Privacy Policy

(Version: 1.0 / Effective Date: 12 July 2025)

1. PREAMBLE AND STATUS OF THIS NOTICE

1.1 Valvasor Capital Ltd (“Valvasor”, “we”, “us” or “our”) is a private limited company registered in England and Wales under number 16505609 with its registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ.
1.2 This Privacy Notice (“Notice”) is issued pursuant to, and is intended to satisfy the transparency obligations imposed by, the United Kingdom General Data Protection Regulation (“UK GDPR”), Regulation (EU) 2016/679 (“EU GDPR”) where applicable, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (“PECR”), and all other national or supranational laws regulating the processing of Personal Data.
1.3 Nothing in this Notice limits or excludes any statutory right you may enjoy under applicable law. Where the provisions of this Notice conflict with mandatory law, the latter shall prevail.

2. DEFINITIONS AND INTERPRETATION

For ease of reference the following capitalised terms shall bear the meanings ascribed below.
(a) “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”).
(b) “Processing” (and its cognates) means any operation performed on Personal Data, whether or not by automated means, including collection, recording, structuring, storage, adaptation, retrieval, consultation, disclosure, dissemination, alignment, combination, restriction, erasure or destruction.
(c) “Controller” and “Processor” shall have the meanings assigned in Article 4 GDPR.
(d) “Services” refers collectively to our advisory, consultancy, investment-support and any ancillary services, together with all websites, digital assets, applications, social-media pages, events, marketing campaigns and lead-generation activities operated or sponsored by Valvasor.
(e) Other terms (e.g. “Consent”, “Legitimate Interest”, “Supervisory Authority”, “International Organisation”) shall be construed in accordance with the GDPR.

3. DATA CONTROLLER DETAILS AND DATA PROTECTION OFFICER

3.1 Controller: Valvasor Capital Ltd (company 16505609).
3.2 Correspondence address: 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom.
3.3 General privacy enquiries: info@valvasorcapital.com.

4. SCOPE OF PROCESSING ACTIVITIES

4.1 This Notice governs all Processing of Personal Data undertaken by Valvasor in connection with the Services, irrespective of medium, geography or method of acquisition.
4.2 Our acquisition channels are intentionally broad and include, without limitation:

  • paid social media (Meta, LinkedIn, TikTok, X, Snapchat, Reddit, Pinterest);
  • search-engine marketing and optimisation;
  • programmatic display, native, connected-TV and digital-out-of-home;
  • affiliate and partner networks;
  • content syndication, webinars, podcasts and thought-leadership publications;
  • physical and virtual events, trade shows and business seminars;
  • inbound and outbound telephone, VoIP, SMS, MMS, WhatsApp and other messaging platforms;
  • direct mail, electronic mail and newsletter subscriptions;
  • public registries (e.g. Companies House), professional networking sites and credible data brokers.
    4.3 We do not knowingly target, nor do we intentionally collect Personal Data from, persons under eighteen (18) years of age.

5. CATEGORIES OF PERSONAL DATA PROCESSED

5.1 The precise items of Personal Data processed depend on the particular interaction but may encompass:

  • identification and professional information (honorifics, name, job title, employer, business biography);
  • contact coordinates (business/private email address, physical address, telephone number, social-media handle);
  • marketing provenance (campaign tags, lead-source, referral-path, engagement metrics, CRM notes and scoring);
  • technical and device identifiers (IP address, MAC address, cookie ID, advertising ID, browser fingerprint, log files, time-stamp, geolocation approximations);
  • interaction artefacts (calendar invitations, meeting notes, recorded calls, voicemail, email headers and bodies, chat transcripts);
  • regulatory or compliance screenings (sanctions, politically exposed person checks, adverse-media results where mandated).
    5.2 We do not purposefully solicit or process Special Category Data. Any such data inadvertently received will be deleted or redacted save where retention is strictly required by law.

6. PURPOSES AND LAWFUL BASES

6.1 Every Processing activity is anchored to at least one lawful basis under Article 6 GDPR. The principal pairings are set out below.
(a) Negotiating or performing a contract — Article 6 (1)(b): evaluating your requirements, furnishing proposals, executing mandates, administering accounts, managing billing and collections.
(b) Consent — Article 6 (1)(a): deploying non-essential cookies, delivering electronic marketing to individuals in jurisdictions where PECR mandates prior consent, processing Facebook Lead Ads and analogous opt-in forms, and any other Processing for which law or good practice dictates an affirmative permission. Withdrawal of consent shall not affect the lawfulness of prior Processing.
(c) Legitimate Interests — Article 6 (1)(f): B2B direct marketing, enrichment and qualification of leads, analytics, A/B testing and service optimisation, fraud prevention, cyber-defence and business continuity. Each such Processing operation is supported by a documented Legitimate Interest Assessment evidencing that our interests are not overridden by your fundamental rights and freedoms.
(d) Legal obligation — Article 6 (1)(c): compliance with statutory or regulatory provisions (e.g. data-protection accountability, tax record-keeping, money-laundering checks, lawful disclosures to courts or authorities).
6.2 Where required by Article 9 GDPR we shall obtain explicit consent or rely upon another lawful derogation before Processing any Special Category Data.

7. AUTOMATED DECISION-MAKING, PROFILING AND TARGETED ADVERTISING

7.1 We utilise sophisticated advertising and martech stacks, encompassing look-alike modelling, behavioural retargeting, propensity scoring, predictive lead grading and automated contact-cadence scheduling.
7.2 None of these automated processes produces decisions that have legal or similarly significant effects within the meaning of Article 22 GDPR without human review. Nonetheless, you retain an unconditional right to object to profiling for direct-marketing purposes at any time.
7.3 For Facebook Lead Ads and comparable mechanisms, Valvasor and the relevant platform provider act as joint controllers for the initial acquisition and matching of lead data; thereafter each party processes the data as an independent controller in accordance with its own privacy documentation.

