).
- Billing data — billing contact, billing address, VAT number, plan and tier selected, invoice history, payment method metadata (last four digits, card brand, expiry — full card details are handled by Stripe and never reach our servers).
- Brief & project content — anything you upload or submit to the Portal: creative briefs, brand guidelines, logos, fonts, photography, copy, links to source material, mood boards, references, comments, annotations, revision notes, file versions, project status updates and chat messages.
- Communications content — messages, threads and notifications you exchange with the Suba team or with assigned designers within the Portal, plus emails you send to or receive from us.
- Integration data — when you connect Google Drive, Dropbox, Figma, Canva, Adobe Creative Cloud, Slack or other third-party services to your Portal account, we store OAuth access and refresh tokens, the integration scopes you granted, and metadata about the items you choose to share with Suba (file names, folder paths, asset IDs). We only access content you explicitly select.
- Usage data — pages and features you use in the Portal, requests made, action timestamps, error logs and audit-trail events tied to your account.

Designers, contractors and Suba team members

If you provide creative work to Suba (whether as an employee, contractor, or freelancer), we collect:

- Identity and contact details (name, email, phone, address, country of residence).
- Right-to-work, identity and tax documentation where required by law.
- Bank or payout details, tax-residency status and invoices.
- Portfolio, CV and skills metadata.
- Performance metadata (projects assigned, ratings, on-time delivery rate, internal notes).
- Authentication, audit-trail and Portal usage data as described in Section 4.2.

Information about prospects

If you appear on a B2B prospect list we use for outbound outreach (for example, our Smartlead-managed campaigns):

- Business contact details — typically work name, work email, job title, company name, public LinkedIn URL.
- Engagement data — whether you opened, clicked, replied to or unsubscribed from a message.
- Source — the data broker, public source or referral that surfaced you.

We obtain prospect data from reputable B2B data providers, public sources (e.g. company websites, LinkedIn) and referrals. We do not buy or use consumer email lists.

Information from job applicants

If you apply for a role with Suba (directly, via a recruiter, or through a third-party platform):

- The information you submit (CV, cover letter, portfolio, links, work history, references).
- Information from interviews and assessments.
- Right-to-work and identity verification documents where required by law.

Event attendees

If you register for an event, webinar or workshop hosted by Suba: name, email, company, role, dietary or accessibility requirements (only when you tell us), and attendance metadata.

Sensitive (special-category) data

We do not normally collect special-category data (such as health, ethnicity, religion or biometric data). If you choose to share it (e.g. accessibility requirements at an event, or content you upload to a brief), we process it only for the purpose you provided it and rely on your explicit consent.

How we collect personal data

- Directly from you — when you fill in a form, sign up, upload content, message us, attend a call or apply for a role.
- From your use of the Services — automatically through cookies, server logs, audit logs and analytics.
- From third parties — identity / login providers (Google, Microsoft) when you choose to sign in with them; Stripe (billing) and Resend (email delivery); integration platforms you connect (e.g. Google Drive, Dropbox, Figma, Slack); public B2B data providers and public sources for prospecting; referral or partner introductions; and recruitment platforms when you apply for a role.

Why we use your personal data and our legal bases

Under UK GDPR we must have a lawful basis for processing your personal data. Below is what we do, why, and the basis we rely on.

