top of page

Legal Statements

Please contact us at if you have any questions, comments or requests regarding this Privacy Policy. 

You can also view and download the individual documents here:


Website Terms of Use

Website Privacy

Data Protection

Information Security

Records Management



We want to protect your privacy and confidentiality. We understand that all users of our web site are quite rightly concerned to know that their data is being used lawfully. We take our responsibilities under Data Protection legislation, including GDPR, very seriously and we want to comply with the spirit and the letter of the guidance provided by the Information Commissioners Office

You can find information about ICO at their website

We regret that if there are one or more points below with which you are not happy, your only recourse is to leave our web site immediately.

We do not share, or sell, or disclose to a third party, any personally identifiable information collected at this site.

The law requires us to determine how we process different categories of your personal information, and to notify you of the basis for each category. If a basis on which we process your personal information is no longer relevant, then we shall immediately stop processing your data.

1.1 Information we process because we have a contractual obligation with you

When you buy a product or service from us, or otherwise agree to our terms and conditions, a contract is formed between you and us. In order to carry out our obligations under that contract we must process the information you give us. Some of this information may be personal information.

We may use it in order to:

  • verify your identity for security purposes

  • sell products to you

  • provide you with our services

  • provide you with suggestions and advice on products, services and how to obtain the most from using our website

We process this information on the basis there is a contract between us, or that you have requested we use the information before we enter into a legal contract. We shall continue to process this information until the contract between us ends or is terminated by either party under the terms of the contract.

1.2 Information we process with your consent 


Where there is no contractual relationship between us, such as when you browse our website or ask us to provide you more information about our business, including our products and services, you provide your consent to us to process information that may be personal information. Wherever possible, we aim to obtain your explicit consent to process this information, for example, by asking you to agree to our use of cookies.

Sometimes you might give your consent implicitly, such as when you send us a message by e-mail to which you would reasonably expect us to reply. Except where you have consented to our use of your information for a specific purpose, we do not use your information in any way that would identify you personally. 

We continue to process your information on this basis until you withdraw your consent, or it can be reasonably assumed that your consent no longer exists.

You may withdraw your consent at any time by instructing us

1.3 Information we process because we have a legal obligation 

We are subject to the law like everyone else. Sometimes, we must process your information in order to comply with a statutory obligation. This can include your personal information.

1.4 Website usage information 

We may use software embedded in our website (such as JavaScript) to collect information about pages you view and how you have reached them, what you do when you visit a page, the length of time you remain on the page, and how we perform in providing content to you. We do not associate such information with an identifiable person.


Our website: (the website) uses cookies to distinguish you from other users of the website. This helps us to provide you with a good experience when you browse the website and also allows us to make improvements. 

If you do not consent to the cookies used on the website, please disable them.

2.1 What is a 'cookie'
A cookie is a small file of text and numbers which is created by the website. When you visit the website, the cookie is attached to your computer or other device but does not access your hard drive. If you revisit the website, the cookie will be recognised. 

Cookies are widely used to do things such as identifying the type of device you are using (PC or a phone for instance) to access website, store items in the shop basket and help you navigate pages more easily. They can also help you translate web pages, log into the website or remember your region or country preferences. Cookies can also be used to help us find out how people use the website and the number of visitors to it. 

Cookies aren't harmful to your computer and don't pose a security or virus risk to your computer, nor do they store any personal identifiable information about you. If you'd like to know more about what cookies are, or how to control or delete them, then you may choose to visit for more detailed guidance. 

2.2 Cookies which we use

 There are several types of cookies which we may use from time to time: 

  • Necessary cookies
    These are necessary for the website to function. If you don't allow these cookies, the website will not operate for you. 

  • Performance cookies
    These cookies allow us to recognise visitors to our website and see how they use it. We also use these cookies to help us improve the way in which the website works, for example, making it easy for people to find what they're looking for. 

  • Functionality cookies
    These are used to remember you when you revisit our website, and enable us to personalise content for you in order to enhance your experience, welcome you by name or to remember your preference such as your language choice or region. 

  • Targeting cookies
    These cookies will record your visit to the website, pages you visited and any links that you followed. Generally, this information is used to make the website and any advertising relevant to your interests. 


The cookie specifications for this website are as follows:

Google Analytics


We use Google Analytics to collect information about how visitors use and access the website. This information is used to compile reports to help us improve the site performance and enhance your user experience. Google Analytics uses first-party cookies to report on visitor interactions. These cookies collect anonymous information about visitors such as: number of visitors, new or returning visitors, referring sites and pages they have visited. Google Analytics uses the following cookies as detailed below: 

_utma 1st Party Persistent Cookie
This cookie is used to determine unique visitors to the website. This is written the first time a user visits the site and is updated with each visit. If deleted, a new unique cookie will be written during the next visit. 

_utmb 1st Party Persistent Cookie 
This is used to establish and to continue a user session on the site. Each time a user visits a different page on the site the cookie is updated. If you have deleted this cookie, a new one is written and a new session is established each time you visit.

_utmc 1st Party Session Cookie
This cookie is operated in conjunction with the
_utmb cookie to determine whether or not to establish a new session for the user and expires when exiting the site.  


_utmz 1st Party Persistent Cookie
This cookie stores the referral type used by the visitor to reach the website, whether via a direct method, referring link, site search, or campaign such as adwords or an email link. It's used to calculate search engine traffic, ad campaigns and page navigation within the site. The cookie is updated with each page view on the site. 

_utmv 1st Party Persistent Cookie
This cookie is used to analyse custom user segments and is used for displaying custom statistical information in google analytics on site visitor trends and usage patterns.  

You can find out more about Google’s position on privacy with regard to its analytics service by clicking here: Google Privacy Policy 

Please note that Third Parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical or performance cookies or targeting cookies

2.3 How can you manage cookies? –

Most browsers automatically accept cookies, but you can usually disable cookies by adjusting your browser settings. Please note that if you do turn cookies off, this may limit the service that we can provide to you and may affect your experience of the website

If you have any queries concerning your personal information or any questions on our use of cookie data, please contact us at 


website – refers to this website: unless otherwise stipulated

cookie/s – small file of text and numbers created by the website to capture date and enhance the web user experience

Terms of Use – refers to the rules and requirements set out within this page

Privacy Policy – refers to the policy stipulated within this page



Thank you for visiting our website: 

These Terms of Use and any documents referred to in it set out our terms for your use of the website. If you continue to browse and use the website you are agreeing to comply with and be bound by these Terms of Use, which together with our Privacy Policy, Cookies Policy and Terms & Conditions of Service govern our relationship with you in relation to the website


If you don't consent to the cookies used on the website, please disable them.


Sugar Buttons Creative,
whose office is at 108 Constitution Hill, Norwich, NR3 4BB. 


These Terms of Use refer to the following additional terms, which also apply to your use of the website

  • our Privacy Policy, which sets out the terms on which we process any personal data we collect from you, or that you provide to us 

  • our Cookies Policy, which sets out information about the cookies on the website 

3.1 Website Access 

We grant access to users of our website on a temporary basis only. We're entitled to restrict access to the website at any time and will not be liable to you if the website is unavailable. We may limit the availability of the website or any service described on the website to any person or geographic area at any time. 

You're responsible for ensuring that you have appropriate equipment and arrangements to allow you to use the website. If persons other than you will access the website using your internet connection, you're responsible for bringing these Terms of Use to their attention and ensuring that they abide by them. 

3.2 Using the website 

You agree that your use of the website will not be in such a way which could cause: 

  • the website to be interrupted, damaged or impaired (by uploading a virus or otherwise)

  • offence or detriment to any other person who uses the website or any services offered

  • Sugar Buttons Creative, you or any other user of the website to be in breach of applicable law or regulation

  • detriment to any person who supplies services to Sugar Buttons Creative in connection with the website


Unauthorised use of this website may give rise to a claim for damages and/or be a criminal offence. 

t this doesn’t happen.

3.3 Relying on the content of this website 

The information and content on the website is for your general information only and no representations are made, or warranties or guarantees given, that the information and content is correct, up-to-date or complete. We reserve the right to alter content on the website as we deem necessary or appropriate. We're not obligated to keep any content or information on the website updated although it is our intention to do so. 

3.4 Security 

Your communications with us through the website are at your own risk and, due to the nature of the internet, we do not guarantee that any communication sent in this manner will reach us safely or without being intercepted. 

3.5 Viruses, hacking & other offences 

You're responsible for ensuring that you have effective virus protection software and we don't guarantee that our website is or will be free of viruses. You'll not knowingly introduce viruses or other malicious or technologically harmful material to our website, misuse our website, attempt to gain unauthorised access to our website by any means, or attack (or attempt to attack) our website with denial-of-service or distributed denial-of-service attacks. 

Any breach of this clause is a criminal offence under the Computer Misuse Act 1990 and your permitted use of the website will be withdrawn immediately. We'll treat any breach of this clause extremely seriously. Offences or attempted offences will be reported to the relevant authorities and we will fully support their investigations by any means necessary, including by disclosing your identity. 

We will not be liable for any loss or damage caused by a virus, distributed denial-of-service attack, or other technologically harmful material that may infect your computer equipment or other proprietary material due to your use of the website or due to your downloading of any content from it, or on any website linked to it. 

3.6 Linking to our website 

You're permitted to link to the homepage of our website, providing that the way in which you do so is fair and legal, our reputation is not damaged (or taken advantage of), or that you do not attempt to suggest that you're associated with us in any way, including any suggestion made that we endorse or approve you. 

For further enquiries, or if you wish to make any use of any other material on our website other than that stated above, please contact us at

3.7 Third party links from our website 

Links or information may appear on our website which belong to third parties. Such links and/or information are strictly for your information only. We will not be responsible for the content of third party website linked on the website and will not be liable for any loss or damage that may arise from your use of them as we don't have control over the content of the linked website or information. 

3.8 Intellectual Property 

This website and the material contained on it, is owned by, or licensed to, us. This material includes, but is not limited to content, designs, layout, look, appearance and graphics. Those works are protected by various intellectual property right laws and treaties around the world. All such rights are reserved. 

If you wish to use any content on the website, you must obtain our prior written consent. 

Any unauthorised reproduction or use of the website or the any material contained on it may be subject to prosecution, particularly for infringement of copyright. 

If you use any part of the website in breach of these Terms of Use, your right to use the website will cease immediately and you must, at our option, return or destroy any copies of the materials you have accessed through the website

3.9 Limitation of Liability 

Nothing in these Terms of Use excludes or limits our liability for death or personal injury arising from our negligence, our fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited by English law. 

To the extent permitted by law, we exclude all conditions, warranties, representations or other terms which may apply to the website or any content on it, whether express or implied. You acknowledge that you're solely responsible for the use to which you put the website and all the information that you obtain from it. 

We'll not be liable to any user for any loss or damage, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, even if foreseeable, arising under or in connection with: 

  • use of, or inability to use, the website 

  • use of or reliance on any content displayed on the website

  • any errors or omissions on the website 

  • any loss or damage caused by a virus, distributed denial-of-service attack

  • loss or damage from any third party website links 


Please note that in particular, we'll not be liable for: loss of profits, sales, contract, use, business, or revenue; business interruption; loss of anticipated savings; loss or corruption of data or information; loss of business opportunity, goodwill or reputation; pure economic loss; or any indirect or consequential loss or damage. 

3.10 Variations 

We may update these Terms of Use or any of the documents which are referred to herein from time to time and we'll do so by amending the relevant web page. You should occasionally check this page to check if there have been any changes as you'll be bound by them. We recommend that you print a copy of these Terms of Use for future reference. 

3.11 Severability 

If any part of these Terms of Use is found to be invalid by a court, tribunal or other forum of competent jurisdiction, or otherwise rendered unenforceable, that decision shall not invalidate or void the remainder of its terms. These Terms of Use shall be deemed amended by modifying or severing such part as necessary to render them valid, legal and enforceable whilst preserving their intent or, if that's not possible, by substituting another provision that's valid, legal and enforceable that gives equivalent effect to the parties intent. Any such invalid or unenforceable part or parts shall be severable from these Terms of Use in any other jurisdiction and the validity of the part(s) in question shall not be affected thereby. 

3.12 Jurisdiction & Applicable Law 

These Terms of Use, including any non-contractual obligations, are governed by English law and you agree to irrevocably submit to the exclusive jurisdiction of the courts of England and Wales. 

3.13 Queries –

If you have any queries about the website or these Terms of Use, please contact us at

website terms of use



We're advocates of data protection and effective privacy controls. 

This Privacy Policy together with our Terms of Use, and any other documents referred to in it, sets out how Sugar Buttons Creative uses and protects any information that you give us when you use (the website). 

Please read the following carefully to understand our views and practices regarding your personal data and how we'll treat it. 

4.1 Who are we? 

For the purposes of the Data Protection Act 1998 and the General Data Protection Regulations (Data Protection Legislation), Sugar Buttons Creative is the ‘data controller’ and the ‘data processor’. 

4.2 What are our key privacy principles 

Sugar Buttons Creative follows the following principles in order to protect your privacy: 

  1. we don't collect more personal data
    (i.e. information that can identify you) than is necessary 

  2. we don't use your personal data for purposes other than those specified when you provided that data 

  3. we don't keep your personal data if it's no longer needed

  4. we don't send your personal data to third parties

4.3 What personal data do we collect from you 

Whilst you can use the website without giving out your personal data, once you contact us via the website, Sugar Buttons Creative collects information about you, which may include: 

  • your name 

  • address 

  • email address 

  • telephone numbers (including mobile) 

  • social media details (for example, twitter, Facebook, LinkedIn, Slack web addresses / contact details / profile links) 


For any areas of the website which require login details, we may also capture ‘Forgotten Password’ details (e.g. mother’s maiden name) to assist with password recovery. Any payment details processed and/or retained pursuant to the provision of our services will be processed in accordance with all applicable laws and regulations. 

We may also collect technical information about you when you visit the website. This information may include the Internet protocol (IP) address used to connect your computer to the internet, your browser type and version, time zone setting, operating system and platform and browser plug-in types and versions. Information about your visit(s) to the website may also be collected. The collected information is used to provide an overview of how people are accessing and using the website. It's not used for any additional purpose, such as to profile those who access the website

4.4 What do we do with the information we collect? 

We may use your personal information: 

  • to process order requests for our services and to effectively provide our services 

  • to give you information that you request from us and to improve our services 

  • to notify you about changes to our services 

  • to allow us to operate the website efficiently 

  • any relevant troubleshooting, testing or statistical analysis as appropriate

  • to keep the website secure 


We may, where we have obtained your express permission, also use the information collected to: 

  • provide you with information about our services that we offer via promotional emails 

  • keep you up to date with features on the website

  • permit selected third parties to provide you with information about goods or services they feel may interest you (a list of such third parties are available on request) 


You can opt-out of any of these data uses at any time by emailing We'll only keep your information for as long as reasonably required (up to a maximum of three years), or as stated in the contract you have with us.  


Please note that we'll be unable to process any orders for our services if you don't provide us with your name, address and contact details. 

4.5 How do we protect your personal data 

When we collect information about you, we also make sure that your information is protected from unauthorised access, loss, manipulation, falsification, destruction or unauthorised disclosure. This is done through appropriate technical measures. 

However, you should be aware that providing information over the internet can never be guaranteed as being completely safe and if you choose to send such information to us via the internet, you do so at your own risk. 

4.6 How can you access the personal data we have on you? 

You have the right to request access to the personal information we have relating to you. You can do this by contacting us at We may make a small charge for information requests if we reasonable consider them to be excessive. In order to comply with your request, we may ask you to verify your identity. 

We will fulfil your request by sending a copy of your personal data electronically, unless the request expressly specifies a different method. 

4.7 How can you correct or delete your personal data? 

If you believe that the personal data we have about you is incorrect, you're welcome to contact us so we can update it and keep your data accurate. Any data that's no longer needed for the purposes specified will be deleted. If at any point you wish for us to delete information about you, you can simply email us at

3.8 When and how can we update this Privacy Policy? 

We may revise this Privacy Policy at any time by updating this webpage. We regularly review our Privacy Policy and strive towards making improvements. 

Please check this page from time to time for any changes. Take note that where you've provided your consent to certain data processing activities we won’t change this Privacy Policy in a way which would affect these consents without seeking your permission first. 

We recommend that you print a copy of this page for your reference. 

4.9 How do we use cookies? 

This website uses cookies to help us recognise different users of the website and to provide users of the website with a good experience when using it. Please see our Cookies Policy for further information. 

4.10 How can you make a complaint? 

Please note that if you are not satisfied with the processing of your personal data as set out in this Privacy Policy, you have the right to issue a complaint with the Information Commissioners Office

4.11 How can you contact us? 

Please contact us at if you have any questions, comments or requests regarding this Privacy Policy. 

website privacy



Sugar Buttons Creative is registered with the Information Commissioners Office (ICO). We recognise the General Data Protection Regulation (GDPR) and will endeavour to ensure that all personal data is processed in compliance with this regulation from 25 May 2018, the date the regulation came into force. 

This Data Protection Policy is written specifically to ensure appropriate compliance with the GDPR and has used the ICO self-assessment guidance for small organisations as at February 2018 for guidance as to the requirements. 

Sugar Buttons Creative has adopted the GDPR compliance requirements of the ‘Data Controller’ and ‘Data Processor’. 

5.1 General Statement of Scope  –

Sugar Buttons Creative processes relevant personal data regarding our clients as part of our operation and shall take all reasonable steps to do so in accordance with this Policy. 

Should the scope of the business undertaken by Sugar Buttons Creative change, this Policy will be updated to reflect those changes in relation to compliance with the GDPR. 

5.2 Contracts with Third Party Data Processors –

Sugar Buttons Creative maintains signed contracts with Third Parties who are operating as Data Processors under the GDPR for the purpose of this Policy. 

Such processors are striving to be GDPR compliant.

5.3 Data Protection Training –

Sugar Buttons Creative undertakes appropriate and reasonable data protection training including the day to day aspects of data protection in the context of the GDPR. 

5.4 The Principles –

Sugar Buttons Creative shall so far as is appropriate and is reasonably practicable comply with the GDPR principles contained in Article 5 of the regulation which sets out the main responsibilities for organisations.


These state that personal data should be: 

  • processed lawfully, fairly and in a transparent manner in relation to individuals 

  • collected for specified, explicit and legitimate purposes and not further processed in a manner that's incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes 

  • adequate, relevant and limited to what is necessary in relation to the purposes for which they're processed 

  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay 

  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals

  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures 

5.4 Personal Data & Sensitive Personal Data 

Personal data covers facts about an individual where that data identifies an individual. For example, it includes information necessary for: 

  • raising of client invoices for the payment of activity undertaken on behalf of the client 

  • the identification of customers and prospective customers for marketing purposes

Sugar Buttons Creative does not process sensitive personal data as is defined in the GDPR. If this position changes, this Policy will be updated. 

5.5 Processing of Personal Data 

Consent may be required for the processing of personal data unless processing is necessary for the performance of the contract of employment. Any information which falls under the definition of personal data and is not otherwise exempt, will remain confidential and will only be disclosed to Third Parties with appropriate consent. 

Where Sugar Buttons Creative processes personal data for direct marketing purposes either for its own benefit or under the instruction of clients, data subjects have the right to request an opt-out to these activities, which will be respected. 

5.6 Rights of Access to Information 

Data subjects (clients and prospective clients) have the right of access to information held by Sugar Buttons Creative, subject to the provisions of the GDPR and the Freedom of Information Act 2000. Any data subject wishing to access their personal data should put their request in writing to the Sugar Buttons Creative. 

Sugar Buttons Creative will endeavour to respond to any such written requests as soon as is reasonably practicable and, in any event, within 40 days for access to records and 21 days to provide a reply to an access to information request. The information will be imparted to the data subject as soon as is reasonably possible after it has come to the attention of Sugar Buttons Creative and in compliance with the regulation. 

Sugar Buttons Creative is to be notified of all requests for information access. 

5.7 Data Sharing 

Sugar Buttons Creative recognises that it's important data entrusted to the business is only used for the purposes intended and that it's not shared beyond the consent received. 

Where data relates to Sugar Buttons Creative clients or prospective clients, the individuals are informed at outset as to how their data will be used and whether it will be shared. Sharing of data would require consent. 

Where a contractually bound client requests the sharing of their data in the normal course of business, this request will be fulfilled. 

Any other form of data request should be referred to Sugar Buttons Creative for review. A log will be maintained of data sharing requests which fall outside of the normal business processing. 

5.8 Data Transferability 

Sugar Buttons Creative supports the ability of data subjects to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability. The process to be employed to facilitate such requests would be assessed at the time to ensure they were appropriate and reasonable whilst maintaining compliance under the GDPR. 

5.9 Automated Decision Making 

Sugar Buttons Creative does not undertake personal data automated decision making including profiling. 

5.10 Accuracy 

Sugar Buttons Creative will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects must notify the data processor of any changes to information held about them. Data subjects have the right in some circumstances to request that inaccurate information about them is erased. This does not apply in all cases, for example, where records of mistakes or corrections are kept, or records which must be kept in the interests of all parties to which they apply. 

Periodically, client and prospective client marketing lists will be reviewed to ensure the data remains appropriate and up to date. This process may involve the prospective client being contacted to ascertain whether they wish to remain on the lists, or to be deleted. 

In addition, an annual Information Audit is undertaken to identify all sources of data, how and where the data is stored, used and deleted. This information audit is used to ensure that data held remains relevant, accurate and up to date. 

5.10 Enforcement and Personal Data Breaches  

If an individual believes that Sugar Buttons Creative has not complied with this Policy or acted otherwise than in accordance with the GDPR, the grievance should be raised with Sugar Buttons Creative. The grievance should also be notified to the ICO. 

The grievance will then be monitored to a satisfactory conclusion by Sugar Buttons Creative with any remedial actions and training being identified and implemented. Satisfactory closure includes closure of the grievance by the ICO. 

5.11 Information Risk   

Sugar Buttons Creative manages information risk through the identification of areas of risk and the adoption of appropriate measures and processes to mitigate the risk. For example, the annual Information Audit is used to identify what data is stored, where, how it is used etc. One audit output is the identification of data flows from which information risk assessments are completed. 

Sugar Buttons Creative manages information risks in a structured way and understands the business impact of personal data related risks and manages them effectively, applying appropriate and reasonable mitigation processes. 

Attention is also drawn to the existence of the Information Security Policy and the Records Management Policy, which provide more specific information on data protection processes and risk mitigation. 

5.12 Data Protection Impact Assessment (DPIA)    

Sugar Buttons Creative will undertake DPIA’s implementing appropriate and reasonable measures as a matter of its ongoing business and as developments occur, such as new clients, technology or processes. 

5.13 Information Security     

Sugar Buttons Creative will take appropriate technical and organisational steps to ensure the security of personal data. 

Sugar Buttons Creative are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to all personal data. 

An appropriate level of data security must be deployed for the type of data and the data processing being performed. In most cases, personal data must be stored in appropriate systems. 

Attention is also drawn to the existence of the Information Security Policy and the Records Management Policy, which provide more specific information on data protection processes. 

5.14 External Processors      

Sugar Buttons Creative must take reasonable and appropriate steps to ensure that data processed by external processors, for example, Third Party service providers, Cloud services including storage, web sites etc. are compliant with this Policy and the relevant legislation. 

5.15 Secure Destruction       

When data held in accordance with this Policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.


Secure destruction of data will take place within the timescales agreed between Sugar Buttons Creative and the client, including contractual timescales, if this is appropriate. 

The frequency of the secure destruction of data will depend upon it being an adhoc request from a Sugar Buttons Creative client, or during the Information Audit. 

5.16 Data Processing Suppression Requests        

Sugar Buttons Creative clients may request Sugar Buttons Creative to suppress the processing of specific data at any point. Sugar Buttons Creative will react to these requests as is reasonable and appropriate ensuring that the clients wish is met. 

It's not in the commercial interests of Sugar Buttons Creative to continue processing data which is not required, nor would it be compliant with the GDPR. 

5.17 Data Processing Suppression Requests         

Sugar Buttons Creative clients may request Sugar Buttons Creative to suppress the processing of specific data at any point. Sugar Buttons Creative will react to these requests as is reasonable and appropriate ensuring that the clients wish is met. 

It's not in the commercial interests of Sugar Buttons Creative to continue processing data which is not required, nor would it be compliant with the GDPR. 

5.18 Retention of Data          

Sugar Buttons Creative may retain data for differing periods of time for different purposes as required by the business, best practice or regulation. We may store some data indefinitely, such as client invoices. 

5.19 CCTV           

Sugar Buttons Creative does not currently operate CCTV. 

data protection



Sugar Buttons Creative is registered with the Information Commissioners Office (ICO). 

Sugar Buttons Creative has an ethical, legal and professional duty to ensure the information he holds conforms to the principles of confidentiality, integrity and availability. In other words, the information Sugar Buttons Creative is responsible for is safeguarded where necessary against inappropriate disclosure, is accurate, timely and attributable, and is available to those who should be able to access it. 

This Information Security Policy outlines Sugar Buttons Creatives approach to information security management. It provides the guiding principles and responsibilities necessary to safeguard the security of data and information systems. 

Sugar Buttons Creative considers information to be a strategic asset that is essential to his core business and objectives. He has a responsibility to manage effectively the risks around protecting the confidentiality, integrity and availability of data and in complying with all statutory, regulatory and legal requirements. 

Sugar Buttons Creative recognises the General Data Protection Regulation (GDPR) and will endeavour to ensure that all personal data is stored and processed in compliance with this regulation from 25 May 2018, the date the regulation comes into force. 

6.1 Statement of Intent            

The main purpose of this Policy is to describe the minimum level of protection that Sugar Buttons Creative expects of all Sugar Buttons Creative information systems to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems. 

A secondary but very relevant purpose of this Policy is to ensure that all users understand their responsibilities for protecting the confidentiality and integrity of the data that they handle, including making users aware of relevant legislation. 

The overarching objectives set out in the Policy are: 

  • to support the business objectives in a flexible and effective way 

  • to maintain adequate regulatory compliance 

  • to protect Sugar Buttons Creative information assets 

  • to maintain business continuity 


The policy of Sugar Buttons Creative is to protect information systems from unauthorised access, use, disclosure, destruction, modification, disruption or distribution. 

Sugar Buttons Creative will ensure business, legal, regulatory requirements and contractual information security obligations are met. 

Information security management system will be monitored regularly with reporting of the status and effectiveness at all levels. 

6.2 General Statement of Scope             

This Policy is applicable and will be communicated to all relevant client 3rd parties who interact with information held by Sugar Buttons Creative and the information systems used to store and process it. This Policy applies to Sugar Buttons Creative. 

