Privacy Policy

This is the Privacy Policy for Create22, H1 & H2 Kingston Business Park, Kingston Bagpuize, Oxfordshire OX13 5FB, United Kingdom.

Create22 is the Data Controller of your personal data. The principles set out in this Privacy Notice apply to all instances in which Create22 receives your personal data as a Data Controller for the purposes of processing when visiting the website or as mentioned below.

If you have any requests concerning your personal data or any queries with regard to these practices please contact Create22 using the contact details given above.

NB: This Privacy Policy may be reviewed and updated from time to time. Please take the time to read it to note any changes which may affect you. 


Visitors to the Create22 website have the option, should they wish, to actively enter personal data through the online contact form for the purpose of making contact with us.

As is common practice with almost all websites, this site uses cookies. Cookies are small text files that are placed on your machine to help the site provide a better user experience. In general, cookies are used to retain user preferences and provide anonymised tracking data to third party applications such as Google Analytics.

As a rule, cookies will make your browsing experience better. Cookies located on your computer do not contain your name but an IP address.

However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser. Please ensure that your computer setting reflects whether you are happy to accept cookies or not. You can set your browser to warn you before accepting cookies, or you can simply set it to refuse them, although you may not have access to all the features of the website if you do so. See your browser “Help” button for how you can do this. Remember that if you use different computers in different locations you will need to ensure that each browser is adjusted to suit your cookie preferences.

For further information about Cookies including how to refuse them, please visit

Create22 Security Measures

Create22 takes appropriate physical and technical security measures to prevent personal data loss, preserve data integrity, and to strictly regulate access to personal data. Only authorized Create22 employees, and authorized employees of our Third-Party service providers’ processing data on our behalf, have access to your personal data. All Create22 employees who have access to your personal data are required to adhere to the Create22 Privacy Notice and internal Data Protection Procedures and all third-party service providers have been chosen by Create22 on the basis of their rigorous data security processes and are subject to individual Privacy Notices which set out their obligations and responsibilities.

What personal data does Create22 hold?

Customer information: this can include names, addresses, email addresses, telephone numbers and invoicing details of current or previous Customers. Customers are either prospective and have received or are receiving quotes, or have entered into a ‘contract’ with us currently or in the past.

Supplier information: this can include names, addresses, email addresses, telephone numbers and purchase order details of Suppliers with whom we do business or have done business.

Staff information: this includes personal employment information pertaining to individual staff members.

Create22 DOES NOT collect any other personal data through mailing lists or newsletters and our personal data will only be used for the purposes for which you provided it to Create.

What are the lawful bases for Create22 holding data?

Create22 has identified the following lawful bases for holding personal data in respect of all its data subjects – Customers, Suppliers and Staff: Contract and Legitimate Interest.

  • All personal data from Customers and Suppliers has been given freely for the purposes of entering into the design services ‘contract’ with the agency (providing quotes or Purchase Orders); the processing of data is necessary for the legitimate interests of this service; a requirement to process data for both individual and commercial interests.
  • Personal data relating to Staff has been given for the purposes of processing and maintaining employment contracts and ongoing internal Human Resource files and is therefore held on the bases of contract and legitimate interest.  Interested parties interacting with the organisation for prospective recruitment queries have provided personal data freely of their own accord and this is held securely in line with Create22’s Data Protection Procedures.
  • With whom does Create22 share personal data?

Create22 will never share, sell or communicate your personal data to any third-party business organisation which intends to use it for their own purposes.

Data is only shared within the organisation between staff members or to third party data processors which have been authorised for the purposes of carrying out the legitimate business on behalf of the agency; more specifically, our authorised suppliers including printers, web developers, merchandisers, our website/email hosts; cloud accounting software providers, technical security providers.

In some instances such as data storage and website/email hosting processors, some of these providers may be located outside the country in which you live and outside the EU. In this instance, Create22 has taken appropriate measures to ensure that these providers have Privacy Policies which align with its own policies.

Your rights

You have the right to ask Create22 to provide you with all the information it stores on you, to access, rectify or delete your personal data, to restrict its use, and to port your data to another organization if applicable. You have the right to request additional information about the handling of your personal data. You also have the right to object to the processing of your data by Create22. If we receive a Subject Access Request, we will handle each one securely and confidentially in accordance with our Data Protection Procedure. These will be responded to without undue delay and within one month of receipt.

  • Retention Periods We will retain your information for as long as your account is active, your information is needed to provide you services, or for a reasonable period of time during which we consider you may reactivate business with us. If you wish to delete your account or request that we no longer use your information to provide you services contact us at: