Visitor comments may be checked through an automated spam detection service.
Last updated: 01st March 2026
This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You.
We use Your Personal data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.
Interpretation
The words of which the initial letter is capitalised have meanings defined under the following conditions.
The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
Definitions
For the purposes of this Privacy Policy:
● You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
● Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Agreement) refers to Black Vault Partners Limited.
● Affiliate means an entity that controls, is controlled by or is under common control with a party, where “control” means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
● Account means a unique account created for You to access our Service or parts of our Service.
● Website refers to Black Vault Partners Limited, accessible from {Website Adress}
● Service refers to the Website.
● Country refers to: United Kingdom
● Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analysing how the Service is used.
● Third-party Social Media Service refers to any website or any social network website through which a User can log in or create an account to use the Service.
● Personal Data is any information that relates to an identified or identifiable individual.
● Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
● Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
● Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
Types of Data Collected
Personal Data
While using Our Service, we may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:
● Email address
● First name and last name
● Phone number
● Address, Town/City, County, Postal code
● Usage Data
Usage Data
Usage Data is collected automatically when using the Service.
Usage Data may include information such as Your Device’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
When You access the Service by or through a mobile device, we may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.
We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.
We use Cookies and similar tracking technologies to track the activity on Our Service and store certain information.
Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyse Our Service.
You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if You do not accept Cookies, you may not be able to use some parts of our Service.
Cookies can be “Persistent” or “Session” Cookies. Persistent Cookies remain on your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close your web browser.
We use both session and persistent Cookies for the purposes set out below:
Necessary / Essential Cookies
Type: Session Cookies
Administered by: Us
Purpose: These Cookies are essential to provide You with services available through the Website and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services that You have asked for cannot be provided, and We only use these Cookies to provide You with those services.
Cookies Policy / Notice Acceptance Cookies
Type: Persistent Cookies
Administered by: Us
Purpose: These Cookies identify if users have accepted the use of cookies on the Website.
Functionality Cookies
Type: Persistent Cookies
Administered by: Us
Purpose: These Cookies allow us to remember choices You make when You use the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide You with a more personal experience and to avoid You having to re-enter your preferences every time You use the Website.
For more information about the cookies we use and your choices regarding cookies, please visit our Cookies Policy.
The Company may use Personal Data for the following purposes:
● To provide and maintain our Service, including to monitor the usage of our Service.
● To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.
● For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.
● To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application’s push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
● To provide You with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless You have opted not to receive such information.
● To manage Your requests: To attend and manage Your requests to Us.
We may share your personal information in the following situations:
● With Service Providers: We may share Your personal information with Service Providers to monitor and analyse the use of our Service, to contact You.
● For Business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of our business to another company.
● With Affiliates: We may share Your information with Our affiliates, in which case we will require those affiliates to honour this Privacy Policy. Affiliates include Our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.
● With Business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.
● With other users: when You share personal information or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside. If You interact with other users or register through a Third-Party Social Media Service, your contacts on the Third-Party Social Media Service may see You name, profile, pictures and description of Your activity. Similarly, other users will be able to view descriptions of Your activity, communicate with You and view Your profile.
The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy.
We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.
Your information, including Personal Data, is processed at the Company’s operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of Your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from Your jurisdiction.
Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.
The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy and no transfer of Your Personal Data will take place to an organisation or a country unless there are adequate controls in place including the security of Your data and other personal information.
Business Transactions
If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.
Law enforcement
Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Other legal requirements
The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:
● Comply with a legal obligation
● Protect and defend the rights or property of the Company
● Prevent or investigate possible wrongdoing in connection with the Service
● Protect the personal safety of Users of the Service or the public
● Protect against legal liability
The security of Your Personal Data is important to Us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, we cannot guarantee its absolute security.
Our Service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 13 without verification of parental consent, we take steps to remove that information from Our servers.
If We need to rely on consent as a legal basis for processing Your information and Your country requires consent from a parent, We may require Your parent’s consent before We collect and use that information.
Our Service may contain links to other websites that are not operated by Us. If You click on a third-party link, You will be directed to that third party’s site. We strongly advise You to review the Privacy Policy of every site You visit.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.
