Privacy Policy

Effective Date: May 2026
Last Reviewed: May 2026

Website: cliffordhamiltonandco.com
Email: governance@cliffordhamiltonandco.com

Clifford Hamilton and Co. Ltd is committed to protecting your personal data and respecting your privacy.

This Privacy Policy explains who we are, what personal data we collect, why we collect it, how we use it, how long we keep it, when we share it, and your rights under UK data protection law, including the UK GDPR and the Data Protection Act 2018.

This Privacy Policy applies to personal data processed through our website, business development activities, marketing communications, enquiries, events, resources, referrals and client engagements. It should be read together with any engagement letter, statement of work, data processing terms or confidentiality provisions that apply to services we provide to a client.

1. Data Controller and Our Role

Clifford Hamilton and Co. Ltd is the data controller responsible for personal data processed for our own business purposes, including:

Website operation
Enquiries
Marketing
Business development
Client relationship management
Billing and administration
Legal and regulatory compliance

Registered Address
Union House
111 Union Street
Coventry
CV1 2NT
United Kingdom

Website: www.cliffordhamiltonandco.com
Email: governance@cliffordhamiltonandco.com

For most business operations and client relationship management, we act as an independent controller.

In some client engagements, depending on the nature of the services and client instructions, we may act as a processor. Where we act as a processor, processing will be governed by appropriate Article 28 UK GDPR-compliant data processing terms.

2. What Personal Data We Collect

We may collect and process the following categories of personal data:

Identity Data

First name
Last name
Job title
Role
Senior manager function or governance responsibility
Organisation name

Contact Data

Email address
Telephone number
Business address
Postal address
Preferred contact method

Professional Data

Firm type
Regulatory status
Areas of governance responsibility
Professional background
Business function
Sector
Areas of interest
Professional interactions with us

Enquiry and Correspondence Data

Contact form submissions
Emails
Telephone notes
Meeting notes
Requests and communications

Client-Provided Engagement Data

This may include personal data contained within:

Board papers
Committee papers
Governance materials
Regulatory correspondence
Audit reports
Policies
Frameworks
Risk registers
Incident logs
Complaints records
Role profiles
Reporting structures

Marketing and Preference Data

Marketing preferences
Event registrations
Resource downloads
Subscription preferences
Unsubscribe records

Website and Usage Data

IP address
Browser type
Device information
Pages visited
Referral sources
Cookie identifiers
Analytics data

We do not intentionally collect special category data or criminal offence data during our normal marketing and business development activities.

3. How We Collect Your Data

We collect personal data through:

Direct Interactions

When you:

Complete a contact form
Download a resource
Request a governance review
Attend meetings
Contact us by email or telephone

Website Activity

Including:

Enquiry forms
Analytics tools
Resource downloads
Cookies and tracking technologies

Professional Networks

Including:

LinkedIn
Professional forums
Industry networks

Events and Meetings

Such as:

Webinars
Conferences
Training sessions
Roundtables

Referrals

Where a third party introduces you to our services.

Clients and Advisers

When engagement documents and materials are supplied to support consultancy work.

Public Sources

Including:

Companies House
FCA registers
PRA registers
Public websites
Professional directories

4. Purposes and Legal Basis for Processing

We process personal data for the following purposes:

a) Delivering Our Services

To provide:

Governance advisory services
AI governance reviews
Board-level consultancy
Regulatory governance support
Documentation reviews
Training
Reports and recommendations

Lawful Basis: Contract, legitimate interests, legal obligation.

b) Reviewing Client Materials

To assess:

Governance arrangements
Accountability frameworks
Board documentation
Policies and controls
Risks and incidents

Lawful Basis: Contract, legitimate interests, legal obligation.

c) Responding to Enquiries

To respond to:

Questions
Consultation requests
Meeting requests
General enquiries

Lawful Basis: Legitimate interests.

d) Providing Requested Resources

To provide:

Guides
Templates
Briefings
Downloads

Lawful Basis: Legitimate interests or pre-contractual steps.

e) Marketing and Communications

To send:

Newsletters
Insights
Event invitations
Service updates

Lawful Basis: Consent or legitimate interests.

f) Legal, Tax and Regulatory Compliance

To comply with:

Tax obligations
Accounting requirements
Regulatory duties
Insurance requirements

Lawful Basis: Legal obligation and legitimate interests.

g) Managing Business Relationships

Including:

Client accounts
Supplier relationships
Billing and payments
Conflict checks
File management

Lawful Basis: Contract, legitimate interests, legal obligation.

h) Improving Our Services and Website

To improve:

Website performance
User experience
Service quality
Security

Lawful Basis: Legitimate interests.

i) Protecting Rights, Security and Confidentiality

To protect:

Our business
Clients
Systems
Confidential information

Lawful Basis: Legitimate interests and legal obligation.

5. Marketing, Resources and Opt-Outs

We may contact professional contacts and prospective clients with:

Industry insights
Event invitations
Updates
Information about our services

You may opt out at any time by:

Clicking the unsubscribe link in our emails
Contacting governance@cliffordhamiltonandco.com

6. How We Share Your Data

We do not sell personal data.

We may share personal data with:

Service Providers

Such as:

CRM systems
Email marketing platforms
Website hosting providers
IT support providers
Cloud storage providers

Professional Advisers

Including:

Solicitors
Accountants
Auditors
Insurers

Clients and Representatives

Where necessary to deliver services.

Regulators and Authorities

Including:

HMRC
Companies House
ICO
FCA
PRA

Business Transactions

Including mergers, acquisitions or restructures.

7. Data Retention

We retain data only as long as necessary.

Typical Retention Periods

Data Type	Retention Period
Client engagement records	7 years
Client working papers	Up to 7 years
Enquiry records	2 years
Marketing records	Until withdrawn
Website analytics	Up to 26 months
Tax and accounting records	6–7 years

8. International Data Transfers

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:

UK adequacy regulations
UK International Data Transfer Agreement (IDTA)
UK Addendum to EU Standard Contractual Clauses
Other UK GDPR-compliant safeguards

9. Data Security and Confidentiality

We implement appropriate technical and organisational measures, including:

Access controls
Encryption
Password protection
Secure systems
Supplier due diligence
Staff awareness training

Where a personal data breach creates a risk to individuals, we will notify the ICO and affected individuals where required by law.

10. Use of AI Tools and Subcontractors

We may use technology tools, including AI-assisted systems, to support:

Research
Analysis
Document management
Productivity

We will not intentionally upload client confidential information into public or unmanaged AI tools unless authorised or protected by appropriate safeguards.

Clients may request restrictions on: