Privacy Policy

Last updated: May 2026

1. Who we are

MB Retail Design ("MB", "we", "us", or "our") is the data controller responsible for the personal data processed through this website, in accordance with the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the Data Protection Act 2018.

Contact: contato@mendesbadotti.com

2. What data we collect

We collect personal data in the following circumstances:

• Contact form: name, e-mail address, telephone number, company name (optional), and message — provided voluntarily by you.
• Newsletter: name and e-mail address, provided voluntarily when subscribing to our fortnightly curation, managed through the Substack platform.
• Browsing and analytics: aggregated and anonymised access data (pages visited, session duration, traffic source) collected by Google Analytics, subject to your consent.
• Privacy preferences: a record of your consent or refusal regarding the use of cookies, stored locally on your device.

We do not collect special category data (as defined in UK GDPR Art. 9), data relating to children under the age of 13, or data that is not necessary for the purposes set out in this Policy.

3. How we use your data

• To respond to your enquiry and conduct commercial discussions relating to MB's services.
• To send the newsletter — our fortnightly curation of strategy and creativity — following your voluntary subscription.
• To analyse website performance and improve the browsing experience, via Google Analytics.
• To comply with legal obligations and to establish, exercise, or defend legal claims where necessary.

4. Lawful basis for processing

• Consent (UK GDPR Art. 6(1)(a)): data collected via the contact form, newsletter subscription, and the use of analytics cookies. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
• Legitimate interests (UK GDPR Art. 6(1)(f)): essential cookies required for the operation of the website and information security measures. Our legitimate interests do not override your rights and freedoms in this context.
• Legal obligation (UK GDPR Art. 6(1)(c)): where processing is required by law or by a competent authority.

5. Sharing your data

Your personal data may be shared with the following third parties, strictly for the purposes described in this Policy:

• FormSubmit — processes and forwards messages submitted via the contact form.
• Substack Inc. — platform used to send and manage the newsletter. Subscribers' data is subject to Substack's Privacy Policy.
• Google LLC (Google Analytics) — analyses website traffic and performance, conditional on your consent. Data may be transferred to servers in the United States; Google relies on Standard Contractual Clauses and the UK's International Data Transfer Agreement (IDTA) framework as appropriate safeguards (UK GDPR Art. 46).
• Public authorities — where required by law, court order, or applicable regulation.

We do not sell, rent, or otherwise transfer your personal data to third parties for commercial or marketing purposes without your express consent.

6. Data retention

• Contact form: for as long as necessary to respond to your enquiry and, thereafter, for up to six years to address any follow-up queries or potential legal claims (consistent with the Limitation Act 1980).
• Newsletter: for as long as your subscription remains active. You may unsubscribe at any time via the link in each e-mail or by contacting us directly.
• Analytics data: in accordance with Google Analytics retention settings (up to 26 months).
• Cookie preferences: stored locally on your device with no pre-set expiry date; you may delete this data at any time by clearing your browser storage.

7. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, disclosure, or destruction, in accordance with UK GDPR Art. 32. The contact form is transmitted over HTTPS. No method of internet transmission is completely secure; however, should we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO and affected individuals as required by UK GDPR Art. 33 and 34.

8. Cookies

For detailed information about the cookies used on this website, please consult our Cookie Policy.

9. Your rights

Under the UK GDPR (Articles 15 to 22) and the Data Protection Act 2018, you have the right to:

• Access the personal data we hold about you.
• Rectification of inaccurate or incomplete data.
• Erasure of data that is no longer necessary or has been processed unlawfully.
• Restriction of processing in certain circumstances.
• Data portability — to receive your data in a structured, commonly used, machine-readable format.
• Object to processing based on legitimate interests or for direct marketing purposes.
• Withdraw consent at any time, without charge and without giving reasons.
• Rights in relation to automated decision-making, including the right not to be subject to a decision based solely on automated processing that produces a legal or similarly significant effect.

To exercise any of these rights, please send a request to contato@mendesbadotti.com. We will respond within one calendar month, as required by UK GDPR Art. 12(3). If your request is complex or you have made several requests, we may extend this period by a further two months and will notify you accordingly.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection, at ico.org.uk/make-a-complaint.

10. Third-party links

This website may contain links to third-party websites. MB is not responsible for the privacy practices or content of external sites. We recommend that you read the privacy policy of each website you visit.

11. Changes to this Policy

This Privacy Policy may be updated periodically. The date of the most recent update is shown at the top of this page. Where changes are material, we will publish a prominent notice on the website. Your continued use of the website following the publication of changes constitutes your acceptance of the revised Policy.

12. Contact

For questions, requests, or complaints relating to the processing of your personal data:

MB Retail Design
E-mail: contato@mendesbadotti.com