Legal

Privacy Policy

Effective 19 April 2026

Ben Lewis Studios (“BLS”, “we”, “us”, or “our”) operates benlewisltd.com and the services offered under the Ben Lewis Studios brand, including content production and distribution for DTC brands. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over your data.

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR), and the California Consumer Privacy Act (CCPA) as applicable.

Data controller: Ben Lewis Simpson, trading as Ben Lewis Studios, United Kingdom. Contact: ben@benlewisltd.com.

1. What data we collect

We only collect the minimum data needed to operate the services you engage with.

When you submit the free spec ad form or the Work page lead form:

  • Your name
  • Your email address
  • Your brand name and/or brand URL
  • Any additional context you voluntarily provide

When you visit benlewisltd.com:

  • Standard server logs (IP address, user agent, referrer, timestamps) retained by our hosting provider (Vercel) for security and analytics purposes
  • No first-party cookies or tracking pixels are set by BLS
  • We do not run retargeting scripts, analytics tags with personal identifiers, or advertising trackers

When BLS uses the LinkedIn API on behalf of authorised accounts:

  • The LinkedIn member ID of the authorising user (for post authorship)
  • OAuth access tokens provided by LinkedIn (stored securely and used solely to publish content on behalf of the authorising user)
  • We do not read, store, or export LinkedIn connections, messages, or profile data beyond the authorising user’s own identifier

2. How we use your data

We use your data only for the purposes below, and only where we have a lawful basis under UK/EU GDPR (Article 6(1)(a) consent, 6(1)(b) contract, or 6(1)(f) legitimate interest):

  • To deliver the spec ad, UGC video, or other creative you’ve requested
  • To respond to enquiries and schedule discovery calls
  • To publish content to social platforms (Instagram, LinkedIn) on behalf of authorising users via their connected accounts
  • To secure and improve the benlewisltd.com service (fraud prevention, performance monitoring)
  • To comply with legal obligations where required

We do not use your data for automated profiling, ad targeting, or decisions producing legal effects.

3. How we share your data

We do not sell your personal data. Ever.

We share limited data with the following service providers that help us operate, and only to the extent necessary:

  • Vercel — hosting and edge delivery of benlewisltd.com
  • FormSubmit — processing contact form submissions on a transactional basis
  • Make.com — content distribution automation to Instagram and LinkedIn on behalf of authorising users
  • LinkedIn, Meta (Instagram) — social platforms we interact with via their official APIs only when explicitly authorised by the account holder
  • Calendly — booking discovery calls when you schedule one

Each provider is bound by its own privacy policy and, where applicable, a data processing agreement. We only share what is strictly required for the service to function.

4. LinkedIn data — specific disclosures

BLS operates applications that use the LinkedIn API in accordance with the LinkedIn API Terms of Use.

  • We request only the minimum OAuth scopes needed to publish content on the authorising user’s behalf (typically openid, profile, w_member_social, r_liteprofile)
  • We do not access connections, messages, groups, recommendations, employment history, education, or any LinkedIn content beyond the authorising user’s own public identifier
  • We do not share LinkedIn data with any third party
  • Authorising users may revoke our access at any time at linkedin.com/mypreferences/d/data-sharing-for-permitted-services
  • OAuth access tokens are stored securely and never logged, cached, or exposed in client-side code
  • On revocation or account deletion request, any stored tokens and member identifiers are deleted within 30 days

5. Data retention

We retain personal data only for as long as needed to fulfil the purpose it was collected for, plus any period required by law:

  • Lead form submissions: retained up to 24 months for follow-up, then deleted unless you become a client
  • Client data: retained for the duration of the engagement plus 6 years for UK tax and commercial record-keeping requirements
  • LinkedIn OAuth tokens: retained only while the app integration is active. Deleted within 30 days of revocation or account deletion
  • Server logs: 30 days (handled by our hosting provider)

6. Your rights

Under UK and EU GDPR you have the following rights. Under CCPA, California residents have similar rights. You can exercise any of these by emailing us at ben@benlewisltd.com:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate or incomplete data
  • Erasure — ask us to delete your personal data (“right to be forgotten”)
  • Restriction — ask us to limit how we process your data
  • Objection — object to processing based on legitimate interests
  • Portability — request your data in a machine-readable format to transfer elsewhere
  • Withdraw consent — where processing is based on consent, withdraw it at any time
  • Complain — lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or your local data protection authority

We respond to all rights requests within 30 days.

7. International transfers

Some of our service providers are based outside the UK/EEA (notably the United States). When we transfer your data internationally, we rely on appropriate safeguards such as the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or adequacy decisions where applicable.

8. Security

We implement appropriate technical and organisational measures to protect personal data, including TLS encryption in transit, access controls on hosting infrastructure, and minimal data retention. No method of transmission or storage is 100% secure. In the event of a personal data breach affecting your rights, we will notify the UK ICO within 72 hours and you as soon as reasonably practical.

9. Children

Our services are directed at businesses and adults. We do not knowingly collect personal data from anyone under 16. If you believe we hold data about a child, please contact us and we will delete it.

10. Cookies

benlewisltd.com does not set first-party cookies or tracking pixels. The only storage used is sessionStorage to avoid showing the lead capture popup multiple times in a single visit. This data stays in your browser and is cleared when you close the tab.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we update the “Effective” date at the top of this page. Material changes will be announced on the site. Your continued use of our services after an update means you accept the revised policy.

12. Contact

For any privacy-related enquiry, data request, or concern: