Privacy.

InStone is a London-based strategy and intelligence agency. This privacy policy explains what information we collect when you use this website or any of our services, how we use it, and the rights you have over it.

For the purposes of UK and EU data protection law, the data controller is InStone Agency Ltd, a company registered in England and Wales under company number 15710657, with its registered office in London.

General questions about this policy can be sent to info@instone.one and are acknowledged within 48 working hours. Formal data subject requests (access, deletion, portability) are handled under the process set out in Section 9 below and responded to within the 30-day statutory deadline.

We only collect information you volunteer through one of our forms. We do not purchase data, scrape data, or buy mailing lists.

Depending on what you sign up for, we collect some or all of the following: first and last name, email address, organisation name, role, the form field you complete when subscribing or enquiring, and the subscription or engagement you have signed up for.

For paid subscriptions and commissioned work, our payment processor additionally collects the billing information required to process your payment. We do not store your card number or payment credentials; that stays with the payment processor.

When you visit this website, our hosting infrastructure logs basic technical data (IP address, browser type, pages visited) for a short retention period, used only for security, debugging, and aggregate traffic understanding.

We use your information strictly to deliver the service you have asked for. The specific use depends on what you signed up for:

If you subscribe to a Free Brief (RedStone or BlueStone), we send you the brief every weekday morning and nothing else, unless you separately opt in.

If you subscribe to a Specialist Brief, we send you that brief on its weekly cadence, along with necessary service communications about the subscription (renewal, billing, changes).

If you commission a study or engagement, we use your information to deliver the agreed work and to respond to anything you send us.

If you register interest in a Hub, we contact you about that Hub and no other.

If you submit a brief through our contact form, we respond to it.

That is the extent of our use of your personal information. We do not sell your personal data to third parties, and we do not share your personal information in identifiable form with advertising networks or data brokers. We may use aggregate, anonymised data to understand how our services are read and to improve them.

Under UK and EU data protection law, we rely on the following legal bases to process your information:

Consent, for every email publication. You actively subscribe; you can unsubscribe at any time.

Contract, for paid subscriptions, commissioned studies, and engagements. We need to process your information to deliver the service you have contracted us for.

Legitimate interest, for responding to enquiries and for basic website operation. The interests balanced against yours are narrow and necessary: answering questions you have sent us, and keeping the site running.

Legal obligation, where law requires us to retain specific records (for example, accounting records for contracted work).

This website uses essential cookies to function. We may also use optional analytics cookies to understand how the site is read, in aggregate, so we can improve it.

We do not sell any data gathered through cookies, and we do not share personal information with third parties for behavioural advertising or profiling. Where we use first-party cookies or measurement tools to understand aggregate site behaviour, we configure them to minimise personal data collection.

You can decline optional cookies using the banner at the bottom of the page. Essential cookies cannot be declined because the site will not function without them.

We rely on a small number of standard infrastructure providers to deliver our services. Each processes data on our behalf under a written data processing agreement, uses your information only for the purpose we contract them for, and is never permitted to use it for their own purposes.

Categories of processors we use:

Hosting and website infrastructure providers.

Email delivery providers for publications and transactional email.

Payment processors for paid subscriptions and commissioned work.

Analytics providers for aggregate, privacy-respecting traffic understanding.

If you want the specific named providers we use at any given time, email info@instone.one and we will tell you.

Some of our processors may store or process data outside the United Kingdom and the European Economic Area. Where that happens, we rely on the safeguards that UK and EU law require: adequacy decisions, Standard Contractual Clauses, or equivalent mechanisms.

We do not transfer personal data to jurisdictions without adequate safeguards in place.

We protect your information with the standard technical and organisational measures you would expect from a professional services agency: transport encryption, access control on administrative tools, and principle-of-least-privilege on who can see what internally.

No system is ever completely secure. If a breach occurs that puts your personal data at material risk, we will notify you and the relevant regulator in line with our legal obligations.

Under UK and EU data protection law, you have the following rights over the information we hold about you:

The right to know what we hold, and to be given a copy.

The right to have inaccurate information corrected.

The right to have your information deleted, subject to any legal retention requirement.

The right to restrict or object to our processing.

The right to have your information transferred to another provider in a machine-readable format.

The right to withdraw consent at any time, without needing to give a reason.

To exercise any of these rights, email info@instone.one. We respond within 30 days of receipt and will not charge you for doing so.

You also have the right to complain to the Information Commissioner's Office (ICO) in the UK, or to your local data protection authority in the EU, if you believe we are not handling your information properly. We would prefer you tell us first so we can fix it.

We keep your information only for as long as we need it for the purpose you gave it to us. In practice that means:

Publication subscribers: for as long as you remain subscribed, plus a short period after unsubscribe for auditing our compliance.

Enquirers: for two years after your last contact with us, after which we archive or delete.

Engagement and commissioned work clients: for the duration of the engagement, plus the period required by tax, company, and contract law (typically six years under UK rules).

If you ask us to delete your data sooner, we do so, except where we are legally required to retain it.

We update this policy from time to time as our services or the law change. Material changes will be announced to subscribers by email before taking effect.

The date at the top of this page shows when we last updated it. Older versions are available on request.

Questions, requests, or complaints about this policy or how we handle your data can be sent to info@instone.one.

Response times: general enquiries acknowledged within 48 working hours. Formal data subject requests handled within the 30-day statutory deadline (see Section 9).

If you would like this policy in a different format (large print or plain text), email us and we will send it.