Legal · Privacy
Privacy Policy
Effective date: January 1, 2026 · Version 1.1
1. Who runs this site
TakeForge Studio (a sole proprietorship trading under that name) is the data controller for this website and any project we work on with you. Contact: [email protected].
2. What we collect, why, and where it lives
| Data | Why | Where it's stored | How long we keep it |
|---|---|---|---|
| Name, email, company, phone | To reply to your enquiry and run your project | Our Google Workspace inbox ([email protected]) |
Until you ask us to delete, or 7 years after project end — whichever is sooner |
| Project brief content (script ideas, references, brand assets) | To produce the video you commissioned | Google Workspace (Drive + Gmail) | Project archive: 2 years for revisions, then deleted on request |
| Consent record (the "I agree to the Terms" checkbox you tick before submitting any form, plus the form-submission timestamp and the Terms version you accepted) | Legal proof that you agreed to our Terms (GDPR Art. 7 / click-wrap enforceability) | Embedded in the Gmail message we receive when you submit the form — preserved as part of the email body | 7 years (matches statute of limitations for service contracts) |
| Payment metadata (amount, package, order ID — not card details) | To match payments to projects and issue receipts | PayPal holds this; we only see the order metadata in their merchant dashboard | Per processor retention (typically 7 years for tax) |
| Cookies | First-party only: remember your cookie-banner choice and your draft form fields if your connection drops | Your browser's localStorage (we don't see them) |
Until you clear your browser, or for 12 months |
We do not log IP addresses, user-agents or any network identifiers. The only metadata attached to a submission is the timestamp Gmail adds to the inbound email.
3. The third parties we rely on (sub-processors)
- DigitalOcean (USA, with global CDN edge) — hosts the static marketing site you're reading. They see HTTP requests to fetch the page; they do not see anything you type into the forms.
- Google Workspace + Google Apps Script (USA / EU) — our team inbox (
[email protected]) and the lightweight Apps Script handler that receives form submissions, performs server-side validation, logs them to a private Google Sheet, and emails them to our inbox. The Apps Script runs under our Google Workspace account; nothing in your submission leaves Google's infrastructure on our side. - PayPal (Luxembourg for EU) — when you pay, whether by PayPal balance or by card via PayPal Guest Checkout. They handle PCI-compliant card storage and the wallet relationship; we never see your card number or account password.
- Vimeo (USA) — embeds the portfolio reels on the homepage. Vimeo may process data when you press play; loading the page alone does not transmit anything to Vimeo until you interact with a video.
4. Lawful basis (GDPR / UK GDPR)
We process your personal data on the following bases:
- Contract performance — to deliver the video service you commissioned.
- Legitimate interest — to reply to enquiries, maintain a fraud-resistant audit log, secure our infrastructure.
- Legal obligation — to retain consent records, payment data, and tax records for the periods required by law.
- Consent — for any optional analytics or marketing communications (we don't currently send marketing emails; if that ever changes, you'll get to opt in).
5. Your rights
You can at any time, free of charge, ask us to:
- Show you a complete copy of every piece of data we hold about you (right to access).
- Correct anything that's wrong (right to rectification).
- Delete everything we can lawfully delete (right to erasure / "right to be forgotten" — note: we keep consent records and payment data as long as required by law, even after a deletion request).
- Stop us processing your data, or restrict it to a specific use (right to object / restrict).
- Hand it over in a portable format you can take to another provider (right to portability).
Send any of these requests to [email protected]. We respond within 30 days (usually within 48 hours).
If we mishandle your data, you can complain to the data protection authority in your country (e.g. ICO in the UK, CNIL in France, Datatilsynet in Denmark).
6. Cookies — the full list
tf-consent— remembers you dismissed the cookie banner (~ 50 bytes, 12 months).tf-draft-contact/tf-draft-questionnaire— keeps your typed brief safe if your connection drops mid-submit (cleared once you successfully submit).
We do not use advertising cookies or tracking pixels. Embedded video providers (Vimeo) may process data when you press play. If we ever add analytics it will be a privacy-preserving option (Plausible / Fathom) with no cross-site tracking, and you'll be informed before it goes live.
7. International transfers
Our sub-processors (DigitalOcean, Google, PayPal, Vimeo) are headquartered in the United States or have a primary EU establishment. Personal data of EU/UK users that flows to any of them is transferred under the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.
8. Security
The site is served over TLS 1.3 from DigitalOcean's edge. Form submissions are sent over HTTPS to a Google Apps Script handler that runs entirely inside our Google Workspace account; from there they are stored in a private Google Sheet and emailed to [email protected]. Payment processing happens entirely on PayPal's own infrastructure; we never receive, see or store your card or account credentials.
9. Changes to this policy
If we make a material change, we'll update the "Effective date" above and (for material changes that affect your rights) email you in advance using the address you gave us.
10. Contact
Questions, requests, complaints — all to [email protected].