PRIVACY AND DATA PROTECTION POLICY

1. Introduction

Welcome to www.downtoncapital.com (the “Site”), operated by Downton Capital Ltd (“we,” “us,” or “our”). We take your privacy and the protection of your personal data very seriously. This Policy explains how we collect, use, retain and share your information when you browse our Site or engage with us as a client, prospect or partner.

2. Definitions

• Personal Data: Any information that directly or indirectly identifies a natural person (e.g., name, date of birth, address, email, telephone number, IP address).
• Processing: Any operation performed on personal data (collection, recording, consultation, use, transfer, storage, etc.).
• Data Controller: The entity that determines the purposes and means of processing personal data.
• Processor: Any entity that processes personal data on our behalf, bound by a data-processing agreement and confidentiality obligations.

3. Data Controller

Downton Capital Ltd, registered in England (No. 13043353) with its registered office at 128 City Road, London EC1V 2NX, is the data controller for personal data collected via the Site and in connection with our services.
For any questions: ✉️ info@downtoncapital.com (subject: “Data Protection”)

4. Legal Bases for Processing

We process your data only if one of the following applies:

1. Consent: You have given consent for the collection and processing of your data (e.g., non-essential cookies, marketing).
2. Contract Performance: Processing is necessary to provide our services (appointment scheduling, billing, support).
3. Legal Obligation: To comply with accounting, tax, or anti-money-laundering laws.
4. Legitimate Interests: For the management, security and improvement of our Site and services, and to prevent fraud.

5. Data Collected & Purposes

5.1 Data You Provide

• Forms: Name, contact details, subject of inquiry.
• Appointment Scheduling (Calendly): Your data are transferred to our Calendly account and retained until the appointment is completed or you request deletion (legal bases: consent + legitimate interests).
• Service Delivery: Data used for support, correspondence, invoicing, and legal obligations (legal bases: contract performance + legal obligation).
• CRM & Cloud Storage: Stored in Perfex CRM, Google Drive, Dropbox (legal basis: legitimate interests).

5.2 Automatically Collected Data

• Browsing Data: IP address, pages visited, session duration (legal basis: legitimate interests).
• Hosting & CMS: Data stored on Hostinger and WordPress servers (legal basis: legitimate interests).
• Web Fonts: Google Fonts, Font Awesome (legal basis: legitimate interests).

5.3 Cookies & Trackers

We use essential cookies (legal basis: legitimate interests) and non-essential cookies (legal basis: consent). For details, see our dedicated Cookie Policy.

6. Recipients & Transfers

• Internal: Access restricted to authorized and trained personnel bound by confidentiality.
• Processors: Calendly, Hostinger, Perfex CRM, Google, Dropbox, accounting partners, etc., all under data-processing agreements.
• Transfers Outside the EEA: Protected by appropriate safeguards (e.g., standard contractual clauses).

7. Data Retention Periods

• Contractual & Legal Data: Retained for the duration of our relationship plus 10 years (legal archives, invoices).
• Logs: Stored for up to 13 months.
• Marketing Data: Kept until you withdraw consent.
  After these periods, data are deleted or anonymized, unless legal obligations require longer retention.

8. Security & Internal Organization

We implement and maintain appropriate technical and organizational measures:

• TLS/SSL encryption
• Access controls on a need-to-know basis
• Regular reviews of access rights
• Ongoing staff training
• Internal compliance audits
• Data-breach notification procedures: notify the ICO and affected individuals within 72 hours.

9. Client Obligations & Roles

Under our Agreement (Article 10 – Data Protection):

• The Client remains the data controller of any data it provides.
• Downton Capital Ltd acts as processor on the Client’s behalf, under its instructions and a processing agreement.
• The Client retains all rights, title and interest in its data and is responsible for its legality, reliability, integrity, accuracy and quality.
• The Client acknowledges that its data may be transferred or stored outside the UK, EEA or its country of residence to perform our services.
• The Client warrants it has the right to transfer such data and has informed and obtained consent from data subjects.
• Downton Capital will process those data only under the agreement and the Client’s lawful instructions.
• Both Parties shall implement measures to protect against unauthorized processing, loss, destruction or accidental damage.

10. Marketing & Advertising

• We send marketing communications (email, SMS) only if you have consented, with an option to unsubscribe at any time.
• We conduct targeted advertising (Google Ads, Facebook Ads) and use Google Analytics (legal bases: consent + legitimate interests).

11. External Links

The Site may contain links to third-party websites. We do not control their content or privacy practices—please review their own policies.

12. International Specifics

• USA: Comply with Shine the Light, COPPA, CAN-SPAM, TCPA, DNT.
• Canada: PIPEDA.
• Mexico: LFPDPPP/INAI.
  In case of conflict, the strictest provision applies.

13. Changes

Effective since 15/01/2025. Last updated: 05/05/2025. Any changes will be marked with a new version date.

For questions or to exercise your rights: ✉️ info@downtoncapital.com (subject: “Data Protection”)