Privacy Policy

We recognise that it is important for you to understand how we use your personal data. Therefore, please read the following information carefully as it contains important information regarding the Phew Design Limited website and the way in which we use your personal data.

This Privacy Statement explains how we use personal data about visitors to our website, including customers and potential customers and about individuals that get in contact with us, our suppliers and those individuals whose personal data we otherwise process in the course of our business. This statement also covers data processing related to job applications and our recruitment activities.

We will only use personal data in ways that are described in this statement and only in ways that are consistent with our obligations and your rights under applicable data protection laws.

Who are we?

For the purpose of applicable data protection laws, the data controller (in other words, the organisation that determines how and for what purposes your personal data is used) will be Phew Design Limited (‘Phew’), a company with registered number 04219588 and address Cheribourne House, 45a Station Road, Willington, Bedfordshire, MK44 3QL. Our Data Protection Officer can be contacted at

All handling of your personal data is done in compliance with the Data Protection Act 2018, the General Data Protection Regulation (EU) 2016/679 and the UK GDPR (together, the “Data Protection Legislation”). The terms “Personal Data”, “Special Categories of Personal Data”, “Personal Data Breach”, “Data Protection Officer”, “Data Controller”, “Data Processor”, “Data Subject” and “process” (in the context of usage of Personal Data) shall have the meanings given to them in the Data Protection Legislation. “Data Protection Lead” is the title given to the member of staff leading our data protection compliance programme in lieu of a requirement for a Data Protection Officer.

What are your rights?

When reading this statement, it might be helpful to understand your rights arising under Data Protection Legislation, as set out below.

If you would like to exercise any of those rights (or if you have any queries about this policy or the way that we use your data), please contact us at

  • Access: A right to access personal data held by us about you.
  • Rectification: A right to require us to rectify any inaccurate personal data held by us about you.
  • Erasure: A right to require us to erase personal data held by us about you. This right will only apply where (for example): we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent if we are using your personal data based on your consent; or where you object to the way we process your data (in line with your right to object, below).
  • Restriction: In certain circumstances, a right to restrict our processing of personal data held by us about you. This right will only apply where (for example): you dispute the accuracy of the personal data held by us; or where you would have the right to require us to erase the personal data but would prefer that our processing is restricted instead; or where we no longer need to use the personal data to achieve the purpose we collected it for, but you require the data for the purposes of dealing with legal claims.
  • Portability: In certain circumstances, a right to receive personal data, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to require us to transfer this personal data to another organisation, at your request.
  • Objection: A right to object to our processing of personal data held by us about you where the processing of such data is necessary for the purposes of our legitimate interests, unless we are able to demonstrate, on balance, legitimate grounds for continuing to process personal data which override your rights or which are for the establishment, exercise or defence of legal claims.
  • Not to be subject to automated processing: A right for you not to be subject to a decision based solely on an automated process, including profiling, which produces legal effects concerning you or similarly significantly affects you.
  • Withdrawal of consent and objection to marketing: A right to withdraw your consent, where we are relying on it to use your personal data (for example, to provide you with marketing information about our services or products). You can object to direct marketing at any time.


You can also gain access to your personal data by emailing with the subject line: “Subject Access Request”. When you submit a ‘subject access request’, you will need to provide confirmation of your identity. The data you requested will be provided free of charge and our response will be made within thirty (30) days unless our Data Protection Officer deems your request to be excessive or unfounded. If this is the case, we will inform you of our reasonable administration costs in advance and/or any associated delays, giving you the opportunity to choose whether you would like to pursue your request. If you believe we have made a mistake in evaluating your request, please see the section ‘Who can you complain to?’.

If you have questions about any of the rights mentioned in this section, please contact our Data Protection Officer at

Personal data we may collect from you and how we collect it

Personal data you provide to us directly

Ways in which you might provide the data to us

This is personal data about you that you give us, which can happen in a wide variety of ways, including by creating an account with us via HubSpot to provide you with products and services and your use of those products or services, signing up to our newsletter, corresponding with us by e-mail, telephone or SMS or if you mention or interact with us on social media (for example by mentioning/tagging us or by contacting us directly).

It also includes personal data you provide when you enter one of our competitions or promotions, if you complete one of our customer satisfaction surveys, provide us with feedback on our products, search for a product on our website, report a problem with our website or products, enter into a contract with us or otherwise provide us with any personal data.

