Privacy Policy
Unite the People (UTP) is the controller of your personal data. For more information on controllers and their responsibilities, please see the Information Commissioner’s Office guidance on data protection principles, definitions, and key terms.
This privacy notice tells you what to expect us to do with your personal information, in the following sections:
Contact details
What information we collect, use, and why
Lawful basis and data protection rights
Where we get personal information from
How long we keep information
Who we share information with
Sharing information outside the UK
How to complain
Contact details
Email info@unitethepeople.uk
What information we collect, use, and why
Your use of the UTP website depends on “cookies” – small pieces of data which are stored in your web browser. There are essential and optional cookies. The latter help UTP monitor and improve the website. If you link to UTP social media via the website, third party cookies may be installed. UTP does not use advertising cookies. The optional website performance cookies record your network address so we can identify unique visitors to the site and what visitors find useful, if you grant permission.
A list of cookies used by our website provider Squarespace can be found here.
If you complete the “Join” form, we collect or use the following information for service updates or marketing purposes:
• Names and contact details (email address, phone number)
• A record of consent to storage of your data, where appropriate
• Marketing preferences
• Location data (based on constituency / town boundaries, not street address)
• Information relating to donations / sponsorship, where applicable
In due course, Unite the People may set up an online store selling merchandise, bulk publicity materials and other goods. In that case, we will collect or use the following information to provide services and goods, including delivery:
• Name and contact details
• Unique street addresses
• Purchase or account history
• Account information
• Website user information (including user journeys through the online store)
• Payment details, including card or bank information for transfers and direct debits, are collected and passed to third party payment processors. This data is not stored by UTP.
Lawful basis and data protection rights
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
Which lawful basis we rely on may affect your data protection rights which are set out briefly below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:
Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which mean you may not receive all the information you ask for. Read more about the right of access.
Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.
Your right to erasure - You have the right to ask us to delete your personal information. Read more about the right to erasure.
Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.
Your right to object to processing - You have the right to object to the processing of your personal data. Read more about the right to object to processing.
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.
Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.
If you unsubscribe from UTP email newsletters, your data will be deleted from our systems automatically. If you make a data access request, we must respond to you without undue delay and in any event within one month. To make a full data protection rights request, please contact us using the contact details at the top of this privacy notice, with the subject line “Data Protection Request”.
Our lawful basis for the collection and use of your data
Our lawful bases for collecting or using personal information for service updates or marketing purposes are:
Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time, by clicking “unsubscribe” in one of our emails to you.
Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
Name and email are collected to provide regular newsletters. Mobile phone number is collected to add subscribers to WhatsApp groups, with their additional consent. Additional optional information is collected to provide targeted communications based on interests, skills or location. Location data is limited to large areas such as constituency, or town / city, except for address data for deliveries.
Our lawful bases for collecting or using personal information to provide services and goods are:
Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability.
Our legitimate interests are that: Name and address and email are required to send physical goods and update customers about orders. Financial information (e.g. credit or debit card) is collected and passed to third party payment processors to complete orders. UTP does not retain credit or debit card data. Order history is collected to track income and identify customers eligible for special offers or marketing updates.
Where we get personal information from
We may get personal information directly from you, or (rarely) from publicly available sources – for example contact details on public websites in the UTP network.
How long we keep information
UTP will retain your personal data for as long as you are subscribed to our newsletters, or, in the case of our online store, until you ask us to delete it. If UTP is closed down then all personal data will be deleted and we will take reasonable steps to inform you beforehand.
If UTP merges with another organisation involved in anti-racism, then you will be contacted to ask if you agree to your personal data being transferred to the new organisation. If you do not explicitly consent, your data will be deleted.
Who we share information with
To run our website, UTP depends on third-party data processors, including Squarespace and Alphabet. For processing donations and orders through our online store we share data with third-party payment processors, such as Stripe, and third-party delivery companies. UTP takes reasonable steps to ensure that these third parties have robust data privacy policies and procedures in place to store and process your data securely.
The Squarespace data processing addendum is in Appendix 1 of this policy. If you consent to UTP using Google Analytics to monitor website usage, the Google (Alphabet) data safeguarding statement applies – see https://support.google.com/analytics/answer/6004245?hl=en
If you use our social media accounts, there will be independent privacy policies for each social media platform. These are outside UTP control.
