CRITERION CAPITAL LIMITED

PRIVACY POLICY

Website: www.criterioncapital.co.uk
Type: Corporate Finance & Investment
Effective Date: 4 July 2025
Last Updated: 4 July 2025

  1. CONTROLLER INFORMATION

Data Controller: legal@criterioncapital.co.uk
Criterion Capital Limited
Registered Office: 16 Babmaes Street, London, SW1Y 6AH
Company Registration Number: 05887591
Email: legal@criterioncapital.co.uk
Telephone: 0207 432 2444

Data Protection Contact: legal@criterioncapital.co.uk
For all data protection matters, please contact our Data Protection Team at legal@criterioncapital.co.uk or the above address.

  1. INTRODUCTION AND SCOPE

This Privacy Policy explains how Criterion Capital Limited (“we”, “us”, “our”) collects, uses, stores, and protects your personal data when you:

  • Visit our website www.criterioncapital.co.uk
  • Interact with our services
  • Contact us for business purposes
  • Attend our events or receive our communications

We are committed to protecting your privacy and complying with all applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025.

  1. LEGAL BASIS FOR PROCESSING

We process personal data under the following legal bases:

3.1 Legitimate Interests (Article 6(1)(f) UK GDPR)

  • Website operation, security, and analytics
  • Business development and relationship management
  • Fraud prevention and security monitoring
  • Internal administration and record-keeping

3.2 Consent (Article 6(1)(a) UK GDPR)

  • Marketing communications and newsletters
  • Optional cookies and tracking technologies
  • Event invitations and updates

3.3 Contract (Article 6(1)(b) UK GDPR)

  • Providing services you have requested
  • Managing our contractual relationships
  • Processing payments and fulfilling obligations

3.4 Legal Obligation (Article 6(1)(c) UK GDPR)

  • Compliance with financial services regulations
  • Anti-money laundering requirements
  • Tax and accounting obligations
  • Court orders and legal proceedings
  1. PERSONAL DATA WE COLLECT

4.1 Information Collected Automatically

When you visit our website, we automatically collect:

  • IP address and approximate location
  • Browser type, version, and language settings
  • Operating system and device information
  • Pages visited, time spent, and referring URLs
  • Date and time of access
  • Screen resolution and viewport size

The legal basis is for legitimate interests (website security, performance analysis, and user experience optimization).

4.2 Information You Provide to Us

We collect personal data when you:

  • Complete contact forms or inquiry requests
  • Subscribe to our newsletter or updates
  • Register for events or webinars
  • Apply for positions with us
  • Provide feedback or testimonials

Data may include:

  • Full name and title
  • Email address and phone number
  • Company name and job title
  • Business address
  • Professional background and interests
  • Communication preferences
  • Any other information you choose to provide

Legal Basis: Legitimate interests (business communications) / Consent (marketing communications)

4.3 Information from Third Parties

We may obtain personal data from:

  • Professional networks and industry contacts
  • Publicly available sources (company websites, LinkedIn, etc.)
  • Event organizers and business partners
  • Referrals from existing clients or contacts

Legal Basis: Legitimate interests (business development and relationship management)

  1. HOW WE USE YOUR PERSONAL DATA

5.1 Business Operations

  • Responding to your inquiries and requests
  • Providing information about our services
  • Managing business relationships
  • Conducting due diligence and risk assessments
  • Maintaining accurate records

5.2 Marketing and Communications (with consent)

  • Sending newsletters and market updates
  • Inviting you to events and webinars
  • Sharing industry insights and thought leadership
  • Conducting client satisfaction surveys

5.3 Website and Security

  • Ensuring website functionality and security
  • Analysing website performance and user behaviour
  • Preventing fraud and unauthorized access
  • Improving user experience and content

5.4 Legal and Regulatory Compliance

  • Meeting anti-money laundering requirements
  • Complying with financial services regulations
  • Maintaining records as required by law
  • Responding to legal proceedings and investigations
  1. DATA SHARING AND DISCLOSURE

6.1 Internal Access

Personal data is accessible only to authorized employees who require access for legitimate business purposes. All personnel are bound by strict confidentiality obligations and receive regular data protection training.

6.2 Third-Party Service Providers

We may share personal data with carefully selected service providers who process data on our behalf:

Technology Providers:

  • Website hosting and maintenance services
  • Email marketing platforms (with consent)
  • Customer relationship management systems
  • IT security and backup services

Professional Services:

  • Legal advisors and counsel
  • Accounting and audit firms
  • Compliance consultants
  • Due diligence providers

All third-party processors are bound by strict contractual obligations to protect your data and use it only for specified purposes.

6.3 Legal and Regulatory Disclosures

We may disclose personal data when required by law or regulation, including:

  • Court orders and legal proceedings
  • Regulatory investigations and inquiries
  • Anti-money laundering reporting obligations
  • Tax and accounting requirements

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to appropriate safeguards and notification requirements.

6.5 Professional Privilege

As a professional services firm, certain communications may be protected by legal professional privilege. We will assert privilege where appropriate to protect client confidentiality.

  1. INTERNATIONAL DATA TRANSFERS

Some of our service providers may process data outside the UK. When this occurs, we ensure adequate protection through:

  • UK Adequacy Decisions: Countries recognized as providing adequate protection
  • International Data Transfer Agreements (IDTAs): Standard clauses approved by the ICO
  • Binding Corporate Rules: Internal policies ensuring consistent protection standards
  • Appropriate Safeguards: Additional contractual and technical measures

We conduct regular assessments to ensure ongoing adequacy of protection for international transfers.

