Privacy Policy
Last updated: 16th May 2026
1. Who We Are
Commissioning Desk (commissioningdesk.com) is an independent editorial publication covering digital project commissioning, technology procurement, and supplier management for organisations across the globe.
The data controller for this website is:
Commissioning Desk
Kazimierza Cepurskiego 8/3
63-900 Rawicz
Poland
Email: [email protected]
For the purposes of this policy, “we”, “us”, and “our” refer to The Commissioning Desk. “You” refers to any person who visits or uses this website.
2. What Laws Apply
As the data controller is based in Poland, this policy is written in accordance with the EU General Data Protection Regulation (EU GDPR) 2016/679. Where we process the personal data of individuals in the United Kingdom, we also comply with the UK GDPR as retained in UK law by the Data Protection Act 2018.
Your personal data is not sold, rented, or traded. We collect only what we need and keep it only as long as we need it.
3. What Data We Collect and Why
3.1 Visiting the Website (No Account)
When you visit Commissioning Desk, we do not collect any personally identifiable information about you. We use Independent Analytics, a self-hosted, privacy-first analytics plugin. This tool:
- stores all data locally on our own server (no data is sent to third parties);
- does not use cookies;
- does not track you across websites;
- records only aggregated, non-identifiable information such as page views, referral sources, and approximate country-level geography.
Legal basis: Legitimate interests (EU GDPR Article 6(1)(f)) — understanding how our content is used so we can improve it, without intruding on your privacy.
3.2 Creating an Account
You may register for an account on Commissioning Desk. An account allows you to save bookmarks and follow categories. Registration is voluntary.
Data collected:
- Email address
- Password (stored in encrypted form — we never see your password in plain text)
We do not collect your name, address, phone number, or any payment information at registration. Your account is not linked to our newsletter list or to any analytics system.
Legal basis: Performance of a contract (EU GDPR Article 6(1)(b)) — your account exists to deliver the features you have signed up for.
Age requirement: You must be at least 18 years old to register for an account. By registering, you confirm that you meet this requirement. We do not knowingly collect data from anyone under 18. If we become aware that we hold data relating to a person under 18, we will delete it promptly.
Retention: Your account data is retained for as long as your account remains active. If your account has been inactive for 12 consecutive months, we may delete it at our discretion after providing reasonable notice. You may request deletion of your account at any time by contacting us at [email protected].
3.3 Subscribing to Our Newsletter
We offer an opt-in email newsletter via Mailchimp (operated by Intuit Inc.). If you subscribe, we collect:
- Your email address
- The date and method of subscription (for our records)
Your email address is stored on Mailchimp’s systems. Mailchimp is based in the United States. Intuit Inc. participates in the EU–US Data Privacy Framework and processes EU personal data under Standard Contractual Clauses approved by the European Commission, providing an adequate level of protection.
You can unsubscribe at any time using the link included in every newsletter, or by contacting us directly at [email protected]. On unsubscription, your email address will be removed from our active mailing list. Mailchimp may retain suppression records (to prevent accidental re-subscription) in line with their own retention policy.
Your newsletter subscription is entirely separate from your site account, if you have one.
Legal basis: Consent (EU GDPR Article 6(1)(a)). You may withdraw consent at any time without affecting the lawfulness of any processing that took place before withdrawal.
3.4 Comments
Commenting uses the standard website comments system. Guest commenters are asked to provide a display name, an email address, and their comment text. Email addresses will not be published.
Legal basis (when enabled): Legitimate interests (EU GDPR Article 6(1)(f)) — enabling editorial discussion and reader engagement on published content.
3.5 Contact Enquiries
When a contact form is used, any information you submit (such as your name, email address, and enquiry) will be sent to our team inbox and used solely to respond to your enquiry. Enquiry data will not be added automatically to any CRM system or marketing list.
Legal basis (when enabled): Legitimate interests (EU GDPR Article 6(1)(f)) — responding to legitimate editorial and business enquiries.
Retention (when enabled): Enquiry correspondence will be retained for up to 12 months and then deleted, unless there is an ongoing relationship or legal reason to retain it longer.
4. Cookies
We use only strictly necessary cookies — those required to operate the website and deliver the features you use.
