Privacy Policy
Laurel & Seal · Version 1.0 · Effective 15 June 2026 · Last reviewed 15 June 2026
A note before the detail
We print certificates for institutions. Doing that properly means handling information: about the organisations we work for, about the people who deal with us on their behalf, and on occasion about the individuals whose names appear on the documents we produce. A house whose entire trade rests on the integrity of credentials cannot afford to be loose with data, and we are not.
This policy sets out, at length and without evasion, what we collect, why we hold it, the legal grounds on which we process it, who we allow to touch it, where in the world it travels, how long we keep it, how we secure it, and what you are entitled to demand of us. It is a long document. It is long because the subject deserves it and because a thin policy is usually a sign of thin practice. Read the sections that concern you. The headings are honest, so you will find what you need.
Nothing in this policy is decoration. Every commitment in it is one we intend to keep.
1. The controller, and who answers for your data
For the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679, "EU GDPR"), the UK GDPR and the Data Protection Act 2018, and applicable laws of other jurisdictions, the controller of the personal data described in this policy is:
Laurel & Seal Ltd, trading as Laurel & Seal
Registered in England and Wales under company number 15482907
Registered office: 27 Old Bond Street, London W1S 4QE, United Kingdom
Correspondence and privacy contact: privacy@laurelandseal.com
A controller is the party that determines the purposes and means of processing personal data, and is the party held accountable for it under law. Where, in the narrow circumstances described at section 8, we process data on behalf of and under the instructions of an institution, we act as a processor and the institution is the controller. We are clear throughout this policy about which hat we are wearing, because the distinction governs who is responsible to you.
If at any point you wish to raise a matter concerning your personal data, the contact above reaches a person, not a void. We answer.
2. The scope of this policy, and the people it covers
This policy governs the personal data we process in the ordinary conduct of our business. The people whose data we handle fall into four groups, and we treat each according to its sensitivity.
Institution representatives. The individuals who contact us, request samples or quotes, negotiate, place orders, approve proofs, arrange payment, or otherwise correspond with us on behalf of an organisation. This is the largest body of data we hold and is, in the main, ordinary professional contact information.
Certificate recipients. The individuals named on certificates we are instructed to produce. We would rather not receive this data at all, for the reasons given at section 8, and where we do, we hold it under tight constraints and as a processor on the institution's behalf.
Website visitors. Anyone who loads a page of our website, whose technical data we may process by virtue of that visit alone.
Suppliers and contacts. Individuals at the companies we work with, and other business contacts, whose information we hold to manage those relationships.
This policy does not extend to the practices of any other organisation. Where our site links to a third party, or where an institution we serve operates its own privacy regime, those practices are theirs to answer for, not ours.
3. The categories of personal data we process
We process the following categories. We have set them out fully rather than gesture at them, because you are entitled to know precisely what we hold.
Identity and contact data. Names, job titles or roles, business email addresses, business telephone numbers, and postal addresses, of the people who deal with us.
Institutional data. The registered or operating name of the institution, its address, its registration, licensing, or accreditation particulars, evidence of its standing as a legitimate and authorised body, and the identity and authority of the person empowered to instruct us. Much of this concerns the organisation rather than a person and so falls outside data protection law, but where it identifies an individual, it is covered here.
Engagement and order data. The content and history of our correspondence, the specifications of an order, the branding and artwork supplied to us, proofs and approvals, delivery instructions, and the record of the engagement from first enquiry to final delivery.
Certificate content data. Where an institution instructs us to personalise certificates, the recipient names and any further detail to be printed on the documents. This is addressed in full and separately at section 8.
Financial and transaction data. Billing details, the record of sums invoiced and paid, and the limited transaction information we retain for accounting and audit. Full payment card and bank account details are handled by our payment processor and are not stored by us.
Verification and due diligence data. The records we generate and retain when we satisfy ourselves that an institution is legitimate and authorised to issue the credentials it asks us to produce. This is addressed at section 7.
Technical and usage data. IP address, browser type and version, operating system and device information, referring pages, the pages viewed on our site, and the dates and times of access, collected through ordinary web infrastructure and, where applicable, through cookies and similar technologies as described at section 14.
Communications data. The records of our email, telephone, and other correspondence with you, retained so that we have an accurate account of what was agreed.
We do not seek special category data, meaning data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, or data concerning a person's sex life or orientation. We are conscious that some institutions we serve are religious, cultural, or otherwise sensitive in character, and that the mere fact of an engagement might imply something about the institution. We do not infer anything about an individual from the nature of the organisation that employs them, and we treat such engagements with the same discretion as every other.
4. What we do with your data, why, and on what lawful basis
We do not process personal data without a purpose and a lawful basis. The entries below set out, for each purpose, the data involved, the lawful basis we rely on under the GDPR and UK GDPR, and the broad retention position. The retention detail is expanded at section 11.
Purpose: Responding to enquiries, and preparing samples, mockups, and quotes.
Data: identity and contact data, engagement data, institutional data.
Lawful basis: our legitimate interest in responding to those who approach our business; and, where you ask us to take a specific step such as preparing a personalised mockup, steps taken at your request prior to entering a contract.
Retention: kept while the enquiry is live and for a reasonable follow-up period thereafter, then deleted.
Purpose: Verifying the institutions we agree to print for.
Data: institutional data, verification and due diligence data, identity and contact data of the authorising individual.
Lawful basis: our legitimate interest in operating lawfully, protecting the integrity of the credentials we produce, and safeguarding our business and reputation against involvement in fraud or forgery; and compliance with our legal obligations.
Retention: retained for the life of the relationship and for the limitation and record-keeping period afterwards, as our evidence of lawful conduct.
Purpose: Performing our contract, fulfilling and delivering orders.
Data: identity and contact data, engagement and order data, certificate content data where applicable, financial data, delivery data.
Lawful basis: performance of our contract with the institution; and our legitimate interest in conducting the engagement competently.
Retention: kept for the life of the relationship and the statutory record-keeping period afterwards.
Purpose: Taking payment and keeping financial records.
Data: financial and transaction data, identity and contact data.
Lawful basis: performance of contract; and compliance with our legal obligations under tax and accounting law.
Retention: the period required by applicable tax and accounting law, commonly six to ten years.
Purpose: Maintaining business records and defending legal claims.
Data: any of the above as relevant.
Lawful basis: compliance with legal obligations; and our legitimate interest in keeping accurate records and in establishing, exercising, or defending legal claims.
Retention: the applicable limitation period.
Purpose: Operating, securing, and improving our website.
Data: technical and usage data.
Lawful basis: our legitimate interest in a secure and functioning website; and, for any non-essential cookies, your consent.
Retention: a short period consistent with security and analytics needs.
Purpose: Sending business communications about our services.
Data: identity and contact data.
Lawful basis: our legitimate interest in marketing our services to business contacts; and consent where the law requires it.
Retention: until you object or withdraw consent.
Where we rely on legitimate interest, we have weighed our interest against your rights and freedoms and concluded that the processing is limited, expected within a professional context, and not such as to override your interests. You may nonetheless object in your particular circumstances, and section 13 explains how. Where we rely on consent, you may withdraw it at any time, and doing so does not affect the lawfulness of what we did before you withdrew it.
5. How we obtain your data
Most of what we hold comes directly from you, when you complete a form on our website, contact us, instruct us, or progress an order. A portion comes from the institution you represent. A further portion, relating to verification, we obtain from the institution and, where necessary, from public records, official registries, accreditation bodies, and reputable verification sources, in order to satisfy ourselves that the institution is what it claims to be. That verification is a deliberate and necessary feature of how we work, not an intrusion, and section 7 explains it. Technical data is collected automatically when you use our website.
6. How we handle each group of people
Because the four groups at section 2 differ in sensitivity, we state plainly how each is treated.
Institution representatives. We process your professional contact information and the record of our dealings to correspond, to verify the institution, to perform the engagement, and to keep proper records. This is ordinary business processing and you can expect it.
Certificate recipients. Where we receive your data at all, we process it solely to produce the order, on the instructions of the institution, as a processor, and we delete it in accordance with section 11. Section 8 sets this out in full.
Website visitors. We process your technical data to run and protect the site and, where you consent, to understand its use. We do not build profiles of visitors for sale or for intrusive advertising.
Suppliers and contacts. We process your information to manage the relationship, to receive the goods or services we engage you for, and to keep records.
7. Verification, due diligence, and anti-fraud processing
This section describes processing that is particular to our trade, and we set it out openly because it is central to who we are.
We do not print for all comers. Before we produce certificates carrying the name and authority of an institution, we verify that the institution is a genuine, registered, and authorised body, and that the person instructing us has authority to do so. To that end we collect and retain verification records, which may include registration and accreditation evidence, identity and authority of the instructing individual, and our assessment.
We process this data for three reasons: to protect the integrity of the credentials we produce; to comply with our legal obligations, including those concerned with fraud and the integrity of documents; and to protect our business and its reputation against misuse. The lawful bases are our legitimate interests in those aims and our compliance with legal obligations.
We retain these verification records for the life of the relationship and for the limitation and record-keeping period afterwards, because they are the evidence that we acted lawfully and they protect both us and the institution should a credential ever be questioned or a document ever be challenged. Where a competent authority makes a lawful request in connection with the prevention or investigation of fraud or forgery, we will cooperate and disclose our records to the extent the law requires. We regard this not as a burden but as the price of operating honestly in a field where dishonesty exists.
