Where we rely on legitimate interests (Art 6(1)(f)), we have carried out and documented a Legitimate Interests Assessment (LIA), weighing our interests against the rights and freedoms of the data subject. We do not use legitimate interests where our interests are overridden by your rights.

Where processing is based on consent, you may withdraw your consent at any time, without affecting the lawfulness of prior processing (Art 7(3)).

If you refuse to provide certain personal data that is necessary (e.g. for compliance or contract), we may be unable to proceed with your application or relationship.

5. Recipients / Disclosure / Third parties / International Transfers

We may share your personal data with:

• Service providers & processors (e.g. cloud hosting, IT providers, CRM, email/marketing platform, analytics, legal / accounting / audit)
• Portfolio companies, co-investors, syndication partners, prospective investors — in the context of due diligence, reporting, syndication
• Regulators, tax authorities, courts, government bodies — where required by law or regulation
• Professional advisors, legal counsel, auditors, insurers — for legal, accounting or risk purposes
• Acquirers, successors, or during business reorganisations / mergers — if we restructure or sell all or part of our business
• Other third parties — only where you have given consent or where legally required

All third parties or processors engaged by us are bound by contracts (data processing agreements) requiring them to comply with confidentiality, security, and applicable data protection law.

International / cross-border transfers

If we transfer personal data to countries outside the UK / EEA, we will ensure that suitable safeguards are in place (such as:

• UK Standard Contractual Clauses (SCCs) / International Data Transfer Addendum
• Binding Corporate Rules
• Adequacy decisions by the UK government
• Other lawful mechanisms

We will inform you (either in this Notice or at the time of collection) should we transfer data to jurisdictions without adequacy.

6. Retention / deletion

We retain personal data only for as long as is necessary for the purposes for which it was collected (or as required by law). Criteria used to determine retention periods include:

• The nature and purpose of processing
• Any legal, regulatory or contractual retention requirements
• Whether the data continues to be needed for ongoing relationships, claims, or audits

Typical retention durations (subject to review):

• Marketing / newsletter data: until you withdraw consent or unsubscribe
• Application / pitch data: up to 7–10 years after decision or closure
• Investment / transaction records: at least 6–10 years (or longer if legal/tax obligations demand)
• Website analytics / log data: e.g. 1 to 3 years
• Legal / compliance records: as long as necessary for disputes, regulatory obligations

Once retention is no longer needed, data will be securely deleted or anonymised.

7. Security & Safeguards

We adopt appropriate technical and organisational measures to safeguard your data, including:

• Encryption in transit (TLS/HTTPS) and encryption at rest where practicable
• Access controls, role-based access, strong passwords, multi-factor authentication
• Regular security testing, vulnerability scanning, penetration testing
• Network monitoring, logging, intrusion detection
• Data minimisation, pseudonymisation or anonymisation where feasible
• Secure backups, disaster recovery, segregation of data
• Physical security for paper records and secure disposal, shredding, secure deletion
• Requiring our processors to implement equivalent security measures via contractual obligations

We review and update security practices periodically to maintain appropriateness.

8. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have rights in relation to your personal data:

• Right of access — request a copy of your personal data and supplementary information (Art 15)
• Right of rectification — ask us to correct inaccurate or incomplete data (Art 16)
• Right to erasure (“right to be forgotten”) — in certain cases request deletion (Art 17)
• Right to restrict processing — request suspension of processing (Art 18)
• Right to data portability — if processed by automated means based on consent or contract, ask for data in structured, machine-readable form (Art 20)
• Right to object — e.g. to processing based on legitimate interests or direct marketing (Art 21)
• Right to withdraw consent — at any time if consent is the basis (Art 7(3))
• Right to lodge complaint — with the Information Commissioner’s Office (ICO) in the UK

To exercise any of these rights, please contact us at the contact details in Section 2. We will respond without undue delay and within one month (which may be extended by up to two further months in complex cases, with notice) (Art 12(3)–(4)).

Note: some rights may be restricted or limited (e.g. for legal claims or compliance purposes).

9. Cookies & Similar Technologies

We use cookies, web beacons, tracking pixels, local storage, and similar technologies to collect data about your use of our website (e.g. pages visited, links clicked, session duration). Some cookies are strictly necessary; others support analytics, performance, advertising, or functionality.

• On your first visit (or periodically), we will present a cookie banner / consent notice to you, providing clear information and choice (if required)
• You may withdraw or modify your consent via cookie settings or your browser
• Please refer to our Cookie Policy (linked from our website) for full details of the cookies used, their purposes, durations, and how to manage them

We do not use cookies to collect personal data beyond what is necessary or lawful.

10. Children / Minors

Our services are directed at adults. We do not knowingly collect personal data from children under age 16 without parental consent. If we become aware of such collection, we will take steps to delete the data promptly.

11. Automated decision‑making / profiling

We do not currently rely on fully automated decision‑making (i.e. solely by a machine) that produces legal or materially binding effects regarding you. To the extent we perform profiling (for analytics, segmentation, marketing), we ensure safeguards are in place, including the possibility to object. Should we adopt AI / generative model tools in the future, we will provide you with details of logic, significance, envisaged consequences, and rights to challenge (in line with UK GDPR / EDPB guidelines).

12. Changes to this Notice

We may update this Privacy Notice occasionally (e.g. due to legal, regulatory, or operational changes). The “Last Updated” date at the top will reflect the current version. Where a change is material, we will notify you (for example, by email) if you are a contact in our systems. We encourage you to review this Notice periodically.

13. Third‑party links & embedded content

Our website may link to or embed external websites or content (e.g. social media, YouTube, third‑party widgets). This Privacy Notice does not cover those external sites or services. Please review their privacy policies before providing personal data.

14. International visitors

If you access our services from outside the UK, your data may be transferred to the UK or other jurisdictions for processing, under the safeguards described in Section 5. By using our services, you consent to such transfers.

15. Contact & Supervisory Authority

If you have any questions, requests or complaints about how we use your personal data or about this Notice, please contact us using the contact details in Section 2.

If you believe we have not handled your personal data lawfully or fulfilled your rights, you may lodge a complaint with the Information Commissioner’s Office (ICO) in the UK (https://ico.org.uk).