Privacy Policy
Last Updated: February 2026
Effective Date: February 2026
This Privacy Policy sets out how Harrison Brand Experts Ltd collects, uses, processes, and protects personal data. We are committed to transparency regarding our data handling practices and to protecting the privacy of individuals whose data we process. This policy complies with the UK Data Protection Act 2018 and UK GDPR (General Data Protection Regulation).
1. Who We Are
Data Controller: Harrison Brand Experts Ltd
Address: 47 Great Marlborough Street, Soho, London, W1F 7JP, United Kingdom
Registration Number: 12847596
Email:
Phone:
We are the data controller responsible for the personal data processing described in this policy. If you have queries about our privacy practices or wish to exercise your data rights, please contact us using the details above.
2. What Personal Data We Collect
Data Collected Directly From You
We collect personal data that you voluntarily provide to us, including:
- Contact Information: Name, job title, organisation name, email address, telephone number, postal address
- Service Enquiry Data: Details about your service requirements, project scope, timeline and budget information you provide when enquiring about our services
- Engagement Data: Communications, documents, and information shared during service engagements
- Website Interaction Data: Information you provide through our website contact forms
- Communication Data: Correspondence, emails, and communications with our team
Data Collected Automatically
When you visit our website, we may automatically collect:
- Website Usage Data: Pages visited, time spent on pages, referral sources, and website interaction patterns through standard web server logs
- Device Information: Browser type, device type, operating system and IP address
- Cookie Data: Information collected through cookies (see our Cookie Policy for detailed information)
Data We Do Not Collect
We do not collect sensitive personal data (race, ethnicity, religious beliefs, political opinions) unless specifically necessary for a legitimate engagement purpose and with explicit consent. We do not collect special category data beyond what is necessary for service delivery.
3. Legal Basis for Data Processing
Under UK GDPR, we process personal data only where we have a lawful basis to do so. Our lawful bases include:
Contractual Performance (Article 6(1)(b))
We process data necessary to perform services you have engaged us to provide. This includes processing contact details, engagement information, and communications necessary to deliver professional services.
Legitimate Interests (Article 6(1)(f))
We process data where we have legitimate interests in doing so, including:
- Responding to service enquiries and assessing whether we can assist
- Maintaining business records and accounts
- Improving our services and website functionality
- Preventing fraud and protecting our business interests
- Complying with legal obligations
Explicit Consent (Article 6(1)(a))
For certain processing activities (such as marketing communications), we obtain explicit consent. You can withdraw consent at any time.
Legal Obligation (Article 6(1)(c))
We process data as necessary to comply with legal obligations, including Companies House reporting, tax legislation, and other UK business law requirements.
4. How We Use Your Data
Service Delivery
We use personal data to deliver the professional services you have engaged us to provide, including analysis, strategy development, reporting, and professional advice.
Communication and Enquiry Response
We use contact information to respond to your enquiries, discuss your requirements, and provide information about our services. This is essential to address your questions and determine how we can assist your organisation.
Contract Management
We use data to establish and manage service agreements, including proposal development, contract execution, invoicing, and payment processing.
Business Records and Compliance
We maintain records of client interactions and engagement data to comply with legal requirements, support business operations, and provide evidence of service delivery.
Service Improvement
We use aggregated and anonymised data to understand how our website is used, identify areas for improvement, and enhance our services. This data does not identify individuals.
Marketing and Business Development
Where you have consented, we may contact you with information about our services, industry insights, or relevant updates. You can opt out of marketing communications at any time.
Legal Compliance and Fraud Prevention
We process data as necessary to comply with legal obligations, prevent fraud, and protect our business interests.
5. Who We Share Your Data With
Internal Sharing
Within Harrison Brand Experts Ltd, personal data is shared only with team members who need access to provide services or support business operations. Access is restricted to those with a legitimate need to know.
Service Providers and Processors
We may share data with third-party service providers who help us deliver our services, including:
- IT and website hosting providers
- Accounting and financial service providers
- Communication and email service providers
- Legal and compliance advisors
All service providers are subject to data processing agreements requiring compliance with data protection regulations.
Legal Requirements
We may disclose data if required by law, court order, or other legal process. We will inform you of such disclosure where legally permitted to do so.
No Third-Party Marketing
We do not share personal data with third parties for marketing purposes without your explicit consent. Your data is not sold to marketers or included in third-party mailing lists.
Confidentiality Commitments
Beyond legal requirements, we treat client information as confidential and do not disclose details of our client relationships or projects without explicit permission.
6. International Data Transfers
Most data processing occurs within the United Kingdom. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including data processing agreements meeting UK GDPR requirements. We do not transfer personal data to jurisdictions without adequate data protection unless appropriate legal mechanisms are in place.
7. Data Retention
Client Engagement Data
For clients we have provided services to, we retain engagement data for six years following the conclusion of services. This period reflects legal requirements for business records and accounting purposes.
Enquiry Data
For service enquiries that do not result in engagement, we retain contact information and enquiry details for two years to support ongoing business relationship management and follow-up opportunities.
Website Usage Data
Aggregated website usage data is retained for twelve months. Individual identifying data is deleted sooner unless there is a specific operational reason to retain it.
Marketing Communications
If you have opted into marketing communications, we retain your contact details until you unsubscribe or request deletion. You can unsubscribe at any time.
Legal Hold
If there is a legal dispute or legal hold, we retain relevant data for the duration of the legal proceedings and any required retention period thereafter.
Data Subject Requests for Deletion
If you request deletion of your data, we delete it within 30 days unless we have a legal obligation to retain it or there is a legitimate business reason for retention.
8. Your Data Rights Under UK GDPR
Under UK GDPR, you have the following rights regarding your personal data:
Right of Access (Article 15)
You have the right to request a copy of personal data we hold about you. We will provide this within 30 days of your request in a clear, commonly used format.
Right to Rectification (Article 16)
You have the right to request correction of inaccurate or incomplete personal data. We will correct data within 30 days.
Right to Erasure (Article 17)
You have the right to request deletion of your personal data, subject to certain exceptions (such as legal obligations to retain data). We will delete data within 30 days unless there is a legitimate reason to retain it.
Right to Restrict Processing (Article 18)
You have the right to request that we restrict how we process your data whilst you contest accuracy, unlawfulness, or other matters.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used format and to transmit that data to another controller.
Right to Object (Article 21)
You have the right to object to processing on grounds of legitimate interests or for direct marketing purposes. We will cease processing unless we have compelling legitimate grounds.
Rights Related to Automated Decision Making (Article 22)
You have rights regarding decisions made wholly by automated processing. We do not use purely automated decision-making affecting you.
Right to Withdraw Consent
Where processing is based on consent, you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
How to Exercise Your Rights
To exercise any of these rights, please contact us at or by post at 47 Great Marlborough Street, Soho, London, W1F 7JP. We will respond to your request within 30 days. You may need to provide proof of identity to verify your request.
9. Data Security
We take data security seriously and maintain appropriate technical and organisational measures to protect personal data from unauthorised access, alteration, disclosure, or destruction. Security measures include:
- Secure, encrypted data storage systems
- Restricted access to personal data on a need-to-know basis
- Secure communication channels for sensitive data transmission
- Regular security reviews and updates
- Staff training on data protection and security practices
- Incident response procedures for potential security breaches
Whilst we maintain robust security measures, no system is completely secure. We cannot guarantee absolute security of data, but we are committed to maintaining security standards appropriate to the sensitivity of the data we process.
10. Data Breaches
If a personal data breach occurs that poses a risk to individuals' rights and freedoms, we will notify affected individuals and the Information Commissioner's Office (ICO) as required by UK GDPR. Notification will include information about the breach, likely consequences, and measures we are taking to mitigate harm.
11. Cookies and Tracking Technologies
Our website uses cookies to provide functionality and improve user experience. For detailed information about cookies we use, their purposes, and how to manage cookie preferences, please see our Cookie Policy.
12. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. Material changes will be notified to you by posting the updated policy on our website with a new effective date. Your continued use of our website after changes indicates acceptance of the updated policy.
13. Contact Information
Data Protection Queries
For questions about our privacy practices or to exercise your data rights, please contact:
Harrison Brand Experts Ltd
Data Protection Contact
Email:
Phone:
Supervisory Authority
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have breached your data protection rights. You can contact the ICO at:
Information Commissioner's Office
Water Lane, Walsall, WS2 9NF
Phone: 0303 123 1113
Website: www.ico.org.uk
14. Related Policies
This Privacy Policy should be read in conjunction with our other policies:
- Cookie Policy - Information about cookies and tracking technologies used on our website
- Terms and Conditions - General terms governing use of our website and services
- Legal Notice - Legal information about our business
