1. Important Information and Who We Are

2. Types of Personal Data We Collect About You

3. How Is Your Personal Data Collected?

4. How We Use Your Personal Data

5. Disclosures of Your Personal Data

6. International Transfers

7. Data Security

8. Data Retention

9. Your Legal Rights

10. Contact Details

11. Complaints

12. Changes to the Privacy Policy and Your Duty to Inform Us of Changes

13. Third Party Links

Important Information and Who We Are

Privacy policy

This privacy policy provides information about how we collect and use your personal data (also known as personal information or personally identifiable information in the United States) including through your use of our website (pentagram.com), or any of our services, or when you attend our events or sign up to our newsletters. This policy is designed to comply with privacy laws in the United States, United Kingdom, and European Economic Area.

Please note, this website is not intended or designed for children under the age of 13. We do not knowingly collect personal information from or about any person under the age of 13. If you are under 13 years old and wish to ask a question or use this site in any way which requires you to submit your personal information, please get your parent or guardian to do so on your behalf.

Controller

The Pentagram Group is made up of different legal entities based in the UK (Pentagram Design Limited in London), Germany (Pentagram Design GmbH & Co in Berlin), and the United States (Pentagram Design, Inc. in New York, New York and Pentagram Design, Inc. in Austin, Texas), and our holding company in Switzerland, Pentagram AG).

This privacy policy is addressed to individuals in the United States (including as required by state privacy laws), United Kingdom, and European Economic Area on behalf of the Pentagram Group as a whole so when we mention "Pentagram", "we", "us" or "our" in this privacy policy, we are referring to the relevant company in the Pentagram Group responsible for processing your data.

Customers located in the UK or EEA would usually be dealing with our UK or German companies respectively, in which case that company would be the relevant controller for the personal data you provide to us. However, please note that our New York entity is the controller and responsible for this website, www.pentagram.com.

If you have any questions about this privacy policy, including any requests to exercise your legal rights (paragraph 9 ), please contact us using the information set out in the contact details section (paragraph 10 ).

The Types of Personal Data We Collect About You

Personal data means any information about an individual from which that person could be identified.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

• Identity Data includes name and title.
• Contact Data includes address, email address and telephone numbers.
• Transaction Data includes details about previous services you have received from us.
• Technical Data includes your browser type and version, time zone setting and location, operating system and platform on the devices you use to access our website.
• Profile Data includes your preferences and feedback.
• Usage Data includes information about how you interact with and use our website and services.
• Marketing and Communications Data includes your preferences in receiving marketing and newsletters from us and our third parties and your communication preferences.
• CCTV Data collected if you visit us at our premises.

We also collect, use and share aggregated data such as statistical or demographic data which is not personal data as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals' Usage Data to calculate the percentage of users accessing a specific website feature in order to analyse general trends in how users are interacting with our website to help improve the website and our service offering.

We do not generally collect any special category data about you (i.e., information concerning a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a person's sex life or sexual orientation). Similarly, we do not collect sensitive personal information as defined under applicable US state and federal privacy laws, which may include data such as social security numbers, financial account numbers, or precise geolocation. If we do need any such information we would seek your consent at the time of requesting it and explain why it is needed.

How Is Your Personal Data Collected?

We use different methods to collect data from and about you including through:

• Your interactions with us. You may give us your personal data by filling in online forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you :
  • enquire about our services or other opportunities to partner or work with us;
  • use our website;
  • engage our services;
  • subscribe to our publications or mailing lists;
  • register for and/or attend our events;
  • visit our offices;
  • request marketing to be sent to you;
  • engage with us on social media;
  • supply us with goods or services or otherwise partner with us; or
  • give us feedback or contact us.
• Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, and similar technologies.
• Third parties or publicly available sources. We will receive personal data about you from various third parties and public sources as set out below:
  • Third parties (including clients and or collaborators) wishing to invite you to events we host or organise.
  • Technical Data is collected from analytics providers such as Google based outside the UK.
  • Identity, Contact of Profile Data collected from publicly available sources, media reports or social media platforms.

