This Privacy Policy explains how Thorn Kapsted ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our website at thornkapsted.co.uk. We are committed to protecting your privacy and complying with the UK GDPR, the Data Protection Act 2018, and applicable EU data protection legislation.
1. Who We Are
Thorn Kapsted operates the website thornkapsted.co.uk. For the purposes of data protection law, we are the data controller of the personal information we collect about you.
If you have any questions about this policy or wish to exercise your rights, you may contact us at: privacy@thornkapsted.co.uk
2. What Data We Collect
We collect the following categories of personal data:
2.1 Data You Provide Directly
- Full name
- Email address
- Phone number (including country code)
- Consent records (date, time, checkbox state)
2.2 Data Collected Automatically
- IP address (collected via ipify.org at time of form submission)
- Browser type and version
- Pages visited and time spent on site
- Referring URL and UTM parameters (utm_source, utm_medium, utm_campaign, utm_content, click_id)
- Device type and operating system
- Geographic location (country-level, derived from IP)
2.3 Cookie Data
We use cookies and similar tracking technologies. Please see our Cookie Policy for full details.
3. How We Use Your Data
We use your personal data for the following purposes:
- Service delivery: To process your registration and provide access to the Thorn Kapsted platform
- Communications: To contact you about your account, platform updates, and investment opportunities you have consented to receive
- CRM management: Your lead data is passed to our CRM partner (Trackbox) to manage client onboarding and follow-up
- Analytics: To understand how users interact with our website and improve our services
- Legal compliance: To comply with our legal and regulatory obligations
- Marketing attribution: To measure the effectiveness of our advertising campaigns via UTM parameters
4. Legal Basis for Processing
We process your personal data on the following legal bases:
- Consent (Art. 6(1)(a) UK GDPR): Where you have given explicit consent, including checking the consent checkbox on our registration form
- Legitimate interests (Art. 6(1)(f) UK GDPR): For fraud prevention, website security, and improving our services
- Legal obligation (Art. 6(1)(c) UK GDPR): Where we are required to process data to comply with applicable law
5. Data Sharing and Third Parties
We may share your personal data with the following categories of third parties:
- Trackbox CRM: Our customer relationship management platform, which receives lead data for client onboarding purposes
- Cloudflare: Our CDN and security provider, which processes traffic data
- ipapi.co: Used to detect your country code for phone prefix auto-population (no personal data stored)
- ipify.org: Used to retrieve your IP address at the time of form submission
- Google Analytics: For website analytics (if applicable; see Cookie Policy)
- Legal authorities: Where required by law or court order
We do not sell your personal data to third parties.
6. International Data Transfers
Some of our service providers may process your data outside the UK or European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK ICO or European Commission, or equivalent transfer mechanisms.
7. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including:
- Active account data: retained for the duration of our relationship plus 6 years
- Marketing consent records: retained for 3 years from the date of consent or last interaction
- Website analytics data: typically retained for 26 months
After the applicable retention period, data is securely deleted or anonymised.
8. Your Rights
Under UK and EU data protection law, you have the following rights:
- Right of access: Request a copy of your personal data
- Right to rectification: Request correction of inaccurate data
- Right to erasure: Request deletion of your data ("right to be forgotten")
- Right to restrict processing: Request that we limit how we use your data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent: Withdraw consent at any time without affecting prior lawful processing
To exercise any of these rights, contact us at privacy@thornkapsted.co.uk. We will respond within 30 days.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include 256-bit SSL/TLS encryption for all data in transit, access controls, and regular security reviews.
10. Children's Privacy
Our platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Material changes will be communicated via email or a prominent notice on our website.
12. Contact Us
For any privacy-related queries or to exercise your rights: