Privacy Policy

TORNADO Privacy Policy

Last updated: 20th January 2026

At Tornado Digital Group Ltd ("Company," "we," "us," or "our"), we believe in being as clear and as open about how we collect data related to you. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our services, or interact with us.

Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our services. By accessing and using our services, you acknowledge that you have read and understood this Privacy Policy.

This Privacy Policy applies to:

  • Information we collect directly from you
  • Information collected through our website
  • Information collected through our services (email marketing, SMS marketing, landing pages, CRO)
  • Information collected through third-party platforms (Klaviyo, SMS providers, landing page builders, etc.)

2. Information We Collect

2.1 Information You Provide Directly

We collect information that you voluntarily provide to us, including:

Contact Information:

  • Name, email address, phone number, and mailing address
  • Business name, industry, and website URL
  • Job title and role within your organization

Business Information:

  • Company size, revenue, and business objectives
  • Customer data and email lists (provided by you for marketing purposes)
  • Product information, pricing, and business metrics
  • Bank account or payment information (processed securely through third-party payment processors)

Communication Data:

  • Messages, feedback, and inquiries sent through our website or email
  • Notes from calls, meetings, or consultations
  • Support requests and customer service interactions

2.2 Information Collected Automatically

When you visit our website or use our services, we automatically collect certain information, including:

Device Information:

  • Device type, operating system, and browser type
  • IP address and device identifiers
  • Mobile device information (if applicable)

Usage Information:

  • Pages visited and content viewed
  • Time spent on pages and sections
  • Links clicked and actions taken
  • Referral source and exit pages
  • Search queries and filters used

Location Information:

  • General geographic location (country, city, region)
  • Location derived from IP address

This information is collected through:

  • Cookies and similar tracking technologies
  • Web beacons and pixels
  • Server logs and analytics tools
  • Third-party analytics providers (Google Analytics, Hotjar, etc.)

2.3 Information from Third Parties

We may receive information about you from:

  • Third-party platforms (Klaviyo, SMS providers, landing page builders, payment processors)
  • Business partners and service providers
  • Publicly available sources and business databases
  • Your referral sources

2.4 Sensitive Personal Data

We do not intentionally collect sensitive personal data (such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or sex life information). If you provide such information, we will handle it in accordance with applicable data protection laws.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery

  • Providing, maintaining, and improving our services
  • Creating and managing your account
  • Processing payments and billing
  • Communicating with you about services, updates, and changes
  • Responding to your inquiries and support requests
  • Delivering email marketing, SMS marketing, landing pages, and CRO services

3.2 Marketing and Communications

  • Sending promotional emails, newsletters, and marketing materials
  • Informing you about new services, features, and offers
  • Conducting surveys, contests, and promotional activities
  • Personalizing your experience and marketing communications

3.3 Analytics and Improvement

  • Analyzing usage patterns and service performance
  • Identifying trends and improving our website and services
  • Conducting research and developing new services
  • Testing new features and functionality

3.4 Legal and Compliance

  • Complying with applicable laws, regulations, and legal obligations
  • Enforcing our Terms of Service and other agreements
  • Protecting our legal rights and preventing fraud
  • Responding to legal requests, court orders, and government inquiries
  • Maintaining records for accounting and audit purposes

3.5 Security and Safety

  • Detecting, preventing, and addressing fraud, abuse, and security incidents
  • Protecting against malicious, deceptive, or illegal activity
  • Enforcing our policies and protecting our rights and property

3.6 Business Operations

  • Managing our business, operations, and customer relationships
  • Conducting internal audits and compliance reviews
  • Training staff and improving service quality

4. Legal Basis for Processing (GDPR)

If you are located in the European Union or United Kingdom, we process your personal data based on the following legal bases:

  • Contractual Necessity — Processing is necessary to perform our services and fulfill our obligations to you
  • Legitimate Interests — Processing is necessary for our legitimate business interests, including marketing, analytics, fraud prevention, and service improvement
  • Consent — We have obtained your explicit consent for specific processing activities (e.g., marketing emails)
  • Legal Obligation — Processing is required by applicable laws or regulations
  • Public Task — Processing is necessary to perform a task in the public interest

5. Information Sharing and Disclosure

5.1 Service Providers

We share information with third-party service providers who assist us in delivering services, including:

  • Klaviyo (email marketing platform)
  • SMS providers and telecommunications companies
  • Landing page builders and hosting providers
  • Payment processors and financial institutions
  • Analytics providers (Google Analytics, Hotjar, etc.)
  • Cloud storage and backup providers
  • Customer support and communication platforms

These service providers are contractually obligated to use your information only as necessary to provide services to us and to maintain the confidentiality and security of your information.

5.2 Business Partners

We may share information with business partners, resellers, and affiliates to:

  • Provide joint services or offerings
  • Conduct joint marketing activities
  • Facilitate business transactions

5.3 Legal Requirements

We may disclose information when required by law or when we believe in good faith that disclosure is necessary to:

  • Comply with applicable laws, regulations, and legal processes
  • Respond to lawful requests from government agencies or law enforcement
  • Enforce our Terms of Service and other agreements
  • Protect the security and integrity of our services
  • Protect the rights, privacy, safety, and property of our company, users, and the public

5.4 Business Transfers

If Tornado Digital Group Ltd is involved in a merger, acquisition, bankruptcy, dissolution, reorganization, or similar transaction, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

5.5 Aggregated and De-Identified Information

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you with third parties for marketing, analytics, research, and other purposes.

5.6 With Your Consent

We may share information with third parties when you explicitly consent to such sharing.

6. Data Retention

6.1 Retention Periods

We retain personal information for as long as necessary to:

Provide our services and fulfill our obligations to you

  • Comply with applicable laws and regulations
  • Resolve disputes and enforce our agreements
  • Protect our legal rights and interests

Specific Retention Periods:

  • Account Information — Retained for the duration of your engagement and for 7 years after termination (for accounting and legal purposes)
  • Customer Data — Retained as long as you authorize us to manage it; deleted upon your request or service termination
  • Marketing Communications — Retained until you unsubscribe
  • Website Analytics — Retained for up to 26 months
  • Payment Information — Retained for 6 years (as required by UK tax law)
  • Support Communications — Retained for 3 years

6.2 Data Deletion

Upon termination of services, we will:

  • Delete or return your personal information as requested
  • Retain information necessary for legal, accounting, or contractual purposes
  • Permanently delete information that is no longer necessary

You may request deletion of your information at any time by contacting us (see Section 11).

7. Your Rights and Choices

7.1 GDPR Rights (EU and UK Residents)

If you are located in the European Union or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

Right of Access — You have the right to request access to your personal data and receive a copy of the information we hold about you.

Right to Rectification — You have the right to request correction of inaccurate or incomplete personal data.

Right to Erasure — You have the right to request deletion of your personal data, subject to certain exceptions (e.g., legal obligations, contractual necessity).

Right to Restrict Processing — You have the right to request that we limit how we use your personal data.

Right to Data Portability — You have the right to request your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

Right to Object — You have the right to object to processing of your personal data for marketing, analytics, or other purposes.

Right to Withdraw Consent — If we process your data based on consent, you have the right to withdraw that consent at any time.

Right to Lodge a Complaint — You have the right to lodge a complaint with the Information Commissioner's Office (ICO) or your local data protection authority.

7.2 CCPA Rights (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

Right to Know — You have the right to request what personal information we collect, use, and share.

Right to Delete — You have the right to request deletion of personal information we have collected from you.

Right to Opt-Out — You have the right to opt-out of the sale or sharing of your personal information.

Right to Correct — You have the right to request correction of inaccurate personal information.

Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA rights.

7.3 Marketing Communications

You have the right to:

  • Opt-out of promotional emails by clicking the "unsubscribe" link in any email
  • Opt-out of SMS marketing by replying "STOP" to any SMS message
  • Manage your communication preferences by updating your account settings
  • Request removal from our mailing lists

7.4 Cookies and Tracking

You have the right to:

  • Disable cookies in your browser settings
  • Opt-out of analytics tracking through Google Analytics opt-out tools
  • Use "Do Not Track" signals (if your browser supports them)

8. Cookies and Tracking Technologies

8.1 Cookies

We use cookies to:

  • Remember your preferences and login information
  • Analyze website usage and performance
  • Deliver personalized content and marketing
  • Prevent fraud and enhance security

Types of Cookies:

  • Essential Cookies — Required for website functionality
  • Analytics Cookies — Used to understand how you use our website
  • Marketing Cookies — Used to deliver targeted advertising and marketing
  • Third-Party Cookies — Set by third-party services (Google Analytics, Hotjar, etc.)

8.2 Cookie Management

You can control cookies through:

  • Browser settings and preferences
  • Cookie consent tools on our website
  • Third-party opt-out tools and services

8.3 Other Tracking Technologies

We may use:

  • Web beacons and pixels to track email opens and link clicks
  • Server logs to record IP addresses and usage patterns
  • Third-party analytics tools to analyze website performance

9. Data Security

9.1 Security Measures

We implement reasonable technical, administrative, and physical security measures to protect your personal information, including:

  • Encryption of data in transit (SSL/TLS) and at rest
  • Secure password authentication and access controls
  • Regular security audits and vulnerability assessments
  • Employee training and confidentiality agreements
  • Firewalls, intrusion detection, and monitoring systems
  • Secure data storage and backup systems

9.2 Third-Party Security

We require our service providers (Klaviyo, SMS providers, payment processors, etc.) to implement appropriate security measures. However, we cannot guarantee the security of information transmitted to or stored by third parties.

9.3 Data Breaches

In the event of a data breach, we will:

  • Investigate the breach and assess the impact
  • Notify affected individuals and relevant authorities as required by law
  • Implement remedial measures to prevent future breaches
  • Cooperate with law enforcement and regulatory authorities

10. International Data Transfers

10.1 Data Transfers

Your personal information may be transferred to, stored in, and processed in countries other than the United Kingdom, including countries that may not have data protection laws equivalent to the UK.

10.2 Adequacy Decisions

For transfers to countries with adequacy decisions (e.g., EU/EEA), your information is protected under those frameworks.

10.3 Standard Contractual Clauses

For transfers to countries without adequacy decisions, we use Standard Contractual Clauses (SCCs) or other appropriate safeguards approved by the UK Information Commissioner's Office (ICO).

10.4 Your Consent

By using our services, you consent to the transfer of your personal information to countries outside the United Kingdom as described in this Privacy Policy.

11. Contact Information and Data Subject Requests

11.1 Data Protection Officer

We have appointed a Data Protection Officer to oversee our data protection practices. You may contact our Data Protection Officer regarding any privacy concerns or data subject requests.

11.2 Contact Information

For privacy inquiries, data subject requests, or to exercise your rights, please contact:

Tornado Digital Group Ltd
Data Protection Officer
Email: Brandon@tornadoagency.com
United Kingdom

11.3 Response Time

We will respond to data subject requests within 30 days of receipt (or as required by applicable law). If your request is complex or requires additional information, we may extend the response time to 60 days.

12. Children's Privacy

12.1 Age Restriction

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected information from a child under 18, we will delete such information promptly.

12.2 Parental Consent

If you are under 18 and have provided information to us, please have your parent or guardian contact us immediately.

13. Third-Party Links and Services

13.1 External Links

Our website may contain links to third-party websites and services. We are not responsible for the privacy practices of third-party websites. We encourage you to review the privacy policies of any third-party services before providing your information.

13.2 Third-Party Platforms

When you use third-party platforms (Klaviyo, SMS providers, landing page builders, etc.) through our services, you are subject to their privacy policies and terms of service. We are not responsible for their privacy practices.

14. California Privacy Rights

14.1 "Shine the Light" Law

California residents have the right to request information about the categories of personal information we share with third parties for their direct marketing purposes. To make such a request, please contact us (see Section 11).

14.2 Online Privacy Protection Act (OPPA)

We comply with the California Online Privacy Protection Act (OPPA) and do not track users across third-party websites for targeted advertising purposes.

15. Updates to This Privacy Policy

15.1 Policy Changes

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated Privacy Policy on our website
  • Updating the "Last Updated" date at the top of this policy
  • Sending you an email notification (if the change is material)

15.2 Continued Use

Your continued use of our services after updates to this Privacy Policy constitutes your acceptance of the updated policy.

16. Additional Information

16.1 Legitimate Interests Assessment

We have conducted Legitimate Interests Assessments (LIAs) for our processing activities. Copies of these assessments are available upon request.

16.2 Data Protection Impact Assessment

For high-risk processing activities, we conduct Data Protection Impact Assessments (DPIAs) to ensure compliance with GDPR and other applicable laws.

16.3 Compliance with Laws

We comply with applicable data protection laws, including:

  • General Data Protection Regulation (GDPR)
  • UK Data Protection Act 2018
  • California Consumer Privacy Act (CCPA)
  • Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Other applicable privacy laws

Updates to this Policy

Document Version: 1.0
Effective Date: January 20th 2026
Next Review Date: January 21st 2027

You can find the date we updated this policy in the header of this page.