1. Introduction and Scope
This Privacy Policy explains how Affirmed Agency Ltd ("Affirmed", "we", "us", "our") collects, uses, stores, and protects your personal data when you visit our website (affirmed.co), use our services, or otherwise interact with us.
We serve clients and website visitors worldwide. While Affirmed Agency Ltd is a UK-based company, we recognise that our clients and website visitors may be located anywhere in the world. This Privacy Policy is designed to comply with applicable data protection laws in multiple jurisdictions, including:
- United Kingdom: UK General Data Protection Regulation ("UK GDPR"), Data Protection Act 2018, Privacy and Electronic Communications Regulations 2003 ("PECR")
- European Union: General Data Protection Regulation ("EU GDPR")
- United States: California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA), and comprehensive state privacy laws in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, New Jersey, New Hampshire, Tennessee, Minnesota, Maryland, Nebraska, Rhode Island, Indiana, and Kentucky
- Canada: Personal Information Protection and Electronic Documents Act ("PIPEDA") and Quebec's Law 25 (Act respecting the protection of personal information in the private sector)
- Australia: Privacy Act 1988 and Australian Privacy Principles ("APPs")
- Brazil: Lei Geral de Proteção de Dados ("LGPD")
- Other jurisdictions: Applicable local data protection laws where you are located
This Privacy Policy includes our Cookie Policy (Section 11). Please read it carefully.
2. Data Controller and Contact Information
2.1 Data Controller
Affirmed Agency Ltd is the data controller responsible for your personal data.
Registered Office:
Affirmed Agency Ltd
124 City Road
London, England
EC1V 2NX
United Kingdom
Email: hello@affirmed.co
Company Registration Number: 16475050 (England and Wales)
2.2 Data Protection Contact
For all privacy-related enquiries, data subject requests, or complaints:
Data Protection Contact: hello@affirmed.co
2.3 EU Representative
For individuals located in the European Economic Area, our EU Representative details are available upon request. Please contact hello@affirmed.co.
2.4 Quebec Privacy Officer
In accordance with Quebec's Law 25, our designated Privacy Officer is:
Privacy Officer: Louis, Director
Email: hello@affirmed.co
2.5 Brazil Data Protection Officer (Encarregado)
In accordance with Brazil's LGPD, our designated Data Protection Officer is:
Encarregado: The Data Protection Contact
Email: hello@affirmed.co
We communicate in English. We aim to respond to all enquiries within 5 business days.
3. Information We Collect
We collect and process the following categories of personal data:
3.1 Information You Provide Directly
- Identity Data: First name, last name, job title — collected when you contact us, submit a form, book a call, or become a client
- Contact Data: Email address, telephone number, business address — collected when you contact us, submit a form, book a call, or become a client
- Business Data: Company name, website URL, industry, business size, Google Ads account details, revenue data, profit margins, cost of goods sold — collected when you become a client or request an audit
- Booking Data: Scheduled meeting times, calendar availability, meeting notes, time zone — collected when you book a call via Cal.com
- Communication Data: Contents of emails, messages, call notes, and other correspondence — collected when you communicate with us
- Financial Data: Billing address, VAT number (payment card details are collected directly by Stripe - we do not receive or store full card numbers) — collected when you become a paying client
- Marketing Preferences: Your preferences for receiving marketing communications, communication frequency preferences — collected when you subscribe to our newsletter or update your preferences
3.2 Information Collected Automatically
- Technical Data: IP address, browser type and version, operating system, device type, screen resolution, time zone setting, language preferences — collected automatically when you visit our website
- Usage Data: Pages visited, time spent on pages, click patterns, navigation paths, referring website, exit pages — collected automatically via analytics tools (with consent)
- Behavioural Data: Mouse movements, scroll depth, clicks, form interactions, session recordings, heatmap data — collected via Microsoft Clarity (with consent)
- Cookie Data: Cookie identifiers, consent preferences, session information — collected via cookies (see Section 11)
- Location Data: Country, region, city (derived from IP address) — collected automatically via analytics tools (with consent)
3.3 Information from Third Parties
- Analytics Data: From Google Analytics 4 — aggregated website usage patterns, traffic sources, user demographics
- Advertising Data: From Google Ads — conversion data, audience insights, campaign performance
- Payment Data: From Stripe — transaction confirmations, payment status, billing confirmations
- Booking Data: From Cal.com — meeting confirmations, scheduling information, calendar sync data
3.4 Special Category Data
We do not intentionally collect special category data (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation). Our services are directed at businesses, not individuals in contexts where such data would typically be relevant.