8. Certificate recipient data, and our role as processor
We treat this as the most sensitive data we may handle, and we deal with it accordingly.
Wherever possible, we prefer that institutions personalise certificates themselves, so that recipient names never reach us. Where an institution nonetheless supplies recipient details for us to print, the following governs that data without exception.
We process it only to produce the specific order for which it was supplied. We act strictly on the institution's instructions and as a processor of that data on the institution's behalf, the institution remaining the controller of it. We do not use it for any other purpose. We do not disclose it except to the production and delivery partners necessary to fulfil the order. We do not retain it beyond the period at section 11. We apply the security measures at section 12 to it.
If you are an individual named on a certificate and you have a question or a request concerning your data, the institution that engaged us is the controller and your first point of contact. We will support any legitimate request that institution makes of us, and we will not obstruct the exercise of your rights.
9. The parties with whom we share data, and our processors
We do not sell personal data. We have not built, and will not build, a business that trades in it. We disclose data only in the limited circumstances that follow, and only to the extent necessary.
Our processors and service providers. A small number of providers process data on our behalf, under written contract, on our instructions, and for no purpose of their own. They currently comprise: Cloudflare Inc. (website hosting, CDN, and edge security); Google Workspace (business email and document storage); Postmark (transactional email delivery); Stripe Payments Europe Ltd (payment processing); and Plausible Analytics (privacy-preserving website analytics). We keep this list accurate as our arrangements change.
Our production and fulfilment partners. To make and deliver certificates we engage our printing facility and our shipping and customs partners. They receive only what is necessary to produce and deliver the order, which may include certificate content and delivery details. They are bound to protect it and to use it only for that purpose.
Our professional advisers. Our accountants, auditors, lawyers, and insurers may process data where necessary to advise us, under their own duties of confidence.
Authorities and legal process. We will disclose data where compelled by law, where a competent authority makes a valid request, where disclosure is necessary to comply with a legal obligation, or where it is necessary to prevent or investigate fraud or to establish, exercise, or defend legal claims. Given our trade, we take lawful anti-fraud and law-enforcement cooperation seriously.
Successors in a business transfer. If the business is sold, merged, or reorganised, data may pass to the successor, who will be bound to the protections in this policy or equivalent ones.
Every party that processes personal data on our behalf does so under a contract that obliges it to protect the data, to act only on our instructions, to impose equivalent terms on any sub-processor, and to assist us in meeting our own obligations.
10. International transfers of personal data
We are an international house. We are established in the United Kingdom, our clients are spread across the world, and some of our providers and production partners are located in countries other than your own, which may include countries outside the European Economic Area and the United Kingdom.
In consequence, your data may be transferred to, stored in, or accessed from a jurisdiction whose data protection laws differ from those of your own. We do not pretend this away. Where we transfer personal data out of the EEA or the UK to a country that has not received a formal finding of adequacy, we put in place a lawful transfer mechanism before doing so. In most cases this means the European Commission's Standard Contractual Clauses, or the United Kingdom's International Data Transfer Agreement or Addendum, together with any supplementary measures the circumstances require following an assessment of the destination. Where a country benefits from an adequacy decision, we rely on it.
Stated plainly: we move data across borders because printing and delivering your certificates requires it, and when we do, we use the legal instruments designed to carry your protection with it. If you wish to know the specific safeguard applied to a transfer that concerns you, ask, and we will tell you and, where appropriate, provide a copy of the relevant mechanism.
11. How long we retain data
We keep data no longer than we need it, and we resist the habit of keeping things indefinitely.
Enquiries that do not become engagements: retained while live and for 24 months after last contact, then deleted or anonymised.
Order and relationship records, including institutional and engagement data: retained for the life of the relationship and afterwards for the period required by tax, accounting, and limitation law in the relevant jurisdictions, commonly six to ten years.
Verification and due diligence records: retained on the same basis as order records, deliberately, as our evidence of lawful conduct and as protection should a credential be challenged.
Financial and transaction records: retained for the period required by applicable tax and accounting law, presently seven years from the end of the relevant accounting period.
Certificate recipient data: deleted within 90 days of the order being completed and delivered, save where it is embedded in a transaction record that is itself subject to a statutory retention period.
Technical and website data: retained for a short period consistent with security and analytics needs, ordinarily no longer than 13 months.
When data reaches the end of its life with us, we delete it or irreversibly anonymise it. Where deletion is not immediately possible, for example because data is held in backups, we isolate it and delete it on the next ordinary cycle.
12. How we secure data
We apply technical and organisational measures appropriate to the risk, including controlling who may access data and limiting it to those who need it for their work, securing the files and systems in which data is held, selecting providers who maintain proper security, protecting transmissions where appropriate, and reviewing our measures as our business changes.
