Privacy Statement — Hartebridge

Introduction

This Privacy Statement is provided by Hartebridge Limited ("Hartebridge", "we", "us" or "our"). It is addressed to individuals outside our organisation with whom we interact, including (but not limited to) Candidates, Clients, Sources, Referees, and visitors to our website (together, "you").

Defined terms used in this Statement are explained in Section 15 below.

For the purposes of this Statement, Hartebridge is the Controller. Contact details are provided in Section 13.

Controller Identification

If you are a Candidate, the Controller of your Personal Data is Hartebridge Limited, the entity that contacts you in connection with the Services. If you are a Client, Source, or Referee, the Controller is Hartebridge Limited, the entity engaging with and managing the relationship with you. If you are a visitor to our website, the Controller is Hartebridge Limited.

This Statement may be amended or updated from time to time to reflect changes in our practices or in applicable law. We will notify you of any significant changes. We encourage you to check this page periodically.

Who We Are

Data Controller	Hartebridge Limited
Registered Office	5th Floor, 167–169 Great Portland Street, London W1W 5PF
Company Number	17134352
ICO Registration	ZA1375446
Contact	info@hartebridge.com
Specialisation	Executive search and leadership advisory firm helping clients successfully navigate leadership transitions. We find and validate CEOs, senior executives, non-executive directors, Trustees and Chairs across investment banking, energy and social impact sectors.

Collection of Personal Data

We may collect Personal Data about you from the following sources:

Directly from you, for example, where you contact us by email or telephone, provide your CV, or subscribe to our publications.
In the ordinary course of our relationship with you, for example, correspondence arising during a search process.
From our Clients, in connection with opportunities in which you are a Candidate.
From publicly available sources, including professional networking platforms such as LinkedIn (where your profile is publicly visible) and other social media platforms. Our use of LinkedIn is subject to LinkedIn's own privacy policy.
From third parties, including past employers and referees.
Via background checks, where we conduct pre-employment verification or other background checks, with your prior express written consent and in accordance with applicable law.
Via automated technologies, when you visit our website, your device and browser will automatically disclose certain information (such as device type, operating system, browser type, IP address, and language settings), some of which may constitute Personal Data.

Storage of Personal Data

Your data is stored on our secure database, compiled and hosted between Atlas and Google Drive (our "Subprocessors"). Further detail on our Processors and international transfer safeguards is provided in Sections 7 and 8.

Creation of Personal Data

We may also create Personal Data about you, such as records of interviews you attend and assessment reports.

Personal Data You Provide About Others

In some circumstances, you may provide us with Personal Data about others, for example, where you act as a Source or provide details of a Referee. If you do so, you must ensure that you are entitled to disclose that Personal Data to us, and that the individual concerned is aware of the matters detailed in this Statement.

Categories of Personal Data We Process

Standard Personal Data

Personal details: name, preferred name, gender, date of birth, nationality, photograph, marital status, passport/visa/work authorisation details (where applicable).
Contact details: home and work addresses, telephone numbers, email addresses, social media profile details.
Employment records: current and former positions, employers, dates of employment, job titles.
Referee details: name, contact information, relationship to you, and duration of acquaintance.
Marketing data: communication preferences and consent records.
Information Technology data: IP address, login data, browser type and version, operating system, time zone, and web analytics data.

Special Category Personal Data

We may also process Special Category Personal Data, including:

Health data: data relevant to reasonable adjustments or employment eligibility, where you voluntarily disclose this to us.
Racial or ethnic origin: data provided through voluntary participation in our equal opportunities monitoring.

Special Category Personal Data is stored exclusively in Google Drive (one of our Subprocessors). Further detail is provided in Section 7.

Lawful Basis for Processing

We identify a specific lawful basis for each processing purpose. Where we rely on Legitimate Interests, we have completed a Legitimate Interests Assessment (LIA); a summary is available on request by contacting info@hartebridge.com.

Processing Purpose	Lawful Basis (Art. 6)	Special Category Basis
Executive Search Services	Contract (Art. 6(1)(b)); Legitimate Interests (Art. 6(1)(f))	N/A
Equal Opportunity Monitoring	Legal Obligation (Art. 6(1)(c)); Explicit Consent (Art. 6(1)(a))	Explicit Consent (Art. 9(2)(a))
Client Relationship Management	Contract (Art. 6(1)(b)); Legitimate Interests (Art. 6(1)(f))	N/A
Market Research and Talent Mapping	Legitimate Interests (Art. 6(1)(f))	N/A
Database Maintenance	Legitimate Interests (Art. 6(1)(f))	N/A
Marketing and Communications	Consent (Art. 6(1)(a)) for new contacts; Legitimate Interests (Art. 6(1)(f)) for existing clients	N/A
Legal Compliance	Legal Obligation (Art. 6(1)(c))	Art. 9(2)(b) + DPA 2018 Sch. 1, para. 1 where applicable
Service Improvement	Legitimate Interests (Art. 6(1)(f))	N/A

Consent

Where we rely on consent, you may withdraw it at any time by contacting info@hartebridge.com. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

Special Category Personal Data: Article 9 Conditions

Explicit consent (Art. 9(2)(a)): where you have given specific written consent.
Employment and social security law (Art. 9(2)(b) + DPA 2018, Sch. 1, para. 1): where processing is necessary for obligations under employment law.
Establishment, exercise or defence of legal claims (Art. 9(2)(f)): where necessary for legal proceedings.

Purposes for Which We Process Your Personal Data

Executive Search Services: to identify, assess, and present suitable Candidates for CEO, Senior appointment, non-executive roles, Trustee, and Chair positions.
Equal Opportunity Monitoring: to ensure our recruitment processes support equal opportunities. Diversity data is Special Category Personal Data; we will obtain your explicit consent before collecting it.
Client Relationship Management: to manage client relationships and deliver our services.
Market Research and Talent Mapping: to conduct market intelligence exercises and map available leadership talent.
Database Maintenance: to maintain a database of qualified Candidates for current and future opportunities.
Marketing and Communications: to send sector insights, leadership content, and information about our services. See Section 6A below for our PECR compliance obligations.
Legal Compliance: to meet regulatory obligations including right-to-work checks, financial record-keeping, and anti-money laundering requirements.
Service Improvement: to improve our services, website functionality, and user experience.

06A

Electronic Marketing and PECR Compliance

Where we send electronic marketing communications (including emails), we do so in compliance with the Privacy and Electronic Communications Regulations 2003 (PECR), as well as UK GDPR.

New contacts: we will only send marketing to individuals who have given prior explicit consent. We record the date, method, and scope of that consent.
Existing clients and candidates: we may send relevant sector updates and service information to individuals with whom we have an existing professional relationship, where they have not opted out (PECR Regulation 22(3) soft opt-in).
Opt-out: you have an absolute right to opt out of all electronic marketing from us at any time, at no charge, and without giving a reason. You can do so by clicking the unsubscribe link in any email we send, or by contacting info@hartebridge.com with the subject line "Marketing Opt-Out". We will action opt-out requests within 5 working days.

We maintain a suppression list of all individuals who have opted out. We do not contact suppressed individuals for marketing purposes.

Disclosure of Personal Data to Third Parties

We do not sell Personal Data. We may disclose your Personal Data to the following categories of recipient:

Clients: Candidate information is shared with prospective employers for shortlisting and interview purposes.

Subprocessors (Database)

Your Personal Data is stored on our secure database, hosted between our Subprocessors: Atlas (Atlas Recruitment Technology Ltd, our AI-powered CRM and ATS) and Google Drive (Google Workspace, our document storage platform). Each Subprocessor acts as a data Processor under a written Data Processing Agreement meeting the requirements of Article 28 UK GDPR.

Our Data Processing Agreement with Atlas (Appendix D of the Atlas Service Agreement, dated 9 April 2026) further specifies: (i) Special Category Personal Data (UK GDPR Article 9) is not stored in Atlas. All such data is held in Google Drive only; (ii) on termination, Client Personal Data is made available for retrieval for 30 days, after which it is deleted, with full DPA-compliant deletion completed within 90 days.