Under very limited circumstances UTP may be required by law to share personal information with certain government departments and law enforcement.
Sharing information outside the UK
Where necessary, we will transfer personal information outside of the UK. When doing so, we comply with the UK GDPR, making sure appropriate safeguards are in place. Squarespace is our web services provider and intermediate payment processor and they store data in the USA. Squarespace are compliant with the UK GDPR – see Appendix 1. Squarespace use Stripe for payment processing and some data is stored in the USA. Stripe’s Data Processing Agreement is here.
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice. UTP will take reasonable steps to understand, address and learn from your complaint. We will tell you what actions, if any, we intend to take to address your complaint. If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
This policy was last updated on 12/Feb/2026
Appendix 1
Squarespace Data Processing Addendum
Effective Date: January 31, 2025
This Squarespace Data Processing Addendum (this "DPA") forms part of, and is subject to the provisions of, the Squarespace Terms of Service. Capitalized terms that are not defined in this DPA have the meanings set forth in our Terms of Service.
1. Additional Definitions.
The following definitions apply solely to this DPA:
a. the terms "controller," "data subject," "personal data," "process," "processing" and "processor" have the meanings given to these terms in the GDPR and shall also include any different but similar term used in any other Data Protection Laws.
b. “Breach” means a breach of the Security Measures resulting in access to Squarespace’s equipment or facilities storing Your Controlled Data and the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Your Controlled Data transmitted, stored or processed by Squarespace on your behalf and instructions through the Services.
c. “CCPA” means the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 - 1798.199), as may be modified from time to time, including by the California Privacy Rights Act.
d. “Covered Data” means your End User Data, domain name registration contact information and any other User Content, including without limitation text, photos, images, audio, video, code, and any other materials provided to us by or on behalf of you or an End User in connection with Your Site or the Services.
e. “Data Protection Laws” means any data protection or data privacy law or regulation applicable to Processing of Personal Data and any laws or regulations ratifying, implementing, adopting, or supplementing such laws, as any of the foregoing may be updated, amended or replaced from time to time. Data Protection Laws shall include without limitation: (i) European Data Protection Laws; (ii) US Data Protection Laws; (iii) Canada’s Federal Personal Information Protection and Electronic Documents Act; and (iv) Brazil’s Lei Geral de Proteção de Dados. In no event will Data Protection Laws or this DPA include or cover any Industry-Specific Regulation.
f. “European Data Protection Laws” means any data protection or data privacy law or regulation of Switzerland, the United Kingdom ("UK") or any European Economic Area (“EEA”) country applicable to Your Controlled Data, including: (i) the GDPR; and (ii) the e-Privacy Directive 2002/58/EC.
g. “GDPR” means the EU General Data Protection Regulation 2016/679. References to GDPR and its provisions include the GDPR as amended and/or incorporated into UK law.
h. “Security Measures” means the technical and organizational security measures set out here.
i. “Sub-Processor” means an entity engaged by Squarespace to process Your Controlled Data.
j. “US Data Protection Laws” means any data protection or data privacy law or regulation of any state in the US applicable to Your Controlled Data, including: (i) CCPA; (ii) Virginia Consumer Data Protection Act; (iii) Colorado Privacy Act; (iv) Connecticut Act Concerning Personal Data Privacy and Online Monitoring; (v) Utah Consumer Privacy Act; (vi) Montana Consumer Data Privacy Act; (vii) Oregon Consumer Privacy Act; (viii) Texas Data Privacy and Security Act; (ix) Florida Digital Bill of Rights; and (x) once effective, similar comprehensive data protection or data privacy laws or regulations of other US states.
k. “Your Controlled Data” means any personal data included in the Covered Data. Your Controlled Data is data for which you determine the purposes and means of processing and for which Squarespace acts on your behalf as a processor, service provider or similar term under applicable Data Protection Laws.
2. Applicability.
This DPA only applies to you if and to the extent Squarespace and the Services process Your Controlled Data on your behalf. This DPA does not apply to you if: (a) your Covered Data does not include any personal data; or (b) Data Protection Laws do not apply to your Covered Data.
