This policy explains how CapitalFlow Ltd. collects, uses, stores, and protects your personal data when you use our website and services.
CapitalFlow Ltd. ("CapitalFlow", "we", "our", or "us") is committed to protecting and respecting your privacy. This Privacy Policy explains how we handle the personal data we collect from visitors to our website at capitalflow.com and users of our financial education, stock analysis, investment strategy, and portfolio management services.
CapitalFlow Ltd. is the data controller responsible for your personal data. We are a company registered in England and Wales (Company No. 10483572), with our registered office located at 48 Moorgate, London, EC2R 6EL, United Kingdom.
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). This policy applies to all personal data we collect through our website, email communications, contact forms, newsletter subscriptions, educational programme enrolments, and any other interactions you have with our business.
By using our website or engaging with our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please refrain from using our website or providing personal data to us. We encourage you to read this document carefully and revisit it periodically, as we may update it to reflect changes in our practices or legal requirements.
We collect various types of personal data depending on how you interact with our website and services. The categories of data we may collect include:
Identity Data: Your first name, last name, and any professional title you choose to provide when filling out forms on our website, such as the portfolio assessment questionnaire or contact forms.
Contact Data: Your email address, telephone number, and postal address. We collect this data when you subscribe to our newsletter, register for a financial programme, submit an enquiry through our contact form, or request a portfolio consultation.
Technical Data: Your Internet Protocol (IP) address, browser type and version, operating system, device type, screen resolution, time zone setting, and browser plug-in types. This data is collected automatically when you visit our website through server logs and analytics tools.
Usage Data: Information about how you use our website, including pages visited, time spent on each page, navigation paths, click patterns, scroll depth, and the referring URL that brought you to our site. This helps us understand which content is most valuable to our visitors.
Communication Data: The content of messages you send to us through our contact form, email correspondence, or any feedback or enquiries you submit. This includes any documents or attachments you choose to share with our team.
Cookie Data: Information stored in cookies and similar tracking technologies placed on your device when you visit our website. Full details on our use of cookies are provided in Section 10 of this policy.
We do not collect any Special Categories of Personal Data about you (this includes details about your race, ethnicity, religious beliefs, political opinions, trade union membership, genetic data, biometric data, health information, or sexual orientation). We also do not collect information about criminal convictions or offences.
We use several methods to collect personal data from and about you:
Direct Interactions: You provide Identity and Contact Data directly when you fill out forms on our website, subscribe to our newsletter, request a portfolio consultation, enrol in one of our financial programmes, send us an email, or communicate with us by telephone or post. Every form on our website clearly identifies which fields are mandatory and which are optional.
Automated Technologies: As you navigate through our website, we automatically collect Technical Data and Usage Data through server logs, cookies, and similar technologies. We use Google Analytics (with IP anonymisation enabled) to understand aggregate traffic patterns and user behaviour. If you have provided consent through our cookie banner, we may also use the Meta Pixel for the purpose of measuring the effectiveness of advertising campaigns directed to our website through Meta platforms.
Server Logs: Our web hosting provider records standard server log information each time a request is made to our website. This includes your IP address, the date and time of the request, the requested URL, the HTTP response code, and the referring page. These logs are retained for security and diagnostic purposes.
We do not purchase personal data from third-party data brokers or obtain it from public registries. All personal data we hold has been provided directly by you or collected automatically through the technologies described above during your use of our website.
Under the UK GDPR, we must have a valid legal basis for processing your personal data. The legal bases we rely on are as follows:
Consent (Article 6(1)(a)): Where you have given clear consent for us to process your personal data for a specific purpose. This applies to newsletter subscriptions, marketing communications, and the placement of non-essential cookies on your device. You may withdraw your consent at any time by clicking the unsubscribe link in our emails or by contacting us directly at the email address listed in Section 13.
Legitimate Interest (Article 6(1)(f)): Where processing is necessary for our legitimate business interests, provided those interests are not overridden by your fundamental rights. This basis applies to website analytics (understanding visitor behaviour to improve our content and user experience), fraud prevention, and network security monitoring. We conduct a legitimate interest assessment for each processing activity that relies on this basis to ensure a fair balance is maintained.
Contract Performance (Article 6(1)(b)): Where processing is necessary to perform a contract we have with you, or to take steps at your request before entering into a contract. This applies when you enrol in one of our financial education programmes, request a portfolio consultation, or engage our investment strategy services. We need your Identity and Contact Data to deliver the services you have requested.
Legal Obligation (Article 6(1)(c)): Where processing is necessary to comply with a legal obligation to which we are subject. This includes maintaining financial records for tax purposes, responding to lawful requests from regulatory authorities, and complying with anti-money laundering regulations where applicable to our advisory services.
We use the personal data we collect for the following purposes:
Service Delivery: To provide you with the stock analysis, financial education programmes, investment strategy consultations, and portfolio management services you have requested. This includes sending you programme materials, scheduling consultations, delivering research reports, and processing your enrolments.
