Our Privacy Policies

How do we collect your information?

All personal information we process is provided to us directly by you for one of the following reasons:

— You have made a general enquiry with us.
— You subscribe to business service information.
— You have applied for a job with us.
— You are representing your organisation.

We may also receive personal information indirectly for example:

Where you have made your contact information available on your organisation's website and we use this to contact you for a legitimate purpose.

Privacy Notice updates

If a significant change is made to this Privacy Notice, the effective date is revised, and a new notice is published on our website.

The previous version of our Privacy Notice is available here:

Do we share your information?

We will not share your information with any third parties for the purposes of direct marketing. We use various data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

In some circumstances, we are legally obliged to share information. In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the information and document our decision making and satisfy ourselves we have a legal basis on which to share the information.

Do we send your information outside the UK?

Many of our external third-party processors are based outside the UK, so their processing of your personal data will involve a transfer of data outside the UK, and sometimes outside the EEA. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards are in place:

We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission and UK government.

Where we use providers based in the US or in other non-adequate countries, we will transfer data under specific Standard Contractual Clauses that ensure their obligations align with our local data protection laws.

What about links to other websites?

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.

Do we process children’s information?

We do not provide services directly for children or proactively collect their personal information.

How do we protect your personal information?

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

How long will we store your personal data?

Throughout this privacy notice, we have indicated the retention periods for personal data collected in different ways. Be rest assured - we will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory or reporting requirements. In some circumstances, we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

What happens when you contact 999 Design?

Purpose and lawful basis for processing - Under the UK General Data Protection Regulation, the lawful bases we rely on for these communication activities is either consent or legitimate interest.

Calling our main line

When you call our main office (0141 229 1800), we collect Calling Line Identification (CLI) information. This is the phone number you are calling from (if it’s not withheld). We hold a log of the phone number, date, time and duration of the call, but do not audio record the call itself. This information is processed using UK telecoms provider Horizon and is deleted after 6 months. We use this information to call you back if you have asked us to do so, if your call drops, or if there is a problem with the line.

Social Media

We have various third-party links on our site, such as; LinkedIn, Twitter, Instagram and Facebook. Your personal information will not be shared with any other social media organisations. When contacting 999 Design through a social media platform, we suggest you also familiarise yourself with the privacy information of each third party platform.


We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government guidance on email security. We use machine learning tools to review the content of emails sent to us. We use this information to train our systems and improve their performance. We’ll also monitor emails sent to us, including file attachments, for viruses or malicious software. You must ensure that any email you send is within the bounds of the law. Opting Out - You can ask us to stop sending you marketing communications at any time by following the ‘unsubscribe’ links on any marketing message. Please note: this will not apply to service-related communications.

How do we track visitors on our website?

Purpose and lawful basis for processing

The purpose for implementing the above is to maintain and monitor the performance of our website and to constantly look to improve the site and the services it offers to our users. The lawful basis we rely on to process your personal data is either consent for the ‘optional’ cookies, or legitimate interests for ‘necessary’ cookies.


We use a cookies tool on our website to gain consent for the optional cookies we use. Cookies that are necessary for functionality, security and accessibility are set and are not deleted by the tool. Cookies will either be Session, Persistent or Third-party and can be managed via the cookie tool. You can read more about how we use cookies, and how to change your cookie preferences on our Cookies Preference Centre.

Security and performance

We use a third-party web application firewall to help maintain the security and performance of our website. The service checks traffic to our site is behaving as would be expected. The service will block traffic that is not using the site as expected. To provide this service, Dyn processes site visitors’ IP addresses. We host our website in Microsoft Azure in the UK and keep traffic information for 12 months.


When you visit www.999design.com, we may collect Personal Data and other information from you, as further described below. We collect Personal Data from you when you submit web forms or interact with our websites, for example signing up for a webinar, or requesting customer support. We may ask for your email address, first and last name, job title, and other similar business information. You are free to explore our website without providing any Personal Data about yourself. When you register for an event, we collect information such as name, address, phone number, and email address. We use this information to communicate with you and in some cases facilitate your registration. Where we do collect personal data through our website, we’ll be upfront about this. We’ll make it clear when we collect personal information and we’ll explain what we intend to do with it.


When you visit www.999design.com we use a third-party services such as; LinkedIn, Twitter and Google Analytics to collect standard internet log information and details of visitor behaviour patterns. We do this to find out such things as the number of visitors to the various parts of the site. This information is only processed in a way that does not directly identify anyone. We do not make, and do not allow LinkedIn, Twitter or Google to make, any attempt to find out the identities of those visiting our website.

How do we welcome visitors to our office?

If you arrive with or without an appointment, you will be asked to e-sign our Envoy visitors log. These logs store your name and are deleted every 90 days. Sometimes we may ask visitors to show a form of ID. The ID is for verification purposes only, we don’t record this information.

Closed-circuit television (CCTV) operates inside and outside the building for security purposes. The information is recorded and is kept for 30 days. The purpose of processing this information is for security and safety reasons.

We have Wi-Fi on-site for the use of visitors. We’ll provide you with the address and password. We record the device address and will automatically allocate you an IP address whilst on site. We also log traffic information in the form of sites visited, duration and date sent/received. We don’t ask you to agree to terms, just to the fact that we have no responsibility or control over your use of the internet while you are on-site, and we don’t ask you to provide any information to get this service. The purpose of processing this information is to provide you with access to the internet whilst visiting our site. We sometimes record audio and/or video sessions for the purposes for training or service-related purposes. We don’t do this without the prior agreement and no recordings are shared outside of 999 Design.

Your data protection rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. For full information on your rights please visit ICOs website. You are not required to pay any charge for exercising your rights. We have one month to respond to you.

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing

You have the right to object to 999 Design processing (using) your personal data at any time. This effectively means that you can stop or prevent the organisation from using your data. However, it only applies in certain circumstances.

Your right to data portability

The right to data portability gives you the right to receive personal data you have provided to Equator in a structured, commonly used and machine-readable format. It also gives you the right to request that Equator transmits this data directly to another controller.

Your job application

What will we do with the information you give us?

We’ll use all the information you provide during the recruitment process to progress your application with a view to offering you employment with us or to fulfil legal or regulatory requirements if necessary. We will not share any of the information you provide with any third parties for marketing purposes. We’ll use the contact details you give us to contact you to progress your application. We may also contact you to request your feedback about our recruitment process.

What information do we ask for, and why?

The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it may affect your application if you don’t. We will use any feedback you provide about our recruitment process to develop and improve our future recruitment campaigns.

Application stage

We ask you for your personal details including your name and contact details. We’ll also ask you about previous experience, education, referees and for answers to questions relevant to the role. Our recruitment team will have access to all this information.


We may ask you to participate in assessment days; complete tests or occupational personality profile questionnaires; attend an interview; or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by us. If you are unsuccessful after assessment for the role, we may ask if you would like your details retained in our talent pool. If you say yes, we would proactively contact you should any further suitable vacancies arise. If you say no, it will be removed within 1 month.

Conditional offer

If we make a conditional offer of employment, we’ll ask you for information so that we can carry out further employment checks. We must confirm the identity of our staff and their right to work in the United Kingdom, and seek assurance as to their trustworthiness, integrity and reliability. You must therefore provide:

— Proof of your identity – you will be asked to attend our office with original documents; we’ll take copies
— Proof of your qualifications – you will be asked to attend our office with original documents; we’ll take 
— Your email address, which will be used to complete an application for a Basic Criminal Record check via the
    Disclosure Checking Service, which will verify your declaration of unspent convictions.
— We’ll contact your referees, using the details you provide in your application, directly to obtain references
— We’ll also ask you to complete a questionnaire about your health to establish your fitness to work.

During the onboarding process, we’ll also ask you for the following:

— Bank details – to process salary payments
— Emergency contact details – so we know who to contact in case you have an emergency at work

How do we make decisions about recruitment?

Final recruitment decisions are made by hiring managers and members of our recruitment team. We take account of all the information gathered during the application process.

Any online testing is marked and a result is generated automatically. However, if you wish to challenge the mark you have received, the result can be checked by the hiring manager.

You can ask about decisions on your application by speaking to your contact in our recruitment team.

Your rights

As an applicant, you have certain rights regarding your own personal data. For more information on your rights, please see ‘Your data protection rights’ above.

Do we use any data processors?

Yes – we use carefully selected data processors to provide elements of our recruitment service, such as recruitment sites and partners. We encourage you to read the privacy notices on the other websites you visit when you're viewing a 999 Design job advert or when engaging via a recruitment agency. We also operate our online application system via 999design.com. We will from time to time produce anonymised management information about campaigns.