  1. DATA RETENTION

We retain personal data only for as long as necessary for the purposes outlined in this policy:

Website Data:

  • Analytics data: 26 months
  • Contact form submissions: 3 years from last interaction
  • Newsletter subscriptions: Until you unsubscribe plus 1 year

Business Communications:

  • Client communications: 7 years (regulatory requirement)
  • Prospective client data: 5 years from last meaningful contact
  • Employee data: 7 years after termination

Legal and Regulatory Records:

  • Compliance records: As required by applicable regulations
  • Legal proceedings: Until resolution plus 7 years
  • Financial records: 7 years from transaction completion

We conduct regular reviews to ensure data is not kept longer than necessary and implement secure deletion procedures when retention periods expire.

  1. DATA SECURITY

We implement comprehensive technical and organizational measures to protect your personal data:

9.1 Technical Safeguards

  • End-to-end encryption for all data transmissions (TLS 1.3)
  • Advanced encryption for data at rest (AES-256)
  • Multi-factor authentication for all system access
  • Regular security assessments and penetration testing
  • Automated backup systems with encryption
  • Network security monitoring and intrusion detection

9.2 Organizational Measures

  • Role-based access controls with regular review
  • Mandatory data protection training for all staff
  • Clear data handling procedures and protocols
  • Regular security awareness programs
  • Incident response and breach notification procedures
  • Third-party security assessments for all vendors

9.3 Physical Security

  • Secure office premises with access controls
  • Locked storage for physical documents
  • Clean desk policy and secure document disposal
  • Visitor access controls and monitoring
  1. YOUR RIGHTS UNDER UK GDPR

You have the following rights regarding your personal data:

10.1  Right to Be Informed

You have the right to clear information about how we collect and use your personal data (provided in this Privacy Policy).

10.2  Right of Access

You can request a copy of the personal data we hold about you, along with information about how we use it.

10.3  Right to Rectification

You can request correction of inaccurate or incomplete personal data.

10.4 Right to Erasure

You can request deletion of your personal data in certain circumstances, including:

  • The data is no longer necessary for the original purpose
  • You withdraw consent (where consent is the legal basis)
  • The data has been unlawfully processed
  • Deletion is required for compliance with legal obligations

10.4  Right to Restrict Processing

You can request that we limit how we use your personal data in certain circumstances.

10.5  Right to Data Portability

You can request your personal data in a structured, commonly used, machine-readable format.

10.6  Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

10.7  Rights Related to Automated Decision-Making

You have rights regarding automated decision-making and profiling (currently not applicable to our processing).

To exercise your rights: Contact us at legal@criterioncapital.co.uk with your request. We will respond within one month, though this may be extended in complex cases.

  1. COOKIES AND TRACKING TECHNOLOGIES

11.1 Essential Cookies

We use strictly necessary cookies for website functionality, which do not require consent:

  • Session management and security
  • Load balancing and performance
  • User preference settings

11.2 Analytics Cookies

We use Google Analytics to understand website usage patterns. These cookies:

  • Track page views and user journeys
  • Measure website performance
  • Help us improve user experience
  • Require consent – managed through our cookie banner

11.3 Marketing Cookies

We may use marketing cookies only with your explicit consent for:

  • Targeted advertising (where applicable)
  • Social media integration
  • Email marketing optimization

11.4 Cookie Management

You can manage your cookie preferences through:

  1. COMPLAINTS PROCEDURE

12.1 Internal Complaints Process

If you have concerns about our data processing, please contact us at legal@criterioncapital.co.uk. We will:

  • Acknowledge your complaint within 3 working days
  • Investigate thoroughly and impartially
  • Provide a full response within 21 days
  • Escalate to senior management if necessary
  • Keep detailed records of all complaints and resolutions

12.2 Regulatory Complaints

If you’re not satisfied with our response, you can lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
  • Online: ico.org.uk/make-a-complaint
  1. CHILDREN’S PRIVACY

Our services are not directed at children under 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected such data, we will:

  • Delete it immediately
  • Investigate how it was collected
  • Implement additional safeguards to prevent recurrence

Parents or guardians who believe we have collected their child’s personal data should contact us immediately.

  1. DATA PROTECTION IMPACT ASSESSMENTS

We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including:

  • New technology implementations
  • Large-scale data sharing arrangements
  • Processing of special categories of data
  • Automated decision-making systems

DPIAs help us identify and mitigate privacy risks before processing begins.

  1. BREACH NOTIFICATION

In the event of a personal data breach, we will:

  • Assess the severity and likely impact within 24 hours
  • Notify the ICO within 72 hours if required by law
  • Inform affected individuals without undue delay if there is a high risk to their rights and freedoms
  • Maintain detailed records of all breaches and remedial actions
  1. UPDATES TO THIS POLICY

We review this Privacy Policy regularly and may update it to reflect:

  • Changes in our processing activities
  • New legal requirements
  • Technological developments
  • Best practice recommendations

When we make material changes, we will:

  • Update the “Last Updated” date
  • Notify you via email (if you have subscribed to our communications)
  • Post a prominent notice on our website
  • Provide reasonable notice before changes take effect
  1. CONTACT INFORMATION

For all data protection matters:

For general inquiries:

Response Times:

  • General inquiries: Within 5 working days
  • Data protection requests: Within 1 month
  • Urgent matters: Within 24 hours

18. GOVERNING LAW

This Privacy Policy and all data processing activities are governed by the laws of England and Wales. Any disputes will be subject to the exclusive jurisdiction of the English courts.

This Privacy Policy demonstrates our commitment to protecting your privacy and complying with the highest standards of data protection law. We regularly review and update our practices to ensure ongoing compliance with evolving legal requirements and industry best practices.