PRIVACY NOTICE
Arch Agency (“we”, “us”, “our”) is committed to protecting your privacy and handling your personal information with transparency, integrity, and care. This Privacy Notice explains how we collect, use, store, and share personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We operate as a talent and creative agency in the United Kingdom.
1. Who We Are
Arch Agency
85 Great Portland Street
First Floor
London
W1W 7LT
Arch Agency acts as the data controller for the personal data we collect and process. We work with trusted third‑party processors who support our operations, including IT providers, website hosting, and secure communication tools.
2. Personal Data We Collect
We collect only the information necessary to operate as a modelling and creative agency. This may include:
2.1 Identification & Contact Information
-
Name
-
Email address
-
Phone number
-
Address (where relevant)
-
Parent/guardian details for under‑18 applicants
2.2 Application & Representation Data
-
Photos (headshot, mid‑length, full‑length)
-
Model portfolios and media
-
Measurements (optional)
-
Social media handles
-
Application form responses
-
Casting information
2.3 Client & Booking Information
-
Contact details
-
Project briefs
-
Usage rights and licensing information
-
Contractual correspondence
2.4 Financial & Administrative Data
-
Payment information
-
Invoices and accounting records
-
Employment or contractor records (where applicable)
2.5 Technical & Website Data
-
IP address
-
Browser type
-
Device information
-
Website usage analytics
-
Cookies (see Cookies Policy)
We do not collect unnecessary or excessive information.
3. How We Use Personal Data
We process personal data for the following purposes:
3.1 Talent & Applicant Management
-
Assessing applications
-
Managing representation
-
Maintaining portfolios and records
-
Communicating with applicants and talent
3.2 Client & Booking Management
-
Managing bookings and contracts
-
Coordinating shoots, castings, and campaigns
-
Managing usage rights and licensing
-
Processing payments
3.3 Business Operations
-
Maintaining website functionality
-
Ensuring security and fraud prevention
-
Internal administration and compliance
-
Marketing and brand promotion (with consent where required)
3.4 Legal & Safeguarding Obligations
-
Verifying identity
-
Protecting minors
-
Complying with UK law and regulatory requirements
Lawful Bases for Processing
We rely on:
-
Contractual necessity
-
Legitimate interests
-
Legal obligations
-
Consent (e.g., marketing, under‑18 applications)
You may withdraw consent at any time.
4. How We Protect Your Data
We use appropriate technical and organisational measures to protect your data, including:
-
Multi‑factor authentication for staff accounts
-
Encrypted devices and secure backups
-
Restricted, logged access for authorised personnel
-
Regular system monitoring and maintenance
-
Data Processing Agreements with all third‑party providers
-
Safeguarding protocols for under‑18 applicants
Our security practices align with recognised UK standards.
5. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected.
Category
Purpose
Retention / Review
Model & talent data
Managing representation, protecting usage rights, responding to legal or commercial enquiries.
Retained while representation is active and reviewed periodically thereafter.
Applications (unsuccessful)
Assessing suitability for representation.
Automatically deleted after 30 days.
Applications (successful)
Becomes part of the talent record.
Retained in line with representation data.
Client & booking data
Managing bookings, contracts, invoicing.
Retained for the duration of the relationship and as required by law.
Financial records
Tax, accounting, and legal compliance.
Retained in accordance with UK tax law.
Employee/contractor data
HR, payroll, compliance.
Retained as required by employment law.
Marketing data
Newsletters and communications.
Retained while consent is active.
Website/technical data
Security, analytics, diagnostics.
Short operational periods unless required for security.
6. Data Sharing & International Transfers
We may share limited personal data with trusted third‑party service providers who support our operations, including:
-
IT and hosting providers
-
Email and communication platforms
-
Secure cloud storage providers
All providers act on our documented instructions and are bound by confidentiality and data protection agreements.
If data is transferred outside the UK, we use appropriate safeguards such as:
-
UK Addendum to the EU Standard Contractual Clauses
-
Adequacy decisions
-
Approved transfer mechanisms
We do not sell your data.
7. Your Rights
Under UK GDPR, you have the right to:
-
Access your personal data
-
Request correction
-
Request deletion
-
Restrict or object to processing
-
Withdraw consent
-
Request a copy of your data
To exercise your rights, contact: archagency.co@consultant.com
8. Data Breaches
If a personal data breach occurs, we will:
-
Investigate promptly
-
Notify the ICO where required
-
Inform affected individuals where necessary
-
Take steps to prevent recurrence
We comply with the 72‑hour reporting requirement under UK GDPR.
9. Under‑18 Applicants & Safeguarding
For applicants under 18:
-
A parent or legal guardian must complete the application
-
Guardian contact details are required
-
We may request additional verification
-
Guardians must be present for all communication and meetings
-
We comply with the Online Safety Act 2023
-
Unsuccessful applications are deleted within 30 days
Your child’s safety is our priority.
10. Updates to This Notice
We review this Privacy Notice regularly and update it when our practices or legal obligations change. The most recent version will always be available on our website.
11. Contact Us
For questions or requests regarding this Privacy Notice, please contact:
Arch Agency
Email: archagency.co@consultant.com
Phone: +44 07985641490