Section 6 of this DPA only applies to you to the extent Your Controlled Data includes personal data of data subjects located within the EEA, UK or Switzerland.
Portions of the Services are intended to enable you to share User Content and other Covered Data publicly, including without limitation on social media and the open web. Additionally, the Services include integrations with Third Party Services that enable or require storage or other processing of Covered Data by third parties. You agree that Squarespace is not responsible for personal data that you have elected to process through Third Party Services or otherwise outside of the Services, including the systems of any other third party cloud services, offline or on-premises storage.
3. Details of Data Processing.
3.1. Subject Matter. The subject matter of the data processing under this DPA is Your Controlled Data.
3.2. Duration. As between you and us, the duration of the data processing under this DPA is determined by you.
3.3. Purpose. The purpose of the data processing under this DPA is the provision of the Services initiated by you from time to time. In connection with providing the Services, we may process Your Controlled Data for business purposes such as: (a) maintaining and servicing your Account(s); (b) serving and rendering your websites to End Users; (c) enabling you to transact and communicate with your End Users; (d) providing analytics, auditing or verifying events related to your End Users’ visits to your websites; (e) ensuring the security and integrity of the Services; and (f) debugging, and improving the Services.
3.4. Nature of the Processing. The Services as described in the Agreement and initiated by you from time to time.
3.5. Type of Personal Data. Your Controlled Data relating to you, your End Users or other data subjects whose personal data is included in Covered Data which is processed as part of the Services in accordance with instructions given through the Services.
3.6. Categories of Data Subjects. You, Your End Users and any other individuals whose personal data is included in Covered Data.
4. Processing Roles and Activities.
4.1. Squarespace as Processor and You as Controller. You are the controller and Squarespace is the processor of Your Controlled Data.
4.2. Squarespace as Controller. Squarespace may also be an independent controller for some personal data relating to you or your End Users. Please see our Privacy Policy and Terms of Service for details about this personal data which we control. We decide how to use and process that personal data independently and use it for our own purposes. When we process personal data as a controller, you acknowledge and confirm that the Agreement does not create a joint-controller relationship between you and us. If we provide you with personal data controlled by us, such as in any access to data regarding your End Users’ interactions with Your Site, you receive that as an independent data controller and are responsible for compliance with Data Protection Laws in that regard.
4.3. Description of Processing Activities. We will process Your Controlled Data for the purpose of providing you with the Services (as further described in Section 3.3), as may be used, configured or modified through the Services (the “Purpose”). For example, depending on how you use the Services, we may process Your Controlled Data in order to: (a) enable you to integrate content or features from a social media platform on Your Site; or (b) email your End Users on your behalf.
4.4. Compliance with Laws. You will ensure that your instructions comply with all laws, regulations and rules applicable in relation to Your Controlled Data (including Data Protection Laws) and that Your Controlled Data is collected lawfully by you or on your behalf and provided to us by you in accordance with such laws, rules and regulations. You will also ensure that the processing of Your Controlled Data in accordance with your instructions will not cause or result in us or you breaching any laws, rules or regulations (including Data Protection Laws). You are responsible for reviewing the information available from us relating to data security pursuant to the Agreement and making an independent determination as to whether the Services meet your requirements and legal obligations as well as your obligations under this DPA. Squarespace will not access or use Your Controlled Data except: (a) as provided in the Agreement; (b) as necessary to maintain or provide the Services; (c) as necessary to protect our or others’ rights, property or interests; (d) as necessary to comply with the law or binding demand (such as a court order or subpoena) from a government, law enforcement, regulatory or other body; or (e) as necessary to comply with ICANN Specifications and Policies, Registry Policies (as such terms are defined in our Domain Registration Agreement) or other ccTLD or registrar policies.