What type of data might be included?

The personal data you give us may include but is not limited to: your name, postal address, e-mail address and phone number (including mobile number), gender (and preferred salutation), date of birth, social media handle and personal data on your social media account, financial and credit card personal data, purchase history (and sales history if you are a distributor or a reseller), thoughts about our products (including complaints), and any content relevant to entering one of our competitions or promotions (which may include a photo). If you are one of our suppliers, we will process your business contact details and your job role.

We will only ever ask you to give us personal data which we need in order to provide you with the products or services that you have requested from us.

Job applicants

If you apply for a role with us, we will collect a range of information directly from you either by email, over the phone or via an online job application process/system which may include but is not limited to: your name, address and phone number (including mobile number), email address, gender (and preferred salutation), date of birth, your health information (if relevant to your application), the contents of your CV (including details of previous roles, any relevant qualifications you have obtained and any languages that you speak), evidence that you are legally permitted to work in the country you are applying for a role in, your current and desired annual salary, your current notice period, candidate portfolio, whether you have previously been employed by us, how you heard about the role you are applying for and any other information that we reasonably require as part of the recruitment process.

If you are a job applicant and want more detail about how we process your personal data as part of our recruitment process, you can contact our HR department by email at

Personal data we collect or generate about you

When you visit our website or get in touch with us, we may collect, generate, store and use certain personal data about you.

This personal data may include: technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information (if accessing an account with us), browser type and version, time zone setting, browser plug-in types and versions, device types, operating system, time and date of consent and platform and any phone number used to call our customer service number.

It may also include information about your visit to our website, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), products you viewed, searched for or purchased, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs) and methods used to browse our website.

This information is used by us to administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes and for the control of illegal acts.  We reserve the right to check these log files and data retroactively if there is reasonable suspicion of an illegal act due to concrete indications. We safeguard your interests by anonymising your IP address upon collection so that you are not identifiable.

Personal data we receive from other sources

We may occasionally receive personal data about you from other sources, for example if you leave a review on our third-party consumer review platform or use any of the other websites we operate or the other services we provide.

What are the lawful bases for processing personal data?

Under Data Protection Legislation, there must be a ‘lawful basis’ for the use of personal data. The lawful bases are:

  1. ‘your consent’;
  2. ‘performance of a contract’;
  3. ‘compliance with a legal obligation’;
  4. ‘protection of your, or another’s vital interests’;
  5. ‘public interest/official authority’; and
  6. ‘our legitimate interests’.

We are committed to being transparent about our data processing activities. If you have questions about the specific legal basis we are relying on to process your personal data, please contact our Data Protection Officer at

What are Phew’s ‘legitimate interests’?

Legitimate interests are a flexible basis upon which the law permits the processing of an individual’s personal data. To determine whether we have a legitimate interest in processing your data, we balance the needs and benefits to us against the risks and benefits for you of us processing your data. This balancing is performed as objectively as possible by our Data Protection Officer. You are able to object to our processing and we shall consider the extent to which this affects whether we have a legitimate interest. If you would like to find out more about our legitimate interests, please contact

About our processing of your data

We might collect, use, store and transfer different kinds of Personal Data about you which we have grouped together as follows:

Identity Data such as names, usernames or similar; marital status; title; date of birth; sex and gender.

Contact Data such as addresses; email addresses and telephone numbers.

Financial Data such as bank account and payment card information.

Transaction Data such as information about payments and details of purchases you have made.

Technical Data such as IP addresses; login data; browser info; time zone; location; browser plug-ins; operating systems; platforms and other technology on the device used to access this website.

Profile Data such as usernames; passwords; security answers; purchases/orders; interests; preferences; feedback and responses to surveys, blogs and messages.

Usage Data such as analytics relating to how you use the website.

Marketing and Communications Data such as your preferences about receiving communications from us or third parties.

Special Categories of Data such as details about race or ethnic origins, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, genetic or biometric data.


This Website is not directed toward children (as defined by local law), nor does Phew knowingly collect information from children without parental consent except where in compliance with applicable law.

We may also collect, use and share Aggregated Data such as statistical or demographic data. Aggregated Data can be derived from your Personal Data but is not itself Personal Data as it cannot be used to reveal your identity. If Aggregated Data is ever used in combination with your Personal Data and becomes identifiable, it will be treated in accordance with this notice.

