Privacy Policy

RHBG Limited T/A Paper Kite Media customer privacy notice.

This privacy notice tells you what to expect us to do with your personal information.

Welcome to Paper Kite Media's Privacy Policy

1.1   RHBG Limited (“us”, “we”, or “our”) operates the paperkitemedia.co.uk website and our remarketing operations.

We respect your privacy and are committed to protecting your data. This purpose of this notice is to inform you about our policies regarding the collection, use, and disclosure of personal data when you use our Service (regardless from where you visit it), or provided by you in some other manner, or collected by us separately in the course of our dealings with you and /or your company. The notice also explains the choices you have associated with that data.

It is important that you read this privacy policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware.   

This privacy notice tells you what to expect us to do with your personal information.

· Contact details

· What information we collect, use, and why

· Lawful bases and data protection rights

· Where we get personal information from

· How long we keep information

· Who we share information with

· Sharing information outside the UK

· How to complain

Contact Details:

Postal address: 124 City Road, London, United Kingdom, EC1V 2NX

Email: hello@paperkitemedia.co.uk

We are registered at the ICO: https://ico.org.uk/ESDWebPages/Entry/ZB740970

What information we collect, use, and why:

We collect or use the following information to provide services and goods, including delivery:

· Names and contact details

· Addresses

· Payment details (including card or bank information for transfers and direct debits)

· Account information

· Website user information (including user journeys and cookie tracking)

· Photographs or video recordings

· Call recordings

· Records of meetings and decisions

· Information relating to compliments or complaints

We collect or use the following information for the operation of customer accounts and guarantees:

· Names and contact details

· Addresses

· Payment details (including card or bank information for transfers and direct debits)

· Purchase history

· Account information, including registration details

· Information used for security purposes

· Marketing preferences

We collect or use the following information for service updates or marketing purposes:

· Names and contact details

· Addresses

· Marketing preferences

· Location data

· Purchase or viewing history

· IP addresses

· Website and app user journey information

· Records of consent, where appropriate

We collect or use the following information to comply with legal requirements:

· Name

· Contact information

· Financial transaction information

· Criminal offence data (including Disclosure Barring Service (DBS), Access NI or Disclosure Scotland checks)

· Any other personal information required to comply with legal obligations

· Safeguarding information

We collect or use the following information for recruitment purposes:

· Contact details (eg name, address, telephone number or personal email address)

· Date of birth

· National Insurance number

· Copies of passports or other photo ID

· Employment history (eg job application, employment references or secondary employment)

· Education history (eg qualifications)

· Right to work information

We collect or use the following personal information for dealing with queries, complaints or claims:

· Names and contact details

· Address

· Payment details

· Account information

· Purchase or service history

· Customer or client accounts and records

· Correspondence

Lawful bases and data protection rights: 

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website. Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

· Your right of access- You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. Read more about the right of access.

· Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.

· Your right to erasure - You have the right to ask us to delete your personal information. Read more about the right to erasure.

· Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.

· Your right to object to processing - You have the right to object to the processing of your personal data. Read more about the right to object to processing.

· Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.

· Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for the collection and use of your data

Our lawful bases for collecting or using personal information to provide services and goods are:

· Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

· Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

· Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

· Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. 

Our legitimate interests are:

o We process personal information to deliver coaching services, workshops, and content creation support to our clients. This includes managing bookings, communicating with clients, producing social media content, and tailoring services to individual needs. Our legitimate interest is to operate and grow our business by providing high-quality, personalised services that our clients reasonably expect. The processing is necessary to fulfil these services efficiently and securely, and we ensure that it does not override the rights or freedoms of individuals. 

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for the operation of customer accounts and guarantees are:

· Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

· Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

· Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

· Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. 

Our legitimate interests are:

o We process personal information to manage customer accounts, provide service guarantees, and ensure accurate and secure account operations. This includes maintaining up-to-date contact details, tracking service usage, and verifying eligibility for guarantees or entitlements. Our legitimate interest lies in delivering a reliable and personalised service experience, ensuring customers receive the benefits they are entitled to, and protecting our business from misuse or fraud. This processing is necessary to operate efficiently, reduce administrative errors, and maintain customer trust. We have assessed that the impact on individuals is minimal, as the data used is limited to what is necessary, handled securely, and used in ways customers would reasonably expect. We do not use the data in ways that are intrusive or unfair, and we have implemented safeguards to protect individuals’ rights and freedoms.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for service updates or marketing purposes are:

· Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

· Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

· Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

· Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. 

Our legitimate interests are:

o We process personal information to send service updates, relevant content, and marketing communications to our clients and contacts. This includes information about new coaching offerings, upcoming workshops, content clinics, and resources that may be of professional interest. Our legitimate interest is to grow our business by keeping our clients informed and engaged, and to provide value through timely, relevant updates that support their professional development. This processing is necessary to maintain strong client relationships and ensure individuals are aware of opportunities aligned with their interests. We have assessed that the impact on individuals is limited, as we only use contact details provided by the individuals themselves, offer clear opt-out options in every corporate communication, and avoid excessive or intrusive messaging. We do not share personal data with third parties for their own marketing purposes, and we respect individuals’ preferences at all times.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for legal requirements are:

· Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

· Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

· Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

· Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. 