3.5 Source of Data Not Collected Directly From You
Where we obtain personal data from sources other than you directly (such as from a colleague who refers you, or from publicly available business directories), we will inform you of this within a reasonable period and no later than one month after obtaining the data, or at the time of first communication if we use the data to contact you.
4. How We Use Your Personal Data and Legal Bases
We only process your personal data when we have a lawful basis to do so. Under UK GDPR Article 6, we rely on the following lawful bases:
4.1 Processing Activities, Purposes, and Lawful Bases
- Responding to enquiries: Using Identity, Contact, and Communication data based on Legitimate Interests — to respond to your questions and provide information about our services
- Scheduling calls and meetings: Using Identity, Contact, and Booking data based on Legitimate Interests / Contract Performance — to book and manage discovery calls and client meetings via Cal.com
- Providing our services: Using Identity, Contact, Business, and Financial data based on Contract Performance — necessary to deliver the Google Ads management, audits, conversion tracking, and related services you have engaged us for
- Managing client relationships: Using Identity, Contact, Communication, and Business data based on Contract Performance — to communicate about your account, send performance reports, and provide ongoing support
- Invoicing and payments: Using Identity, Contact, and Financial data based on Contract Performance / Legal Obligation — to issue invoices, process payments via Stripe, and maintain financial records as required by HMRC
- Website analytics: Using Technical, Usage, and Location data based on Consent — to understand how visitors use our website and improve user experience via Google Analytics 4
- Session recording and heatmaps: Using Technical, Usage, and Behavioural data based on Consent — to analyse user behaviour and improve website usability via Microsoft Clarity
- Remarketing and advertising: Using Technical and Cookie data based on Consent — to show you relevant advertisements on other websites via Google Ads
- Conversion tracking: Using Technical and Cookie data based on Consent — to measure the effectiveness of our advertising campaigns
- Server-side tracking: Using Technical and Usage data based on Consent — to improve data accuracy using server-side tag management (TAGGRS)
- Email marketing: Using Identity, Contact, and Marketing Preferences data based on Consent / Legitimate Interests — to send newsletters, updates, and marketing communications
- Legal compliance: Using all categories as required based on Legal Obligation — to comply with legal and regulatory requirements including tax law, anti-money laundering, and court orders
- Protecting our rights: Using all categories as required based on Legitimate Interests — to establish, exercise, or defend legal claims
- Fraud prevention: Using Technical, Identity, and Financial data based on Legitimate Interests — to detect and prevent fraudulent activity
4.2 Legitimate Interests Assessment
Where we rely on legitimate interests as a lawful basis, we have conducted a Legitimate Interest Assessment ("LIA") to ensure our interests do not override your rights and freedoms. Our legitimate interests include:
- Operating and improving our website and services
- Understanding how our services are used to improve them
- Marketing our services to businesses who may benefit from them
- Protecting our business from fraud, security threats, and legal claims
- Maintaining records for administrative and legal purposes
- Communicating with business contacts about relevant services
Copies of our Legitimate Interest Assessments are available upon request.
4.3 Consent
Where we rely on consent as our lawful basis, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. See Section 9.3 for how to withdraw consent.
4.4 Processing Based on Contract
Where processing is necessary for the performance of a contract with you, failure to provide the required personal data may mean we cannot enter into the contract or provide the requested services.
4.5 Requirement to Provide Data
Where we require personal data to comply with legal obligations or to perform a contract, and you do not provide that data, we may not be able to provide services to you. We will notify you if this is the case at the time.
5. Data Sharing and Recipients
We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
We may share your personal data with the following categories of recipients:
5.1 Third-Party Service Providers
- Google LLC (GA4, Ads, GTM, Workspace): For website analytics, advertising, conversion tracking, tag management, email, and document storage. Data shared includes Technical Data, Usage Data, Cookie Data, Identity Data, Contact Data, Business Data, and Communication Data. Location: USA. Transfer safeguard: EU-US Data Privacy Framework (DPF) certified.
- Microsoft Corporation (Clarity): For session recording, heatmaps, and behavioural analytics. Data shared includes Technical Data, Usage Data, and Behavioural Data. Location: USA. Transfer safeguard: EU-US Data Privacy Framework (DPF) certified.
- Cal.com, Inc.: For meeting scheduling and booking. Data shared includes Identity Data, Contact Data, and Booking Data. Location: USA. Transfer safeguard: Standard Contractual Clauses (SCCs).
- Stripe, Inc.: For payment processing. Data shared includes Identity Data, Contact Data, and Financial Data (excluding full card numbers). Location: USA. Transfer safeguard: EU-US Data Privacy Framework (DPF) certified, PCI DSS Level 1 compliant.