How do we use your personal data and what are our justifications for doing so?

Whenever we use your personal data, we need to make sure that we have established a valid legal justification (known as a “lawful basis”) for that use of data.  We have described the ways that we use your data and the associated lawful basis below.

Client Correspondence and Professional Services

  • What categories of information about you do we process? Identity Data; Contact Data.
  • Why are we processing your data? We use the personal data you have given us in order to communicate with you and provide our goods and services to you. This can also include processing data in relation to support. This processing is conducted lawfully on the basis of ‘performance of a contract’.
  • Where did we get your personal data from? Obtained directly from you.

Direct Marketing

  • What categories of information about you do we process? Identity Data; Contact Data; Marketing and Communications Data.
  • Why are we processing your data? We use this personal data in order to market our products and services to you that we believe you will benefit from. This processing is conducted lawfully on the basis of ‘our legitimate interests’.
  • Where did we get your personal data from? Obtained directly from you.

Legal Obligations

  • What categories of information about you do we process? Identity Data; Contact Data.
  • Why are we processing your data? To ensure we comply with any legal and statutory obligations that might arise. This processing is conducted lawfully on the basis of ‘compliance with a legal obligation’.
  • Where did we get your personal data from? Directly obtained from you.

Product Hub Account

  • What categories of information about you do we process? Identity Data; Contact Data; Technical Data; Profile Data.
  • Why are we processing your data? To provide you with access to your account.
  • Where did we get your personal data from? Directly obtained from you.

Enquiries

  • What categories of information about you do we process? Identity Data; Contact Data; any other unsolicited personal data that you choose to submit.
  • Why are we processing your data? We use the contact information sent to us through web forms, by phone or by email in order to respond to enquiries from existing and potential clients. This processing is conducted lawfully on the basis of ‘our legitimate interests’.
  • Where did we get your personal data from? Directly obtained from you.

Third-Party Links

Our services may include links to third-party websites or applications. Interacting with these may allow them to collect or share your data. We don’t control these third parties and aren’t responsible for their privacy practices. Once you leave our site, our privacy policy doesn’t apply. We recommend reading the privacy policy of every site you visit. Contact them directly if you have concerns about their data practices.


We take the security of your personal data very seriously and have put physical, technical, operational and administrative strategies, controls and measures in place to help protect your personal data from unauthorised access, use or disclosure as required by law and in accordance with accepted good industry practice. We will always keep these under review to make sure that the measures we have implemented remain appropriate.

Unfortunately (and as you will probably already know) the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Global Patient Survey; any transmission is at your own risk.

Disclosure of your information

We may share your Personal Information with our group members, including subsidiaries and partners, as defined in the UK Companies Act 2006. As part of GDPR compliance, we ensure any third-party recipient respects data protection standards. We may disclose your data: when buying or selling a business or assets; if our company or the majority of its assets are acquired; to fulfil legal obligations; to enforce agreements; or to protect the rights, property, or safety of our company, customers, or others.

What happens if I refuse to give Phew my personal data?

The information about you that we have collected for the performance of our contracts is required in order for us to successfully fulfil our obligations to you. If you choose not to provide the personal data requested, we will not be able to enter into a contract with you to provide the services we offer. If we are already processing your personal information under a contract, you must end our contractual relationship (as/where permitted) in order to exercise some of your rights. If we process some personal information as part of a contractual relationship with a Data Controller, then any requests to restrict this type of processing should be forwarded to the Data Controller; they will be responsible for discussing your concerns and making any decisions.

What profiling and automated decision making does Phew perform?

Phew does not use your personal data for automated decisions or profiling. All decisions involving your data are made by our staff, not algorithms. We treat users as individuals, avoiding assumptions based on profiling. We aim for fairness and transparency in processing your data while respecting your privacy. For any queries, reach out to

How long will your data be kept?

Phew holds different categories of personal data for different periods of time. Wherever possible, we will endeavour to minimise the amount of personal data that we hold and the length of time for which it is held.

  • If ‘consent’ is the basis for our lawful processing of your data, we will retain your data so long as both the purpose for which it was collected, and your consent, are still valid. Occasionally, we might identify a legitimate interest in retaining some of your personal data that has been obtained by consent. If we do, we will inform you that we intend to retain it under these conditions and identify the interest specifically.
  • If we process your data on the basis of ‘legitimate interests’, we will retain your data for as long as the purpose for which it is processed remains active.
  • All categories of personal data that are held by us because they are essential for the performance of a contract, will be held for a period of six years, or as otherwise required under applicable law, for the purposes of exercising or defending legal claims.