Our legitimate interests are:

o We process personal information to meet our legal and regulatory obligations, such as maintaining accurate financial records, responding to lawful requests from authorities, and complying with employment, tax, and consumer protection laws. Our legitimate interest is to operate responsibly and lawfully, ensuring that we fulfil our duties under UK legislation and avoid penalties or legal disputes. This processing is necessary to demonstrate accountability, maintain trust with clients and stakeholders, and uphold the integrity of our business operations. The benefits of this processing include legal compliance, operational transparency, and protection of both our organisation and individuals from potential harm or liability. The data used is limited to what is strictly necessary, handled securely, and processed in ways individuals would reasonably expect. We do not use this data for unrelated or intrusive purposes, and we have safeguards in place to protect individuals’ rights and freedoms.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for recruitment purposes are:

· Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

· Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

· Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

· Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. 

Our legitimate interests are:

o We process personal information to manage recruitment activities, including assessing applications, communicating with candidates, and making informed hiring decisions. This may include reviewing CVs, conducting interviews, and verifying qualifications or references. Our legitimate interest is to identify and engage suitable candidates to support the growth and success of our business. This processing is necessary to ensure we recruit individuals with the right skills and experience, maintain a fair and efficient recruitment process, and comply with employment best practices. The benefits of this processing include improved hiring outcomes, reduced recruitment costs, and a better candidate experience. We limit the data collected to what is relevant and necessary, and we handle it securely and respectfully. We have assessed that the impact on individuals is proportionate and expected, as candidates voluntarily provide their information for the purpose of seeking employment. We do not use this data for unrelated purposes, and we offer transparency and the opportunity to exercise data rights throughout the process. 

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:

· Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

· Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

· Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

· Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. 

Our legitimate interests are:

o We process personal information to respond to queries, investigate complaints, and manage claims related to our services. This includes reviewing correspondence, accessing relevant records, and communicating with individuals to resolve issues fairly and efficiently. Our legitimate interest is to maintain high standards of service, protect our business reputation, and ensure accountability in our operations. This processing is necessary to understand and address concerns, prevent recurrence of issues, and improve our services. The benefits of this processing include timely resolution of problems, enhanced customer satisfaction, and reduced legal or reputational risk. We only use data that is relevant to the issue raised, and we handle it securely and confidentially. We have assessed that the impact on individuals is proportionate and expected, as people contacting us for support or complaints reasonably anticipate that their information will be used to address their concerns. We do not use this data for unrelated purposes, and we offer transparency and support throughout the process.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Where we get personal information from:

· Directly from you

· Video recordings (with consent)

· Debt collection agencies

· Legal and judicial sector organisations

· Publicly available sources

· Previous employers

· Third parties:

· We may receive personal information from third parties such as professional contacts, clients, or members of our network who introduce or refer individuals to our services. This typically includes basic contact details and relevant context to facilitate an introduction or assess interest in our offerings. We ensure that any personal data shared in this way is handled lawfully, respectfully, and in accordance with data protection principles. Individuals are informed of the referral and given the opportunity to exercise their data rights.

How long we keep information: 

• Client Data 
  • Examples: Contact details, service records, session notes, social media content
  • Retention period: We retain personal data only for as long as necessary to fulfil the original purpose for which it was collected. However, where there is a legitimate reason to retain data for longer, such as legal, regulatory, or contractual obligations, we may retain it for up to six years.
  • Examples of extended retention include:
  • Contractual records: To support potential disputes or audits.
  • Financial transactions: For compliance with tax and accounting regulations.
  • Employment-related data: To meet obligations under employment law.
  • Client communications: To maintain continuity and context in long-term engagements. After the relevant retention period, data is securely deleted or anonymised in accordance with our data protection policies.
  • Secure deletion or anonymisation
• Marketing Data 
  • Examples: Mailing list contacts, engagement history
  • Retention period: 2 years from last interaction or opt-out
  • Secure deletion: Deletion or suppression from marketing systems
• Financial Records 
  • Examples: Invoices, payment records, expense receipts
  • Retention period: 6 years from end of financial year
  • Secure deletion: Secure deletion (in line with HMRC requirements)
• Recruitment Data
  • Examples: CVs, interview notes, candidate correspondence
  • Retention period: 12 months from end of recruitment process
  • Secure deletion: Deletion unless consent obtained for future roles
• Complaints / Queries
  • Examples: Correspondence, investigation notes, resolution records
  • Retention period: 3 years from resolution
  • Secure deletion: Secure deletion or anonymisation

For more information on how long we store your personal information or the criteria we use to determine this please contact us using the details provided above.

Who we share information with: 

· Organisations we need to share information with for safeguarding reasons

· Professional or legal advisors

· Financial or fraud investigation authorities

· Relevant regulatory authorities

· External auditors or inspectors

· Warranty and guarantee providers

· Professional consultants

· Organisations we’re legally obliged to share personal information with

· Publicly on our website, social media or other marketing and information media

· Previous employers

· Suppliers and service providers

· Other relevant third parties:

o We may share personal information with trusted third-party service providers who support the delivery and operation of our services. 

