Skip to content
ustwoLogo written in handwriting style

Privacy and Security Policy

Who We Are and What We Do

Our sites and applications are run by ustwo Studio Holdings Ltd ("we", "us", "our"). ustwo Studio Holdings Ltd is the data controller responsible for your personal information and is registered with the UK Information Commissioner's Office under registration number 00011494664. We are an English company registered under number 05286528, with our registered office at 154–158 Shoreditch High St, London, E1 6HU.

Security at ustwo

Security and privacy are part of how we work, not extras we tack on. Protecting the information people share with us helps build trust with our clients, partners, and communities. We are ISO/IEC 27001:2022 certified, which means our Information Security Management System meets a recognised international standard for safeguarding data.

We take a layered approach that covers people, processes, and technology. We set clear policies, assign responsibilities, and carry out regular risk assessments to stay ahead of threats. Every ustwobie has a role to play in protecting information, supported by training, screening, and confidentiality obligations that make security part of everyday practice.

Our studios and equipment are protected through physical and environmental controls such as access management and responsible disposal of devices. On the technical side, we use measures including encryption, access controls, vulnerability scanning, and a secure development lifecycle to protect systems and services.

We actively monitor for risks and respond quickly when vulnerabilities are identified. Our incident response process is tested and reviewed, and we regularly audit and improve our approach as technologies and threats evolve. While no system can ever be completely risk free, we work hard to reduce risks to an appropriate and proportionate level.

Privacy at ustwo

Privacy goes hand in hand with security. We respect the privacy of everyone who interacts with ustwo, whether you visit our websites, use an application we've built, take part in research, or work with us as a client or partner.

We aim to be clear about what personal data we collect, why we collect it, and how we use it. We only process personal data where we have a lawful basis to do so.

Data We Collect

We collect and process only the personal data needed for specific purposes. This may include:

  • Name, email address, and contact details
  • Job title, company, or organisation details
  • Information submitted through contact forms or applications
  • Research participation data, including recordings or transcripts where you have given consent
  • Technical data such as IP address, browser type, and usage statistics

Providing personal data is sometimes necessary to allow us to respond to enquiries, deliver services, or include you in research or events. If you choose not to provide certain information, it may mean we are unable to proceed with those activities.

Legal Basis for Processing

We process personal data under the following lawful bases:

  • Contract, where processing is needed to deliver services or take steps before entering into a contract
  • Consent, where you have clearly agreed to specific processing such as research participation or optional tracking
  • Legitimate interest, where processing supports our business operations and does not override your rights
  • Legal obligation, where we must process data to comply with the law

Where processing is based on consent, you can withdraw that consent at any time.

Automated Decision Making

We do not use automated decision making or profiling that produces legal or similarly significant effects on individuals. If this changes, we will update this policy and clearly explain what it means and what rights apply.

Data Sharing and Processors

We may share limited personal data with trusted third parties who support our operations, such as secure cloud storage providers, event partners, or analytics services. These partners act as data processors under written contracts that require them to protect personal data and meet UK GDPR standards. We do not sell personal data.

If personal data is transferred outside the United Kingdom or the European Economic Area, we use recognised safeguards such as standard contractual clauses to ensure appropriate protection.

Data Retention

We keep personal data only for as long as necessary for the purposes described in this policy, or as required by law or contract. For example:

  • Contact enquiries are generally retained for up to two years
  • Marketing preferences are kept until you opt out
  • Research data is retained only for the duration needed for the agreed project

We regularly review the data we hold and securely delete or anonymise information when it is no longer needed.

Cookies and Similar Technologies

Our websites use cookies and similar technologies. Details of the cookies we use and how to manage your preferences are explained in our Cookie Policy.

Children's Data

Our services are not directed to children under the age of 16, and we do not knowingly collect personal data from them. If we become aware that we have collected personal data from a child, we will remove it promptly.

Your Rights

Under data protection law, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Request deletion or restriction of processing
  • Object to certain processing activities
  • Request data portability where applicable
  • Withdraw consent at any time where processing is based on consent

To exercise these rights, or if you have questions about how we handle personal data, contact privacy@ustwo.com. We may ask for information to verify your identity before responding. We aim to respond within one month.

If you are based in the UK, you can raise concerns with the Information Commissioner's Office. If you are outside the UK, you may contact your local data protection authority.

Accountability and Continuous Improvement

This policy is reviewed annually and shared publicly to ensure accountability. Anyone can raise questions or concerns about our practices by contacting csr@ustwo.com. We remain open to feedback and committed to learning.

Ustwobies can find a more extensive version of this policy in our guide.