We will not claim that any system is perfectly secure, because that claim is never true and we do not insult you with it. What we commit to is that we treat security as a continuing obligation and not a slogan, and that we hold our providers to the same.
13. Your rights, and how to exercise them
Depending on where you are, you hold rights over your personal data. Under the EU GDPR and UK GDPR these are:
the right to be informed, which this policy serves; the right of access to the data we hold about you and to a copy of it; the right to rectification of inaccurate or incomplete data; the right to erasure in the circumstances the law allows; the right to restrict processing in certain cases; the right to object to processing carried out on the basis of legitimate interest, and an absolute right to object to direct marketing; the right to data portability where processing is by automated means and based on consent or contract; the right to withdraw consent where we relied on it; and rights in respect of automated decision-making, addressed at section 15.
If you are a resident of California, you hold rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act, including the right to know the categories and specific pieces of personal information we collect, the sources, the purposes, and the categories of recipients; the right to access and to delete your personal information; the right to correct it; the right to opt out of the sale or sharing of personal information; and the right not to suffer discrimination for exercising your rights. We do not sell or share personal information within the meaning of that law.
To exercise any right, write to privacy@laurelandseal.com. We will respond within the period the law sets, ordinarily one month under the GDPR, extendable where the law permits, in which case we will tell you. We do not charge for a reasonable request. We may first need to verify your identity, which protects you as much as us. Where we cannot do as you ask, we will explain why and tell you what recourse you have. We will not treat you adversely for making a request.
14. Cookies and similar technologies
Our website may use cookies and similar technologies. Some are strictly necessary to make the site function and to keep it secure, and these operate without your consent because the site cannot work without them. Others, if used, help us understand how the site is used, and we deploy these only where the law permits and, where consent is required, only after you have given it.
At present, our website uses only strictly necessary cookies to maintain session continuity and to protect against abuse, together with privacy-preserving analytics (Plausible Analytics) that do not set cookies on your device and do not track you across sites. We do not use advertising cookies, cross-site tracking pixels, or third-party social embeds that profile visitors. If this changes, we will update this section and, where required, present a consent mechanism before any non-essential technology is deployed.
15. Automated decision-making and profiling
We do not ordinarily make decisions about you by solely automated means that produce legal or similarly significant effects. Our verification decisions are made by people. If that ever changes, we will tell you, we will explain the logic involved and the significance of it, and we will provide the safeguards the law requires, including the ability to obtain human intervention and to contest the decision.
16. Children
Our business is conducted with institutions and the adults who represent them. Our website and services are not directed at children, and we do not knowingly collect children's personal data for our own purposes. Where an institution provides recipient data that relates to minors, for example a school issuing certificates to its pupils, we process that data only as a processor on the institution's instructions, solely to produce the order, and subject to the protections in this policy, the institution remaining the controller and bearing the controller's obligations. If you believe we hold a child's data outside that narrow case, tell us and we will deal with it.
17. Third-party links
Our website may link to other sites. We provide such links for convenience and we do not control those sites or endorse their privacy practices. When you leave our site, this policy ceases to apply, and you should read the privacy policy of any site you visit.
18. Representatives, data protection officer, and regulatory particulars
We are established in the United Kingdom. For the purposes of Article 27 of the EU GDPR, our appointed representative in the European Union is:
EU-Rep.Centre GmbH
Hopfenstrasse 8, 80335 Munich, Germany
laurelandseal@eu-rep.centre
We are not at present required under Article 37 of the EU GDPR or UK GDPR to appoint a statutory Data Protection Officer. We have nonetheless designated an internal Privacy Lead, reachable at privacy@laurelandseal.com, who owns the matters described in this policy. Should the statutory obligation arise as our activities expand, this section will be updated and the policy reissued.
19. Complaints
If you consider that we have handled your personal data improperly, we ask that you raise it with us first, at privacy@laurelandseal.com, so that we may investigate and, where we are at fault, put it right. You are also entitled to complain to a supervisory authority. In the European Union, that is the data protection authority of the member state of your residence, place of work, or the place of the alleged infringement. In the United Kingdom, it is the Information Commissioner's Office. In California, it is the California Privacy Protection Agency or the Attorney General. We will not retaliate against any person for making a complaint, and we would always prefer the chance to resolve a matter directly.
20. Changes to this policy
We will revise this policy when our practices change, when the providers or partners we use change, or when the law changes. Material revisions will be marked by an updated effective date and, where appropriate, brought to your attention. The version published on our website is the version in force. We keep prior versions and will provide an earlier version on reasonable request.
21. How to reach us
For any matter arising under this policy, to exercise a right, or to raise a concern, write to:
Laurel & Seal Ltd, trading as Laurel & Seal
27 Old Bond Street, London W1S 4QE, United Kingdom
privacy@laurelandseal.com
We read what we are sent. We reply.
End of Privacy Policy