This Privacy Policy explains how OmniFound Limited (the company that operates the AgencyIndex trading name) handles personal data in connection with the AgencyIndex directory and its associated services at marketingagencyindex.com. We operate in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Who we are
The data controller for personal data collected through AgencyIndex is:
- Company name: OmniFound Limited (trading as AgencyIndex)
- Registered office: 20 Wenlock Road, London, N1 7GU, United Kingdom
- Companies House number: 15980245
- ICO registration: ZC157519 (OmniFound Limited, trading as Agency Index, Tier 1, registered 26 May 2026). Verifiable on the public ICO data protection register.
- Data protection contact: [email protected]
AgencyIndex is a UK marketing agency directory. It is free to browse for buyers, free to claim for verified agency representatives, with an optional paid Featured tier for premium placement.
What we collect
We only collect personal data that is necessary to operate the directory and provide the services you ask us for. The data we hold depends on how you interact with the site.
Browsing the directory
Most pages can be visited without providing any personal data. Standard server logs (IP address, user agent, requested URL, timestamp) are kept for security and operational diagnostics, retained for up to 30 days.
Newsletter subscription
If you sign up to The Dispatch (our newsletter), we store your email address and an opt-in timestamp. You can unsubscribe from any newsletter we send via a one-click link in the footer of each email.
Contact, advisory, and buyer-enquiry forms
When you use a form on the site we collect the fields you choose to provide (typically your name, email, company, and message). For buyer enquiries on an agency profile, your enquiry is routed to the listed agency and a copy is retained for editorial review.
Registering an agency account
When you register as an agency representative, we collect your full name, email address, the name and website of the agency you represent, and a brief confirmation that your email domain matches the agency's website (where relevant). This data is held against a user account in our content management system.
Claiming, listing, or editing an agency
When you submit a listing, claim, or edit request, we collect the information you provide about the agency (name, services, industries, locations, contact details, social profiles, etc.) plus a record of who submitted it and when, for editorial review and audit.
Featured tier (paid subscriptions)
When you upgrade an agency listing to the Featured tier, payment is processed by Stripe. We do not see or store your card details directly. Stripe shares with us your email, your billing name and address (used by Stripe for VAT compliance and fraud prevention), and a reference (the Stripe customer and subscription identifiers) so we can match the payment to the correct listing. We retain billing data as required by HMRC (six full tax years).
Cookies and similar technologies
We use a small set of strictly-necessary cookies to operate the site (session and access cookies) and, with your consent, analytics cookies via Google Analytics. Full details are in our Cookie Policy.
How we use your data
We use personal data for the following purposes:
- To operate your account— authentication (magic-link sign-in), session management, account dashboard, listing edit access.
- To process listings, claims, and edits— editorial review of submissions and approvals/rejections, with email notifications to you about the outcome.
- To facilitate buyer enquiries— route the enquiry to the verified agency representative on the listing.
- To process Featured tier subscriptions— payment (via Stripe), card-update reminders, renewal notices, cancellation confirmations, payment-failure prompts.
- To deliver newsletters and product communications— only when you have opted in. Each newsletter contains an unsubscribe link.
- To improve and secure the service— operational logs, error tracking, abuse prevention, analytics (with consent).
- To meet our legal obligations— tax record-keeping (HMRC), responding to lawful requests, exercising or defending legal claims.
We do not use your personal data for automated decision-making that produces legal effects, nor do we sell or rent your data to third parties.
Legal basis for processing
Under UK GDPR we rely on the following legal bases, depending on what we are doing:
- Contract— processing necessary to provide the services you have signed up for (account management, listing operations, Featured subscription delivery and billing).
- Consent— newsletter subscriptions, non-essential cookies (analytics). You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Legitimate interest— operating and securing the directory, fraud prevention, responding to direct enquiries you initiate, measuring aggregate usage of the service. We balance our interest against your rights and do not rely on this basis where the impact on you would outweigh the benefit.
- Legal obligation— tax record-keeping, responses to lawful regulatory or court requests.
International transfers
Some of our processors are based outside the United Kingdom or the European Economic Area. Where personal data is transferred internationally, we rely on one of the following safeguards:
- UK adequacy regulations— for transfers to countries the UK Government has determined provide an adequate level of protection (notably the EEA, including Ireland for Google Ireland Limited and Norway for Sanity).
- UK Extension to the EU-US Data Privacy Framework— for transfers to United States organisations that have self-certified their compliance under the Framework (currently relevant to SendGrid / Twilio and Google's onward processing to Google LLC).
- Standard Contractual Clauses (SCCs)— the UK International Data Transfer Agreement (IDTA) or the EU SCCs with the UK Addendum, applied to transfers to the United States where the recipient is not certified under the Data Privacy Framework (currently relevant to Railway).
- Supplementary measures— encryption in transit (TLS) and at rest, and processor self-assessments of the receiving jurisdiction.
Stripe Payments UK Limited (our payments processor) is registered in England and Wales and processes payment-related personal data within the United Kingdom; no international transfer occurs for the contracting relationship, though Stripe may use its own affiliates as sub-processors under its published service-providers register.
How long we keep it
We hold personal data only for as long as we need it for the purposes set out in this Policy. Indicative retention periods:
- User accounts: for as long as the account is active, then deleted within 12 months of account closure (subject to billing retention below where applicable).
- Billing records: six full tax years after the end of the tax year in which the transaction occurred (HMRC requirement).
- Newsletter subscribers: until you unsubscribe, then deleted within 30 days.
- Contact and enquiry submissions: 24 months from submission, or longer if a live conversation continues.
- Listing data: for as long as the listing is in the directory. Removed within 30 days of delisting.
- Server logs: up to 30 days, then deleted automatically.
- Analytics data:retained per Google Analytics' default (currently 14 months) when consent is given.
Your rights
Under UK GDPR you have the following rights in relation to your personal data:
- Right of access— a copy of the personal data we hold about you.
- Right to rectification— correction of inaccurate or incomplete data.
- Right to erasure— deletion of your data where there is no compelling reason for continued processing (commonly known as the "right to be forgotten").
- Right to restriction of processing— ask us to limit the use of your data in certain circumstances.
- Right to data portability— receive your data in a machine-readable format or have it transmitted to another controller.
- Right to object— object to processing based on legitimate interests, and to processing for direct marketing.
- Right to withdraw consent— where processing is based on consent (e.g. analytics, newsletter), you can withdraw at any time.
To exercise any of these rights, email us at [email protected] with the subject line "Data request". We aim to respond within one calendar month.
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the UK Information Commissioner's Office: ico.org.uk.
Security
We take reasonable technical and organisational measures to protect your personal data, including TLS encryption for all data in transit, encryption at rest on our processors' infrastructure, scoped access controls within our application, and limited human access to production data. No system is completely secure; we encourage you to use a strong, unique password if you choose to use one, and to keep us informed of any email address changes that would prevent magic-link sign-ins from reaching you.
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes to our service, our processors, or applicable law. The "Last updated" date at the top of this page shows the effective date of the current version. For material changes affecting you, we will notify you by email (where we hold your contact details) at least 14 days before the change takes effect.
Contact us
Questions about this Privacy Policy or how we handle your personal data should go to:
- Email: [email protected]
- Post: OmniFound Limited, 20 Wenlock Road, London, N1 7GU, United Kingdom
To complain to a supervisory authority, please contact the UK Information Commissioner's Office: ico.org.uk/make-a-complaint.