Privacy Notice
Effective date: 7 January 2025
Controller: Andrew Woolterton (trading as NullProof Studio)
Brands: NullProof Studio, After-Image, and Anachrome
Location: United Kingdom
Contact: [email protected]
1. Who We Are
NullProof Studio is the trading name of Andrew Woolterton, a sole trader based in the United Kingdom.
We operate the brands NullProof Studio, After-Image, and Anachrome, combining analogue photography with AI-assisted governance systems.
This notice explains how we collect, use, and protect personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For clients and visitors in the European Economic Area, this notice also complies with the EU GDPR.
2. What Data We Collect
We collect and process limited personal data in the following contexts:
| Context | Data Types | Source |
|---|---|---|
| Commissions / Client work | Name, email, address, communication history, project files | Direct from client |
| Enquiries & Mailing lists | Name, email address, message content | Form or email submission (opt-in only) |
| Influencer / Outreach Research | Public name, business email, role, social profile link | Public web sources (websites, press pages, LinkedIn) |
| Operational systems / governance | Contributor names and emails (limited to internal use) | Internal records |
| Website visits | IP address and browser metadata (anonymised) | Cloudflare analytics |
We do not collect sensitive (special-category) data.
We do not knowingly process data relating to minors.
3. How We Use Your Data
| Purpose | Lawful Basis (UK GDPR Art. 6) |
|---|---|
| Respond to enquiries and deliver commissions | Contract / pre-contract steps |
| Maintain provenance and invoicing records | Legal obligation (HMRC record keeping) |
| Marketing and creative outreach (using public data) | Legitimate interest (business development) |
| Send optional updates or invites | Consent (opt-in only) |
| Secure our websites and infrastructure | Legitimate interest (site security and performance) |
Direct marketing: You can object at any time to direct marketing; we will stop promptly. See Section 7 for how to contact us.
4. Where and How Data Is Stored
| Platform / Provider | Role | Notes |
|---|---|---|
| Google Workspace (Drive + Gmail) | File storage & communications | 2FA enabled; 6-month retention for outreach lists |
| Notion | Governance & project docs | No sensitive client data stored |
| Cloudflare Pages / Workers | Web hosting + analytics | Privacy-first analytics only; no PII storage |
| Anthropic Claude Pro | Research & governance assistant | Training opt-out enabled |
| OpenAI ChatGPT Plus | Writing & governance assistant | No training on Plus tier |
| Google Gemini | Research / concept exploration | Used without PII input |
| Stripe / PayPal | Payment processing | Payment details handled directly by provider |
We use providers that apply industry-standard encryption in transit (TLS) and encryption at rest (provider-specific). Physical and logical access are limited to authorised users only.
We aim not to enter personal or client data into AI prompts and train contributors accordingly.
5. Data Retention
- Commission and financial records → 6 years (HMRC requirement)
- Outreach / prospect lists → deleted or anonymised after 6 months
- Enquiry emails → 12 months after last contact
- Governance records (MIR, logs) → retained for archival reference; may contain limited contributor details which are anonymised or pseudonymised where practical
6. Sharing and Disclosure
We never sell, rent, or trade personal data.
We share information only with:
- Trusted sub-processors listed above
- Accountants / tax advisers (for statutory records)
- Courier or print partners when required for delivery of physical works
All sub-processors operate under UK GDPR-compliant agreements or appropriate transfer mechanisms.
7. Your Rights
Under UK GDPR, you have the right to:
- Access — Request a copy of your data (subject access request)
- Rectification — Request correction of inaccurate data
- Erasure — Request deletion of your data (where applicable)
- Restriction — Request we limit how we process your data
- Portability — Receive your data in a portable format (where applicable)
- Object — Object to processing based on legitimate interest, including direct marketing
- Withdraw consent — Where processing is based on consent (e.g., marketing or image use)
To exercise any of these rights, email us at [email protected]. Email is the fastest way to reach us for privacy requests.
You also have the right to complain to the ICO at ico.org.uk.
8. Outreach and Public Data Processing
We sometimes process publicly available professional contact details to invite collaboration or press coverage. We only contact people in a professional capacity.
What we collect: Name, business email, role, and public profile link.
Sources: Public websites, press pages, LinkedIn, and similar professional platforms.
What we send: Invitations to collaborate, press/media inquiries, or information about our work.
Storage: Securely in Google Drive for no more than six months, removed after campaign completion.
Lawful basis: Legitimate Interest. A formal Legitimate Interest Assessment (LIA) is maintained in our governance records.
Opt-out: You can object at any time to this type of outreach. Email us at [email protected] or reply to any message with “unsubscribe” and we will remove your details promptly.
9. AI Systems and Data Handling
We use AI tools (Claude Pro, ChatGPT Plus, Gemini) for research, writing, and governance support.
- We aim not to enter personal or client data into AI prompts and train contributors accordingly
- Pro/Plus tiers are configured to disable model training on our inputs where available
- We retain human authorship and accountability for all outputs
See our AI Transparency Statement for full details.
10. Cookies and Analytics
Our websites use Cloudflare Web Analytics, which collects only aggregated technical data (no cookies or tracking IDs).
No behavioural or marketing cookies are set.
If we introduce non-essential cookies in the future, we will update this notice and request consent where required.
11. Security Measures
- Two-factor authentication on all accounts
- Industry-standard encryption in transit and at rest
- Periodic access review and audit trail retention
- Manual review of shared links and permissions each quarter
12. Data Transfers Outside the UK
Some of our service providers may process personal data outside the UK.
Where required, transfers are protected using appropriate safeguards such as the UK Addendum to the EU Standard Contractual Clauses (UK International Data Transfer Agreement), and/or the UK Extension to the EU–US Data Privacy Framework where applicable.
13. Policy Updates
This notice is reviewed annually or when new platforms are introduced.
The latest version is always available at nullproof.studio/policy/privacy-notice/.
Last updated: 7 January 2025