Privacy Policy

Freitas Films
Effective Date: 20/09/2025
Last Updated: 22/09/2025

We are committed to protecting your privacy. This Policy explains how we collect, use, store and share personal data under the UK GDPR and the Data Protection Act 2018.

Data Controller: Freitas Films, Bristol, United Kingdom
Contact: hello@freitasfilms.co.uk

1) Who we are and our roles

  • For our website, enquiries, proposals, invoicing, marketing, portfolio and general operations, we act as the Data Controller.

  • When we manage a client’s social media accounts or process personal data on their behalf (e.g., comments, DMs, audience analytics), we act as a Data Processor and follow the client’s documented instructions. Our Data Processing Addendum (DPA) is available on request and forms part of the SOW where applicable.

We have not appointed a Data Protection Officer and are not required to do so; please use the contact above for any privacy questions.

2) Personal data we collect

You provide:

  • Contact details (name, email, phone, company, address)

  • Project information (brief, goals, budget, timelines)

  • Communication records (emails, meeting notes, feedback)

  • Billing data (billing address, VAT number). Payment card details are processed by our payment providers; we do not store card numbers.

Collected automatically (website/app):

  • Device, browser and usage data (pages viewed, time on page, referring sites, approximate location) via analytics and similar technologies. See Cookies below.

Social media management (if we manage your accounts):

  • Role‑based access to accounts (we prefer admin/invite access; if you provide credentials, we store them securely and delete them when our engagement ends).

  • Platform analytics (reach, engagement, demographics as provided by the platform).

  • Community interactions (comments, messages) when actioning your instructions.

Audio/visual content (production):

  • Images, audio and video captured during filming/photography, which may incidentally include individuals who can be identified. Where needed, we collect model/location releases.

Sources: directly from you; your colleagues; publicly available sources (websites/social profiles); and third‑party providers supporting our services (see §6).

3) Why we use personal data and our lawful bases

We only process personal data where we have a lawful basis. Typical purposes are:

  • Enquiries & proposals - Responding to enquiries, preparing quotes/SOWs

    • Lawful basis: Legitimate interests (running our business, responding to requests)

  • Service delivery - Planning, filming, editing, delivery, account management

    • Lawful basis: Contract (to perform a contract or take steps at your request)

  • Invoicing & tax - Invoicing, accounting, record keeping

    • Lawful basis: Legal obligation (tax/company law)

  • Security & fraud prevention - Keeping systems/accounts secure, preventing misuse

    • Lawful basis: Legitimate interests

  • Portfolio & marketing - Showcasing completed client work and case studies

    • Lawful basis: Legitimate interests (we balance against your rights; you can object)

  • Direct marketing - Email updates to existing clients/contacts

    • Lawful basis: Legitimate interests / PECR soft opt-in where applicable; opt-out anytime

  • Analytics & cookies - Measuring site performance, improving UX

    • Lawful basis: Consent for non-essential cookies

Special category data: We do not aim to capture special category data. If content clearly reveals such data (e.g., health, religion), we will seek explicit consent before using it in our portfolio/marketing, or avoid using that content.

4) Marketing choices

We may send service updates or marketing to existing clients and enquirers about similar services. You can opt out at any time via any email or by contacting us. We do not buy marketing lists.

5) Cookies & analytics

We use a consent banner to collect consent for non‑essential cookies. You can change preferences at any time. We use analytics (e.g., Google Analytics 4) to understand how our site is used; non‑essential analytics run only after consent. See our Cookie Policy for cookie types, names, purposes and retention.

6) Sharing data with others

We share data with trusted providers who help us deliver services, for example: payment processors, email and file‑sharing tools, project management tools, analytics, and social platforms. We only share the minimum necessary and we have contracts in place with our providers. We also share data where required by law or to establish/exercise legal claims.

7) International transfers

Some providers store data outside the UK/EEA. Where we transfer personal data internationally, we use approved safeguards, such as:

  • the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs; and/or

  • transfers to US organisations certified under the UK‑US Data Bridge (UK extension to the EU‑US Data Privacy Framework).
    We assess transfer risks as appropriate and use encryption in transit and at rest.

8) Retention

We keep data only as long as necessary for the stated purposes, including to meet legal, accounting or reporting requirements:

  • Client/project records: for the life of the relationship plus 7 years for tax/audit.

  • Enquiry records: 2 years from last meaningful contact.

  • Marketing contacts: until you opt out or we determine it’s no longer appropriate.

  • Website analytics: per our Cookie Policy settings.

  • Footage & project files: final deliverables available for 30 days after delivery; raw footage/project files generally retained 90 days unless an archive service is agreed in the SOW.

When retention ends, we securely delete or anonymise data.

9) Your rights

You have rights to access, rectify, erase, restrict, object, and portability. Where we rely on consent, you can withdraw consent at any time. You may also object to processing based on legitimate interests (including portfolio/marketing) and we will stop unless we have compelling legitimate grounds.

How to exercise: email hello@freitasfilms.co.uk with enough information to identify you and your request. We respond within one month (we may extend by two months for complex requests and will let you know if we do).

10) Security

We use technical and organisational measures appropriate to the risk, including encryption in transit and at rest where feasible, access controls, multi‑factor authentication on key systems, regular updates, and staff confidentiality.

Data breaches. We assess any personal data breach and, where legally required, notify the ICO within 72 hours of becoming aware. If the breach is likely to result in a high risk to individuals, we will also inform affected individuals without undue delay.

11) Children

Our services are not directed at children. If we rely on consent for any online service, only children aged 13 or over can consent for themselves in the UK; otherwise we obtain parental consent. If you believe a child has provided us data without appropriate consent, contact us and we’ll delete it.

12) Updates

We may update this Policy to reflect changes in law or our practices. We will post the new version with a new “Last updated” date and, for significant changes, provide a notice on our website or email active clients.

13) Complaints

If you are unhappy with how we handle your data, please contact us first. You also have the right to complain to the

Information Commissioner’s Office (ICO):

ico.org.uk • 0303 123 1113 • Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF