TDM·SPACE

— Legal

Privacy Policy.

Last updated: June 2026 · Effective from: June 2026

1. Who we are

TDM.Space is a trading name of Tom D Morgan Ltd, a company registered in England and Wales. We are a retail photography and videography production studio based in London, operating internationally.

For the purposes of the UK GDPR and EU GDPR, Tom D Morgan Ltd is the data controller for personal data collected through this website.

Contact

Email: [email protected]
Website: https://tdm.space

2. What data we collect

Contact & brief submissions

When you fill in a contact form or submit a brief on this website, we collect:

  • Your name and email address
  • Your brand or agency name
  • Project details you choose to share (location, timeline, scope, reference files)
  • Your IP address (logged server-side for fraud prevention; not stored permanently)

Client portal sessions

If you access a client portal (e.g. chanel.tdm.space, nike.tdm.space), we store:

  • A session token in a browser cookie (HttpOnly, Secure, SameSite=Lax) that expires after 7 days
  • Your name, email address, and brand association in our database
  • An audit log of login events, image selections, comments, and download actions linked to your session

Newsletter subscriptions

If you subscribe to our newsletter, we collect your email address (and optionally your name and company) via Mailchimp. See Section 5 for Mailchimp's role as a processor.

Automatic technical data

Like all websites, our hosting infrastructure (Cloudflare) logs standard request data: IP address, browser user-agent, referring URL, and response codes. These logs are retained for up to 30 days and used solely for security monitoring and abuse prevention.

We do not use third-party analytics trackers (e.g. Google Analytics) on this website.

3. How we use your data

  • To respond to enquiries and briefs — we use your contact details to get back to you about potential or ongoing projects. Legal basis: legitimate interests (pre-contractual communication).
  • To manage client portal access — session data lets you view your project galleries, leave comments, and mark image selections securely. Legal basis: contract performance.
  • To send our newsletter — only if you opted in. Legal basis: consent. You can unsubscribe at any time via the link in any email.
  • To protect the security of our services — audit logs help us detect unauthorised access. Legal basis: legitimate interests.

We do not use your data for automated decision-making or profiling, and we do not sell your data to any third party.

4. Cookies and local storage

This website uses a minimal set of browser storage:

  • Theme preference — we save your light/dark mode choice in localStorage under the key tdm-theme. This stays on your device; we never read it server-side.
  • Portal session cookies — if you log into a client portal, a tdm_session_{"{brand}"} cookie is set. It is HttpOnly (not readable by JavaScript), Secure (HTTPS only), and expires after 7 days. These are strictly necessary for portal functionality; no consent banner is required.

We do not set advertising cookies, tracking pixels, or third-party analytics cookies.

5. Third-party processors

We share data with the following processors, all bound by data processing agreements:

  • Cloudflare, Inc. — our CDN, DNS, and hosting provider. Processes all web requests. EU Standard Contractual Clauses in place. Cloudflare Privacy Policy.
  • Slack Technologies, LLC — form submissions and portal activity notifications are sent to our internal Slack workspace. Data is not stored by Slack beyond standard message retention. Slack Privacy Policy.
  • Mailchimp (Intuit Inc.) — newsletter subscriber management. Operated under a Data Processing Addendum. Mailchimp Privacy Policy.
  • Vimeo, Inc. — embedded video player on project pages. If you interact with a Vimeo player, Vimeo may set cookies. Vimeo Privacy Policy.
  • Google Fonts / Fontshare — fonts loaded from Google and Indian Type Foundry servers. Your IP is transmitted to load fonts. We use the standard embed method; no personal data is stored by Google beyond standard CDN logs.

6. Data retention

  • Contact form submissions — retained in our Slack workspace and email for as long as necessary to respond and maintain records of client communications, typically up to 3 years.
  • Portal session records — active sessions expire after 7 days. Audit log entries (login events, selections) are retained for 12 months, then purged.
  • Newsletter data — held in Mailchimp until you unsubscribe, at which point your record is anonymised within 30 days.
  • Server / CDN logs — up to 30 days, then automatically deleted by Cloudflare.

7. Your rights

Under the UK GDPR and EU GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — request deletion of your data (subject to legal retention obligations).
  • Restriction — ask us to limit how we process your data.
  • Portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interests.
  • Withdraw consent — where processing is consent-based (newsletter), you can withdraw at any time with no adverse effect.

To exercise any right, email [email protected] with the subject line Data Request. We will respond within 30 days. If you are unsatisfied with our response, you may lodge a complaint with the UK Information Commissioner's Office (ICO).

8. International transfers

Your data may be processed by our processors (Cloudflare, Slack, Mailchimp) on servers outside the UK and EEA. All such transfers are covered by Standard Contractual Clauses or equivalent adequacy decisions.

9. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of the page will always reflect the most recent revision. Material changes will be communicated via email to active newsletter subscribers.