Privacy Policy

The Kite Factory is committed to protecting your personal information and this Privacy Policy tells you how we collect your personal data, how we store it, how we use it, and how we keep it safe.

As a business, we are committed to respecting and protecting the privacy of all individuals with whom we interact. We will always process your personal information in accordance with applicable privacy and data protection laws, including the General Data Protection Regulation (GDPR).

This policy was last reviewed in July 2022.


The Kite Factory Ltd are committed to ensuring your personal information is kept secure and confidential and not kept for longer than is necessary for each specific purpose.

From time to time we may ask other third-party service providers to help us manage our information technology systems. We will only transfer your information to a third-party service provider where we are satisfied that adequate levels of protection are in place to protect the integrity and security of any information being processed and compliance with applicable privacy and data protection laws.

Using web analytics software, we store data about to this site such as IP address, browser type, referring page and time of visit.  Most of this data cannot be used to identify visitors individually, however as your IP address is now classed as personal data, you have the opportunity to opt out by contacting us.

We are ISO 27001 Certified and will take appropriate organisational and technical measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Any changes to our Privacy Policy will be placed here and will supersede this version of our Policy. We will take reasonable steps to draw the attention of visitors to any changes in our Policy. We suggest that you read this document each time you use the website to ensure that our use meets with your approval.

If you have any questions about our Privacy Policy, or if you want to know what information we have collected about you, please contact us. You can also correct any factual errors in that information or require us to remove your details from any list under our control.

What we collect about you

We process the personal data of clients, prospects, enquirers, suppliers and workers.  We may collect, store and use the following personal information about you:

  • Information that you provide to us when entering into a contract with us
  • Information that you provide to us when requesting information from us
  • Information that you provide to us when attending an event (or any other PR/Marketing related activity)
  • Any other information you choose to provide to us, including business cards
  • Information you choose to give us when making an application to work for us

Please let us know if the personal data we hold about you needs to be corrected or updated.

The data you provide to use includes:

  • Name
  • Address
  • Postcode
  • Country
  • Email address
  • Fax number
  • Telephone number
  • How you heard about us
  • Suppliers, clients, charities, Company name, trading address, registered address, registration number, website, VAT number, trade reference
  • Work experience and interview notes when you apply to work for us
  • Any other personal information that you choose to send us
  • You may only pass us another individual’s personal data if you have that person’s consent to do so on the understanding that their personal data will be processed as described in this policy.

We may also collect information about you from other sources, including demographic information such as postcode, preferences and interests.

We collect information from your computer and about your visits to and use of this website.  This includes collecting unique online identifies such as IP addresses, which are numbers that uniquely identify a specific computer or other device on the internet. Please see our Cookies section for more details.

What we do with your information

We shall use your personal data for the following purposes:

  • To provide our services to you
  • To provide you with information about our services, and to deal with enquiries and requests about them
  • To improve our products and services
  • To send you marketing communications relating to our business which we believe to be of interest to you
  • To send you email notifications and newsletters
  • To maintain your contact preferences
  • For marketing research purposes, surveys and responding to your website visits
  • To fulfil a contract with you if you are a customer, supplier or worker
  • To administer our website, personalise it to you and keep it secure
  • To prevent fraud
  • To verify compliance with the terms and conditions governing the use of our website
  • For internal accounting processes

Our legal basis for processing your personal information

We promise that we shall only use your data in the way you wish, and we shall always respect your privacy.  We process your data under the following legal grounds:

  • The processing is necessary to meet contractual obligations into which you have entered as a client, charity, worker or supplier.
  • We have a legitimate interest in responding to queries from you about our services.
  • The lawful justification for sending you marketing communications about our business, services and news is because we have a legitimate business interest for your data to be used for this specific purpose. You are in complete control of your data and can choose not to receive these messages, either when you first provide your data, or in every communication we send you afterwards.  These marketing communications include:
  • Email notifications and letters where you have provided us with your email address
  • Postal / telephone marketing, though we shall always check telephone numbers against the Telephone and Corporate Telephone Preference Services and will only make telephone calls to you where your number is listed if you have told us that we may do so.

Disclosing your personal data

We may share your personal data with:

  • Workers who deliver our services
  • Third parties who provide a service to us:1) Virtual IT who provides us with IT technical support2) MailChimp, who distributes our emails and hosts our client database

    3) Mustard who administers our finance applications

  • When it is our legal duty, for example to disclose your details to government bodies such as HMRC or law enforcements agencies

We shall keep your personal data within The Kite Factory and our trusted third parties except where disclosure is required by law, for example to government bodies and law enforcement agencies.

How long we keep your personal information

All your personal data will be held in accordance with our company retention and deletion policy. We only keep your personal information for a long as it is needed for each of the purposes described in this privacy policy. Where your information is no longer required or is no longer relevant, we will ensure it is disposed of securely. We will also keep your data for as long as is required to meet our legal or regulatory obligations.

Cookie Policy

Your Internet browser is likely to have a facility for storing small files called “cookies” that hold information which may allow a website to recognise an individual computer. This information cannot however identify you as an individual. Our website may take advantage of this facility to enhance your experience. You have the ability to prevent your computer from accepting cookies but, if you do, certain functionality on the website may be impaired.