How We Use Your Personal Data

Legal basis

The law requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases:

• Performance of a contract with you: Where we need to perform the contract we are about to enter into or have entered into with you.
• Legitimate interests: We may use your personal data where it is necessary to conduct our business and pursue our legitimate interests, for example to prevent fraud and enable us to give you the best and most secure customer experience. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
• Legal obligation: We may use your personal data where it is necessary for compliance with alegal obligation that we are subject to. We will identify the relevant legal obligation when we rely on this legal basis.
• Consent: We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example if you subscribe to an email newsletter. For US residents, this includes obtaining consent as required by applicable state privacy laws. For UK and EEA residents, this means consent as required by national or EU data protection laws.
• Public Interest: If you are a US resident there may also be a legal basis under certain state laws in relation to processing that is necessary for the performance of a task carried out in thepublic interest or in the exercise of official authority vested in us.

Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use the various categories of your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

1. 1. Purpose/ Use: To register you as a new customer
   2. Type of Data:
      1. Identity
      2. Contact
   3. Legal Basis: Performance of a contract with you
2. 1. Purpose/ Use: To enable you to visit our premises and participate in meetings or conferencecalls
   2. Type of Data:
      1. Identity
      2. Contact
      3. CCTV
   3. Legal Basis:
      1. Performance of a contract with you
      2. Necessary for our legitimate interests (to keep our offices secure and for health andsafety reasons in the event of an incident)
3. 1. Purpose/ Use: To provide our services and process and deliver your project including:
      1. To manage the project on an ongoing basis (including day-to-day correspondence with you)
      2. To manage payments and collect and recover money owed to us
   2. Type of Data:
      1. Identity
      2. Contact
      3. Transaction
      4. Marketing and Communications
   3. Legal Basis:
      1. Performance of a contract with you
      2. Necessary for our legitimate interests (to recover debts due to us)
4. 1. Purpose/ Use: To manage our relationship with you which will include:
      1. Notifying you about changes to our terms or privacy policy
      2. Dealing with your requests, complaints and queries
   2. Type of Data:
      1. Identity
      2. Contact
      3. Profile
      4. Marketing and Communications
   3. Legal Basis:
      1. Performance of a contract with you
      2. Necessary to comply with a legal obligation
      3. Necessary for our legitimate interests (to keep our records updated and manage our relationship with you)
5. 1. Purpose/ Use: To invite or register you as an attendee at one of our events and allow you to attend the event in question
   2. Type of Data:
      1. Identity
      2. Contact
      3. Profile
      4. Marketing and Communications
   3. Legal Basis:
      1. Performance of a contract with you
      2. Necessary for our legitimate interests (to organise and host events for our clients and contacts and their invitees)
      3. Your consent (e.g., where you provide us with dietary or accessibility requirements before you attend our events)
6. 1. Purpose/ Use: To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
   2. Type of Data:
      1. Identity
      2. Contact
      3. Technical
   3. Legal Basis:
      1. Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
      2. Necessary to comply with a legal obligation
7. 1. Purpose/ Use: To use data analytics to improve our website, products/ services, customer relationships and experiences
   2. Type of Data:
      1. Technical
      2. Usage
   3. Legal Basis: Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our strategy)
8. 1. Purpose/ Use: To send you marketing communications
   2. Type of Data:
      1. Identity
      2. Contact
      3. Marketing and Communications
   3. Legal Basis:
      1. Necessary for our legitimate interests (to carry out direct marketing, develop our products/ services and grow our business)
      2. Consent, having obtained your prior consent to receiving direct marketing communications (e.g., our newsletter)
9. 1. Purpose/ Use: To seek feedback
   2. Type of Data:
      1. Identity
      2. Contact
      3. Profile
   3. Legal Basis: Necessary for our legitimate interests (to study how customers use our services and to help us improve and develop our products and services).