Note on Atlas and AI Processing

Atlas uses OpenAI's models (accessed via API) to power certain features, including candidate/client database population and GPT-based querying. Under Atlas's agreement with OpenAI, your data is not used to train OpenAI's models, nor is your data used to train Atlas's own models. Data submitted to the OpenAI API forms part of a one-off prompt only.

ReEcho: ReEcho Group Limited provides legal, finance, and operational back-office support. Where ReEcho processes your Personal Data solely on our instructions, they act as a Processor under a written Data Processing Agreement.
Professional Advisors: accountants, auditors, and lawyers, where required for the provision of their services.
Legal and Regulatory Authorities: HMRC, law enforcement agencies, and courts, where required by law or necessary for legal claims.
Business Transfers: third parties in connection with any merger, acquisition, or transfer of business assets.

International Transfer of Personal Data

We primarily process data within the United Kingdom. Where data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR Article 46. The safeguards we rely upon include:

The International Data Transfer Agreement (IDTA): issued by the UK Information Commissioner's Office, in force from 21 March 2022. This is the primary transfer mechanism for UK-to-third-country transfers.
The UK Addendum to EU Standard Contractual Clauses: approved by Parliament on 21 February 2022 (SI 2022/109), used where the receiving party already holds EU SCCs.
Adequacy Regulations: where the destination country has been recognised by the UK as providing an adequate level of data protection.

Third-party beneficiary rights

As a data subject, you are a third-party beneficiary under any IDTA or UK Addendum we have entered into in respect of your Personal Data, and may enforce its terms against the data importer in the receiving country.

A copy of the applicable transfer safeguard can be obtained by contacting info@hartebridge.com.

Automated Processing and Artificial Intelligence

We use AI-powered tools to support our executive search process. Our primary CRM and ATS, Atlas, uses AI for candidate and client database management, content extraction, opportunity matching, and market intelligence. Atlas accesses OpenAI's models via the OpenAI API. Under the terms of that API, your data is not used to train OpenAI's models, and Atlas does not use your data to train its own models.

This activity constitutes profiling within the meaning of Article 4(4) UK GDPR, in that automated tools are used to evaluate certain professional aspects relating to individuals.

However, we do not make final decisions about your suitability for a role, or any decision producing legal or similarly significant effects, based solely on automated processing. All assessments are subject to human review by Hartebridge before any recommendation is made to a Client.

You have the right to request that any significant assessment of you is reviewed by a human, to obtain an explanation of the assessment, and to contest any conclusion reached. Please contact us using the details in Section 13.

Data Retention

We retain Personal Data only for as long as is necessary for the purposes set out in this Statement. The 6-year retention period applicable to certain records reflects the Limitation Act 1980 and is consistent with convention in the UK executive search sector.

Data Category	Retention Period
Candidate records (CVs, correspondence)	6 years from last contact, unless you request earlier deletion or consent to longer retention.
Source data	Duration of the relevant search, plus 6 months to allow for follow-up.
Client search records	7 years, to support legal record-keeping obligations.
Financial records (invoices, payment data)	7 years, in line with HMRC requirements.
Diversity / equal opportunity monitoring data	Individual-level data deleted within 3 months of the conclusion of the relevant search. Aggregated, anonymised data may be retained indefinitely.
Background check data	6 months from the conclusion of the relevant search.
Website and IT data	Log data: 13 months. IP addresses anonymised within 26 months.
Marketing consent records	Duration of the marketing relationship plus 6 years.

Data Security

We implement appropriate technical and organisational security measures to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, and unauthorised access, consistent with our obligations under UK GDPR Article 32. These measures are reviewed periodically and updated to reflect changes in technology and regulatory guidance. A summary of our current measures is available on request.

No transmission over the internet or method of electronic storage is entirely secure. Whilst we take all reasonable steps to protect your Personal Data, we cannot guarantee absolute security. You are responsible for ensuring that any Personal Data you send to us is transmitted securely.

