This Privacy Policy explains how Blu Frame collects, uses, and protects your personal data. We take your privacy seriously and are committed to being transparent about how we handle your information.

Blu Frame is operated by Dendelion Blu Ltd, a company registered in England and Wales.

Our address: 71-75 Shelton Street, London, WC2H 9JQ, United Kingdom.

We are the data controller for any personal data collected through blufra.me. This means we decide how and why your data is processed, and we are responsible for complying with data protection laws.

We collect different types of data depending on how you interact with our site:

Data You Give Us

• Contact form submissions — name, email address, phone number, and message content when you reach out through our site

Data We Collect Automatically

• IP address — logged when you visit our site, used for analytics and security
• Browser and device information — browser type, operating system, device type, collected through analytics tools
• Pages visited and time spent — tracked through Google Analytics to understand how people use our site
• Referring URL — how you found us (organic search, social media, direct visit, etc.)
• Click data — interactions with CTAs, buttons, and links (via Google Tag Manager events)

Data from Third Parties

• Social media platforms — if you interact with us through LinkedIn, Twitter/X, or other channels, we may receive your public profile information from those platforms

We use your data for these purposes:

Website Operation

• Display our content, case studies, and portfolio
• Run analytics to understand visitor behaviour and improve our site
• Prevent fraud and abuse
• Ensure our site works correctly across devices and browsers

Communication

• Respond to your enquiries submitted through our contact form
• Send newsletters or updates (only if you have opted in)
• Share case studies and relevant content

Legal Obligations

• Comply with tax and accounting requirements
• Defend legal claims
• Cooperate with regulatory authorities when required

We will not sell your data. Ever. That is not our business.

Under GDPR, we rely on the following legal bases to process your personal data:

Legitimate Interests

We process your data when it is in our legitimate interests or those of a third party, provided your rights do not override those interests. This includes:

• Analysing website traffic to improve our site
• Responding to enquiries from visitors
• Protecting against fraud and security threats

Consent

We process your data based on your consent when:

• You subscribe to our newsletter or marketing communications
• You allow non-essential cookies on our site
• You provide feedback or testimonials

You can withdraw consent at any time by contacting us through our contact form. Withdrawal does not affect the lawfulness of processing before consent was withdrawn.

Legal Obligation

We process your data when required by law — for example, retaining financial records for tax purposes or responding to lawful requests from authorities.

We share your data with trusted third-party service providers who process it on our behalf. These companies are bound by contractual obligations to use your data only for the services they provide to us.

Current Processors

• Amazon Web Services — Hosting and deployment — Server logs, IP addresses — United States
• Google LLC — Analytics (GA4) and tag management — IP addresses, browser info, click data, pages visited — United States
• Strapi SAS — Headless CMS and content management — Website content — France / European Economic Area
• Snowflakes CDN — Asset delivery (images, logos, fonts) — None (anonymous asset requests) — Global (CDN)
• HubSpot Inc. — CRM and form processing — Contact form submissions, email addresses — United States
• Atlassian Inc. — Project management and collaboration (Bitbucket, Jira, Confluence) — Server logs, deployment metadata — United States

We do not share your data with third parties for their own marketing purposes. If we ever do, we will ask for your explicit consent first.

Some of our processors are located outside the European Economic Area (EEA). When we transfer your data internationally, we ensure it receives an equivalent level of protection as under GDPR through one of these mechanisms:

Standard Contractual Clauses (SCCs)

For transfers to the United States (Google, HubSpot, AWS, Atlassian), we rely on the EU Commission Standard Contractual Clauses. These are legally binding contracts that impose data protection obligations on the recipient.

Adequacy Decisions

Transfers to countries with an EU adequacy decision (for example, the United Kingdom, Canada, Japan) are considered to provide adequate protection and do not require additional safeguards.

If you request details about the safeguards we use for international transfers, contact us through our contact form and we will provide copies of the relevant clauses.

We do not keep your data longer than necessary. Here is how long we retain different types:

Website Visitors

• Analytics data — 14 months (Google Analytics default setting)
• Server logs — 90 days
• Cookie preferences — 12 months

Enquiries

• Unconverted enquiries — 24 months from last contact (then anonymised or deleted)

Marketing

• Newsletter subscribers — Until you unsubscribe
• Marketing consent records — Until consent is withdrawn plus 1 year

We review retention periodically and delete or anonymise data that is no longer needed. Anonymised data (stripped of identifiers) may be retained for analytics purposes.

We take the security of your data seriously. As a technology company, we practice what we preach:

• All data in transit is protected with HTTPS and TLS encryption
• Our site is hosted on Amazon Web Services (AWS) with industry-standard security controls
• We use AWS WAF (Web Application Firewall) and CloudFront to filter and monitor traffic
• We conduct regular security reviews to identify and address vulnerabilities
• We will not sell your data. Ever. That is not our business.

Our site is not directed to children under 13. We do not knowingly collect personal data from children. We comply with the Children's Online Privacy Protection Act (COPPA) in the United States, the UK Age-Appropriate Design Code, and equivalent protections in EU member states. If you believe your child has provided us with personal data, please contact us through our contact form and we will take steps to delete it.

Under GDPR and UK data protection law, the following rights apply:

Right of Access

You can request a copy of the personal data we hold about you. We will respond within one month. There is no fee for this request.

Right to Rectification

If your data is inaccurate or incomplete, you can ask us to correct it. We will update it as soon as reasonably practicable.

Right to Erasure (Right to Be Forgotten)

You can ask us to delete your personal data in certain circumstances, such as when:

• The data is no longer necessary for the purpose it was collected
• You withdraw consent (where consent was the legal basis)
• You object to processing and there is no overriding legitimate interest
• The data was processed unlawfully

Note: We may not be able to delete all data if we are required to retain it for legal or regulatory reasons.

Right to Restrict Processing

You can ask us to suspend processing of your data in certain situations, such as while we verify its accuracy or resolve a dispute.

Right to Data Portability

If we process your data based on consent, you can request a copy of your data in a structured, machine-readable format. We will provide it in CSV or JSON.

Right to Object

You can object to processing based on legitimate interests or direct marketing. If you object to direct marketing, we will stop immediately.

Right to Lodge a Complaint

You have the right to complain to a data protection authority. In the UK, that is the Information Commissioner Office (ico.org.uk). In the EU, it is the supervisory authority in your member state. We would rather resolve issues directly, but your right to complain is unconditional.

Our site uses cookies and similar technologies to:

• Essential cookies — Keep you logged in, remember your preferences, enable core functionality. These do not require consent.
• Analytics cookies — Google Analytics cookies that help us understand how visitors use our site. These require consent.
• Marketing cookies — Used to track the effectiveness of our marketing campaigns. These require consent.

When you first visit our site, you will see a cookie banner where you can accept or reject non-essential cookies. You can change your preferences at any time by contacting us through our contact form.

You can also manage cookies through your browser settings. Most browsers let you block or delete cookies, though doing so may affect site functionality.

Some cookies are set by third parties we work with (Google, HubSpot). Their privacy policies govern their use.

Our site may contain links to third-party websites, including case studies, portfolio items, and external resources. We are not responsible for the privacy practices of these sites. We encourage you to review the privacy policies of any third-party sites you visit through links on ours.

If you have any questions about this Privacy Policy, how we handle your data, or want to exercise your rights, get in touch through our contact form.

Data controller: Dendelion Blu Ltd (operating as Blu Frame) Address: 71-75 Shelton Street, London, WC2H 9JQ, United Kingdom

We will respond within one month.

You have the right to complain to a data protection authority. In the UK, that is the Information Commissioner Office (ico.org.uk). In the EU, it is the supervisory authority in your member state. We would rather resolve issues directly, but your right to complain is unconditional.