5. Our Processing Responsibilities.
5.1. How We Process. We will process Your Controlled Data for the Purpose and in accordance with the Agreement or instructions you give us through the Services. We will not “Sell” or “Share” (as such terms are defined under US Data Protection Laws) Your Controlled Data. You agree that the Agreement and the instructions given through the Services are your complete and final documented instructions to us in relation to Your Controlled Data. With respect to domain registration contact information included in Your Controlled Data, your instructions include requesting we disclose your domain registration contact information in order to comply with ICANN Specifications and Policies, Registry Policies or other ccTLD or registrar policies. Additional instructions outside the scope of this DPA require prior written agreement between you and us, including agreement on any additional fees payable by you to us for carrying out such instructions. We will promptly inform you if, in our opinion, your instructions infringe Data Protection Laws, or if we are unable to comply with your instructions. We will notify you when applicable laws prevent us from complying with your instructions, except if such disclosure is prohibited by applicable law on important grounds of public interest, such as a prohibition under law to preserve the confidentiality of a law enforcement investigation or request.
5.2. CCPA. To the extent you and Your Controlled Data are subject to the CCPA (such personal data, “CCPA Data”), with respect to such CCPA Data: (a) Squarespace acts as a “Service Provider” and you are a “Business” (as such terms are defined under the CCPA); and (b) Squarespace and you shall comply with our and your respective obligations under the CCPA. Squarespace will not use Your Controlled Data outside of its direct business relationship with you, or for purposes other than the business Purpose, unless otherwise permitted by the CCPA. Notwithstanding the foregoing, you agree that in accordance with the CCPA, Squarespace may: (i) use CCPA Data internally to build and improve the quality of the Services; or (ii) combine personal data of the End Users of you or other businesses for which Squarespace is a service provider for the purposes of detecting data security incidents or protecting against fraudulent or illegal activity. This combined personal data includes IP addresses, preferences, web pages visited prior to coming to your or another business’ website, information about browser, network or device (such as browser type and version, operating system, internet service provider, preference settings, unique device IDs and language and other regional settings), and information about how End Users interact with your or another business’ website (such as timestamps, clicks, scrolling, browsing times and load times).
5.3. Notification of Breach. We will provide you notice without undue delay after becoming aware of and confirming the occurrence of a Breach for which notification to you is required under Data Protection Laws. We will, to assist you in complying with your notification obligations under Data Protection Laws (including Articles 33 and 34 of the GDPR), provide you with such information about the Breach as we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information such as for confidentiality. Our obligation to report or respond to a Breach under this Section 5.3 is not and will not be construed as an acknowledgement by Squarespace of any fault or liability of Squarespace with respect to the Breach. Despite the foregoing, Squarespace’s obligations under this Section 5.3 do not apply to incidents that are caused by you, any activity on your Account(s) and/or Third Party Services.
5.4. Notification of Inquiry or Complaint. We will provide you notice, if permitted by applicable law, upon receiving: (a) an inquiry or complaint from an End User or other individual whose personal data is included in Your Controlled Data; or (b) a binding demand (such as a court order or subpoena) from a government, law enforcement, regulatory or other body in respect of Your Controlled Data.
5.5. Reasonable Assistance with Compliance. We will, to the extent that you cannot reasonably do so through the Services or otherwise, provide reasonable assistance to you in respect of your fulfillment of your obligation as controller to respond to requests by data subjects under Data Protection Laws (including Chapter 3 of the GDPR), taking into account the nature of the Services and information available to us. To the extent required by Data Protection Laws, you may ask us to assist you by verifying that we no longer retain or use any of Your Controlled Data related to a data subject who has made a valid request to you to delete their personal data. You will be responsible for our reasonable costs arising from our provision of any such assistance.