Your Legal Rights

Subject to applicable law, you have the following rights regarding the processing of your Personal Data:

Access: the right to request a copy of the Personal Data we hold about you.
Rectification: the right to request correction of inaccurate Personal Data, or completion of incomplete data.
Erasure: the right to request deletion of your Personal Data on legitimate grounds.
Restriction: the right to request that we restrict processing of your Personal Data in certain circumstances.
Portability: the right to receive your Personal Data in a structured, commonly used, machine-readable format, where processing is based on consent or contract.

Right to Object

Qualified right to object (Art. 21(1)): where we rely on Legitimate Interests, you may object on grounds relating to your particular situation. We will cease processing unless we can demonstrate compelling legitimate grounds.
Absolute right to object to direct marketing (Art. 21(3)): you have an unconditional right to object to the processing of your Personal Data for direct marketing purposes at any time, without giving a reason. We will action this immediately.

Other Rights

Withdraw Consent: where we process your Personal Data on the basis of consent, you may withdraw that consent at any time without prejudice to the lawfulness of prior processing.
Lodge Complaints: the right to lodge a complaint with the Information Commissioner's Office (see Section 14).

To exercise any of these rights, please contact info@hartebridge.com. We will respond within one month. Where requests are complex or numerous, we may extend this period by a further two months; we will notify you of any extension within one month of receiving your request.

Contact Details

If you have any questions or concerns about this Statement, or about the processing of your Personal Data by Hartebridge, please contact:

Hartebridge Limited
5th Floor, 167–169 Great Portland Street, London W1W 5PF
Email: info@hartebridge.com
ICO Registration: ZA1375446

Complaints

If you are dissatisfied with how we handle your Personal Data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). We would, however, appreciate the opportunity to address your concerns before you contact the ICO. Please contact us in the first instance at info@hartebridge.com.

Website	ico.org.uk
Helpline	0303 123 1113
Address	Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Definitions

Term	Meaning
"Candidate"	A candidate, or potential candidate, for a position with a Client.
"Client"	A client of Hartebridge.
"Controller"	The entity that decides how and why Personal Data is processed. Hartebridge is the Controller for the purposes of this Statement.
"Database"	Our secure database of Personal Data, compiled and hosted between our Subprocessors (Atlas and Google Drive).
"Data Protection Authority"	An independent public authority legally tasked with overseeing compliance with applicable data protection laws. In the UK, this is the Information Commissioner's Office.
"IDTA"	The International Data Transfer Agreement, issued by the UK Information Commissioner's Office, effective 21 March 2022.
"Personal Data"	Any information relating to an identified or identifiable natural person.
"Process" / "Processing"	Any operation or set of operations performed on Personal Data, including collection, recording, storage, use, disclosure, and deletion.
"Processor"	Any person or entity that processes Personal Data on behalf of the Controller, solely on the Controller's instructions.
"Referee"	An individual whose contact details have been provided by a Candidate as a professional reference.
"Source"	Any person who provides views or opinions regarding a Candidate's qualities or suitability for a role.
"Special Category Personal Data"	Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, data concerning health, or data concerning sex life or sexual orientation.
"Subprocessor"	A data Processor engaged by Hartebridge to host or process Personal Data on our behalf, specifically Atlas and Google Drive.
"UK GDPR"	The UK General Data Protection Regulation, as retained in UK law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

Cookies and Social Media

Cookies

This website uses only essential cookies required for basic functionality. We do not use analytics cookies or any third-party tracking technologies. No cookie consent banner is required.

Social Media

Our website includes a link to LinkedIn. Visiting LinkedIn is governed by LinkedIn's own privacy policy, available at linkedin.com/legal/privacy-policy.

Your Obligations

If you are a Candidate, we rely on you to provide complete and accurate Personal Data about you so that we can provide appropriate services to you and to our Clients.

If you are a Source or Referee, we rely on you to ensure that you are lawfully entitled to disclose Personal Data about others to us.

Last updated: April 2026 | Hartebridge Limited | ICO Registration: ZA1375446