- TAGGRS B.V.: For server-side tracking and tag management. Data shared includes Technical Data and Usage Data. Location: Netherlands (EU). Transfer safeguard: EU adequate jurisdiction - no additional safeguards required.
You can verify Data Privacy Framework certification at dataprivacyframework.gov.
5.2 People Who Access Your Data Within Affirmed
Your personal data may be accessed by:
- Employees of Affirmed Agency Ltd who need access to perform their duties
- Contractors engaged by us to provide specific services (e.g., development, design, bookkeeping)
- Partners who collaborate with us on client projects
All personnel with access to personal data are bound by confidentiality obligations, have received appropriate data protection training, and only access data on a need-to-know basis.
5.3 Other Disclosures
We may also share your personal data:
- With your consent: Where you have given us specific consent to share your data with named parties
- For legal reasons: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests
- To protect rights: To enforce our Terms of Service, protect our rights, privacy, safety, or property, and/or that of our clients or others
- Professional advisers: To our lawyers, accountants, insurers, and other professional advisers as necessary for their services
- Business transfers: In connection with a merger, acquisition, reorganisation, or sale of assets, where your data may be transferred to the acquiring entity (we will notify you of any such change)
5.4 Client Account Data (Processor Role)
When providing our services, we access your Google Ads accounts, Google Analytics, Google Merchant Center, and related platforms. In this context:
- You remain the data controller for data within your accounts
- We act as your data processor, processing data on your behalf and under your instructions
- This relationship is governed by our Terms of Service and, where applicable, a separate Data Processing Agreement
- We do not use client account data for our own purposes beyond providing the contracted services
6. International Data Transfers
Affirmed Agency Ltd is based in the United Kingdom. Your personal data may be transferred to, stored, and processed in countries outside your country of residence, including the United Kingdom, United States, and European Economic Area.
6.1 Where Your Data May Be Transferred
- United Kingdom: Affirmed Agency Ltd — primary data storage and processing
- United States: Google, Microsoft, Stripe, Cal.com — analytics, advertising, payments, scheduling, email
- Netherlands: TAGGRS — server-side tracking
- Ireland: Various sub-processors — cloud infrastructure
6.2 Transfer Safeguards
We ensure appropriate safeguards are in place for all international transfers:
Transfers from the UK:
- USA (DPF-certified organisations): UK Extension to EU-US Data Privacy Framework
- USA (non-DPF organisations): UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
- EEA: UK Adequacy Decision for EEA
- Other countries: UK IDTA or UK Addendum to EU SCCs + Transfer Risk Assessment
Transfers from the EEA:
- UK: EU Adequacy Decision for UK (valid until 27 December 2031)
- USA (DPF-certified organisations): EU-US Data Privacy Framework
- USA (non-DPF organisations): EU Standard Contractual Clauses (SCCs)
- Other countries: EU SCCs + Transfer Impact Assessment
Transfers involving Brazil (LGPD):
For transfers of Brazilian data subjects' personal data, we use ANPD-approved Standard Contractual Clauses where required.
6.3 Your Rights Regarding International Transfers
You have the right to:
- Request information about the safeguards we use for international transfers
- Obtain a copy of the relevant transfer mechanisms (e.g., SCCs, IDTA) upon request
- Lodge a complaint with your local supervisory authority if you believe your data has been transferred unlawfully
Contact us at hello@affirmed.co for more information or to request copies of transfer safeguards.
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. We do not keep your data for longer than we need it.
7.1 Retention Periods
- Client contract and business data: Duration of client relationship + 6 years (Limitation Act 1980 - contract claims limitation period is 6 years)
- Financial and invoicing records: 7 years from end of financial year (HMRC requirements for tax records)
- Marketing consent records: Duration of consent + 2 years (evidence of GDPR/PECR compliance)
- Website enquiry data (non-clients): 2 years from last contact (legitimate interest in following up; reasonable expectation period)
- Booking/scheduling data: 2 years from meeting date (business records and potential follow-up)
- Google Analytics 4 data: 14 months (GA4 data retention setting)
- Microsoft Clarity data: 13 months (Microsoft Clarity retention policy)
- Cookie consent records: 2 years (evidence of PECR compliance)
- Email marketing data: Until unsubscribe, then 2 years on suppression list (compliance and to honour ongoing opt-out requests)
- Data subject request records: 3 years from request completion (evidence of compliance)
7.2 Retention Review
We periodically review the data we hold and securely delete or anonymise data that is no longer needed. Where data is anonymised (so that it can no longer identify you), it is no longer personal data and may be retained indefinitely for statistical purposes.
