Privacy Policy

Last updated: 25 November 2025

1. Introduction

We are a specialist due diligence firm providing advisory and investigation services to purchasers of online businesses (the "Services"). We recognise the sensitivity of the information we receive and handle in the course of our work and are committed to protecting the privacy, integrity and confidentiality of that information.

This Privacy Policy explains: (a) the categories of personal and business data we collect; (b) how and why we process that data; (c) the legal bases on which we rely; (d) how we store and secure data; and (e) the rights available to data subjects, including EU data subjects under the General Data Protection Regulation ("GDPR").

2. Scope & Roles

This Policy applies to all personal data processed by us in connection with our Services and our website. References to "you" or "your" include prospective clients, clients, vendors, job applicants, and visitors to our website.

Depending on the circumstances, we may act as a controller (deciding why and how personal data is processed), and/or as a processor (processing personal data on behalf of a client). When we process client confidential data under instruction, the relevant client will typically remain the controller and we will act as processor pursuant to a written contract.

3. Categories of Data We Process

We process the following categories of data depending on the Services requested:

Personal Data (general)

  • Contact details: name, email address, telephone number, job title, company name.
  • Account and billing information: billing address, payment card / invoicing details (where applicable), tax identifiers.
  • Identity verification data: copies of identity documents where required to comply with KYC or anti-fraud checks.

Usage & Technical Data

  • IP address, browser type and version, operating system, pages visited, timestamps and referral source.
  • Cookies and similar technologies used to operate the website and perform analytics (see section 11).

Client Confidential & Transactional Data

(Usually supplied to us under an NDA or Service Agreement and subject to additional contractual protections.)

  • Financial statements, tax returns and accounting records;
  • Customer and supplier lists, sales and revenue data;
  • Contracts, leases, IP documents, employment records and HR information;
  • Access credentials or system logs supplied for the purposes of technical review (always transferred on a secure basis);
  • Other commercially sensitive information and trade secrets provided during the due diligence process.

4. Lawful Bases for Processing (EU/GDPR)

If you are an EU data subject, we process personal data only where we have a valid lawful basis under the GDPR. The lawful bases we typically rely on include:

  • Performance of a contract: to provide the Services you have requested;
  • Legal obligation: to comply with legal, tax or regulatory obligations (e.g., anti-money laundering, tax reporting);
  • Legitimate interests: for our internal business administration, fraud prevention, network and information security, and direct marketing, where those interests are not overridden by your rights; and
  • Consent: where required (for example, where we send certain optional marketing communications or process special categories of personal data where consent is necessary).

Where we rely on legitimate interests, we will carry out and maintain a documented Legitimate Interests Assessment (LIA) demonstrating that the interest is lawful and balanced against the rights and freedoms of the data subject.

5. Purposes of Processing

We use your personal data for the following purposes:

  • To perform the Services and fulfil contractual obligations (e.g., analyse documents, prepare reports, engage with counterparties).
  • To communicate with you about our Services, requests, and updates.
  • To verify identity and carry out anti-fraud and anti-money laundering checks where applicable.
  • To bill and collect payment for Services and to meet accounting obligations.
  • To improve our Services, develop new services, perform internal analytics and detect, investigate and prevent fraud or abuse.
  • To send marketing communications where lawful — see section 10 on marketing and your choices.
  • To respond to legal requests, defend our legal rights and meet regulatory obligations.

6. Handling Confidential Client Data

We recognise that clients will provide highly sensitive and confidential information. Such data will be handled according to the terms of the relevant Service Agreement and NDA. The following practices apply as a baseline:

  • We will process confidential client data only on the documented instructions of the client where we act as processor.
  • Access to confidential data is restricted on a strict need-to-know basis to authorised personnel who have executed confidentiality obligations.
  • Transfers of confidential data to third-party experts (e.g., forensic accountants, legal counsel) will be made only with prior client consent or where permitted under the Service Agreement, and subject to a written data processing addendum.
  • We do not use confidential client documents for marketing or any other purpose unrelated to the performance of the contracted Services unless you expressly agree in writing.
  • On completion or termination of the engagement, we will return or securely destroy confidential materials in accordance with the Service Agreement unless retention is required by law.

7. Data Security & Retention

Security Measures

We implement administrative, technical and physical measures designed to protect personal and confidential data against unauthorised access, disclosure, alteration and destruction. These measures include:

  • Encryption of data in transit (TLS) and at rest where technically feasible;
  • Multi-factor authentication and role-based access controls for internal systems;
  • Use of secure file transfer mechanisms (SFTP, encrypted client portals) for receiving sensitive documents;
  • Regular security testing, vulnerability scanning and third-party security audits;
  • Employee training, background checks, and contractual confidentiality obligations;
  • Data minimisation and pseudonymisation where feasible.

Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, including to satisfy legal, regulatory, tax or accounting requirements and to resolve disputes. Typical retention periods are set out below but may be extended where necessary (e.g., litigation, regulatory investigation):

  • Client engagement files (including confidential due diligence materials): retained for the period specified in the Service Agreement, typically 7 years after completion.
  • Billing and accounting records: 7 years (or as required by local law).
  • Marketing and newsletter subscriber data: retained until consent is withdrawn or the subscriber unsubscribes; inactive marketing contacts may be deleted after 3 years.
  • Website analytics and logs: retained for up to 24 months unless aggregated or anonymised earlier.
  • Recruitment records: retained for 6–12 months after the recruitment process concludes unless otherwise required.

Please contact us to request deletion or to discuss retention where you believe our retention period should be adjusted in light of your circumstances.

8. International Transfers of Data

We operate internationally and may transfer personal data to countries outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we will put in place appropriate safeguards, such as:

  • European Commission approved standard contractual clauses (SCCs) or equivalent safeguards;
  • Transfers to countries subject to an EU adequacy decision;
  • Binding corporate rules (where applicable); or
  • Other legally permitted mechanisms under the GDPR.

Where transfers rely on SCCs, we maintain records of the transfer and conduct risk assessments to ensure that the protections are effectively enforced in practice.

9. Third Parties & Sub-processors

We engage third-party service providers to support our operations (for example, cloud hosting, payment processing, analytics and email providers). These providers may process data on our behalf and are permitted to process personal data only in accordance with our instructions and under appropriate contractual safeguards.

Examples of categories of third parties:

  • Cloud infrastructure and storage providers (e.g., AWS, Azure, Google Cloud);
  • Secure file transfer and document review platforms;
  • Payment processors and accounting platforms;
  • Professional advisors and expert consultants engaged on a case-by-case basis;
  • Analytics providers, email and marketing platforms.

We maintain a current list of sub-processors and will make that information available on request. Where required by law or contract, we will obtain appropriate assurances and written agreements to protect personal data.

10. Marketing & Direct Communications

We may use your contact details to send information about our services, industry insights and event invitations. Where EU law requires, we will rely on consent or legitimate interest for such communications. For prospective clients and business contacts, we may rely on legitimate interests after completing an internal balancing test.

You may opt out of marketing communications at any time by using the unsubscribe link in our emails or by contacting us directly. Opting out of marketing will not prevent us from sending you transactional or service communications necessary for the performance of our contract with you.

Where we seek consent for marketing (for example, for newsletters), we will record that consent and retain the record. You have the right to withdraw consent at any time.

11. Cookies & Tracking Technologies

Our website uses cookies and similar technologies to operate the site, provide basic functionality, remember your preferences and perform analytics. We distinguish between strictly necessary cookies and non-essential cookies (analytics, advertising and performance).

Where required by EU law, we will obtain consent prior to placing non-essential cookies on your device and will provide an easy mechanism to manage your cookie preferences.

For more detail on the specific cookies we use and their purposes, please consult our Cookie Policy (link to separate cookie policy or cookie banner settings).

12. Your Rights (EU Data Subjects)

If you are located in the EU, you have certain rights under the GDPR in relation to your personal data. These include:

  • Right of access — obtain confirmation whether we process your personal data and a copy of that data.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure — request deletion of personal data in certain circumstances.
  • Right to restriction of processing — request restriction of processing in certain scenarios.
  • Right to data portability — receive your personal data in a structured, commonly used and machine-readable format.
  • Right to object — object to processing based on legitimate interests or for direct marketing.
  • Right not to be subject to automated decision-making — where applicable, request human intervention insofar as automated profiling produces legal or similarly significant effects.

To exercise any of these rights, please contact our Privacy Officer using the contact details in section 16. We will respond to requests without undue delay and in any event within one month, unless the request is complex (in which case we will inform you of any extension).

13. Data Breach Response

We maintain an incident response plan. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and where required, notify affected data subjects without undue delay.

14. Children's Privacy

Our Services are intended for use by adults and professional clients. We do not knowingly collect personal data from children under the age of 16. If we become aware that we have collected personal data of a child under 16 without parental consent, we will take steps to delete the data.

15. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified via the website and, where appropriate, by email. Please review this page regularly to remain informed of any updates.

16. Contact & Supervisory Authority

Questions, requests or complaints regarding this Privacy Policy or our data handling practices should be directed to our Privacy Officer at:

[Your Company Name]
Attn: Privacy Officer
Email: privacy@[yourdomain].com
Registered office: [Your business address]

If you are an EU data subject, you also have the right to lodge a complaint with the supervisory authority in the EU Member State where you live, work, or where an alleged infringement occurred.

Legal Disclaimer

This Privacy Policy is provided for general guidance only and does not constitute legal advice. You should obtain independent legal advice to ensure the policy meets your specific legal and regulatory obligations.