We may update our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page.
We will let You know via email and/or a prominent notice on Our Service, prior to the change becoming effective and update the “Last updated” date at the top of this Privacy Policy.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
If you have any questions about this Privacy Policy, you can contact us:
By email: ask@blackvaultpartners.co.uk
By phone number: 09124666299
Black Vault Partners Limited – (Referred to as ‘the company’)
The Company needs to gather and use certain information about individuals. This can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact. This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law.
This data protection policy ensures the company:
● complies with data protection law and follows good practice
● protects the rights of all individuals’ data
● is open about how it stores and processes individuals’ data in line with individuals’ rights
● protects itself from the risks of a data breach
The General Data Protection Regulations describe how organisations— must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically or otherwise. To comply with the law, personal information must be:
● processed lawfully, fairly and in a transparent manner in relation to individuals;
● collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
● adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
● accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
● kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
● processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Record Keeping
A range of information must be detailed in our internal records of processing activities. Such areas include:
● name and details of the organisation
● include, if appropriate, details of other data controllers, the organisation’s representative and data protection officer
● purposes of processing the data
● description of the categories of individuals and the categories of personal data
● categories of the recipients of personal data
● details of transfers of data to third parties or abroad, including details of safety mechanisms
● retention schedules
● technical and organisational security measures
The company ensures that records of these activities are kept and are updated accordingly. Individuals’ data is kept on file for 6 years in line with the Financial Conduct Authorities record keeping rules. After which point, personal data is retracted to the point it is unidentifiable and used for statistical purposes only.
Under GDPR, it is a requirement that the company has a valid lawful basis to process personal data, this should be documented. Most lawful bases require that processing is ‘necessary’. The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever the company process personal data:
Processing is lawful under GDPR as:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
The company has chosen this basis for processing data as it is requested from the individuals that we capture data before entering into a contract (e.g. provide a quote for finance).
Special categories of data may be captured by the company, for example, information about an individual’s:
● race
● ethnic origin
● politics
● religion
● trade union membership
● genetics
● biometrics (where used for ID purposes)
● health
You need to identify both a lawful basis for general processing and an additional condition for processing this type of data. If you are processing criminal conviction data or data about offences, you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
The company acts as a data Controller and data Processor. All staff are responsible for ensuring that the highest data standards and best practices are met on a continual basis. Although a Data Protection Officer (DPO) has not been appointed as the company does not fall within the scope, the Directors and Owners of the Business are accountable and responsible for compliance with GDPR and will take on the tasks appointed to them as if they were a DPO.
The company has a general obligation to implement technical and organisational measures to demonstrate that data protection is integrated into our processing activities. A Data Protection Impact Assessment is conducted each time the company consider implementing using new technologies.
The DPIA will pertain at least to:
● a description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller;
● an assessment of the necessity and proportionality of the processing in relation to the purpose;
● an assessment of the risks to individuals;
● the measures in place to address risk, including security and to demonstrate that you comply.
Individuals now have more rights under GDPR. The company, these are:
● the Right to be Informed
● the Right of Access
● the Right to Rectification
● the Right to Erasure
● the Right to Restrict Processing
● the Right to Data Portability
● the Right to Object
● rights in relation to automated decision making and profiling
The company provides every customer with a Privacy Notice at the point data is captured. The information supplied in this notice demonstrates how the company is transparent over our data processing. The notice is:
● concise, transparent, intelligible and easily accessible
● written in clear and plain language, particularly if addressed to a child, and free of charge
We include details of (but not limited to): the Data Controller, the lawful reason for processing data, if any third parties have legitimate interests, categories of personal data, categories of recipients such as banks and credit unions, the data retention periods, the individuals’ rights; including the right to withdraw, where the individual can complain about how the data is processed with a supervisory authority, source of data when it comes from a third party and where personal data is part of a contractual requirement or obligation.
Rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If the company has disclosed the personal data in question to third parties, then we will inform them of the rectification where possible. The company will respond to this request within one month or extended by two months where the request for rectification is complex.
Erasure
Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
● where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
● when the individual withdraws consent
● when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
● the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)
● the personal data must be erased to comply with a legal obligation
● the personal data is processed in relation to the offer of information society services to a child
Under the GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.
The company may refuse to comply with a request for erasure where the personal data is processed for the following reasons:
● to exercise the right of freedom of expression and information
● to comply with a legal obligation for the performance of a public interest task or exercise of official authority
● for public health purposes in the public interest
● archiving purposes in the public interest, scientific research, historical research or statistical purposes
● the exercise or defence of legal claims
If the company has disclosed the personal data in question to third parties, a notification will be sent, informing them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
Restrict Processing
The company will restrict the processing of personal data in the following circumstances:
● where an individual contests the accuracy of the personal data, processing should be restricted until the accuracy of the personal data is verified
● where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and the organisation is considering whether legitimate grounds override those of the individual
● when processing is unlawful, and the individual opposes erasure and requests restriction instead
● if you no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim
If any data has been disclosed to third parties, the company will notify them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so.
Portability
For personal data an individual has provided to a controller, where the processing is based on the individual’s consent or for the performance of a contract, and when processing is carried out by automated means, the company must provide the personal data in a structured, commonly used and machine-readable form, e.g., CSV files. Machine-readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.
The company must provide this service free of charge. If the individual requests it, we may be required to transmit the data directly to another organisation if this is technically feasible. The company will respond without undue delay, and within one month or extended by two months where the request is complex or there are multiple requests.
Objecting
If an individual has objected to processing data or direct marketing, the company will cease to process the data. Individuals must have an objection on “grounds relating to his or her particular situation”. The company will stop processing the personal data unless:
● compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual
● the processing is for the establishment, exercise or defence of legal claims
This is brought to the attention of the data subject at the first point of communication and in our privacy notice. This is separated out from any other information.
Direct Marketing Purposes
As soon as an objection is received, the company will stop processing personal data for direct marketing purposes. This will be actioned at any stage and is free of charge.
Automated Decision Making Including Profiling
The company understands that any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse, or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behaviour falls under this right. Where this is conducted, the rules and guidance of the ICO will be adhered to and followed. To date, the company does not conduct automated decision making including profiling.
Subject Access Requests (SAR)
Individuals who are the subject of personal data held by the company are entitled to:
● confirmation that their data is being processed
● access to their personal data
● other supplementary information – this largely corresponds to the information that should be provided in a privacy notice
Individuals contacting the company requesting this information is called a Subject Access Request. The company will provide a copy of the information free of charge. However, a ‘reasonable fee’ may be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive. A reasonable fee may also be charged to comply with requests for further copies of the same information. The fee is based on the administrative cost of providing the information only.
Once the identity of the person making the request has been verified, the information will be provided within 1 month; this will be extended to 2 months if the request is complex. Notification will be made to the individual if this is the case.
Complaints
It is made clear that data subjects who wish to complain about how their personal data has been processed can raise this with the company complaints procedure. If the data subject is still not satisfied, then the complaint can be referred to the Information Commissioners Office.
Data Security and Storage
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see or have access to it. These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
● when not required, the paper or files should be kept in a locked drawer or filing cabinet
● employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer
● data printouts should be shredded and disposed of securely when no longer required
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
● data should be protected by strong passwords or encryption products
● if data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used
● data should only be stored on designated drives and servers and should only be uploaded to approved cloud computing services
● servers containing personal data should be sited in a secure location, away from general office space
● data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures
● data should never be saved directly to laptops or other mobile devices like tablets or smartphones
● all servers and computers containing data should be protected by approved security software and a firewall
The point that personal data is accessed is when it can be at greatest risk of loss, corruption, theft, unlawful access. The company will:
● when working with personal data, employees should ensure the screens of their computers are always locked when left unattended
● personal data should not be shared informally. It should never be sent by email, as this form of communication is not secure
● data must be encrypted before being transferred electronically
● personal data should never be transferred outside of the European Economic Area unless contractual arrangements are in place highlighting adequate safeguards and protection to the rights of individuals
● employees should not save copies of personal data to their own computers. Always access and update the central copy of any data