These include: 

• CRM systems and IT\/Finance infrastructure providers – to manage client relationships, communications, and business operations.,
• Email logistics and automation platforms – to send service updates, marketing communications, and event information., Legal support providers – for professional advice and compliance purposes., 
• Presentation and content creation tools – used during workshops, coaching sessions, and client engagements., 
• Video recording and social media analytics platforms – to create and analyse content for client and promotional use. (written, design, photography and video)., 
• Website development partners – who may require access (e.g. FTP credentials) to maintain or update client websites securely., 

All third parties are required to handle personal data in accordance with UK GDPR and data protection standards.

Sharing information outside UK

Where necessary, we will transfer personal information outside of the UK. When doing so, we comply with the UK GDPR, making sure appropriate safeguards are in place.

For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.

Organisation name: Riverside.fm

Category of recipient: Content creation and recording platform / data processor

Country the personal information is sent to: United States, Israel, and other global locations

How the transfer complies with UK data protection law:
Riverside.fm is certified under the EU-U.S. Data Privacy Framework (DPF) and has opted into the UK Extension (UK-U.S. Data Bridge), which provides an adequacy decision for transfers to the United States. Israel is also recognised by the UK as providing adequate protection under UK GDPR. Therefore, transfers to both countries are covered by UK adequacy regulations. While privacy laws may vary between jurisdictions, Riverside, its affiliates and Service Providers are each committed to protecting personal data in accordance with their Privacy Policy and customary industry standards, and such appropriate lawful mechanisms and contractual terms requiring adequate data protection, regardless of any lesser legal requirements that may apply in the jurisdiction to which such data is transferred.

Organisation name: Microsoft Corporation

Category of recipient: Cloud service provider / data processor

Country the personal information is sent to: United States and other global locations

How the transfer complies with UK data protection law:
Microsoft uses Standard Contractual Clauses (SCCs) and technical safeguards for transfers outside the UK and EU. They also offer Customer Lockbox and EU Data Boundary services for additional control 

Organisation name: Canva Pty Ltd

Category of recipient: Design and content creation platform / data processor

Country the personal information is sent to: Australia, United States, Philippines, New Zealand, Singapore, UK, EU and other global locations.

How the transfer complies with UK data protection law:
Canva relies on EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA), along with intra-group agreements and transfer impact assessments. Canva’s U.S. subsidiary adheres to compliance with the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework. 

Organisation name: HubSpot Inc.

Category of recipient: CRM and marketing automation platform / data processor

Country the personal information is sent to: United States

How the transfer complies with UK data protection law:
HubSpot uses EU Standard Contractual Clauses (SCCs) and has updated its Data Processing Agreement (DPA) to include the latest SCCs. They also maintain supplementary contractual measures 

Organisation name: Pitch Software GmbH

Category of recipient: Presentation software provider / data processor

Country the personal information is sent to: Ireland (EU)

How the transfer complies with UK data protection law:
Data is hosted in the EU (Ireland) via AWS. Transfers to other countries (if any) are covered by Standard Contractual Clauses (SCCs) and Data Processing Agreements 

Organisation name: Xero Limited

Category of recipient: Accounting software provider / data processor

Country the personal information is sent to: New Zealand, United States, Australia

How the transfer complies with UK data protection law:
Xero relies on EU Standard Contractual Clauses (SCCs) for transfers to the US and Australia. New Zealand is covered by a UK adequacy decision

Organisation name: Google LLC

Category of recipient: Cloud infrastructure, analytics, and productivity platform / data processor

Country the personal information is sent to: United States and other global locations

How the transfer complies with UK data protection law:
Google is certified under the EU-U.S. Data Privacy Framework (DPF) and has opted into the UK Extension (UK-U.S. Data Bridge), which provides an adequacy decision for transfers to the United States. For other countries not covered by adequacy decisions, Google relies on Standard Contractual Clauses (SCCs) approved by the UK and EU regulators.

In addition to the named third-party service providers, we may engage other trusted organisations to support the delivery of our services. These may include providers of cloud infrastructure, analytics, communications, scheduling, and productivity tools.

We ensure that all third parties meet our data protection standards and comply with UK GDPR. Where personal data is transferred internationally, we rely on appropriate safeguards such as adequacy decisions, Standard Contractual Clauses (SCCs), or the UK International Data Transfer Agreement (IDTA).

Links To Other Sites

Our Service may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party’s site. We strongly advise you to review the privacy notice or policy of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.
 

Changes To This Privacy Notice

We may update our Policies from time to time and reserve the right to do so. You are advised to review this privacy notice periodically for any changes.

Security Of Data

The security of your data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security. In the event of a suspected or actual data breach, we will notify you, any applicable regulator where we are legally required to do so.
 

Making a Complaint In the UK

We would appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance. Otherwise, if you are unhappy about our use of your Information, you are also entitled to lodge a complaint with the UK Information Commissioner’s Office using any of the below contact methods:

Address: 

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint
 

Last updated

27 August 2025