- To provide and operate the Website and Portal. Visitor data, account data, usage data, authentication data. Lawful basis: Contract; Legitimate interests (running our business).
- To deliver creative services you’ve requested. Account data, brief & project content, communications, integration data. Lawful basis: Contract.
- To bill you and process payments. Account data, billing data. Lawful basis: Contract; Legal obligation (tax, accounting, anti-fraud).
- To authenticate you and secure the Services. Authentication data, usage data, IP, device. Lawful basis: Contract; Legitimate interests (security, fraud prevention); Legal obligation.
- To provide customer support. Account data, communications. Lawful basis: Contract; Legitimate interests.
- To send transactional emails (account, security, billing, project updates). Account data, billing data. Lawful basis: Contract; Legitimate interests.
- To send marketing emails to existing customers about similar services. Account data, marketing preferences. Lawful basis: Legitimate interests (PECR “soft opt-in”); Consent where required.
- To send B2B prospecting emails to corporate contacts. Prospect data. Lawful basis: Legitimate interests (B2B marketing under PECR). See Section 8.
- To train and improve the Services. Usage data, anonymised content. Lawful basis: Legitimate interests.
- To generate AI-assisted output (briefs, scope checks, mood boards, copy suggestions). Brief content you submit to AI features. Lawful basis: Contract; Legitimate interests. See Section 7.
- To manage designer/contractor relationships and pay them. Designer data. Lawful basis: Contract; Legal obligation.
- To recruit for open roles. Job applicant data. Lawful basis: Legitimate interests; Consent (where required).
- To comply with legal, tax, regulatory and audit requirements. Most categories. Lawful basis: Legal obligation.
- To defend, exercise or establish legal claims. Most categories. Lawful basis: Legitimate interests; Legal obligation.
- To run events and webinars. Attendee data. Lawful basis: Contract; Consent.

Where we rely on legitimate interests, we have carried out a balancing test to confirm our interests are not overridden by your rights and freedoms. You can ask us for a copy of that assessment at any time. Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out beforehand.

How we use AI

The Portal uses AI features to help you scope projects, generate mood boards, summarise threads, suggest copy and accelerate creative work. We want to be transparent about this.

- Providers we use. OpenAI, Anthropic, Google AI, and Replicate. The specific provider depends on the feature.
- What we send. Only the content needed for the feature — for example, the brief text, a few reference images, or the conversation thread you’re acting on. We do not send your full account or other clients’ data.
- No training on your data. We send AI requests through enterprise / API endpoints under contractual terms that prohibit our providers from using your inputs or outputs to train their general models.
- Provider retention. Most providers retain inputs and outputs for a short window (typically up to 30 days) for abuse monitoring, then delete them. We document the current retention behaviour of each provider in our internal subprocessor register, available to clients on request.
- Human review of AI output. You should review AI-generated content before relying on it. AI can hallucinate, misinterpret briefs or produce biased output.
- Opt out. Enterprise clients can request a configuration that disables AI features for their workspace. Email privacy@subacreative.com.

Existing customers

If you are a Suba customer, we may email you about similar services and product updates under the PECR “soft opt-in” rule. Every such email contains a one-click unsubscribe link, and you can also email privacy@subacreative.com.

B2B prospecting (cold email)

We run a B2B outbound programme to introduce Suba to corporate marketing, design and creative leaders. We rely on legitimate interests under UK GDPR and the B2B carve-out under PECR Regulation 22(2) (corporate-subscriber email). If you receive a prospecting email from us:

- Each email identifies the sender, Suba Creative Ltd, our address, and contains an unsubscribe link.
- We will stop emailing you if you reply STOP, click unsubscribe, or email privacy@subacreative.com.
- You can ask what data we hold about you, where we obtained it, and request deletion (see Section 13).
- We do not email role-based or generic mailboxes (e.g. info@, contact@) unless they have publicly invited business enquiries.
- We do not send prospecting emails to individual sole traders or non-corporate subscribers without consent.

Other channels

We may also reach out via LinkedIn or by phone to corporate contacts. The same opt-out applies — tell us once and we will suppress your details across all channels.

Cookies and similar technologies

The Website and Portal use cookies and similar technologies. We categorise them as:

- Strictly necessary — required for the Services to work (authentication, session, security, load balancing, CSRF protection). These do not require consent.
- Functional — remember your preferences (language, theme, last-viewed project).
- Analytics — measure how the Services are used, in aggregate, so we can improve them.
- Marketing — measure the effectiveness of our advertising on the Website (only).