6.3 Roles and Responsibilities  


6.3.1 Responsibilities of every user of Sugar Buttons Creative IT resources – Appropriate use of IT resources 

Sugar Buttons Creative and any other authorised users of Sugar Buttons Creative IT resources are expected to meet the acceptable usage policies and related terms and conditions of the services provided by Sugar Buttons Creative and by any Third Party on our behalf under licensing agreements. – Confidentiality of passwords  

Users must manage passwords with care and processes should be in place to ensure confidentiality from the initial creation, storage in applications, communication and day to day usage. 

6.3.2 Responsibilities specific to Sugar Buttons Creative – Appropriate use of IT resources   

Sugar Buttons Creative and any third parties authorised to use Sugar Buttons Creative systems are accountable for understanding and following Sugar Buttons Creative information security policies, as well as promoting safe practices within their teams and monitor compliance. – Asking for help, reporting a concern    

Sugar Buttons Creative and authorised third parties are responsible for asking for assistance when in doubt about how to proceed or interpret a policy and also to report any concern or suspect activity encountered. 

6.3.3 Responsibilities of senior management – Risk ownership     

Sugar Buttons Creative owns the overall risk management process, and the prioritisation and acceptance of risks. – Risk Acceptance      

Sugar Buttons Creative has the accountability for taking a stance on risks ensuring the business operates in line with his expectations and within regulation. – Risk Treatment      

Sugar Buttons Creative will identify and mitigate risks taking advice from other sources in assessing and managing risk. Ultimately, the responsibility for risk lies with Sugar Buttons Creative. – Policies and education      

Sugar Buttons Creative is responsible for communicating acceptable levels of risk and mitigation practices to any authorised Third Parties via policy, standards and awareness programs. – Incident response       

Sugar Buttons Creative is responsible for effectively responding to significant information security related incidents. 

6.3.4 Responsibilities specific to Third Party providers – Meeting terms of service/contract agreements, right to audit.      

Third Party shall adhere to the IT acceptable usage policy as well as any other requirements specified in the service contract. 

6.4 Policy  

6.4.1 Organisation of information security – Ultimate accountability for security      

Sugar Buttons Creative has the ultimate accountability for implementing information security in his businesses. – Information security reviews      

A regular review of information security shall be established and led by Sugar Buttons Creative. The review will be completed annually. 

Sugar Buttons Creative will review and discuss information security issues regularly, including delivering policy and awareness training / updates as required. – Information Security Manager       

It's not currently appropriate for Sugar Buttons Creative to have the role of Information Security Manager due to the small scale of the business. – Segregation of duties        

Conflicting duties and areas of responsibility are unlikely to arise given the current scope and scale of Sugar Buttons Creative. However, it is recognised by Sugar Buttons Creative that segregation of duties is good business practice to reduce opportunities for unauthorized or unintentional modification or misuse of the business assets.


6.5 Policy management, education and awareness   

6.5.1 Policies as minimum expectation, need for risk management   

Managing risks is an essential part of the business activity at all levels of management. The information security policies are the minimum expectation to address information security risks according to well established practice. 

Sugar Buttons Creative should assess the business, legal, contractual and corporate social responsibility risks and requirements in each relevant jurisdiction to decide on the need for additional controls or exceptions and be able to justify and be accountable for these decisions. 

6.5.2 Policy issuing, communication and updating    

Policies and procedures for information security and data protection will be maintained, approved by management, published and communicated to relevant authorised external parties. These Policies should be reviewed and updated at least annually. 

6.5.3 Trust, but verify     

The Policy statements are necessary but not sufficient on their own. Sugar Buttons Creative should demonstrate the application of the controls and best practice. 

6.5.4 Awareness and education on policies and procedures      

Sugar Buttons Creative should ensure external authorised parties working with Sugar Buttons Creative systems and data are formally aware of and educated on the policies and procedures they must be compliant with. This is a fundamental step to establishing any individual’s accountability. 

6.6 Human Resource Security  

Sugar Buttons Creative does not currently have any employees. 

6.7 Data / assets management  

6.7.1 Data classification       

Sugar Buttons Creative must identify the data being used for fulfilling tasks and adopt processes appropriate to protect the information according to its risk. It should be assumed that all information is critical. 

6.7.2 Retention of information        

Sugar Buttons Creative will have processes in place to safely dispose of information as required by law or, within legal compliance, when it is no longer necessary to retain. 

Data stored by Sugar Buttons Creative electronically, is stored on local laptops, or stored with Third Party software providers. When electronic data is required to be deleted, this is completed locally from laptops ensuring that all relevant data is removed or is completed via the 3rd party software following their standard deletion routines. 

Generally, retention periods are defined by Sugar Buttons Creative and by the clients of Sugar Buttons Creative, but always in accordance with the relevant regulation. 

Hard copies of data stored by Sugar Buttons Creative may be retained and stored in a locked filing cabinet within a locked office. 

6.7.3 Safe storage, use and disposal of electronic media and surplus hardware         

Sugar Buttons Creative has the responsibility to securely store and dispose of media and hardware using best practice, such as: 

Storage, use: 

  • devices to be password protected 

  • individual files to be password protected 

  • devices to be stored securely when not in use, out of direct sight of windows etc. 

  • operating system to be kept updated with manufacturer recommended updates

  • only manufacturer approved and recommended software updates to be applied 

  • operating system firewall to be turned on 

  • anti-virus protection to be installed 

  • regular sweeps for virus and malware to be conducted 



  • device to be reset to factory settings to eliminate all traces of data 

  • where possible, hard drive to be removed for destruction 


Sugar Buttons Creative recognises the environmental impacts of the disposal of media and hardware and would employ best practice at the time of disposal to limit the impact. Arrangements need to be dealt with on a case by case basis. 

6.7.4 Use of removable media          

Sugar Buttons Creative accepts that in certain circumstances the use of removable media is necessary. Where this use is defined as being required, the media device should be rest to factory settings before and after use (to remove all traces of previous / current data). The use of encryption will be considered on a case by case basis. The removable media is to be securely stored. 

6.7.5 Physical security, controlled areas          

Sugar Buttons Creative is responsible for ensuring the security of it’s hardware, systems and media, protecting them against intentional or accidental physical damage. 

6.8 Security by design, secure architecture, acquisition and development   

6.8.1 Governance on approved technology and security design principles        

Should the use of new technology be required in a specific project or assignment, generally Sugar Buttons Creative will determine if the suggested approach and technologies are acceptable. 

6.8.2 Information security in new projects         

Information security shall be considered for any new project which falls outside of the standard processing techniques or systems. 

6.8.3 Separation of Environments          

Due to the nature of the current Sugar Buttons Creative business model, system environments, for example test and production, are not required. 

6.8.4 Protection from malware           

As referred to in 6.4.3 the default approach is that all Sugar Buttons Creative hardware should have detection, prevention and recovery controls to protect against malware combined with appropriate user awareness. Exceptions need to be formally approved on a case by case basis by Sugar Buttons Creative. 

6.8.5 Minimum security features in systems            

Systems should be developed/acquired and configured with the security features necessary to enable enforcement of the following: 

  • authorised users can only access data and functionality for which they are authorised 

  • accountability for usage is maintained via appropriate audit trails

6.8.6 Installation of software, patching            

Recommended software updates should be kept current. To facilitate this, ‘updates’ should always be set to auto-update. 

6.8.7 Testing of security             

Whilst Sugar Buttons Creative has no formal security testing procedure, periodically testing of security may be undertaken as part of the regular business as usual. 

6.9 Technical and operational security    

6.9.1 Control requirements for remote and mobile access / working         

Due to the nature and scale of Sugar Buttons Creative there are no additional control requirements for remote access. 

With regards to mobile access and working, Sugar Buttons Creative will be aware of surroundings and take any appropriate measures to ensure security, including but not limited to, the physical security of the hardware and data. 

6.9.2 Encryption of data          

Sugar Buttons Creative does not currently regularly encrypt data unless it is required for specific projects. Data is generally transferred electronically through known channels / systems. Where there are exceptions to this, the circumstances and need for encryption will be determined on a case by case basis. 

6.9.3 Logging and auditing          

As such, Sugar Buttons Creative does not actively log or audit systems use due to the nature of the business model as previously described. Therefore, only manufacturer, software or 3rd party logging is completed. For example, website hosting provided by third parties maintains an audit of changes to pages and content. 

6.9.4 Physical and environmental security           

As previously described in this Policy, it is the responsibility of Sugar Buttons Creative to provide physical and environmental security for devices, hardware and hard copies of data. Exceptions to this are considered on a case by case basis. 

6.9.5 Data backup and restore procedures            

Currently, third party storage providers are used by Sugar Buttons Creative for the storage of some client data. 3rd party systems maintain their own backups. 

System backups and restore procedures are not performed explicitly by Sugar Buttons Creative, rather, these are inherent in the operating systems and software employed by the business. 

6.10 Access management     

6.10.1 Due diligence before granting access          

Access to systems and information, including setting up permanent network connectivity solutions, will be granted to third parties/service providers only after a due diligence assessment has been performed and after the employment or service contracts, including confidentiality and accountability clauses has been agreed in writing. 

6.10.2 User accountability for security           

All third parties using Sugar Buttons Creative systems are accountable for understanding and following Sugar Buttons Creative security policies, in particular on how to protect their accounts and passwords from misuse. 

6.10.3 Privileged access to systems            

All privileged/administrator activity (e.g., providing access to data, maintenance, and support) will be traceable to the individuals through the 3rd party software / system providers routines. 

6.11 Incident management      

6.11.1 Incident response           

Sugar Buttons Creative incident management will be maintained by Sugar Buttons Creative. The incident response will be determined on a case by case basis. 

6.11.2 Contact with authorities            

Appropriate contacts with relevant authorities and external parties shall be maintained. In case of an incident, contacts will be nominated who are authorised to liaise with authorities and external parties. 

6.12 Continuity management       

6.12.1 Secure operations in contingency            

People, assets and information services need to be protected in a disaster situation. Should such situations arise, each will be treated on a case by case basis. 

6.12.2 Business management responsibility for security             

Sugar Buttons Creative is responsible for security and, where appropriate, the availability of systems/data. 

6.13 Compliance, validation and certification        

6.13.1 Compliance with the law             

Sugar Buttons Creative are accountable for operating within the law, and it is their responsibility to be aware of legal and contractual requirements and implement the controls within their remits to comply. 

6.13.2 Information security in contracts with Third Parties              

Sugar Buttons Creative contracts with 3rd parties, including contracts with Sugar Buttons Creative clients, will contain appropriate security and regulatory or contractual obligations. Where Sugar Buttons Creative has no powers to set or amend the contractual wording of 3rd party providers, the appropriateness of each contract will be considered on a case by case basis. 

6.13.3 Supplier service delivery management               

Sugar Buttons Creative assume responsibility for monitoring and reviewing supplier service delivery where this is appropriate. 

6.13.4 Management controls                

When appropriate, Sugar Buttons Creative should review the compliance of information processing and procedures against this security policy. 

