Privacy Policy

Last updated: 15 June 2026

Introduction

This privacy policy explains how XIII Studios (we, us) collects and uses personal information when you visit www.thirteenstudios.agency or contact us.

We are registered in England and Wales (company number 16073688). Our registered address is Marble Hall, 80 Nightingale Road, Derby, DE24 8BF. We are registered with the Information Commissioner's Office (ICO registration reference ZB932550).

This policy applies only to your use of this website. It does not cover third-party websites or services you reach through links on the site (for example Cal.com or LinkedIn).

It is relevant if you are a prospective or current client, or a representative contacting us on behalf of a business. It does not apply to corporate entities as data subjects, though confidentiality may still apply to business information.

Who is responsible for your data?

XIII Studios is the data controller for personal information described in this policy. For privacy questions, data subject requests, or complaints about how we use personal data, email privacy@thirteenstudios.agency.

What information we collect

Depending on how you use the site, we may process:

  • Contact form — name, email address, and message when you submit our contact form. To prevent spam and abuse we also process your IP address and email address for rate limiting (5 submissions per hour per IP, 3 per day per email) and automated bot checks when you submit.
  • Booking links — if you book a call through Cal.com (linked from this site), Cal.com collects the information you provide under their own privacy policy.
  • Website usage — aggregated, privacy-oriented analytics via Vercel Web Analytics and Vercel Speed Insights (see Cookies and similar technologies).
  • Server and security logs — technical data such as IP address, browser type, and request timestamps, processed by our hosting and security providers to deliver and protect the site.
  • Content delivery — when you load pages or images, requests may be handled by Sanity's CDN as part of publishing our blog and marketing content.

We do not knowingly collect information from children under 16. If you believe a child has provided us personal data, please contact us and we will delete it.

How we use your information

We use personal information to:

  • respond to enquiries sent through the contact form;
  • operate, maintain, and improve the website;
  • understand aggregated traffic and performance (analytics);
  • keep the site secure and prevent abuse, including rate limiting contact submissions and blocking automated traffic;
  • comply with legal obligations.

Lawful bases (UK GDPR)

We rely on the following lawful bases:

  • Legitimate interests — running and improving our website, understanding aggregated usage, and securing our services, balanced against your rights.
  • Contract / pre-contractual steps — handling enquiries when you ask about our services.
  • Legal obligation — where we must retain or disclose information by law.

We do not sell your personal information. We do not use it for automated decision-making that has legal or similarly significant effects.

Who we share information with

We use service providers (processors) that handle data on our instructions, including:

  • Vercel — website hosting, Web Analytics, Speed Insights, Firewall/WAF rate limiting, and BotID bot protection on contact submissions.
  • Resend — delivering contact-form notification emails (name, email, message, and reply-to address).
  • Upstash — Redis-backed rate limiting for the contact form (IP address and normalised email).
  • Sanity — delivery of blog content and images.
  • Cal.com — scheduling when you use our booking links.

These providers may process data in the UK, EEA, United States, or other countries. Where data is transferred outside the UK, we rely on appropriate safeguards (such as the UK International Data Transfer Agreement or adequacy regulations) where required.

We may also disclose information if required by law, court order, or to protect our rights and safety.

If we sell, merge, or restructure part of our business, personal information may transfer to a successor who may continue to use it for the purposes described in this policy.

How we protect your information

We use technical and organisational measures appropriate to the data we hold, including HTTPS for the site, access controls on systems that store enquiries, and processor contracts with our service providers. We limit who can access personal data to people who need it for their role.

No method of transmission over the internet is completely secure. If we become aware of a personal data breach that affects your rights, we will notify you and/or the ICO where we are required to do so by law.

How long we keep information

  • Contact form messages — delivered to our team by email. We keep correspondence only as long as needed to respond and manage the enquiry, then delete or anonymise it unless we have a longer legal or business need (for example, if you become a client). Resend retains email content on their systems for up to 30 days on standard plans (see Resend pricing).
  • Contact abuse prevention — when you submit the contact form, Vercel (Firewall and BotID) and Upstash process your IP and email for short-lived rate limits and bot checks. We do not store BotID results. Upstash counters expire within about 2 hours (IP) or 48 hours (email).
  • Analytics — Vercel Web Analytics uses anonymous, aggregated data; visitor sessions are discarded after about 24 hours (see Vercel Web Analytics privacy).
  • Server logs — retained for a limited period for security and troubleshooting, as configured by Vercel.

Cookies and similar technologies

Under UK privacy rules (PECR), we must tell you about cookies and similar storage on your device and obtain consent for non-essential uses. We do not use advertising or marketing cookies, and we do not show a cookie consent banner because our public site does not place non-essential cookies on your device.

Vercel Web Analytics is designed to work without third-party tracking cookies and collects only anonymous, aggregated statistics. Speed Insights measures performance without setting cookies. Contact-form protection uses Vercel BotID (invisible bot checks on submission) and server-side rate limiting — not tracking cookies. You can read more in Vercel's privacy documentation.

You can control cookies through your browser settings. Blocking cookies is unlikely to affect core browsing on this site, but may prevent the contact form from submitting if security checks cannot run.

Your rights

Under UK data protection law, you may have the following rights (depending on why we process your data):

  • Access — request a copy of personal data we hold about you and information about how we use it.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data in certain circumstances.
  • Restriction — ask us to limit how we use your data in certain circumstances.
  • Objection — object to processing based on legitimate interests in certain circumstances.
  • Data portability — receive data you provided in a structured, machine-readable format where the legal conditions apply.
  • Withdraw consent — where we rely on consent, you may withdraw it at any time.

To exercise your rights, email privacy@thirteenstudios.agency. We may need to verify your identity before responding. We will respond without undue delay and in any event within one month, unless the law allows a longer period for complex requests.

If you have concerns about how we use your personal data, please contact us first at privacy@thirteenstudios.agency. If you remain unhappy after that, you may complain to the ICO:

  • Website: ico.org.uk
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
  • Helpline: 0303 123 1113

This site links to external services (for example Cal.com and LinkedIn). Their privacy practices are governed by their own policies, not this one.

Changes to this policy

We may update this page from time to time. The "Last updated" date at the top shows when it was last revised. Significant changes may also be highlighted on the website where appropriate.