5.6. Security Measures and Safeguards. We will maintain the Security Measures and the safeguards set out here. We may change or update the Security Measures or safeguards but will not do so in a way that adversely affects the security of Your Controlled Data. We will take steps to ensure that any natural person acting under our authority who has access to Your Controlled Data does not process it except on our instructions, unless such person is required to do so under applicable law, and that personnel authorized by us to process Your Controlled Data have committed themselves to relevant confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
5.7. Sub-Processors. You agree that we can share Your Controlled Data with Sub-Processors in order to provide you the Services. We will impose contractual obligations on our Sub-Processors, and contractually obligate our Sub-Processors to impose contractual obligations on any further sub-contractors which they engage to process Your Controlled Data, which provide the same level of data protection for Your Controlled Data in all material respects as the contractual obligations imposed in this DPA, to the extent applicable to the nature of the Services provided by such Sub-Processor. A list of our current Sub-Processors is available upon request by sending an email to privacy@squarespace.com. Provided that your objection is reasonable and related to data protection concerns, you may object to any Sub-Processor by sending an email to privacy@squarespace.com. If you object to any Sub-Processor and your objection is reasonable and related to data protection concerns, we will use commercially reasonable efforts to make available to you a means of avoiding the processing of Your Controlled Data by the objected-to Sub-Processor. If we are unable to make available such suggested change within a reasonable period of time, we will notify you and if you still object to our use of such Sub-Processor, you may cancel or terminate the Services or, if possible, the portions of the Services that involve use of such Sub-Processor. Except as set forth in this Section 5.7, if you object to any Sub-Processors, you may not use or access the Services. You consent to our use of Sub-Processors as described in this Section 5.7. Except as set forth in this Section 5.7 or as you may otherwise authorize, we will not permit any Sub-Processor to access Your Controlled Data. Please note that: (a) if you are a Non-US User, Squarespace, Inc. is one of our Sub-Processors; and (b) if you are a US User, Squarespace Ireland is one of our Sub-Processors. 
Squarespace will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of any Sub-Processor or their further sub-contractors that process Your Controlled Data and cause Squarespace to breach any of Squarespace’s obligations under this DPA, solely to the extent that Squarespace would be liable under the Agreement if the act or omission was Squarespace’s own.
5.8. Squarespace Audits. Squarespace may (where required by Data Protection Laws) use external or internal auditors to verify the adequacy of our Security Measures or as otherwise required by Data Protection Laws.
5.9. Customer Audits and Information Requests. You agree to exercise any right you may have to conduct an audit or inspection by instructing Squarespace to carry out the audit described in Section 5.8. You agree that you may be required to agree to a non-disclosure agreement with Squarespace before we share any such report or outcome from such audit with you and that we may redact any such reports as we consider appropriate. If Squarespace does not follow such instruction or if it is legally mandatory for you to demonstrate compliance with Data Protection Laws by means other than reviewing a report from such an audit, you may only request a change in the following way:
a. First, submit a request for additional information in writing to Squarespace, specifying all details required to enable Squarespace to review this request effectively, including without limitation the information being requested, what form you need to obtain it in and the underlying legal requirement for the request (the “Request”). You agree that the Request will be limited to information regarding our Security Measures or as otherwise required by Data Protection Laws.
b. Within a reasonable time after we have received and reviewed the Request, you and we will discuss and work in good faith towards agreeing on a plan to determine the details of how the Request can be addressed. You and we agree to use the least intrusive means for Squarespace to address the Request, taking into account applicable legal requirements, information available to or that may be provided to you, the urgency of the matter and the need for Squarespace to maintain uninterrupted business operations and the security of its facilities and protect itself and its customers from risk and to prevent disclosure of information that could jeopardize the confidentiality of Squarespace or our users’ information.
You will pay our costs in considering and addressing any Request. Any information and documentation provided by Squarespace or its auditors pursuant to this Section 5.9 will be provided at your cost. If we decline to follow any instruction requested by you regarding audits or inspections, you may cancel any affected Paid Services.
5.10. Questions. Upon your reasonable requests to us for information regarding our compliance with the obligations set forth in this DPA, we shall, where such information is not otherwise available to you, provide you with written responses, provided that you agree not to exercise this right more than one (1) time per calendar year (unless it is necessary for you to do so to comply with Data Protection Laws). The information to be made available by Squarespace under this Section 5.10 is limited to solely that information necessary, taking into account the nature of the Services and the information available to Squarespace, to assist you in complying with your obligations under applicable Data Protection Laws in respect of data protection impact assessments and prior consultation. You agree that you may be required to agree to a non-disclosure agreement with Squarespace before we share any such information with you.
5.11. Requests. You can delete or access a copy of some of Your Controlled Data through the Services. For any of Your Controlled Data which may not be deleted or accessed through the Services, upon your written request, we will, with respect to any of Your Controlled Data in our or our Sub-Processor’s possession that we can associate with a data subject, subject to the limitations described in the Agreement and unless prohibited by applicable law or the order of a governmental, law enforcement or regulatory body: (a) return such data and copies of such data to you provided that you make such request within no more than ninety (90) days after the cancellation of the applicable Paid Services; or (b) delete, and request that our Sub-Processors delete, such data (excluding in the case of (a) or (b) any of such data which we maintain in order to comply with applicable law or as otherwise set forth in the Agreement). Otherwise, we will delete Your Controlled Data in accordance with our data retention policy.