7.3 Exceptions
We may retain data for longer periods where:
- Required by law or regulatory obligation
- Needed to establish, exercise, or defend legal claims
- You have given consent to longer retention
- Data has been fully anonymised
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, loss, or destruction.
8.1 Security Measures
- Encryption in transit: All data transmitted to and from our website is encrypted using TLS 1.2+ / SSL
- Encryption at rest: Sensitive data is encrypted at rest where technically feasible
- Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis, using role-based access controls
- Authentication: Multi-factor authentication (MFA) is used for accessing systems containing personal data
- Secure storage: Data is stored on secure servers with enterprise-grade security controls
- Third-party security: We only use service providers who demonstrate appropriate security measures and certifications
- Confidentiality: All employees and contractors with data access are bound by confidentiality obligations
- Training: Personnel receive regular data protection and security awareness training
- Regular review: We regularly review and test our security practices and update them as needed
- Incident response: We maintain documented procedures for responding to security incidents
8.2 Data Breach Notification
In the event of a personal data breach:
UK/EEA: We will notify the ICO (and relevant EEA supervisory authority if applicable) within 72 hours of becoming aware of a breach that poses a risk to your rights and freedoms. We will notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms.
Other jurisdictions: We will comply with applicable breach notification requirements, including:
- Canada (PIPEDA): Notification to OPC and affected individuals for breaches creating real risk of significant harm
- Australia: Notification to OAIC and affected individuals within 30 days for eligible data breaches
- Brazil (LGPD): Notification to ANPD within 3 working days
- California (CCPA): Notification as required by California Civil Code
8.3 Your Security Responsibilities
You are responsible for:
- Keeping any account credentials confidential
- Notifying us immediately of any unauthorised access to your account
- Ensuring the security of devices you use to access our services
9. Your Privacy Rights
You have rights regarding your personal data. The specific rights available to you depend on your location and the applicable law.
9.1 Rights Under UK GDPR and EU GDPR
If you are located in the UK or EEA, you have the following rights:
- Right to be informed: To know how your personal data is collected and used (this Privacy Policy)
- Right of access: To request a copy of the personal data we hold about you (Subject Access Request)
- Right to rectification: To request correction of inaccurate or incomplete personal data
- Right to erasure: To request deletion of your personal data in certain circumstances ("right to be forgotten")
- Right to restrict processing: To request that we limit how we use your data in certain circumstances
- Right to data portability: To receive your data in a structured, commonly used, machine-readable format and transmit it to another controller
- Right to object: To object to processing based on legitimate interests or for direct marketing
- Rights related to automated decision-making: To not be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects
Right to Object - Important Information:
- Direct marketing: You have an absolute right to object to processing for direct marketing purposes. We will stop immediately upon request.
- Legitimate interests: You can object to processing based on legitimate interests. We will stop unless we demonstrate compelling legitimate grounds that override your interests.
9.2 Response Times
- UK/EEA: We will respond within one month. This may be extended by up to two additional months for complex or numerous requests, in which case we will inform you within the first month.
- California: We will respond within 45 days, extendable by an additional 45 days with notice.
- Other jurisdictions: We will respond within the timeframe required by applicable law.
9.3 Exercising Your Rights and Withdrawing Consent
To exercise any of your rights:
Please include:
- Your name and contact information
- Your country/state of residence
- The specific right(s) you wish to exercise
- Any information that will help us locate your data (e.g., email address used, approximate dates of interaction)
To withdraw consent:
- Cookies: Click the cookie settings link in our website footer or clear cookies via your browser
- Marketing emails: Click the "unsubscribe" link at the bottom of any marketing email
- Microsoft Clarity / Analytics: Adjust preferences via our cookie consent tool
- Other consent: Contact us at hello@affirmed.co
Verification: We may need to verify your identity before processing your request to protect your data from unauthorised access.
Fees: There is no fee for exercising your rights, unless requests are manifestly unfounded, repetitive, or excessive, in which case we may charge a reasonable fee or refuse to act.
9.4 Right to Complain
If you are not satisfied with how we handle your personal data or respond to your request, you have the right to lodge a complaint with a supervisory authority:
United Kingdom:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113
European Union:
You may lodge a complaint with your local data protection authority. A list of EEA supervisory authorities is available at edpb.europa.eu.
We would appreciate the opportunity to address your concerns before you contact a supervisory authority. Please contact us first at hello@affirmed.co.