CCTV

We use CCTV inside our buildings to keep our premises and our staff secure. The footage is stored locally for a short period of time before it is deleted. We would not share CCTV footage unless we were required to do for legal reasons, for example to cooperate with law enforcement agencies to investigate a specific crime or incident. For further information about our respective offices’ uses of CCTV please contact us.

Direct marketing

You will receive marketing communications from us if you have subscribed to our newsletter on our website.

Cookies & third-party video content

Necessary cookies enable basic site features, such as secure log-in or consent preferences. These cookies don’t store any personally identifiable data.

Third parties like Google Analytics also place analytics cookies on our website to collect information about how you got to the site, the pages you visit and how long you spend on each page, and what you click on. For more information, see the Google Privacy Policy. To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout.

Our site contains some video content. If you don't enable video player cookies, video content will appear as standard links, which will take you to YouTube and Vimeo to watch the videos. YouTube and Vimeo may set cookies when you use their sites. Or, if you enable video player cookies, you'll see videos embedded in our pages and YouTube and Vimeo may receive information about the videos you watch for analytics and advertising purposes. For more information see the Vimeo Cookies Policy.]

[A cookie is a small text file that a website stores on your computer or mobile device when you visit the site. To learn more about our use of cookies or similar technology please check our Cookie Policy.]

Disclosures of your personal data

We may share your personal data where necessary with the parties set out below for the purposes set out in the table above. If you are a US resident, your rights regarding data sharing may be governed by applicable state privacy laws, including the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), and other state privacy laws.

• Other companies within the Pentagram Group (based in the UK, Germany, [Switzerland, ]and the United States).
• Third party organisations or individuals who perform functions or services on our behalf, including IT Service Providers such as:
  • our cloud computing and data storage providers based in the UK and US;
  • our website hosting and management provider based in the US;
  • our data analysis, back-up and security service providers based in the UK;
  • our customer database software based in the US;
  • other service consultants and providers related to security, finance and software development and support, and error monitoring based in the UK, EEA, US and elsewhere.
• We may disclose and exchange information with our professional advisors (legal, audit, accounting etc) and with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations or to establish, exercise or defend our legal rights.
• Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

In the event that: (a) you are resident of the State of California; (b) we have received personal information from you; (c) we fall within the definition of “business,” as defined by the CCPA; and (d) we disclose your personal information to any third party (e.g., our affiliates) for our business purposes, we will enter into a written agreement with the third party that contains the applicable privacy provisions required by the CCPA.

For more detailed information about the specific third parties to whom we have disclosed your personal data please contact us.

International transfers

We may need to share your personal data within the Pentagram Group. This will involve transferring your data to our offices in UK, Germany[, Switzerland] and/or the United States.

As discussed in paragraph 5 above, we also transfer your personal data to selected service providers which carry out certain functions on our behalf. This can sometimes involve transferring personal data outside your country to countries which have laws that do not provide the same level of data protection.

For UK and EEA residents, whenever we transfer your personal data to service providers out of the UK/EEA, we ensure a similar degree of protection is afforded to it by ensuring that the following safeguards are in place:

• By ensuring that we only transfer your personal data to countries that have been deemed by the UK/European Commission to provide an adequate level of protection for personal data. For further details, see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en; or
• By using specific standard contractual terms approved for use in the UK/EEA which give the transferred personal data the same protection, namely the namely the European Commission’s standard contractual clauses for international data transfers (and/or the UK’s equivalent documentation). To obtain a copy of these contractual safeguards, please contact us; or
• Where our partners or suppliers based in the US are certified as being part of the Data Privacy Framework, which requires them to self-certify that they will provide similar protection to personal data to that afforded under UK and EU privacy legislation. For further details, please see https://www.dataprivacyframework.gov/.

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed, in compliance with applicable data protection laws in the UK, EU, and US (including state-specific requirements for reasonable security measures). In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Data retention

How long will you use my personal data for?

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

By law we have to keep basic information about our customers (including Contact, Identity and Transaction Data) for a number of years after they cease being customers for various purposes including tax. This period varies by jurisdiction - for example, according to US federal and state laws, UK laws, and/or EU regulations. The retention periods and requirements differ based on the Type of Data: and applicable laws in your jurisdiction. Please contact us if you have specific questions about retention periods that apply to your data.