8. DISCLOSURE OF PERSONAL DATA AND INTERNATIONAL TRANSFERS

8.1 We disclose Personal Data strictly on a need-to-know basis to:

  • contracted service providers (CRM software, email-service providers, cloud-hosting, data-analytics, call-tracking, AI-modelling, payment services, document-management systems) who act as Processors under Article 28 GDPR and are bound by robust confidentiality and security undertakings;
  • professional advisers (legal counsel, auditors, insurers) under fiduciary or contractual confidentiality;
  • governmental, regulatory or judicial authorities where compelled by law or where necessary to establish, exercise or defend legal claims;
  • prospective or actual acquirers and their professional advisers in connection with any merger, acquisition, sale of assets, bankruptcy or similar corporate restructuring, subject to appropriate confidentiality obligations.
    8.2 Where a recipient is situated in a country outside the United Kingdom or European Economic Area that is not the subject of an adequacy regulation, we implement one or more appropriate safeguards, including the UK International Data Transfer Agreement, the EU Standard Contractual Clauses (2021/914 EU) and, where applicable, adherence to the EU-US or UK-US Data Privacy Framework, supplemented by technical and organisational measures in accordance with the Schrems II requirements and subsequent regulatory guidance.

9. DATA SECURITY

9.1 Valvasor maintains an information-security management framework aligned with ISO/IEC 27001 principles, incorporating:

  • transport-layer security (TLS 1.2+);
  • encryption of data at rest (AES-256 or stronger);
  • least-privilege, role-based access controls and multi-factor authentication;
  • routine vulnerability scanning, penetration testing and intrusion-detection monitoring;
  • segregation of production and development environments;
  • incident-response and breach-notification procedures meeting the timelines of Articles 33 and 34 GDPR;
  • mandatory staff training and confidentiality undertakings.

10. DATA RETENTION AND DESTRUCTION

10.1 We retain Personal Data only for so long as is necessary for the purposes for which it was collected or as required by law. By way of indicative guidance:

  • marketing leads are ordinarily retained for twenty-four (24) months from the last meaningful interaction (e.g. email open, link click, telephone conversation) unless you exercise your right to object sooner;
  • contractual and transactional records are stored for seven (7) years following termination of the client relationship, or longer where legal limitation periods or regulatory requirements dictate;
  • call recordings are preserved for up to six (6) months, subject to extension where a dispute, audit or investigation is ongoing;
  • server logs, analytic datasets and cookie-derived identifiers are kept for periods ranging from thirty (30) days to twenty-four (24) months depending on operational necessity and consent status.
    10.2 At the end of the relevant retention period we securely erase or irreversibly anonymise the Personal Data.

11. COOKIES, SDKs AND SIMILAR TECHNOLOGIES

11.1 Our digital assets deploy both first-party and third-party cookies, web beacons, pixel tags, Software Development Kits (“SDKs”) and other device-tracking technologies.
11.2 Essential technical cookies (e.g. load-balancing, session authentication) operate under the Legitimate Interest basis and are installed automatically. All non-essential technologies (e.g. analytics, advertising, social-media sharing) are activated only after you have provided informed consent through our cookie banner, which also offers granular controls.
11.3 Detailed information regarding individual cookies, their purposes and lifespans is set out in our Cookie Policy, which forms an integral part of this Notice.

12. YOUR RIGHTS AS A DATA SUBJECT

12.1 You may invoke the following rights under the GDPR, subject to the conditions and exemptions set out therein:

  • right of access;
  • right to rectification;
  • right to erasure (‘right to be forgotten’);
  • right to restriction of processing;
  • right to data portability;
  • right to object to Processing carried out on the basis of Legitimate Interests or for direct-marketing purposes;
  • right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects;
  • right to withdraw consent at any time.
    12.2 Requests must be submitted to the DPO using the contact details in Section 3. We will respond without undue delay and, in any event, within one (1) calendar month of receipt unless extensions are permissible under Article 12 GDPR.
    12.3 We may require proof of identity where reasonable, and we reserve the right to charge a reasonable administrative fee for requests that are manifestly unfounded or excessive.

13. COMPLAINTS AND SUPERVISORY AUTHORITIES

13.1 We encourage you to contact us in the first instance so that we may address any concern.
13.2 You also have the right to lodge a complaint with the UK Information Commissioner’s Office (“ICO”) or, if you habitually reside in the EEA, with your local Supervisory Authority.

  • ICO: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom · www.ico.org.uk · +44 (0)303 123 1113.

14. CHANGES TO THIS NOTICE

14.1 We may amend this Notice at any time to reflect changes in law, practice or our Processing activities. The updated version will be posted on our website and, where changes are material, may be notified to you by email or other conspicuous method. The “Effective Date” at the head of this document will be revised accordingly.
14.2 Your continued interaction with us after any such modification signifies acceptance of the updated terms.

15. GOVERNING LAW AND JURISDICTION

15.1 This Notice, and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation, shall be governed by and construed in accordance with the laws of England and Wales.
15.2 The courts of England and Wales shall have exclusive jurisdiction to settle any such dispute or claim, save that Valvasor retains the right to seek injunctive or equitable relief in any competent jurisdiction to protect its confidential information or intellectual property, or to enforce data-transfer safeguards.