Data Policy

1. Purpose

This Data Policy sets out how Tinmouse Animation Studio Ltd (“Tinmouse”, “we”, “our”, “us”) manages, stores, and protects data belonging to clients, employees, freelancers, and partners. We are committed to ensuring that all personal and company data is handled responsibly, securely, and in compliance with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

2. Scope

This policy applies to:

  • All Tinmouse employees, contractors, and freelancers who handle company, client, or supplier data.
  • All data created, received, or processed through Tinmouse systems, whether digital or physical.
  • Anyone engaged in work that may involve access to confidential or commercially sensitive client information must sign a Non-Disclosure Agreement (NDA) before beginning work.

3. Data Collected

Tinmouse may collect and process the following categories of data:

  • Client and business contact details: names, job titles, email addresses, phone numbers, company addresses.
  • Project-related data: scripts, artwork, creative assets, and communications.
  • Freelancer data: names, contact details, payment information, and portfolio links.
  • Operational data: usage of digital tools, time tracking, and communications.
  • Employee data (if applicable): payroll details, emergency contacts, and HR records.

4. Data Storage and Security

We use secure, cloud-based platforms for data storage and collaboration. Our current systems include:

  • Google Workspace (Drive, Docs, Gmail) – for communication and file storage.
  • CrashPlan – for secure backup and recovery.
  • ChatGPT and related AI tools – for internal ideation and document drafting (non sensitive data only).
  • Password-protected devices – all laptops and work stations.
    • Security measures include:
    • Restricted access: only authorised personnel can access relevant project folders. - Encrypted backups and secure passwords.
    • Regular review of user access and permissions.
    • Automatic updates and security patches.

5. Data Retention and Deletion

  • Project files (non-sensitive) are retained indefinitely on our secure Google Drive for client access and retention.
  • Sensitive client data is retained for up to 5 years after project completion, unless otherwise required by contract or law.
  • Freelancer and supplier data is retained for 3 years after the last engagement.
  • Financial records are kept for 7 years to meet accounting requirements.
  • At the end of retention periods, data is securely deleted or anonymised.

6. Data Sharing

We only share data where necessary for business purposes, such as:

  • With freelancers or partners directly involved in a project, all of whom are required to sign NDAs for sensitive work.
  • With service providers (e.g. accountants, cloud storage providers) under data processing agreements.
  • We do not sell or trade data to third parties.

7. Confidentiality and NDAs

All employees, contractors, and freelancers must:

  • Sign a Non-Disclosure Agreement (NDA) before accessing or handling client materials, proprietary data, or commercially sensitive information.
  • Maintain strict confidentiality regarding client projects, pricing, and internal operations.
  • Avoid discussing or sharing project information with unauthorised individuals, both during and after the engagement.

Any breach of confidentiality may result in termination of contract and potential legal action.

8. Data Breach Procedure

If a data breach is suspected or confirmed:

  1. Notify the company owner immediately.
  2. Assess the scope and impact within 24 hours.
  3. Contain and mitigate the breach (e.g. revoke access, secure systems).
  4. If necessary, report the breach to the Information Commissioner’s Office (ICO) within 72 hours.
  5. Inform affected individuals if their data may be at risk.

9. Individual Responsibilities

All Tinmouse employees and freelancers must:

  • Keep passwords secure and confidential.
  • Avoid sharing client or project data via unsecured channels.
  • Report any suspected data breaches or suspicious activity immediately.
  • Only use company-approved systems for storing and transferring files.

10. Data Subject Rights

Individuals have the right to:

  • Access, correct, or delete their personal data.
  • Withdraw consent for processing.
  • Request data portability or object to processing.

All requests should be directed to: tom@tinmouseanimation.com

11. Policy Review

This policy will be reviewed annually or when there are significant changes in legislation or company operations.