10. Jurisdiction-Specific Rights and Disclosures
10.1 California, USA (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Your California Privacy Rights:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months
- Right to Delete: Request deletion of your personal information, subject to certain exceptions
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: Opt out of the sale or sharing of your personal information for cross-context behavioural advertising
- Right to Limit Use of Sensitive PI: Limit the use of sensitive personal information (we do not collect sensitive PI as defined by CPRA)
- Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights
Categories of Personal Information Collected (past 12 months):
- Identifiers: Name, email, IP address, account name — Yes — for service delivery and communications
- Customer records: Name, address, telephone, payment information — Yes — for billing and service delivery
- Commercial information: Services purchased, purchasing histories — Yes — for service delivery and improvement
- Internet/network activity: Browsing history, search history, website interactions — Yes — for analytics and website improvement
- Geolocation data: Country, region, city (from IP) — Yes — for analytics and localisation
- Professional/employment information: Job title, company name — Yes — for service delivery
- Inferences: Preferences, characteristics, behaviour — Yes — for service improvement
- Sensitive personal information: N/A — No
Sale and Sharing of Personal Information:
We do not sell your personal information. We do not exchange personal information for monetary or other valuable consideration.
We do not share your personal information for cross-context behavioural advertising in a manner that constitutes "sharing" under CPRA.
Disclosure of Personal Information for Business Purposes:
In the past 12 months, we have disclosed the following categories of personal information to service providers for business purposes:
- Identifiers (to Google, Microsoft, Stripe, Cal.com)
- Internet/network activity (to Google, Microsoft)
- Professional information (to Google Workspace)
Retention: We retain each category of personal information for the periods described in Section 7.
Authorised Agents: You may designate an authorised agent to submit requests on your behalf. We may require verification of the agent's authority and your identity.
How to Submit a Request: Email hello@affirmed.co. We will verify your identity before processing requests. We will respond within 45 days (extendable by 45 days with notice).
Financial Incentives: We do not offer financial incentives for the collection, sale, retention, or deletion of personal information.
Global Privacy Control (GPC): We honour GPC signals. If your browser sends a GPC signal, we will treat this as a valid request to opt out of any sale or sharing of personal information.
10.2 Other US States
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, New Jersey, New Hampshire, Tennessee, Minnesota, Maryland, Nebraska, Rhode Island, Indiana, Kentucky, and other states with comprehensive privacy laws have rights that generally include:
- Right to confirm whether we are processing your personal data
- Right to access your personal data
- Right to correct inaccurate personal data
- Right to delete your personal data
- Right to obtain a portable copy of your data
- Right to opt out of targeted advertising
- Right to opt out of sale of personal data (where applicable)
- Right to opt out of profiling in furtherance of decisions that produce legal or significant effects
- Right to appeal our decision on your request
Important Note for B2B Contacts: Most US state privacy laws (except California) exempt business contact information used solely for B2B communications. However, we extend privacy rights to all US residents regardless of exemptions.
To exercise your rights: Email hello@affirmed.co
Right to Appeal: If we decline your request, you have the right to appeal. Submit appeals to hello@affirmed.co. We will respond within the timeframe required by applicable state law.
10.3 Canada (PIPEDA and Quebec Law 25)
If you are located in Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Quebec residents, additional rights under Law 25.
Your Rights Under PIPEDA:
- Right to access your personal information
- Right to request correction of inaccurate information
- Right to withdraw consent (subject to legal/contractual restrictions)
- Right to challenge compliance by filing a complaint with the Office of the Privacy Commissioner of Canada
Additional Rights Under Quebec Law 25:
- Right to data portability (in a commonly used technological format)
- Right to be informed of automated decision-making
- Right to de-indexing (right to be forgotten in certain circumstances)
- Right to be informed before personal information is used for profiling purposes
Privacy Officer for Quebec:
Louis, Director
Email: hello@affirmed.co
Regulatory Authorities:
Office of the Privacy Commissioner of Canada:
30 Victoria Street, Gatineau, Quebec K1A 1H3
Website: priv.gc.ca
Toll-free: 1-800-282-1376
Commission d'accès à l'information du Québec (Quebec residents):
Website: cai.gouv.qc.ca
Cross-Border Transfers: Your personal data may be transferred to and processed in the United Kingdom and United States. By providing your information, you consent to this transfer. We ensure appropriate safeguards are in place.
10.4 Australia (Privacy Act 1988)
If you are located in Australia, the Privacy Act 1988 and Australian Privacy Principles (APPs) govern how we handle your personal information.
Your Rights Under the APPs:
- Right to access personal information we hold about you (APP 12)
- Right to request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading information (APP 13)
- Right to complain about a breach of the APPs
- Right to deal with us anonymously or using a pseudonym where practicable (this may limit services we can provide)
We will respond to access and correction requests within a reasonable period (typically 30 days). If we refuse a request, we will provide written reasons.