Who else will receive your personal data?

Phew may pass your data to the third parties listed in the section ‘Third Party Interests’ below.

Third party suppliers and service providers involved in our contractual relationship with you:

Like most businesses, we work with third party suppliers and service providers as part of the day-to-day operation of our business. Some of these trusted suppliers will process your personal data on our behalf and provide services to us such as research, analytical health data, statistics.

We will always make sure that we require them to meet agreed standards for the protection of your data and they will only ever be allowed to use the data in order to provide services to us and not for their own commercial purposes. If any of these trusted third-party suppliers is based outside of the UK or EEA (i.e. in a territory where local laws may not provide the same level of protection for your data), we will implement safeguards to ensure that your personal data is protected in accordance with our obligations under data protection law.

Where your personal data may be processed

We may transfer your personal data outside of the UK, Switzerland and the European Economic Area (“EEA”) where local laws may not provide legal protection for your personal data in the same way as is applicable in the UK, Switzerland or the EEA. Examples of when your personal data may be processed outside of the UK, Switzerland and the EEA include, for example, for the purposes of research and analysing health data. Similarly, some of our trusted third-party suppliers may transfer data outside of the UK/Switzerland/EEA and wherever this is the case, we will implement appropriate safeguards to protect your personal data.

Whenever we send (or permit a third party to send) your personal data outside of the UK, Switzerland and the EEA, we will make sure that we take steps necessary to protect your data as required by applicable laws. For example, we may require the overseas recipient (including any of our group companies) to enter into particular contract terms such as the European Commission’s Standard Contractual Clauses or the UK IDTA.

Does your data leave the EU?

Yes. Details are included in the section ‘Third Party Interests’ below.

Phew has risk assessed where Personal Information may be transferred outside the UK and EEA. As part of our own due diligence, we have identified that some of the Personal Data held for and by Phew resides outside of the EU. Phew will continue to monitor this, considering any third-party provider changes in the future. Should a requirement arise for data to be transferred outside of the UK and/or EU in future, Phew will implement controls and safeguards to ensure that equal or greater data protection measures are enforced and records retained to evidence this.

Third Party Interests

Data Controllers

HMRC, regulatory authorities or other authorities

  • What processing is being performed? We are joint Controller with these authorities who require reporting of processing in some situations.
  • If applicable – who is their representative within the EU? N/A


Our Data Processors

Web hosting providers

  • Purposes for carrying out processing: Hosting of our Website and Product Hub, including the storage of data forming the Website and Product Hub content and processing your Technical Data (and Profile Data, where applicable) in order to provide you with access to our Website and Product Hub.
  • If applicable – where does data leaving the EEA go and what safeguards are in place? In the interests of providing a quality service, we may use providers located in the United States. These providers are bound by the contractual provisions of the EU Commission’s model clauses and UK model clauses.

Internal technology providers

  • Purposes for carrying out processing:
      · CRM software providers, whose services we use in order to manage our business with you.
      · Telephony providers.
      · Office software providers, such as email clients.
      · IT Support services, who might require access to our systems (with our strict supervision) in order to remedy faults with our technology.
  • If applicable – where does data leaving the EEA go and what safeguards are in place? In the interests of providing a quality service, we may use providers located in the United States. These providers are bound by the contractual provisions of the EU Commission’s model clauses.

Marketing technology providers

  • Purposes for carrying out processing: Providers who enable us to send you our marketing emails.
  • If applicable – where does data leaving the EEA go and what safeguards are in place? In the interests of providing a quality service, we may use providers located in the United States. These providers are bound by the contractual provisions of the EU Commission’s model clauses.

Who can you complain to?

In addition to sending us your complaints directly to, you can send complaints to our supervisory authority. As Phew predominantly handles the personal data of UK nationals, our supervisory authority is the UK Information Commissioner’s Office. If you believe that we have failed in our compliance with data protection legislation, complaints to this authority can be made by visiting

Changes To Our Privacy Statement 

We keep this privacy statement under regular review, and we will place any updates here on this page. This privacy statement was last updated on 13th June 2023.