Privacy Policy

2. Data we collect

We collect personal data that you choose to provide and limited technical data that is generated when you use the website. We do not ask for sensitive categories of data (such as health data, political opinions, or biometric identifiers) and we ask that you do not submit such data via our forms.

Data you provide

Full name (so we can address you and keep records of enquiries).
Email address (so we can respond and maintain an enquiry thread).
Phone number only if you choose to call us directly; our website forms do not require phone numbers.
Message content you send, including project details you decide to include.
Consent selections where a form requires an acknowledgement about use of contact details.

Technical and usage data

IP address and approximate location derived from IP (for security and basic analytics).
Browser and device information (device type, OS version, browser type, language settings).
Usage and behavioural data (pages viewed, referring pages, time on page, interaction events) when analytics cookies are accepted.
Cookie identifiers and similar technologies to remember preferences and measure traffic.
Server logs such as request time, requested URL, and response status codes.

We do not intentionally collect special category data. If you include sensitive personal data in your message, you are providing it voluntarily. If we identify such data, we may delete it from our records where practical, unless retention is required for legal reasons.

3. How we collect data

We collect data through direct interactions and through automated technical processes that are typical for operating a website. We aim to keep collection proportionate to the purpose and to explain what happens in clear terms.

3.1 Web forms and enquiries

When you submit a form on our website, we receive the details you entered. Our current site is designed to open your email client to send an email to us. If you contact us directly via email, we will receive your email address and message contents. We use this information to respond and to manage the enquiry.

If we proceed to a project discussion, additional information may be exchanged by email or phone. That information will be handled under this policy to the extent it contains personal data. For contractual work, separate documentation may apply, including confidentiality terms.

3.2 Cookies and similar technologies

Cookies are small text files stored on your device. We use a cookie banner that allows you to accept or reject non-essential cookies. Strictly necessary cookies help the site operate and remember your cookie preference. Analytics cookies, where enabled, help us understand traffic and improve content. Marketing cookies are only used if you consent and if the relevant tools are implemented.

Our cookie banner stores your choice in your browser using local storage so we can remember your preference. You can also control cookies through your browser settings. More detail is provided in Section 10.

3.3 Analytics tools and pixels

We may use Google Analytics 4 (GA4) to understand website performance and improve content. If we run advertising campaigns, we may also use the Meta Pixel to measure whether ads lead to site visits or enquiries. These tools typically collect event and device data, and may use cookies or similar identifiers. We only enable non-essential analytics or marketing tracking where required by law and where you have provided consent through the cookie banner.

Even when analytics is enabled, we avoid collecting unnecessary data, and we configure tools to reduce risk where possible. For example, we do not intentionally send form message content to analytics platforms.

3.4 Server logs

Our hosting infrastructure generates logs to operate the site and keep it secure. These logs can include IP address, requested pages, time stamps, and error diagnostics. We use this data to monitor performance, detect abuse, and troubleshoot. Access to logs is limited to those who need it for operational security and maintenance.

4. Legal bases for processing (GDPR Article 6)

Under GDPR and UK GDPR, we process personal data only when we have a lawful basis. The appropriate basis depends on what data we process and why. Below we describe the main bases we rely on and how they apply to different situations.

4.1 Consent (Art. 6(1)(a))

We rely on consent when you make a clear choice to allow optional processing. This includes consent for non-essential cookies and for marketing technologies where they are used. If you consent, you can withdraw it at any time by changing cookie settings in your browser and clearing site data, or by contacting us.

Where consent is the legal basis, we will not process the relevant optional data if you reject cookies. Essential site functions remain available.

4.2 Contract or steps prior to contract (Art. 6(1)(b))

When you contact us to ask about services, we may process your contact details and message to take steps at your request prior to entering into a contract. If a project proceeds, we may process personal data necessary to perform the contract, such as maintaining a point of contact, scheduling meetings, and issuing invoices where relevant.

This basis typically applies to enquiry management and project communications that are necessary to deliver agreed work.

4.3 Legitimate interests (Art. 6(1)(f))

We may process limited personal data where it is necessary for our legitimate interests and those interests are not overridden by your rights. Legitimate interests can include operating and securing the website, preventing fraud or misuse, maintaining records of enquiries for continuity, and understanding aggregate site performance to improve content.

When we rely on legitimate interests, we assess necessity and proportionality and aim to minimise risk. You have the right to object to processing based on legitimate interests. Section 9 explains how to exercise that right.

4.4 Legal obligation (Art. 6(1)(c))

In limited cases, we may need to process or retain data to comply with legal obligations, such as record-keeping requirements, responding to lawful requests, or establishing, exercising, or defending legal claims. This basis is not used for marketing.

5. Purposes of processing

We process personal data for specific purposes that relate to running this website and providing our services. We do not use personal data for unrelated purposes without a lawful basis and appropriate notice. The main purposes are:

Responding to enquiries and providing information about KJWT’s research and advisory services, including scheduling calls and following up on requests.
Service delivery where a project proceeds, including communications, document exchange, and project administration.
Customer support such as resolving issues with access to information, clarifying requests, and maintaining continuity of conversations.
Website operations and security including performance monitoring, preventing abuse, and investigating suspicious activity.
Analytics and site improvement using aggregated insights (for example, which pages are most visited) to improve clarity and usefulness, where you have accepted analytics cookies.
Marketing only where you have provided consent, for example by accepting marketing cookies or by explicitly opting in to communications in a context where consent is appropriate.
Legal compliance including responding to lawful requests and maintaining records required by law.

We do not use your enquiry information to create profiles about you for sensitive targeting. Any advertising measurement is focused on aggregate conversion signals, not identifying individual visitors.

6. Retention periods

We keep personal data only for as long as necessary for the purposes described above, unless longer retention is required by law or needed to establish, exercise, or defend legal claims. Retention periods can vary depending on the type of data and the context of the relationship.

Retention schedule (typical)

Form submissions and enquiry emails

Up to 2 years from last contact, to maintain continuity, handle follow-up questions, and demonstrate an accurate record of what was requested.

Client project communications

Up to 6 years after project completion where needed for contractual record keeping and to support future project continuity, subject to any agreed confidentiality obligations.

Analytics data (GA4, where enabled)

14 months, then aggregated or deleted according to platform settings and our configuration.

Cookie preferences

Stored in your browser until you clear site data or change settings. This allows us to remember your choice.

Security and server logs

Typically 90 days, unless longer retention is needed to investigate security incidents or persistent abuse.

Email list (if you opt in)

Until you unsubscribe, plus 30 days to complete suppression and ensure the request is honoured across systems.

If you request deletion, we will delete or anonymise data where we can, unless retention is required for legal reasons. If deletion is not possible (for example, where data is stored in certain backups), we will restrict access and delete it when the backup lifecycle allows.

7. Data sharing and processors

We share personal data only when it is necessary to operate the website, deliver services, or comply with legal obligations. We do not sell personal data, and we do not share it for third-party marketing purposes. Where we use service providers, we select reputable suppliers and use contracts that include confidentiality and data protection requirements.

Common categories of recipients

Hosting and infrastructure providers that store and serve the website and related logs.
Email and communication providers used to send and receive messages and manage calendars.
Analytics providers such as Google Analytics 4, where analytics cookies are accepted.
Advertising measurement providers such as Meta, where marketing cookies are accepted and tools are implemented.
Professional advisers (legal, accounting) where necessary for compliance and business operations.

How we control sharing

We share the minimum data required for the purpose.
We restrict access based on need to know.
We use contracts and platform settings to reduce risk where possible.
We do not send form message content to advertising platforms.
We honour cookie choices, so optional data collection does not occur if you reject it.

Some third-party platforms act as independent controllers for the data they collect (for example, when cookies are enabled and a platform processes event data for its own purposes under its terms). In those cases, their privacy policies also apply. We recommend reviewing the relevant vendor policies where you enable optional cookies.

8. International transfers

We are based in the United Kingdom. Some of our service providers may process data outside the UK and the European Economic Area (EEA), including in the United States. When personal data is transferred internationally, we take steps to ensure an appropriate level of protection.

Where required, we rely on recognised transfer mechanisms such as the UK International Data Transfer Agreement (IDTA) and/or the EU Standard Contractual Clauses (SCCs), together with supplementary measures where appropriate. Where a destination country benefits from an adequacy decision (for example, under the EU-U.S. Data Privacy Framework for participating organisations, where applicable), we may also rely on that mechanism.