Non-essential cookies are set only after you accept them through our cookie banner. You can change your choice at any time via the “Cookie preferences” link in the footer of the Website. A full list of cookies (name, purpose, provider, duration) is maintained in our Cookie Notice at www.subacreative.com/cookies.

Sharing with designers and contractors

To deliver creative work, we share the briefs, files and project content you upload with the specific Suba team members and external designers assigned to your project, under written confidentiality and data-protection obligations.

Professional advisers

Lawyers, accountants, auditors, insurers and similar advisers, under duties of confidentiality.

Authorities

Law enforcement, regulators, courts and government bodies where we are legally required to share data, where it’s necessary to protect our rights, or where you have asked us to.

Corporate transactions

If Suba is involved in a merger, acquisition, asset sale or financing, personal data may be transferred as part of that transaction. We will notify you and ensure protections continue to apply. We do not sell personal data, and we do not “share” personal data for cross-context behavioural advertising as defined under US state privacy laws.

International transfers

Suba is established in the United Kingdom. Some of our subprocessors are based outside the UK and EEA (notably the United States). When we transfer personal data outside the UK we use one or more of:

- transfers to countries the UK government has determined provide an adequate level of protection (e.g. EEA, the EU–US Data Privacy Framework where applicable);
- the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, with supplementary measures where required;
- transfers necessary for the performance of a contract with you, in limited circumstances.

You can request a copy of the relevant transfer mechanism by emailing privacy@subacreative.com.

How long we keep personal data

We keep personal data for only as long as necessary for the purposes set out in this policy or as required by law.

- Account data while your subscription is active — for the life of the account.
- Account data after closure — up to 24 months, then anonymised or deleted.
- Brief & project content — for the life of the account, plus 24 months post-closure for dispute resolution, then deleted on request or scheduled purge.
- Billing records and invoices — 7 years from the end of the relevant tax year (UK statutory requirement).
- Authentication logs, audit trails — 24 months.
- Support communications — 3 years from last interaction.
- Prospect data (uncontacted or unengaged) — 12 months, then deleted.
- Prospect data (after opt-out / unsubscribe) — suppression-list entry kept indefinitely so we don’t email you again.
- Job applicant data (unsuccessful) — 12 months, then deleted (with consent we may keep longer for future roles).
- Cookies — as described in our Cookie Notice (most expire within 13 months).

We may keep data longer where required to comply with legal, tax or regulatory obligations or to defend legal claims. After the retention period, we securely delete or irreversibly anonymise the data.

Your rights (UK & EU)

Under UK GDPR you have the following rights, free of charge in most cases:

- Access — get a copy of the personal data we hold about you (a “data subject access request” or DSAR).
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your data (the “right to be forgotten”) in certain circumstances.
- Restriction — ask us to pause processing while we consider an objection or correction.
- Portability — get a copy of data you provided to us in a structured, machine-readable format and ask us to send it to another controller where technically feasible.
- Object — object to processing based on legitimate interests (including direct marketing, which we will always honour immediately).
- Withdraw consent — where we rely on consent, you can withdraw it at any time.
- Automated decision-making — we do not make solely automated decisions that produce legal or similarly significant effects on you.

To exercise any right, email privacy@subacreative.com with the right you want to exercise and enough information for us to identify you. We will respond within one calendar month. We may extend this by two further months for complex or numerous requests, and we will tell you if we do. We may need to verify your identity before responding (especially for access and erasure). Where you act for someone else, we may ask for proof of authority.

Right to complain to the ICO. If you are unhappy with how we have handled your data, please contact us first so we can try to resolve it. You also have the right to complain to the UK Information Commissioner’s Office:

- Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Helpline: 0303 123 1113
- Email: casework@ico.org.uk
- Online: ico.org.uk/make-a-complaint

If you are based in the EEA, you can also complain to your local supervisory authority.