6. Data Transfers.
6.1. Taking into account, in particular, the Security Measures and safeguards provided for in this DPA and the specific circumstances, you authorize Squarespace to transfer Your Controlled Data away from the country in which such data was originally collected to other countries globally in which Squarespace or any Sub-Processors operate, including in particular, to the US.
6.2. Squarespace, Inc. complies with the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework (each individually and collectively, the “Data Privacy Frameworks”). Squarespace, Inc. has certified to the U.S. Department of Commerce its adherence to the Data Privacy Frameworks regarding the processing of personal information received from the EEA, Switzerland and/or the UK. You can find Squarespace, Inc.’s certification here. Squarespace, Inc. is committed to treating personal information received from the EEA, Switzerland and/or the UK pursuant to the applicable Data Privacy Framework in accordance with the principles thereof (the “DPF Principles”). You can learn more about the Data Privacy Frameworks and DPF Principles by visiting https://www.dataprivacyframework.gov/.
6.3. Squarespace will use the applicable Data Privacy Framework to lawfully transfer personal information received from the EEA, Switzerland and/or the UK, and ensure that it provides at least the same level of protection to such personal information as is required by the DPF Principles and will let you know if it is unable to comply with this requirement.
6.4. If European Data Protection Laws require that appropriate safeguards are put in place (for example, if the Data Privacy Frameworks do not cover the transfer to Squarespace, Inc. in the US and/or the applicable Data Privacy Framework is invalidated), the standard contractual clauses, approved by the European Commission decision 2021/914, dated 4 June 2021 (and with respect to the UK, the international data transfer addendum to the European Commission’s standard contractual clauses approved by the Information Commissioner’s Office, effective March 21, 2022) will be incorporated by reference and form part of the Agreement.
6.5. Unless such transfer is otherwise permitted under European Data Protection Laws, transfers to a Sub-Processor in any country not recognized under European Data Protection Laws as providing an adequate level of protection for Your Controlled Data shall proceed pursuant to (a) the processor to processor (module 3) standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR and approved by the European Commission decision 2021/914, dated 4 June 2021 (and with respect to the UK, the international data transfer addendum to the European Commission’s standard contractual clauses approved by the Information Commissioner’s Office, effective March 21, 2022); or (b) such other standard contractual clauses for the transfer of personal data to third countries that are recognized under the applicable European Data Protection Laws in the EEA, UK or Switzerland. In order to facilitate an efficient and coordinated service, all communication with Squarespace and any Sub-Processor (including Squarespace, Inc.) in connection with such standard contractual clauses will, to the extent possible, be coordinated and directed through Squarespace Ireland Limited.
7. Liability.
The liability of each party under this DPA is subject to the exclusions and limitations of liability set out in the Agreement. You agree that any regulatory penalties or claims by data subjects or others incurred by Squarespace Ireland or Squarespace, Inc. in relation to Your Controlled Data that arise as a result of, or in connection with, your failure to comply with your obligations under the Agreement, this DPA or Data Protection Laws shall reduce, as applicable, Squarespace Ireland’s and/or Squarespace, Inc.’s maximum aggregate liability to you in the same amount as such regulatory penalties, claims and/or liability incurred by us as a result.
8. Conflict.
In the event of a conflict between this DPA and the rest of the Agreement, this DPA will control.
9. Miscellaneous.
You are responsible for any costs and expenses arising from Squarespace Ireland’s and Squarespace, Inc.’s compliance with your instructions or requests pursuant to the Agreement (including this DPA) which fall outside the standard functionality made available generally through the Services.
10. Modifications to this DPA.
We may modify this DPA from time to time, and will post the most current version on our site. If a modification meaningfully reduces your rights, we may notify you in accordance with the procedures set forth in our Terms of Service. By continuing to use or access the Services after any modifications come into effect, you agree to be bound by the modified DPA. If you disagree with our changes, then you must stop using the applicable Services and cancel the applicable Paid Services.