Our website does not store any information that would, on its own, allow us to identify individual users of this service without their permission. Any cookies that may be used are used either solely on a per session basis or to maintain user preferences. Cookies are not shared with any third parties.

This is a simple token used by Java applications to identify your unique session on the website. Typically used to maintain the integrity of your session while transacting information with a website (accessing secure areas, forms submissions etc).

Google Analytics: We use Google Analytics to monitor traffic levels, search queries and visits to this website. Google Analytics stores IP address anonymously on its servers in the US, and neither CIVIC or Google associate your IP address with any personally identifiable information. These cookies enable Google to determine whether you are a return visitor to the site, and to track the pages that you visit during your session. You can opt-out of the Google Analytics Advertising Features by going to Google Analytics’ currently available opt-outs.

Data Transfers

Your personal data may be stored, processed, and transferred outside the UK or EEA, so that we can use your personal data as described in this policy.

We will make sure that any transfers of your personal information from one country to another comply with those data protection and privacy laws which apply to us. UK and European data protection laws include specific rules on transferring personal information outside the EEA.

When transferring personal information outside the UK or EEA, we will:

  • Include standard data protection clauses approved by the ICO for transferring personal information outside the UK, EEA into our contracts with those third parties as required under the General Data Protection Regulation (UK GDPR)); or
  • Ensure that the country in which your personal information will be handled has been deemed “adequate” by the ICO

Your Rights and Control over your Personal Data

Under the General Data Protection Regulation, you have the following rights: 

  • The right to be informed – you have the right to know what we are collecting and how we are collecting it.
  • Right of access– you have the right to know whether we are processing your personal data, and what we are processing.
  • Right to rectification – you have the right to have any incorrect personal data corrected or completed if it is incomplete.
  • Right to erasure – this right, often referred to as the right to be forgotten, allows you to ask us to erase personal data where there is no valid reason for us to keep it. However, we will retain just enough of your personal data to ensure that we hold about you that the restriction is respected in the future.
  • Right to restrict processing – you have the right to ask us to restrict processing of your data
  • Right to object – you have the right to object to our processing of your personal data based on:
    legitimate interests, or for the performance of a task in the public interests/exercise of official authority (including profiling);
    – direct marketing (including profiling); and- for purposes of scientific/historical research and statistics.

The right to make a compliant to the data protection regulator

To exercise any of these rights, please contact or our Data Protection Officer

If you wish to lodge a complaint or seek advice from a supervisory authority, please contact the Information Commissioner’s Office.  The ICO is the UK’s independent body set up to uphold your rights to data privacy.  The ICO can be contacted at The Office of the Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.  Tel: +44 (0) 01625 545 745  Website:

The Kite Factory Ltd is registered with the ICO as a data controller, reg no: Z9562303.
Our registered address is: 55 New Oxford Street, London WC1A 1BS

Brand Safety Process

We have put in place strict exclusions when running activity in the DSP we use. In line with industry best practice, we approach this in two ways using 2 different vendors:

  • Bottom-up – Pre-bid filtering to exclude any impressions from our programmatic campaigns using content category filtering tools
  • Top-down – 3rd party measurement and analytics tools for post-delivery insights into the quality of inventory which allow us to remove any sites or placements that may be seen as harmful to the brand

Pre-bid Content Filtering

Four types of pre-bid filters are being applied:

  • DSP content category exclusions, 3rd party content category exclusions (IAS or Adloox), URL keyword & blocked sites

IAS and Adloox are an MRC accredited 3rd party specialist technology that is integrated into the DSP and bought on a cost per thousand impressions basis. The IAS and Adloox category exclusions are set to exclude anything that is of ‘moderate and high risk’, which is the highest level it can be set at. These categories include:

  • Adult, Alcohol, Illegal Downloads, Drugs, hate Speech, Offensive Language, Violence, Unrateable & Suspicious

3rd Party Verification – Post-Delivery Insight

We also use Adloox to monitor the quality of online advertising. We use the measurement to track viewability and engagement. These insights allow us to improve the quality and effectiveness of advertising through block listing at an agency or client level.  We have determined benchmarks for each of the core metrics and will be filtering out domains that fall below this benchmark.

  • Human and Viewable % – below 20%
  • Invalid Traffic % (IVT – otherwise known as non-human) – over 5%
  • Brand Safety % – above 10% (with exceptions)
    • Grapeshot is an independent context analysis engine which is fully integrated with MOAT. It goes beyond URLs, analysing the actual content on the page to determine its context.
  • In View Time – below 5”

The site list process is similar to the blocklist process, but reversed. We analyse Adloox data, looking at ‘Human & Viewable Rate’, ‘In-View Time’, ‘Invalid Traffic Rate’, and ‘Brand Safety’ by site. If these metrics are seen as worse than the Adloox benchmark for a site, then we will not look to include it in a site list. We then also use general principles to confirm whether a site is legitimate or not. These include: checking the connection is secure, ensuring the URL contains ‘https’ at the start, checking /ads.txt on the site and also whether the ads render correctly/click through correctly on site. Also, simply, whether the publisher is well known.

Takedown Policy

If The Kite Factory discovers or is made aware that an online advertisement for a client has appeared on a site that contains or links to inappropriate content, we shall use reasonable endeavours to remove the online advertisement from the site as soon as possible and within a maximum of 2 business days of discovery or notification.