These include:
| Cookie | Purpose | Duration |
|---|---|---|
| WordPress session cookie | Keeps you logged in to your account during a browsing session | Session (deleted on browser close) |
| WordPress auth cookie | Remembers your login across sessions if you select “Remember me” | Up to 14 days |
| WordPress security nonce | Protects against cross-site request forgery | Session |
We do not use:
- Advertising cookies
- Analytics cookies (Independent Analytics is cookieless)
- Social media cookies
- Any third-party cookies, except those set by Mailchimp on the newsletter sign-up page (where applicable — see Mailchimp’s own cookie policy)
Because we use only strictly necessary cookies, we are not required under ePrivacy rules to obtain your consent before setting them. We do not display a cookie consent banner for this reason. If we introduce any non-essential cookies in the future, we will update this policy and implement appropriate consent mechanisms.
5. Infrastructure and Data Location
All personal data processed by Commissioning Desk is stored on servers located within the European Economic Area (EEA).
Specifically:
- Website and account data is hosted on servers located in Germany, with a company subject to EU law.
- Media files (images, documents) are stored on Cloudflare, a cloud storage product operated by Cloudflare, Inc. No personal data is stored in R2.
- Website traffic is proxied through Cloudflare’s CDN and Web Application Firewall (WAF). Cloudflare may process your IP address and request metadata in order to deliver content and protect the site from malicious traffic. Cloudflare participates in the EU–US Data Privacy Framework and processes data in accordance with Standard Contractual Clauses. Cloudflare’s processing is transient and is not used to track individuals.
- Newsletter data is held by Mailchimp / Intuit Inc., as described in Section 3.3 above.
We do not transfer your personal data to any other third parties, except as required by law.
6. Your Rights
Under the EU GDPR (and, where applicable, the UK GDPR), you have the following rights in relation to your personal data:
Right of access — You may request a copy of the personal data we hold about you.
Right to rectification — You may ask us to correct inaccurate or incomplete data.
Right to erasure — You may ask us to delete your data. We will comply unless we have a lawful reason to retain it (for example, to defend a legal claim).
Right to restriction — You may ask us to restrict processing of your data in certain circumstances, for example while a dispute is being resolved.
Right to object — Where we rely on legitimate interests as our legal basis, you have the right to object to that processing. We will comply unless we have compelling legitimate grounds that override your interests.
Right to data portability — Where we process your data on the basis of consent or contract, and by automated means, you may request a machine-readable copy of your data.
Right to withdraw consent — Where processing is based on your consent (e.g. newsletter subscription), you may withdraw that consent at any time.
To exercise any of these rights, contact us at [email protected]. We will respond within one month. If your request is complex or numerous, we may extend this by a further two months, and will notify you accordingly.
We will not charge a fee for handling your request unless it is manifestly unfounded or excessive.
7. Right to Lodge a Complaint
If you believe we have handled your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority.
As the data controller is based in Poland, the relevant supervisory authority is:
Urząd Ochrony Danych Osobowych (UODO) ul. Stawki 2 00-193 Warsaw, Poland https://uodo.gov.pl
If you are based in the United Kingdom, you may also contact:
Information Commissioner’s Office (ICO) Wycliffe House, Water Lane Wilmslow, Cheshire SK9 5AF https://ico.org.uk Helpline: 0303 123 1113
We would always encourage you to contact us directly first so that we can address your concern.
8. Security
We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse. These include:
- Encrypted password storage (your password is never stored in plain text)
- HTTPS encryption across the entire website, enforced via Cloudflare
- Cloudflare WAF protection against malicious traffic
- Server-side security hardening by Parrot Creative Ltd
No method of transmission or storage is completely secure. If you have reason to believe your data has been compromised, please contact us immediately at [email protected].
9. Links to Other Websites
Our articles may link to external websites. We are not responsible for the privacy practices of those sites and this policy does not apply to them. We recommend reading the privacy policy of any external site you visit.
10. Embedded Content
We do not currently embed any third-party content (such as YouTube videos or social media posts). We may embed YouTube videos in future articles where relevant. YouTube videos embedded on this site would be served by Google and subject to Google’s own privacy policy. Where we do embed such content, we will use privacy-enhanced embedding options where they are available.
11. Changes to This Policy
We may update this policy from time to time — for example, when we introduce new features such as comments or contact forms. The date at the top of this page indicates when the policy was last revised. For significant changes, we will take reasonable steps to notify registered users.
Continued use of the site after any update constitutes acceptance of the revised policy.
12. Contact
For any questions, concerns, or requests relating to this privacy policy or our handling of your personal data, please contact us:
By email: [email protected]
By post (worldwide): Commissioning Desk, Kazimierza Cepurskiego 8/3, 63-900 Rawicz, Poland.
By post (UK-only): Commissioning Desk, c/o Parrot Creative Ltd, 160 Aztec West, Bristol, BS32 4TU, United Kingdom.
We aim to respond to all enquiries within 10 working days.