Legal

Privacy Policy

Last updated: 22 April 2026

This Privacy Policy explains how halcroft (“we”, “us”, “our”) collects, uses, and safeguards personal information when you visit halcroft.co (the “site”) or otherwise interact with us in connection with the site. It is written to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy covers the public marketing website only. Personal and business data processed during paid advisory or build engagements is governed by a separate Data Processing Agreement executed with each client.

1. Who we are

The data controller for information collected via this site is [Company Name], with company number [Company Number] and registered office at [Registered Office Address] ( “halcroft”).

For any privacy-related question, request, or complaint, contact us at harry@halcroft.co.

2. Information we collect

2.1 Information you give us

We currently do not operate contact forms, newsletter sign-ups, or chat widgets on this site. If you choose to email us, book a call, or contact us through a third-party platform such as LinkedIn or Cal.com, you share the information contained in that communication with us directly.

2.2 Information collected automatically

When you browse halcroft.co, our hosting provider automatically receives technical information that is typical of any web request:

  • IP address (in truncated or hashed form where possible)
  • Browser type, version, and operating system
  • Referring URL and pages requested
  • Date and time of the request

This information is used to operate and secure the site (for example, to mitigate abuse) and is retained only for a short period in line with our hosting provider's defaults.

2.3 Cookies and similar technologies

We do not set our own cookies, run analytics, or deploy advertising or tracking pixels on halcroft.co. The site loads typefaces from Google Fonts, which may set cookies on the fonts.googleapis.com or fonts.gstatic.comdomains under Google's own privacy policy. If this changes in future — for example if we add analytics — this policy will be updated and, where required, consent will be requested.

3. How we use your information

We use the information described above to:

  • Operate, secure, and improve the site;
  • Respond to enquiries you send us;
  • Discuss, arrange, and deliver advisory or build engagements if you become a client; and
  • Comply with legal and regulatory obligations applicable to us in the United Kingdom.

4. Legal bases for processing

Under UK GDPR Article 6, we rely on the following legal bases:

  • Legitimate interests — for operating and securing the site, maintaining business records of correspondence, and preventing abuse. We balance these interests against your rights and only use the minimum information needed.
  • Consent — where you choose to contact us, book a call, or otherwise voluntarily provide information. You may withdraw consent at any time by contacting us.
  • Contract — where we need to process information to enter into or perform a contract with you (for example, to arrange and deliver a paid engagement).
  • Legal obligation — where we are required to retain or disclose information to comply with applicable UK law.

5. Third parties and sub-processors

We use the following third parties to run halcroft.co. Each is bound by their own terms and privacy policies:

  • Vercel Inc. — hosting and content delivery. Vercel processes connection metadata to serve and secure the site.
  • Supabase Inc. — database for publicly displayed content such as case studies and testimonials. We do not write visitor information to Supabase.
  • Cal.com, Inc. — calendar booking. If you use the Cal.com link to schedule a call, information you enter in that booking flow is processed by Cal.com under its own privacy policy.
  • Google LLC (Google Fonts) — webfont delivery.
  • LinkedIn (Microsoft Ireland) — we link to a LinkedIn profile from the footer; no personal information is transferred unless you click through and interact with LinkedIn.

6. International transfers

Some of the third parties above are based in the United States. Where personal data is transferred outside the United Kingdom, we rely on appropriate safeguards recognised by the UK GDPR — including the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, adequacy regulations, or another lawful transfer mechanism — as applicable to each provider.

7. Data retention

We keep personal information only for as long as necessary for the purposes set out in this policy, which typically means:

  • Technical server logs — kept for a short period (typically up to 30 days) by our hosting provider;
  • Business correspondence and records — kept while a relationship is live and for a reasonable period afterwards to meet tax, accounting, and legal obligations;
  • Information tied to a signed engagement — kept for the term of that engagement and as specified in the relevant engagement agreement and Data Processing Agreement.

8. Your rights

Under UK GDPR you have the following rights in respect of personal data we hold about you:

  • The right to be informed about how we use your data;
  • The right of access to your data;
  • The right to rectification of inaccurate data;
  • The right to erasure (“right to be forgotten”);
  • The right to restrict processing;
  • The right to data portability;
  • The right to object to processing based on legitimate interests;
  • The right not to be subject to a decision based solely on automated processing;
  • The right to withdraw consent at any time.

To exercise any of these rights, email harry@halcroft.co. We will respond within one month of receiving a valid request and may need to verify your identity before acting.

9. Children

Halcroft.co is a business-to-business website and is not directed at children. We do not knowingly collect personal information from anyone under 16. If you believe a child has sent us personal data, contact us and we will take reasonable steps to delete it.

10. AI and our services

Halcroft provides AI advisory and AI system build services. Any processing of personal data that occurs when delivering those services — including processing of client or end-user data through large language model providers, automation tooling, or analytical systems — is outside the scope of this website privacy policy.

Where we process personal data on behalf of a client, we do so as a data processor under a written Data Processing Agreement that sets out the sub-processors we use, the purposes of processing, retention, international transfers, and security measures specific to that engagement. Prospective clients can request our standard DPA by emailing harry@halcroft.co.

Information sent to us on this website is not used to train any AI model, ours or a third party's.

11. Security

We apply appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. No system is perfectly secure, but we take steps that are proportionate to the limited personal data this website collects.

12. Changes to this policy

We may update this Privacy Policy from time to time. The date at the top of this page indicates when it was last updated. Material changes will be communicated through a visible notice on the site.

13. Complaints

If you are unhappy with how we have handled your personal information, please contact us first so we can try to resolve the issue. You also have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.

14. Contact

Questions about this policy or our privacy practices: harry@halcroft.co.

← Back to home