Privacy
Policy

Ikaroa is a creative agency and technology studio headquartered at Level 41, Emirates Towers, Sheikh Zayed Road, Dubai. We also operate from offices in Abu Dhabi, London (9 Noel Street, Soho, W1F 8GH), Los Angeles, and San Francisco. We are the data controller for all personal data collected through ikaroa.com and our services.

We collect the following categories of personal data:

Identity data: your name, job title, and company name when you fill in our contact form or engage with us.

Contact data: email address, phone number, and business address provided through our enquiry forms or during project engagements.

Technical data: IP address, browser type, operating system, device type, screen resolution, referring URL, pages visited, and time spent on each page. This is collected automatically via Google Analytics 4 and our hosting provider (Vercel).

Chat data: messages you send through our live chat widget (powered by Lead Connector/HighLevel). This may include your name, email, and the content of your conversation.

Form data: any information you submit through our contact forms (powered by Open Doors CRM), including project details, budget, and timeline information.

Affiliate tracking data: when you visit our partner pages, anonymous click and referral data is collected by PartnerStack to track affiliate referrals. This does not include personally identifiable information unless you sign up for a partner product.

We do not collect special category data (health, biometric, genetic, political opinions, religious beliefs, trade union membership, or sexual orientation) unless you voluntarily provide it.

We process your personal data under the following legal bases:

Contractual necessity (Article 6(1)(b) UK GDPR): to deliver services you have engaged us for, manage projects, issue invoices, and communicate about ongoing work.

Legitimate interests (Article 6(1)(f) UK GDPR): to improve our website and services, analyse site usage, respond to enquiries, and manage our business relationships. Our legitimate interest assessment confirms these activities do not override your rights.

Consent (Article 6(1)(a) UK GDPR): where you have opted in to receive marketing communications, submitted an enquiry form, or engaged with our live chat. You may withdraw consent at any time by contacting us or using the unsubscribe link in any marketing email.

Legal obligation (Article 6(1)(c) UK GDPR): to comply with tax, accounting, and regulatory requirements in the UK, UAE, and US.

Our website uses cookies and similar technologies. Full details are in our Cookie Policy, but in summary:

Essential cookies: required for the site to function (Vercel deployment, session management). These cannot be disabled.

Analytics cookies: Google Analytics 4 (measurement ID: collected anonymously, IP anonymisation enabled). Set only with your consent.

Chat widget cookies: Lead Connector/HighLevel sets cookies to maintain your chat session and remember your preferences.

Affiliate cookies: PartnerStack sets first-party cookies when you click on partner product links to attribute referrals. These do not track you across other websites.

You can manage cookie preferences via our cookie banner, your browser settings, or by contacting us directly.

We do not sell your personal data. We share data only with trusted processors under strict data processing agreements:

Vercel Inc. (USA): website hosting and deployment. Data processed under Standard Contractual Clauses.

Google LLC (USA): analytics (GA4). Data anonymised and processed under Google Cloud data processing terms.

HighLevel/Lead Connector (USA): CRM, chat widget, and form handling. Data processed under their DPA.

Open Doors (our CRM platform): contact form submissions and client management.

PartnerStack Inc. (Canada): affiliate link tracking on partner pages. Only anonymous click data unless you create an account with a partner.

Cloudflare Inc. (USA): CDN, DNS, and security services.

We may also share data with professional advisors (lawyers, accountants) and regulatory authorities where required by law.

We retain personal data only for as long as necessary:

Client project data: up to 7 years after project completion for accounting, tax, and legal purposes.

Enquiry and contact form data: up to 2 years from last contact, then securely deleted.

Chat conversations: retained for up to 12 months, then automatically purged.

Analytics data: retained in aggregated, anonymised form for up to 14 months (GA4 default).

Affiliate tracking data: retained by PartnerStack for up to 90 days for attribution purposes.

Marketing consent records: retained for as long as consent is active, plus 2 years after withdrawal for audit purposes.

When data is no longer needed, we securely delete it or render it permanently anonymous.

As a global company with offices in the UAE, UK, and US, we transfer data internationally. We ensure appropriate safeguards for all transfers:

UK to US transfers: protected by Standard Contractual Clauses (SCCs) approved by the ICO, or the UK Extension to the EU-US Data Privacy Framework where applicable.

UK to UAE transfers: our UAE operations process data in accordance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data.

UK to Canada transfers: Canada has an adequacy finding from the European Commission, providing equivalent data protection.

All third-party processors are contractually required to maintain safeguards equivalent to UK GDPR standards.

Under UK GDPR, you have the following rights:

Right of access (Article 15): request a copy of all personal data we hold about you. We will respond within one month.

Right to rectification (Article 16): request correction of inaccurate or incomplete data.

Right to erasure (Article 17): request deletion of your data where there is no compelling reason for continued processing ("right to be forgotten").

Right to restrict processing (Article 18): request that we limit how we use your data.

Right to data portability (Article 20): receive your data in a structured, machine-readable format.

Right to object (Article 21): object to processing based on legitimate interests, including profiling and direct marketing.

Right to withdraw consent: where processing is consent-based, withdraw at any time without affecting prior processing.

To exercise any right, email privacy@ikaroa.com with the subject line "Data Rights Request". We will verify your identity and respond within one calendar month. If your request is complex, we may extend this by two months and will notify you.

You also have the right to lodge a complaint with the UK Information Commissioner (ico.org.uk) or the UAE Data Office.

We implement appropriate technical and organisational measures:

Encryption in transit: all data transmitted via HTTPS/TLS 1.3.

Encryption at rest: sensitive data encrypted using AES-256 where applicable.

Access controls: role-based access, multi-factor authentication for all internal systems.

Regular reviews: periodic security audits and vulnerability assessments.

Staff training: all team members complete data protection training annually.

Incident response: documented breach response procedure. In the event of a breach posing risk to your rights, we will notify you and the relevant supervisory authority within 72 hours as required by Article 33 UK GDPR.

Our services are not directed at children under 13. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.

We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significant effects on you. Our analytics tools process data in aggregate to improve our website, but no individual decisions are made based on automated processing.

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. The last updated date is shown at the top of this page. Where changes are material, we will notify you by email or via a prominent notice on our website before they take effect. We encourage you to review this policy periodically.