6.13.5 Internal and independent security reviews                 

Internal security reviews may be undertaken at the instruction of Sugar Buttons Creative. Independent security reviews are considered unlikely to be required given the current Sugar Buttons Creative business model, however they remain an option should an appropriate situation arise. 

information security



Sugar Buttons Creative is registered with the Information Commissioners Office (ICO). 

Sugar Buttons Creative recognises the General Data Protection Regulation (GDPR) and will endeavour to ensure that all personal data is processed in compliance with this regulation from 25 May 2018, the date the regulation comes into force. 

This Records Management Policy is written specifically to ensure appropriate compliance with the GDPR and has used the ICO self-assessment guidance for small organisations as at February 2018 for guidance as to the requirements. 

7.1 General Statement of Sugar Buttons Creative Scope             

Sugar Buttons Creative processes relevant personal data regarding clients and prospective clients, as part of its operation and shall take all reasonable steps to do so in accordance with this Policy. 

Should the scope of the business undertaken by Sugar Buttons Creative change, this Policy will be updated to reflect the changes in relation to compliance with the GDPR. 

This Policy applies to Sugar Buttons Creative. 

7.2 Purposes of this policy              

Sugar Buttons Creative records are important sources of client information, and therefore crucial to the current and future operations of the business. This Policy has been implemented to help the business: 

  • meet its legal obligations under the appropriate regulations 

  • support the objective of maintaining the business as an effective and developing going concern

  • manage information resources effectively, by making sure records can be located, accessed, interpreted, trusted and maintained 


Sugar Buttons Creative believes that administrative and management processes benefit from a system of records management that enables it to meet the purposes listed above. 

This Policy should be read in conjunction with the Data Protection Policy and the Information Security Policy. 

7.3 Responsibility for Records Management   

Sugar Buttons Creative will create, store, receive and use records as follows: 

  • treat all records as a Sugar Buttons Creative resource 

  • ensure as far as practicably possible that records are accurate and filed in such a way that they can be easily located, either electronically or physically

  • keep records no longer than they are needed 

  • keep confidential records in a secure environment 

  • keep records stored in a safe and cost-effective way 

  • allow people to access information only if they need or have a right to do so

  • create records that are accurate and that do not defame another individual, expose the business to unnecessary risk or to tamper with records in a way that risks them becoming inaccurate 

  • save long term records in an open source or archival format to ensure readability even if systems change 


Sugar Buttons Creative shall ensure that records kept are secure and in line with the Information Security Policy and relevant regulation. In addition, new procedures for records management will take account of the Information Security Policy. 

Sugar Buttons Creative will be responsible for the business being compliant with regulations and professional standards which are relevant to the area of records management. 

7.4 Standards and Processes    

The following standards and processes are employed by Sugar Buttons Creative in relation to records management undertakings: 

7.4.1 Creation and storing of records       – Sugar Buttons Creative client records               

Paper or electronic records related to Sugar Buttons Creative clients, or potential clients, can only be established with written consent from the client, typically this will be in the form of a signed contract. Any deviation from this standard will be on a case by case basis and with the approval of Sugar Buttons Creative. – Permissions capture                

Where client or prospective client data is being captured electronically, typically through sign up forms on websites, the standard Sugar Buttons Creative approach is to use ‘double opt-in’ which is compatible with the GDPR principles. The use of double opt-in is accepted by existing clients and will be the approach recommended to new clients going forward. 

Where client customer or prospective customer data is being captured manually, the appropriate disclosures are made at the point of capture. Generally, once collected, the manual records are captured electronically with a double opt-in request subsequently being issued. – Electronic record keeping systems                 

Sugar Buttons Creative electronic recording keeping largely comprises of data related to clients (e.g. for raising of invoices, access to software and systems) and to prospective clients (e.g. for marketing purposes). 

Electronic data is stored across a number of systems. Sugar Buttons Creative will conduct an information audit with associated data flows to identify the systems on which it has data stored. The information audit is retained centrally and updated at least annually. – Data is accurate, adequate, relevant and not excessive                  

Sugar Buttons Creative will strive to ensure that the personal data it collects is accurate, adequate, relevant and not excessive. 


Where data relates to Sugar Buttons Creative clients and prospective clients, only the minimum required to perform the relevant task is collected and stored. – Retention and deletion of records                   

Sugar Buttons Creative will only retain records for the purpose of his business, that is, records related to the completion of client tasks, within regulatory guidelines. 

Generally, retention periods are defined by Sugar Buttons Creative and by the clients of Sugar Buttons Creative, but always in accordance with the relevant regulation. 

Hard copies of data stored by Sugar Buttons Creative may be retained and stored in a locked filing cabinet within a locked office. 

Deletion of records will employ best practice as is appropriate at the time. Generally, manual records will as a minimum be shredded, with electronic records being deleted and removed from any history files (deletion from Third Party systems will utilise the Third Party deletion routines). 

7.5 Training     

Sugar Buttons Creative will be responsible for organising an appropriate amount and level of records management training. Training will be delivered periodically alongside related training (Data Protection and Information Security). 

Training will be tailored to meet the requirements and structure of the business.


7.6 Contractual Requirements      

Written agreements with clients and with Third Party service providers will include information security conditions where this is considered to be appropriate. 

Where Sugar Buttons Creative has control over contractual arrangements, for example, contracts with its clients, Sugar Buttons Creative will endeavour to ensure that appropriate information security conditions are considered and accepted. 

Where Sugar Buttons Creative generally has no control over contractual conditions with Third Party service providers, Sugar Buttons Creative will review the contractual terms and consider on a case by case basis whether it is appropriate to agree to the terms or to seek another provider. 

records management
bottom of page