You can request more information about international transfers and the safeguards we use by contacting [email protected].

9. Your rights under GDPR and UK GDPR

Depending on your location and the applicable law, you may have rights in relation to your personal data. We respect these rights and provide ways to exercise them. In some cases, rights are subject to legal limitations, for example where fulfilling a request would infringe the rights of others or where we must retain data for legal reasons.

9.1 Rights you can request

Right of access: request a copy of personal data we hold about you.
Right to rectification: request correction of inaccurate or incomplete data.
Right to erasure: request deletion of personal data in certain circumstances.
Right to restriction: request that we limit processing in certain circumstances.
Right to data portability: request transfer of certain data to you or another controller in a structured, commonly used format, where the legal basis is consent or contract and processing is automated.
Right to object: object to processing based on legitimate interests or for direct marketing.
Right to withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting earlier processing.

9.2 How to exercise your rights

To make a request, email [email protected] with enough information for us to identify you and understand the request. We may ask for additional information to verify identity, particularly for access or deletion requests, to protect your data from unauthorised disclosure.

We aim to respond within one month, though this period can be extended for complex requests. If we cannot fulfil a request, we will explain why, and we will provide information about options to complain.

9.3 Complaints to a supervisory authority

If you are in the UK and believe our processing infringes data protection law, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection.

ICO contact details: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. You can also use the ICO’s website to submit a concern. We encourage you to contact us first so we can try to resolve the issue directly.

10. Cookie policy

This website uses cookies and similar technologies to operate and to understand usage. We provide a cookie banner that allows you to accept or reject non-essential cookies. Your choice is stored in your browser so we can remember it on future visits.

Strictly necessary

These are required for basic site functionality and to remember your cookie preference. Without them, some parts of the site may not work as intended. Typical duration: until you clear site data in your browser.

Examples: storing your cookie choice, maintaining basic security features.

Analytics

Analytics cookies help us understand how the site is used, such as which pages are popular and whether content is easy to navigate. We may use Google Analytics 4 (GA4). Typical duration: up to 14 months, depending on configuration.

Examples: page views, engagement events, aggregated traffic sources.

Marketing

Marketing cookies may be used to measure advertising performance and to understand whether ads result in visits or enquiries. We may use the Meta Pixel if we run Meta Ads. Typical duration varies by platform settings and your browser.

Examples: conversion events, aggregated campaign measurement.

Managing cookie choices

You can manage cookies in several ways: (1) use our cookie banner when it appears, (2) clear site data in your browser to remove saved preferences, and (3) adjust browser settings to block or delete cookies. If you block all cookies, some features may not work. If you previously accepted cookies and want to withdraw consent, clearing site data and revisiting the site will prompt the banner again.

If you contact us for assistance with cookie settings, we can explain what the site does, but we cannot provide device-specific technical support for every browser version.

11. Children’s privacy

This website and our services are not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, contact [email protected] so we can take appropriate steps, which may include deleting the information.

If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take reasonable steps to remove it from our records and prevent further processing.

12. Policy updates

We may update this Privacy Policy from time to time to reflect changes to the website, legal requirements, or the services we use. When we make material changes, we will update the “Last Updated” date at the top of this page. Where appropriate, we may also provide an additional notice on the website, such as a banner.

If you have provided contact details for an ongoing relationship and a change materially affects how we use your data, we may notify you by email where reasonable. Continued use of the website after changes become effective indicates you have read the updated policy.

13. Contact and Data Protection contact

If you want to exercise a right, request deletion, ask a question about cookies, or discuss how we handle personal data, contact our privacy email. For postal enquiries, use our registered address. We aim to respond promptly and within legal time limits.

Privacy contact

Email: [email protected]

Phone: +44 20 3807 6432

Mailing address

KJWT
22 Bishopsgate
London, EC2N 4AJ
United Kingdom

Data deletion and unsubscribe

To request deletion of enquiry records, email [email protected] with the email address you used to contact us. If you are subscribed to any updates, you can unsubscribe using the link in the email, or request removal via the same privacy contact. We will confirm completion where appropriate.