Privacy Policy
At CDM Marketing Ltd, we are committed to safeguarding and preserving the privacy of our visitors. This Privacy Policy outlines how we collect, use, and protect your personal data in compliance with the UK General Data Protection Regulation (GDPR).
1. Who We Are
CDM Marketing Ltd is a digital marketing agency based in Essex, UK. We are the data controller responsible for processing your personal information. For any data protection queries, you can contact us at:
Company Name: CDM Marketing Ltd
Company Number: 14010841
Registered in: England and Wales
Registered Office: 34 Clarence St, Southend-on-Sea, SS1 1BD, UK
Email: Contact us
Address: 34 Clarence St, Southend-on-Sea, SS1 1BD, UK
2. What Information We Collect
- Personal Identification Information: Such as your name, email, phone number, and company name.
- Technical Data: This includes IP address, browser type, time zone settings, operating system, and platform.
- Usage Data: Information on how you use our website, products, and services, including page interaction data.
- Marketing and Communication Data: Your preferences in receiving marketing communications from us and your communication preferences.
- Transactional Email Data: Delivery and open status of transactional emails we send you (such as invoices, quotes, and receipts), used to confirm important documents have reached you. This data is automatically deleted after 12 months.
3. How We Collect Your Information
- Information you provide directly via contact forms, emails, or phone calls.
- Information collected automatically through cookies and server logs.
- Third-party services like Google Analytics, Microsoft Clarity, and Meta (Facebook) Pixel for analytics and marketing (only with your consent).
4. How We Use Your Information
- To respond to enquiries and provide our services.
- To improve our website and services through analysis of user data.
- To send marketing communications where consent has been provided.
- To comply with legal obligations and protect our legal rights.
5. Legal Basis for Processing Personal Data
We process your personal data based on the following legal grounds:
- Consent: When you provide consent for us to process your data for marketing purposes.
- Contractual Obligation: To fulfil a contract or provide services requested by you.
- Legal Obligation: Where we are legally required to process your data.
- Legitimate Interest: For activities necessary for the operation of our business, provided that these interests do not override your rights.
6. Cookies and Tracking Technologies
We use cookies and similar technologies to understand how you use our website and to improve your experience. Non-essential cookies (such as analytics and marketing cookies) are only placed on your device with your prior consent, in accordance with the Privacy and Electronic Communications Regulations (PECR). For full details of the cookies we use, please see our Cookie Policy.
7. Data Sharing and Disclosure
We do not sell your personal data. We may share your data with the following categories of recipients, only where necessary and with appropriate safeguards:
- Service providers: Third-party companies that help us deliver our services, such as hosting providers (Vercel), email services (Resend), and AI tools (OpenAI) for report generation. These providers process data on our behalf under data processing agreements.
- Analytics and advertising partners: Where you have given consent, we share data with Google (Analytics), Microsoft (Clarity), and Meta (Facebook Pixel) for website analytics and targeted advertising.
- Professional advisers: Our accountants, lawyers, or auditors where necessary for business administration or legal compliance.
- Legal and regulatory authorities: Where we are required to do so by law, court order, or regulatory obligation (e.g., HMRC for tax purposes).
8. International Data Transfers
Some of our service providers (such as Vercel, Google, OpenAI, and Meta) are based in or process data in the United States and other countries outside the UK. Where such transfers occur, we ensure that appropriate safeguards are in place, including:
- Transfers to countries that the UK government has recognised as providing an adequate level of data protection (adequacy regulations).
- The UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable.
- Binding corporate rules or other approved transfer mechanisms where applicable.
You can contact us for more information about the specific safeguards applied to your data.
9. Your Data Protection Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right to Access: You can request access to the personal data we hold about you.
- Right to Rectification: You can request corrections to your personal data.
- Right to Erasure: You can request the deletion of your personal data.
- Right to Restrict Processing: You can ask us to limit the processing of your personal data in certain circumstances.
- Right to Object: You can object to our processing of your personal data.
- Right to Data Portability: You can request your personal data in a structured, machine-readable format.
- Right to Withdraw Consent: Where we rely on consent to process your data, you may withdraw that consent at any time. This does not affect the lawfulness of processing carried out before consent was withdrawn. You can withdraw cookie consent at any time using the “Cookie Settings” link in our website footer.
To exercise any of these rights, contact us. We will respond within one month of receiving your request.
10. Right to Complain
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:
Information Commissioner's Office
Website: ico.org.uk/make-a-complaint
Telephone: 0303 123 1113
We would appreciate the opportunity to address your concern before you contact the ICO, so please reach out to us first.
11. Data Retention
We retain your data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Specifically:
- Contact form submissions: Retained for up to 24 months from last contact, unless you become a client.
- Client data: Retained for the duration of our engagement and for up to 6 years afterwards to comply with tax and legal obligations.
- Transactional email data: Delivery and open status is retained for up to 12 months.
- Cookie consent preferences: Retained for 12 months.
- Analytics data: Processed by Google Analytics and Microsoft Clarity in accordance with their own retention policies.
12. Automated Decision-Making
We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significantly affects you.
13. Client Hub & Reporting (Client Portal)
If you become a client, we may provide access to a secure Client Hub (portal) to manage onboarding, invoices, quotes, and monthly reporting. Where you choose to connect analytics accounts (e.g. Google Analytics 4 or Google Search Console), we use that access to generate reports for you.
- Purpose: To provide monthly performance reports, explain results clearly, and recommend improvements.
- Data minimisation: We aim to use aggregated metrics and the minimum data required to produce accurate reporting.
- Access controls: Reports are visible only to authorised users in the portal; drafts may be visible only to CDM Marketing staff until approved.
- Automated reporting: Some reports may be generated on a schedule. We review and approve reports before sending them to clients.
14. Sub-processors and Service Providers
We use trusted service providers (“processors” / “sub-processors”) to operate the Client Hub and deliver reporting. These providers may process personal data on our instructions. We review providers for security and compliance and put appropriate safeguards in place where required.
- Google (GA4 / Search Console): Used to access analytics data when a client connects their accounts for reporting.
- OpenAI: Used to help generate draft report summaries and recommendations based on reporting data (where enabled). We aim to avoid sending unnecessary personal data.
- Resend: Used to send transactional emails (e.g. invoices, quotes, receipts, and report availability notifications). We track whether transactional emails have been delivered and opened to ensure important financial documents reach you. Delivery data is retained for up to 12 months and is included in any data export request. We do not track link clicks within transactional emails.
- Hosting / infrastructure: Used to host and run the Client Hub and store data securely.
15. Data Security
We implement appropriate security measures to protect your data. However, no system is entirely secure, and we cannot guarantee absolute security.
16. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. Any changes will be posted on this page with an updated “Last Updated” date. Where changes are significant, we will take reasonable steps to notify you (for example, by displaying a notice on our website or, where applicable, by email).
Last Updated: 24/03/2026
17. Contact Us
If you have any questions, please contact us.