Cross-Border Disclosure: Before disclosing your personal information to an overseas recipient, we take reasonable steps to ensure the recipient does not breach the APPs in relation to the information. By providing your personal information, you consent to its transfer to the United Kingdom and other countries as described in Section 6.
Regulatory Authority:
Office of the Australian Information Commissioner (OAIC):
GPO Box 5218, Sydney NSW 2001
Website: oaic.gov.au
Phone: 1300 363 992
10.5 Brazil (LGPD)
If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) provides you with specific rights:
Your Rights Under LGPD:
- Confirmation of the existence of processing
- Access to your personal data
- Correction of incomplete, inaccurate, or outdated data
- Anonymisation, blocking, or deletion of unnecessary, excessive, or non-compliant data
- Data portability to another service provider (upon express request)
- Deletion of personal data processed with your consent (except where retention is legally required)
- Information about public and private entities with which your data has been shared
- Information about the possibility of denying consent and the consequences
- Revocation of consent at any time
Data Protection Officer (Encarregado):
The Data Protection Contact
Email: hello@affirmed.co
International Transfers: Transfers of Brazilian personal data are conducted in compliance with LGPD Chapter V, using ANPD-approved Standard Contractual Clauses where required.
Regulatory Authority:
ANPD (Autoridade Nacional de Proteção de Dados):
Website: gov.br/anpd
10.6 Other Jurisdictions
If you are located in a jurisdiction not specifically listed above (including Singapore, New Zealand, South Africa, Japan, South Korea, UAE, India, or others), we will comply with applicable local data protection laws.
General Principles We Apply Globally:
- We only collect personal data that is necessary for our legitimate purposes
- We are transparent about how we use your data
- We implement appropriate security measures to protect your data
- We respect your rights to access, correct, and delete your data
- We do not sell your personal data
- We provide mechanisms for you to exercise your rights and raise concerns
Contact us at hello@affirmed.co if you have questions about your rights under your local laws.
11. Cookies and Similar Technologies
This section serves as our Cookie Policy and explains what cookies and similar technologies we use, why we use them, and how you can control them.
11.1 What Are Cookies?
Cookies are small text files placed on your device (computer, tablet, smartphone) when you visit a website. They are widely used to make websites work more efficiently, provide information to website owners, and enable certain features.
Similar technologies include:
- Web beacons/pixels: Small graphics that track user behaviour
- Local storage: Data stored in your browser
- Session storage: Temporary data stored for a single browser session
11.2 Our Cookie Consent Approach
We do not set non-essential cookies until you provide consent.
When you first visit our website, you will see a cookie consent banner. You can choose to:
- Accept all cookies: We will set all cookies described below
- Reject non-essential cookies: We will only set strictly necessary cookies
- Customise your preferences: Choose which categories of cookies to allow
You can change your preferences at any time using the cookie settings link in our website footer.
Important: Under UK PECR and EU ePrivacy rules, consent must be:
- Freely given: You have a genuine choice with no detriment for refusing
- Specific: You know exactly what you're consenting to
- Informed: We explain what cookies do before you consent
- Unambiguous: You take a clear affirmative action (no pre-ticked boxes)
We do not use:
- Pre-ticked consent boxes
- Implied consent (e.g., "by continuing to browse...")
- Cookie walls that block all access without consent
- Dark patterns that make rejection difficult
- "Reject" buttons that are harder to find than "Accept"
11.3 Cookie Categories
- Strictly Necessary: Essential for the website to function. Cannot be disabled. Consent not required.
- Analytics/Performance: Help us understand how visitors use our website. Consent required.
- Marketing/Advertising: Used to deliver relevant advertisements and measure campaign effectiveness. Consent required.
11.4 Cookies We Use
Strictly Necessary Cookies
These cookies are essential for the website to function and cannot be switched off. They do not store any personally identifiable information.
- Session ID (affirmed.co): Maintains your session state for security and functionality — Session duration
- Cookie consent (CMP): Stores your cookie consent preferences so we don't ask repeatedly — 12 months
- Security tokens (affirmed.co): CSRF protection and security — Session duration
Analytics Cookies (Require Consent)
These cookies help us understand how visitors interact with our website by collecting and reporting information.