Notice to US state residents

This section applies if you are a resident of California, Colorado, Connecticut, Utah or Virginia. The terms below have the meaning given to them under the relevant state privacy law (CCPA/CPRA, CPA, CTDPA, UCPA, VCDPA).

Personal information we collect (last 12 months)

Identifiers (name, email, IP, account ID); commercial information (subscription, billing); internet/electronic activity (page views, clicks, server logs); professional/employment information (role, company); inferences drawn from the above; and — for users — content you upload to the Portal.

How we use this information

The purposes set out in Section 6 of this policy.

Disclosures for business purposes

Identifiers and commercial information to the subprocessors listed in Section 10. We disclose internet/electronic activity to our analytics and security providers.

Sale and sharing

We do not sell personal information for money, and we do not share it for cross-context behavioural advertising. If we ever change this, we will update this policy and provide a “Do Not Sell or Share My Personal Information” link.

Your rights (US state residents)

You have the right to:

- know what personal information we collect, use, disclose and (where applicable) sell or share;
- access a copy of your personal information and request portability;
- correct inaccuracies;
- delete your personal information, subject to legal exceptions;
- opt out of any “sale” or “sharing” (none currently);
- limit the use of sensitive personal information (we do not use sensitive PI to infer characteristics);
- be free from unlawful discrimination for exercising your rights.

To exercise these rights, email privacy@subacreative.com. We will verify your identity using information already on file. You may use an authorised agent, with signed written permission and verification. If we deny your request, you can appeal by replying to our response with the word “appeal”.

Notice of financial incentive

We do not currently offer financial incentives in exchange for personal information.

Security

We protect personal data using a layered set of technical and organisational measures, including:

- Encryption in transit — TLS 1.2+ on all connections to the Website and Portal.
- Encryption at rest — for our database and file storage at Supabase, plus AES-256 envelope encryption for sensitive secrets (integration tokens, TOTP secrets) using a managed encryption key.
- Authentication — passwords hashed with industry-standard algorithms; optional multi-factor authentication (TOTP, WebAuthn passkeys); short-lived sessions; rate limiting on authentication endpoints.
- Access control — role-based access, least-privilege defaults, and audit logging for sensitive actions inside the Portal.
- Vendor due diligence — written processing agreements with all subprocessors and ongoing review of their security posture.
- Backups — encrypted, region-resident backups with documented restore procedures.
- Incident response — a documented process for assessing breaches and notifying the ICO within 72 hours where required, and you without undue delay if your data is affected and there is a high risk to you.

No system is 100% secure. If you suspect your account has been compromised, contact security@subacreative.com immediately.

Children

The Services are intended for business use by adults aged 18 or over. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact privacy@subacreative.com and we will delete it.

Third-party links and content

The Website and Portal may contain links to third-party sites and services (e.g. partner integrations, designer portfolios, social media). We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy notices.

How we handle job applications

If you apply for a role at Suba:

- We process your application data on the basis of legitimate interests (assessing your suitability) and, where you actively submit a portfolio or CV, your request to take steps prior to entering a contract.
- We share your application only with the hiring panel and (where applicable) recruitment partners.
- We delete unsuccessful application data after 12 months unless you ask us to keep it for future roles.
- If you join Suba, your data will be transferred to our HR records under a separate employee privacy notice.

Changes to this policy

We may update this policy from time to time. When we do:

- Material changes — we will notify you by email or through the Portal at least 30 days before they take effect.
- Non-material changes — we will update the “Last updated” date above.

Older versions of this policy are available on request from privacy@subacreative.com.

How to contact us

- Privacy questions, DSARs, complaints: privacy@subacreative.com
- Security incidents, suspected account compromise: security@subacreative.com
- General enquiries: hello@subacreative.com
- Postal: Suba Creative Ltd, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

You can also complain to the UK Information Commissioner’s Office: ico.org.uk/make-a-complaint · 0303 123 1113 · casework@ico.org.uk.

Suba Creative Ltd is registered in England & Wales, company number 16879473.