Services Case Studies How It Works Join Us Apply to Work With Us

Privacy Policy

How we collect, use, and protect your personal data.

1. Who We Are

This website, iconacquisition.com, is operated by Icon Acquisition (“we”, “us”, “our”).

Icon Acquisition is the data controller for the personal data processed through this website. We are a business-to-business (B2B) marketing agency that provides model recruitment services to webcam studios and OnlyFans/content creator agencies.

If you have any questions about this Privacy Policy or how we handle your data, you can contact us at: contact@iconacquisition.com

2. What Data We Collect

We collect personal data that you voluntarily provide when you complete our website contact form. This includes:

  • Personal identifiers: your full name, email address, and phone number
  • Business information: agency name, agency location, agency type (webcam studio, OnlyFans agency, or both), model capacity per month, countries you recruit from, website URL, current marketing budget, current recruitment method, and a description of your biggest recruitment challenge

We also automatically collect certain technical data when you visit our website:

  • Analytics data: IP address (anonymised), browser type, device type, pages visited, referring URL, and session duration, collected via Google Analytics
  • Cookies and similar technologies: see Section 9 below and our Cookie Policy for full details

We do not collect any special category data (such as racial or ethnic origin, health data, or sexual orientation). Our services are B2B in nature, and we only collect data from business representatives inquiring about our agency services.

3. How We Use Your Data

We use your personal data for the following purposes:

  • To respond to your inquiry: when you submit our contact form, we use your details to understand your agency’s needs and to follow up with you
  • To schedule calls: we use your name and email to arrange and conduct audit calls via our scheduling platform
  • To provide our services: if you become a client, we use your business information to deliver our model recruitment marketing services
  • To improve our website: we use analytics data in aggregate to understand how visitors use our site, improve user experience, and optimise our content
  • To run advertising campaigns: we may use aggregated or anonymised data to measure the performance of our Meta and Google advertising campaigns

4. Legal Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR), we must have a lawful basis for processing your personal data. We rely on the following:

  • Legitimate interests (Article 6(1)(f)): processing your B2B inquiry data is necessary for our legitimate interest in responding to prospective clients, providing quotes, and conducting business development activities. We have conducted a legitimate interest assessment and concluded that this processing does not override your rights and freedoms, given the B2B context and the nature of the data involved.
  • Performance of a contract (Article 6(1)(b)): where you become a client, we process your data as necessary for the performance of our service agreement with you, or to take pre-contractual steps at your request.
  • Consent (Article 6(1)(a)): where we send you direct marketing communications (beyond responding to your initial inquiry), we will obtain your explicit consent beforehand. You may withdraw your consent at any time by contacting us at contact@iconacquisition.com or by using the unsubscribe mechanism in any marketing communication.
  • Legal obligation (Article 6(1)(c)): we may process your data where necessary to comply with a legal obligation to which we are subject, such as tax or accounting requirements.

5. Who We Share Your Data With

We do not sell your personal data. We share your data only with trusted third-party service providers (sub-processors) who assist us in operating our website and delivering our services. Each sub-processor is contractually required to process your data only on our instructions and to maintain appropriate security measures.

Sub-processorPurposeLocation
Webflow, Inc.Website hosting and deliveryUnited States
Cloudflare, Inc.Content delivery network (CDN), DDoS protection, and website securityUnited States / Global
Google LLC (Google Analytics)Website analytics and traffic measurementUnited States
Google LLC (Google Sheets)Storage and management of form submission dataUnited States
Google LLC (Google Ads)Advertising campaign measurement and conversion trackingUnited States
Meta Platforms, Inc.Advertising campaigns (Meta/Facebook/Instagram Ads) and conversion trackingUnited States
Typeform SLForm building and data collectionSpain (EU)
Cal.com, Inc.Scheduling of audit calls and meetingsUnited States

We may also disclose your personal data if required to do so by law, regulation, or legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

6. International Transfers

Several of our sub-processors are based in the United States or operate globally. When your personal data is transferred outside the United Kingdom or the European Economic Area (EEA), we ensure that appropriate safeguards are in place to protect your data, including:

  • EU-US Data Privacy Framework (DPF): where the sub-processor is certified under the EU-US Data Privacy Framework and/or the UK Extension to the EU-US DPF, we rely on that certification as providing adequate protection (e.g., Google LLC, Meta Platforms, Inc., Cloudflare, Inc.)
  • Standard Contractual Clauses (SCCs): where the DPF does not apply, we ensure that the sub-processor has entered into the European Commission’s Standard Contractual Clauses (as supplemented for UK transfers by the International Data Transfer Addendum issued by the UK Information Commissioner’s Office), providing contractual safeguards for international data transfers

You may request a copy of the safeguards we have in place by contacting us at contact@iconacquisition.com.

7. How Long We Keep Your Data

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our specific retention periods are as follows:

  • Inquiry data (form submissions from non-clients): 24 months from the date of submission. After this period, the data is permanently deleted from our systems unless you have become a client.
  • Client data (data relating to active or former clients): for the duration of the contractual relationship plus 12 months following termination, to allow for any post-contract queries or obligations.
  • Analytics data: 26 months from the date of collection, in line with Google Analytics default data retention settings, after which it is automatically deleted.

At the end of the applicable retention period, your personal data will be securely deleted or anonymised so that it can no longer be linked to you.

8. Your Rights

Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data:

  • Right of access: you have the right to request a copy of the personal data we hold about you.
  • Right to rectification: you have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
  • Right to erasure: you have the right to request that we delete your personal data where there is no compelling reason for us to continue processing it.
  • Right to restrict processing: you have the right to request that we restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data.
  • Right to data portability: you have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to object: you have the right to object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: where we process your data based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Right to lodge a complaint: if you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO). You can contact the ICO at ico.org.uk/make-a-complaint or by calling 0303 123 1113. If you are located in the EEA, you may also lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, please contact us at contact@iconacquisition.com. We will respond to your request within one month. In exceptional circumstances, we may extend this period by up to two additional months, in which case we will inform you of the extension and the reasons for it.

We will not charge a fee for handling your request unless the request is manifestly unfounded or excessive. We may request reasonable proof of your identity before processing your request.

9. Cookies

Our website uses cookies and similar tracking technologies to improve your browsing experience, analyse website traffic, and support our advertising efforts. Cookies are small text files that are placed on your device when you visit our website.

For full details about the cookies we use, how to manage your cookie preferences, and your choices regarding cookies, please see our Cookie Policy.

10. Security Measures

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • All data transmitted between your browser and our website is encrypted using TLS/SSL (HTTPS)
  • Access to personal data is restricted to authorised personnel on a need-to-know basis
  • Our sub-processors are contractually required to maintain industry-standard security practices
  • We use Cloudflare for DDoS protection and web application firewall services
  • Form submission data stored in Google Sheets is protected by Google’s enterprise-grade security infrastructure, including encryption at rest and in transit

While we strive to protect your personal data, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining the highest reasonable standard of data protection.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make changes, we will update the “Last updated” date at the bottom of this page.

We encourage you to review this Privacy Policy periodically. If we make material changes that significantly affect how we process your personal data, we will take reasonable steps to notify you, such as posting a prominent notice on our website or, where applicable, contacting you directly.

12. How to Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing activities, please contact us:

Last updated: February 2026