DATA USE POLICY
Redline Design - Data Use Policy 1. Introduction & Purpose Redline Design is committed to the ethical, lawful, and transparent use of all data it collects, processes, and stores, particularly personal data. We recognize the profound responsibility that comes with handling personal information and are dedicated to upholding the privacy rights of individuals. Compliance with evolving data protection regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA) is a legal imperative and a cornerstone of building client and consumer trust. The purpose of this Data Use Policy is to ensure that all personal data handled by Redline Design is done in strict accordance with applicable data protection laws, industry best practices, and the principles outlined herein. The scope of this Policy applies to all personal data processed by Redline Design, its employees, contractors, and any third parties acting on its behalf. 2. Definitions Personal Data: Any information relating to an identified or identifiable natural person ('Data Subject'), such as a name, an identification number, location data, or an online identifier. Sensitive Personal Information: Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation. Redline Design generally does not process this data unless explicitly required and legally protected. Processing: Any operation performed on Personal Data, such as collection, recording, storage, use, disclosure, or destruction. Data Subject: The individual to whom Personal Data relates. Controller: The entity that determines the purposes and means of processing Personal Data. Redline Design is a Controller for its own data and typically a Processor for client data. Processor: An entity that processes Personal Data on behalf of a Controller. Consent: Any freely given, specific, informed, and unambiguous indication of a Data Subject's agreement to the processing of their Personal Data. Data Breach: A security breach leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data. Applicable Data Protection Laws: All relevant data privacy laws, including GDPR and CCPA/CPRA. 3. Data Protection Principles (GDPR-aligned) Redline Design adheres to the following core data protection principles: Lawfulness, Fairness, and Transparency: Processing must be lawful, fair, and transparent to the Data Subject. Purpose Limitation: Data will be collected for specified, explicit, and legitimate purposes only.
Data Minimization: Data collected will be adequate, relevant, and limited to what is necessary. Accuracy: Personal Data will be accurate and kept up to date. Storage Limitation: Data will be kept in an identifiable form for no longer than is necessary. Integrity and Confidentiality (Security): Data will be processed securely to protect against unauthorized access, loss, or damage. Accountability: Redline Design is responsible for and must be able to demonstrate compliance with these principles. 4. Lawful Basis for Processing All processing of Personal Data must be based on a valid lawful basis. Consent Management: Where consent is the basis, it must be freely given, specific, informed, and unambiguous. Data Subjects have the right to withdraw consent at any time. Records of consent will be maintained. For email marketing, a double opt-in process will be used where appropriate. Legitimate Interests: Data may be processed based on legitimate interests, provided these are not overridden by the rights of the Data Subject. A Legitimate Interests Assessment (LIA) will be conducted when relying on this basis. Other Lawful Bases: Other bases, such as performance of a contract or legal obligation, will be used where appropriate. 5. Data Collection and Use Practices Transparency and Notice at Collection: At the point of collection, Data Subjects will be provided with a clear Privacy Notice detailing the who, what, why, and how of data processing. Cookie Policy and Consent Banners: A clear Cookie Policy will be maintained. Websites will use cookie consent banners that allow users to accept, reject, or customize their preferences for non-essential cookies. Non-essential cookies will not be placed before valid consent is obtained. Email Marketing: All email marketing will comply with anti-spam laws. Explicit opt-in consent will be obtained, and a clear unsubscribe mechanism will be provided in every marketing email. Targeted Advertising and Profiling: When engaging in targeted advertising, a lawful basis (typically explicit consent) will be ensured, and individuals will be informed of their right to opt-out. Use of Client-Provided Data: When acting as a Processor for a client, Redline Design will only process data according to the client's documented instructions and the Data Processing Agreement (DPA). Children's Data: Redline Design will not knowingly collect or process Personal Data from children under 16 without verifiable parental consent. 6. Data Subject Rights (GDPR, CCPA/CPRA) Redline Design will facilitate the rights of Data Subjects, including: Right to Know/Access: To request information about the data collected about them.
Right to Delete/Erasure: To request the deletion of their Personal Data. Right to Rectification: To request the correction of inaccurate data. Right to Restrict Processing: To request a halt to processing under certain conditions. Right to Data Portability: To receive a copy of their data in a machine-readable format. Right to Object: To object to processing, especially for direct marketing. Right to Opt-Out of Sale or Sharing (CCPA/CPRA): To opt-out of the "sale" or "sharing" of their information. Right to Limit Use and Disclosure of Sensitive Personal Information (CPRA): To limit the use of their sensitive data. Right to Non-Discrimination: To not be discriminated against for exercising privacy rights. Procedures are in place for submitting requests, verifying identity, and responding within legally mandated timeframes. When acting as a Processor, Redline Design will assist the client (Controller) in responding to these requests. 7. Data Sharing and Third Parties Personal Data will only be shared with third parties when there is a lawful basis and a written contract (DPA) is in place. Due diligence will be conducted on all third parties. International Data Transfers: For transfers of data outside regions like the EEA or UK, appropriate safeguards such as Standard Contractual Clauses (SCCs) will be implemented to ensure data protection. 8. Data Security Redline Design is committed to implementing appropriate technical and organizational security measures to protect Personal Data. Specific details are outlined in Redline Design's Information Security Policy, which is an integral part of this data governance framework. 9. Data Retention and Disposal Personal Data will be retained only as long as necessary to fulfill the purposes for which it was collected or as required by law. Data retention schedules will be maintained for different categories of data. Once no longer needed, data will be securely disposed of (e.g., cryptographic erasure, shredding). 10. Data Protection Impact Assessments (DPIAs) For data processing activities likely to result in a high risk to individuals, a DPIA will be conducted prior to processing to assess and mitigate risks. This may be required for large-scale profiling or processing of sensitive data. 11. Training and Awareness All employees and relevant contractors will receive regular training on this Data Use Policy and applicable data protection laws.
12. Policy Review and Updates
This Policy will be reviewed at least annually and updated as required by changes in laws or business practices.
13. Contact Information
For any questions regarding this Data Use Policy or to exercise Data Subject rights, please contact the Data Protection Contact / Designated Security Lead at Redline Design.