- _ga (Google Analytics): Distinguishes unique users by assigning a randomly generated number as a client identifier — 14 months
- _ga_[ID] (Google Analytics): Maintains session state and tracks campaign data — 14 months
- _gid (Google Analytics): Distinguishes users for 24-hour aggregation — 24 hours
- _gat (Google Analytics): Throttles request rate to limit data collection on high-traffic sites — 1 minute
- _clck (Microsoft Clarity): Persists the Clarity User ID and preferences — 12 months
- _clsk (Microsoft Clarity): Connects multiple page views by a user into a single Clarity session recording — 1 day
- CLID (Microsoft Clarity): Identifies the first time Clarity saw this user — 12 months
- ANONCHK (Microsoft Clarity): Indicates whether MUID is transferred to ANID (advertising cookie) — Session duration
- MR (Microsoft Clarity): Used to collect information for analytics purposes — 7 days
- SM (Microsoft Clarity): Synchronises the MUID across Microsoft domains — Session duration
Microsoft Clarity Disclosure: We use Microsoft Clarity to capture how you use and interact with our website through behavioural metrics, heatmaps, and session replay. Website usage data is captured using first and third-party cookies and other tracking technologies. This data helps us improve and market our products/services. For more information about how Microsoft collects and uses your data, see the Microsoft Privacy Statement.
Marketing Cookies (Require Consent)
These cookies are used to deliver relevant advertisements and measure advertising campaign effectiveness.
- _gcl_au (Google Ads): Used by Google AdSense for experimenting with advertisement efficiency — 90 days
- _gcl_aw (Google Ads): Stores conversion information after a user clicks on an ad — 90 days
- IDE (Google DoubleClick): Used by Google DoubleClick for remarketing, optimisation, attribution, and reporting — 13 months
- NID (Google): Stores preferences and information for Google services — 6 months
- test_cookie (Google DoubleClick): Used to check if the user's browser supports cookies — 15 minutes
Google Ads Disclosure: We use Google Analytics and Google Ads to understand website usage and measure advertising effectiveness. For information about how Google uses data, visit: How Google uses information from sites that use our services.
11.5 Google Consent Mode v2
We have implemented Google Consent Mode v2, which adjusts how Google tags behave based on your consent status. This includes the required parameters:
- ad_storage: Controls storage (cookies) for advertising purposes
- analytics_storage: Controls storage for analytics purposes
- ad_user_data: Controls whether user data can be sent to Google for advertising purposes
- ad_personalization: Controls whether personalised advertising (remarketing) is enabled
When you decline consent, Google tags operate in a limited, privacy-preserving mode (cookieless pings with limited data).
11.6 Server-Side Tracking (TAGGRS)
We use server-side tracking via TAGGRS to improve data accuracy and reliability. With server-side tracking:
- Data is sent from your browser to our server first, then forwarded to analytics/advertising platforms
- This reduces reliance on browser-based cookies and improves data quality
- It can improve page load performance
- Consent requirements still apply: we only process and forward data based on your consent preferences
- Your consent choices are passed to our server-side container and respected
Server-side tracking does not bypass your privacy choices or consent requirements.
11.7 How to Control Cookies
On our website:
- Use the cookie consent banner when you first visit
- Click the "Cookie Settings" link in our website footer at any time to change your preferences
- Your preferences are saved and respected across sessions
In your browser:
Most browsers allow you to:
- View cookies currently stored on your device
- Delete specific or all cookies
- Block cookies from specific or all websites
- Set different preferences for first-party vs third-party cookies
Note: Blocking certain cookies may affect website functionality and your user experience.
11.8 Do Not Track and Global Privacy Control
Do Not Track (DNT): Some browsers offer a DNT setting. There is currently no universal standard for responding to DNT signals. Our website does not currently respond to DNT browser signals, but you can manage cookies using the methods described above.
Global Privacy Control (GPC): We honour GPC signals. If your browser sends a GPC signal:
- For California residents: We treat this as a valid opt-out of sale/sharing of personal information
- For all users: We will limit tracking to essential functions only
12. Marketing Communications
12.1 How We May Market to You
With your permission or where otherwise permitted by law, we may send you marketing communications about our services, including:
- Email newsletters with industry insights and tips
- Service updates and announcements
- Case studies and success stories
- Event invitations and webinar announcements
- Information about new services
12.2 Lawful Basis for Marketing
- You have explicitly opted in to marketing: Consent — clear, specific opt-in; records maintained
- You are an existing client (UK B2B "soft opt-in"): Legitimate Interests — similar services only; easy opt-out provided at every communication
- You are a business contact we have a legitimate reason to contact: Legitimate Interests — relevant to your role; easy opt-out provided
B2B Marketing Note (UK PECR): For business-to-business email marketing sent to corporate subscribers at their business email addresses, UK PECR does not require prior consent. However, UK GDPR still applies, so we must have a lawful basis (typically legitimate interests) and you always have the right to opt out.
12.3 Your Marketing Choices
You can opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link at the bottom of any marketing email
- Replying to any marketing email with "unsubscribe"
- Contacting us at hello@affirmed.co
We will process your opt-out request within 10 business days (typically much faster).