In some circumstances you can ask us to delete your data. For EU/UK residents, this includes your right to erasure under GDPR in certain circumstances. For US residents, this includes deletion rights under applicable state privacy laws such as the CCPA/CPRA. See paragraph 9 below for further information about your privacy rights based on your jurisdiction.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Your legal rights

You have a number of rights under data protection laws in relation to your personal data.

You have the right to:

• Request access to your personal data (commonly known as a "subject access request" or "right to know" request). This enables you to receive a copy of the personal data we hold about you, how we use it, who we share it with, and to verify that we are lawfully processing it.
• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Request erasure of your personal data in certain circumstances. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data (including carrying out profiling based on our legitimate interests). In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
• You also have the absolute right at any time to object to processing for direct marketing purposes (see paragraph 4 for details of how to object to receiving direct marketing communications).
• Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• Withdraw consent at any time where we are relying on consent to process your personal data (see the table in section 4 for details of when we rely on your consent as the legal basis for using your data). However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
• Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios:
  • If you want us to establish the data's accuracy;
  • Where our use of the data is unlawful but you do not want us to erase it;
  • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
• You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• Information-Sharing Disclosure, Shine the Light. Under California Civil Code Section 1798.83 (also known as Information-Sharing Disclosure, Shine the Light), if you are a California resident and your business relationship with us is primarily for personal, family, or household purposes, you may request certain data regarding our disclosure, if any, of personal information to third parties for the third-parties’ direct marketing purposes. To make such a request, use the applicable contact information set forth in paragraph 10 below. You may make such a request up to once per calendar year. In accordance with California Civil Code Section 1798.83, we will provide to you, by e-mail, a list of the categories of personal information disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year, along with the third parties’ names and addresses and any other information required by California Civil Code Section 1798.83.

If you wish to exercise any of the rights set out above, please contact us.

No fee usually required

In most cases you will not have to pay a fee to access your personal data (or to exercise any of the other rights) unless permitted by applicable law. For example, if you are a California resident, we may charge a reasonable fee as permitted under the CCPA. For residents of the UK, EEA and other US jurisdictions, however, we would only seek to charge a (reasonable) fee where your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances when permitted by applicable law.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Contact details

If you have any questions about this privacy policy or about the use of your personal data or you want to exercise your privacy rights, please contact us in the following ways:

If you are in the UK:

• Email address: london@pentagram.com
• Postal address: 11 Needham Road, London W11 2RP, United Kingdom
• Telephone number: +44 20 7229 3477

• Email address: info@pentagram.de
• Postal address: Geisbergstrasse 8 / L2, Berlin 10777, Germany
• Telephone number: +49 30 27 87 61 0

• Email address: newyork@pentagram.com
• Postal address: 250 Park Avenue South, 12th Floor, New York, NY 10003
• Telephone number: 212-683-7000

Complaints

You have the right to make a complaint at any time to your local data privacy supervisory authority or regulatory body.

UK: The Information Commissioner’s Office (ICO) is the UK regulator for data protection issues (www.ico.org.uk).

EEA: If you are in the EEA, you can contact your local supervisory authority.

US: If you are in the United States, you may file a complaint with the Federal Trade Commission (www.ftc.gov) or your state's Attorney General's office. For California residents, you may contact the California Privacy Protection Agency (cppa.ca.gov).

In all cases, however, we appreciate the chance to deal with your concerns before you approach a regulator so please contact us in the first instance.

Changes to the privacy policy and your duty to inform us of changes

We keep our privacy policy under regular review. This version was last updated in April 2025.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.

Third-party links

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you, including through cookies and similar technologies. We do not control these third-party websites and are not responsible for their privacy statements or practices. When you leave our website, we encourage you to read the privacy policy of every website you visit. Please note that these third parties may be located in different countries with different privacy laws providing different levels of protection.