Who we are
Whitelam Media (the "Studio") is the data controller for personal information collected via this site. Contact: info@whitelam.media. Address: Avenida de Manoteras, 38, Madrid, Spain.
What we collect
We collect only the data needed to do the work. Specifically:
- Contact form submissions: name, email, optional company, optional budget, optional message, IP address, user agent string. Stored in our database for as long as the relationship is active, plus 3 years.
- Newsletter subscribers: email address, source page (which page the form was on), subscription date. Stored until you unsubscribe.
- Bookings (call requests): name, email, optional company, visitor timezone, optional notes, IP, user agent. Stored for the duration of the relationship plus 3 years.
- Clients: name, email, company, phone, country, Stripe customer ID, payment history. Stored for the legal retention period (typically 6-7 years for tax records).
- Payments: the amount, currency, description, payment intent ID and your billing address are stored both with us and with Stripe. We never see or store full card numbers.
- Site analytics: if Google Analytics 4 is enabled, anonymous session data (page views, traffic source, country, device type). No personal identifiers are sent to GA4. You can opt out via your browser's Do-Not-Track setting or by blocking google-analytics.com.
Why we collect it
- To respond to enquiries and deliver the work you've commissioned.
- To send transactional emails (invoices, receipts, booking confirmations, support notifications).
- To keep tax and accounting records as required by law.
- To understand which pages on our own site get used so we can improve them (GA4, when enabled).
We do not profile you, do not sell your data, do not run retargeting ads, and do not share your information with marketing platforms.
Who processes data on our behalf
- Stripe (payment processing) — see their privacy notice.
- Resend (transactional email delivery).
- Neon (Postgres database hosting, EU region).
- Vercel (website hosting, edge network).
- Google Workspace + Google Calendar (booking integration, email correspondence).
- Sentry (error monitoring — when an error happens, the relevant URL and stack trace get sent; we don't configure Sentry to capture form contents).
Each of these is a sub-processor bound by their own terms and our written data-processing terms with them where applicable.
Cookies and similar technology
We use a single first-party session cookie (wm_session) when you sign in to the client portal at https://whitelam.media/account. The cookie is set with HttpOnly, Secure and SameSite=Lax, has a 30-day expiry, and is strictly necessary for authentication.
If GA4 is enabled, Google sets analytics cookies. These can be blocked at the browser level. We do not use marketing cookies, retargeting pixels or third-party advertising trackers.
Your rights (GDPR + UK GDPR + CCPA)
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Have your data deleted (subject to legal retention requirements for tax records).
- Restrict or object to processing.
- Receive your data in a portable format.
- Withdraw consent at any time (e.g. unsubscribe from the newsletter).
- Lodge a complaint with your supervisory authority. For EU residents this is your national Data Protection Authority; for UK residents this is the ICO (ico.org.uk).
To exercise any of these rights, email info@whitelam.media. We respond within one calendar month.
International transfers
Our processors (Stripe, Vercel, Google, Sentry) operate globally. Where data leaves the EU/EEA, it travels under Standard Contractual Clauses or equivalent legal mechanisms required by GDPR.
Security
The site is HTTPS-only with HSTS preloaded. Card data never reaches our servers (PCI-DSS SAQ-A via Stripe Payment Element). The database is hosted on Neon's isolated infrastructure with TLS in transit. Dashboard access requires a strong password behind HTTP Basic Auth on the middleware layer. Magic-link tokens for the client portal are one-shot and expire in 30 minutes.
Changes to this policy
We may update this notice from time to time. The current version is always available at https://whitelam.media/privacy. Material changes affecting how we use existing data will be communicated by email to anyone with an active account or active engagement.
Questions
Email info@whitelam.media. We'll respond within one business day.