Important: Opting out of marketing does not affect service-related communications (e.g., invoices, performance reports, contract notices, security alerts). These are necessary for our contract with you and are not "marketing."
13. Third-Party Links and Services
Our website may contain links to third-party websites, plugins, and services that are not operated by us. This includes:
- Social media platforms (LinkedIn, Twitter/X, etc.)
- Embedded content (YouTube videos, etc.)
- Partner websites
- Industry resources and tools
We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policy of every website you visit.
Clicking on a third-party link or enabling embedded content may allow that third party to collect data about you. We have no control over and are not responsible for this.
14. Children's Privacy
Our website and services are intended for businesses and business professionals. They are not directed at individuals under the age of 18 (or the age of majority in your jurisdiction, if higher).
We do not knowingly collect personal data from children. Different jurisdictions define "child" differently:
- UK (digital consent): Under 13
- EU (varies by member state): Under 13-16
- USA (COPPA): Under 13
- California (CPRA): Under 16 for certain rights
- Australia: Under 18
- Brazil: Under 18
- Canada: Varies by province (13-18)
If you believe we have inadvertently collected data from a child, please contact us immediately at hello@affirmed.co. We will take steps to delete such data promptly.
15. Automated Decision-Making and Profiling
We do not currently use automated decision-making or profiling that produces legal effects or similarly significant effects on you.
We may use automated tools for:
- Basic analytics and reporting (aggregate data, does not affect you individually)
- Spam and fraud detection (legitimate security interest)
- Personalising website content based on your expressed preferences (with consent)
If we introduce automated decision-making with significant effects in the future, we will:
- Update this Privacy Policy
- Provide clear information about the logic involved
- Implement appropriate safeguards including the right to human intervention
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
How we notify you of changes:
- Material changes: We will notify clients by email and post a prominent notice on our website at least 14 days before changes take effect
- All changes: The "Last Updated" date at the top of this Privacy Policy will be revised
- Previous versions: Available upon request at hello@affirmed.co
We encourage you to review this Privacy Policy periodically.
Your continued use of our website or services after changes become effective constitutes your acknowledgement of the modified Privacy Policy. If changes materially affect how we process your personal data, we will give you the opportunity to consent to the new processing or object to it, where required by law.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or wish to exercise your rights, please contact us:
Affirmed Agency Ltd
124 City Road
London, England
EC1V 2NX
United Kingdom
Email: hello@affirmed.co
Company Registration Number: 16475050 (England and Wales)
Jurisdiction-specific contacts are listed in Section 2.
We aim to respond to all enquiries within 5 business days and to all formal data subject requests within the timeframes required by applicable law.
18. Glossary
- Data Controller: The entity that determines the purposes and means of processing personal data. Affirmed Agency Ltd is the data controller for data collected through our website and services.
- Data Processor: An entity that processes personal data on behalf of a data controller, under their instructions.
- Data Subject: An identified or identifiable natural person whose personal data is processed.
- Personal Data / Personal Information: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
- Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, health data, or data concerning sex life or sexual orientation. Also known as "sensitive personal data."
- UK GDPR: The UK General Data Protection Regulation, as retained in UK law.
- EU GDPR: Regulation (EU) 2016/679 (General Data Protection Regulation).
- CCPA/CPRA: California Consumer Privacy Act as amended by the California Privacy Rights Act.
- PIPEDA: Canada's Personal Information Protection and Electronic Documents Act.
- LGPD: Brazil's Lei Geral de Proteção de Dados (General Data Protection Law).
- ICO: Information Commissioner's Office, the UK's data protection supervisory authority.
- PECR: Privacy and Electronic Communications Regulations 2003 (UK).
- Lawful Basis: A legal ground under UK GDPR Article 6 that permits processing of personal data.
- Consent: Freely given, specific, informed, and unambiguous indication of agreement to processing.
- Legitimate Interests: A lawful basis where processing is necessary for purposes of legitimate interests pursued by the controller or a third party, balanced against the data subject's interests, rights, and freedoms.
- Subject Access Request (SAR): A request by a data subject to access the personal data held about them.
- Data Processing Agreement (DPA): A legally binding contract between a data controller and data processor.
- Standard Contractual Clauses (SCCs): Pre-approved contract terms for international data transfers.
- Data Privacy Framework (DPF): The EU-US and UK-US framework for transatlantic data transfers.
- Cookies: Small text files stored on your device by websites.
- Global Privacy Control (GPC): A browser setting that signals privacy preferences.
© 2026 Affirmed Agency Ltd. All rights reserved.