Privacy Policy

1. Introduction

This Privacy Notice describes how we manage personal data when you visit our website.

We believe in making things easy for our clients. We know there’s nothing more off-putting than the sight of a lot of small print, so we’ve made our Privacy Notice clear, simple and easy to read.

Our privacy notice is structured by providing you with information about how we manage data relevant to all our interactions with you – for example your data protection rights, who to contact, who we share your data with

2. What’s changed?

There have been no material changes to the policy since it was last updated. We have changed the way it is presented.

3. Our promise to you

Create/Change is committed to protecting your privacy. Any processing of personal data, such as the name, email address, or computer ip data will always be carried out in line with data protection legislation.

We have implemented processes and security measures in line with industry best practice to keep your personal information safe. We will never sell your data to third parties.

We will be clear and open with you about why we collect your personal information and how we use it.

4 Who is in control of your information?

We never lose sight of the fact that it is your personal information and you own it and can choose who has access to it and how it is processed.

We are Create Change London, trading as Create/Change.
Registered in Cardiff, Company number 10065506. 

We are registered as ‘Data Controllers’ with the Information Commissioner’s Office (ICO).

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.  These include:

  • Right of access – to obtain from us, confirmation that personal data is held, as well as a written description personal data we have, the purpose(s) for which it is being used and where we got your data
  • Right to rectification – request corrections of personal data we hold which is inaccurate ie incorrect or misleading 
  • Right to erasure – request deletion of data where: 
  1. your data is no longer necessary for the purpose which we originally collected or processed it
  2. you withdraw consent where we are holding it on the basis of consent or legitimate interest
  3. you object to us processing your data for direct marketing
  4. we have processed your data unlawfully

If there are circumstances where you do not have the right we will let you know promptly.

  • Right to restrict processing – request we stop processing associated your personal data if:
  1. there is a dispute about accuracy of data
  2. we no longer need the data, but you need us to keep it for legal claims
  3. we have processed the personal data unlawfully]
  • Right to data portability – request we provide you an electronic copy of the personal data you have provided us. This applies where:
  1. basis for holding the data is consent or for the performance of a contract
  2. we are processing the data electronically
  • Right to object to any unsolicited information sent by us eg regarding promotions or new products and services and processing for research and statistics
  • Right to ask for human intervention in automated decision making, however we have no automated decision making processes
  • Right of withdraw consent to processing personal data at any time

When you make a request

  • We will respond within a month of you making the request
  • We will not charge you for making a request unless the request is unreasonable.
  • Where we refuse to respond to a request, we will explain why we are not responding and remind you that you can complain to the ICO.

If you wish to contact us about the personal data we hold about you or have any other question about our data privacy procedures, they should email us at or send a letter to Privacy at Create/Change, Public Hall, 1 Horseguards Avenue, London, SW1A 2HU.

If you want to complain about how we are handling your data or responding to your requests you should contact the Information Commissioners Office –

5. What we do with your data?

5.1 How do we obtain personal data?

In general, you can visit this website without providing any information about yourself. If we do collect personal data through our website, we’ll be upfront about this. We’ll make it clear when we collect personal information and we’ll explain what we intend to do with it.

When you use our website, we collect information in the following ways:


We use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. This information is only processed in a way that does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.


We use a cookies widget on our website which relies on implied consent of users. We have aligned our use of cookies with the standard of consent required by data protection legislation.

This means that we are in the process of updating the widget which, by default, requires explicit opt in action by users of our website. This will apply to the non-necessary cookies. We will ensure any necessary cookies for functionality and security are marked so that they are not deleted by the tool.

5.2 What types of personal data do we collect and use?

When visiting our website without identifying yourself we collect some anonymous information including online identifiers which includes IP address.

5.3 How do we use the personal data we hold?

This information is used to help us to improve our site’s content and functionality. The legal basis we rely on to process your personal data is legitimate interests – this allows us to process personal data when its necessary for the purposes of our legitimate interests.

5.4 What processing of personal data is done?

We analyse where, on which types of devices and how our site is used, how many visitors we receive, and where they click through to the site from; and remember you in case you re-visit our site, so we will know if you have already been served with cookie banners, surveys, or (where site content is undergoing testing) which version of the content you looked at.

5.5 Who do we share personal data with?

We use third parties in running some pieces of our business and providing some of our services. We have contracts with all these organisations which ensures they protect your data in the same way we do.

5.6 How long do we keep the personal data it holds?

We would generally expect to keep data for up to two years.

5.7 Do we transfer personal data overseas?

We do not transfer personal data outside the European Economic Area.

Google Analytics  and Medium are US based organisations. Both have signed up to the Privacy Shield Framework, this commits the organisations to looking after data when they transfer EU residents data to the US and process it.

6. Children’s data

We do not provide services directly to children or proactively collect their personal information. The information in the relevant parts of this notice applies to children as well as adults.

7. Links to other websites

Where we provide links to other websites, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.

When you read our Blogs or leave comments you are visiting the Medium website[a]. Read the Medium privacy policy for more details. 

8. How is data protected?

We take confidentiality of data and security very seriously. We have implemented internal processess that restrict access to, and disclosure of, personal data within our organisation to those who need to see it. Our processes are regularly reviewed to check they are being complied with and are effective.

Where data is shared by 3rd parties they are bound by contract to do the same.

We have implemented security measures such that we have achieved the Cyber Essentials Certification.

9. Policy updates

As part of our commitment to compliance with data privacy requirements, and to reflect changes in our operating procedures, we may update the terms of this policy from time to time.

10. Contact details

If you wish to contact us about the personal data we hold about you or have any other question about our data privacy procedures, they should email us at or send a letter to Privacy at Create/Change, Public Hall, 1 Horseguards Avenue, London, SW1A 2HU.