Communication: To respond to enquiries you submit through our contact form or via email, to send you service-related updates such as programme schedule changes or new research report availability, and to follow up on consultation requests you have initiated.
Marketing (with consent only): To send you our weekly newsletter containing curated stock analysis, market commentary, and educational content. We only send marketing communications to individuals who have explicitly opted in through our newsletter subscription form. Every marketing email includes a clear and functional unsubscribe mechanism.
Analytics and Improvement: To analyse aggregate usage patterns on our website so we can improve the structure, content, and functionality of our pages. We use this data to understand which research topics are most popular, how visitors navigate between sections, and where we can reduce friction in the user experience.
Security: To monitor our website for potential security threats, detect and prevent fraudulent activity, and maintain the integrity of our systems. This processing is essential to protect both our business and your personal data from unauthorised access.
Legal Compliance: To fulfil our legal and regulatory obligations, including record-keeping requirements, responding to lawful data access requests, and cooperating with regulators or law enforcement where legally compelled to do so.
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The specific retention periods we apply are as follows:
| Data Type | Retention Period |
|---|---|
| Contact form submissions | 2 years from submission |
| Newsletter subscriber data | Until unsubscription, then deleted within 30 days |
| Programme enrolment records | 6 years from programme completion (accounting obligations) |
| Portfolio consultation data | 3 years from the last consultation session |
| Website analytics data | 26 months (Google Analytics default) |
| Cookie data | 13 months maximum (see Section 10) |
| Server logs | 90 days |
Once the retention period for a given data set expires, we securely delete or anonymise the data so that it can no longer be associated with you. In some circumstances, we may anonymise your data for research or statistical purposes, in which case we may use this information indefinitely without further notice to you, as the data will no longer identify you personally.
We do not sell, rent, or trade your personal data to any third party. We share personal data only with the following categories of recipients, and only to the extent necessary for the stated purposes:
Hosting Provider: Our website is hosted on secure servers provided by a reputable hosting company based in the United Kingdom. They process Technical Data and server logs on our behalf under a data processing agreement that requires them to protect your data in accordance with the UK GDPR.
Analytics Provider: We use Google Analytics (operated by Google LLC) with IP anonymisation enabled to collect aggregate Usage Data. Google processes this data as a data processor on our behalf. You can learn more about how Google handles data by visiting Google's privacy documentation.
Email Service Provider: Our newsletter and service-related emails are sent through a third-party email delivery platform. This provider processes your email address and first name solely for the purpose of delivering emails on our behalf, under a data processing agreement compliant with UK GDPR requirements.
Payment Processor: If you purchase a financial education programme or paid consultation service, your payment is handled by a PCI DSS-compliant payment processor. We do not store your full credit or debit card details on our servers. The payment processor receives only the data necessary to process the transaction and verify your identity for fraud prevention.
Professional Advisors: We may share your data with our legal advisors, accountants, or auditors where necessary for the management of our business, legal claims, or regulatory compliance.
Regulatory and Law Enforcement Bodies: We may be required to disclose your personal data to regulators, courts, or law enforcement authorities if compelled to do so by law, by a court order, or in connection with any legal proceedings.
Some of the third-party service providers we work with are based outside the United Kingdom and the European Economic Area (EEA). Specifically, Google LLC (our analytics provider) is based in the United States.
When personal data is transferred outside the UK, we ensure that appropriate safeguards are in place to protect your data to the standard required by the UK GDPR. These safeguards include:
Adequacy Decisions: Where the UK Secretary of State has determined that a country provides an adequate level of data protection, we may transfer data to recipients in that country without additional safeguards.
Standard Contractual Clauses (SCCs): For transfers to countries that do not benefit from an adequacy decision, we use the International Data Transfer Agreement (IDTA) or the Addendum to the EU Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO). These contractual clauses impose obligations on the data recipient to protect your data and provide you with enforceable rights.
You may request a copy of the specific safeguards we have in place for international data transfers by contacting our privacy team using the details in Section 13.
Under the UK GDPR, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain conditions and exemptions as set out in the legislation:
Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how and why we process it. We will provide this information free of charge within one month of receiving your verified request.
Right to Rectification (Article 16): You have the right to request that we correct any inaccurate personal data or complete any incomplete personal data we hold about you. We will make corrections promptly upon verification of the correct information.
Right to Erasure (Article 17): You have the right to request that we delete your personal data in certain circumstances, such as when the data is no longer necessary for the purpose it was collected, when you withdraw consent, or when you object to processing based on legitimate interests and there are no overriding legitimate grounds for the processing.
Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, for example where you contest the accuracy of the data or where you have objected to processing pending verification of our legitimate grounds.
Right to Data Portability (Article 20): Where we process your personal data based on consent or contract performance, and the processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request that we transmit it directly to another data controller where technically feasible.
Right to Object (Article 21): You have the right to object to processing of your personal data where we rely on legitimate interests as the legal basis, including any profiling based on legitimate interests. You also have an absolute right to object to direct marketing at any time.
Right to Withdraw Consent: Where we process your data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of any processing carried out before the withdrawal.
To exercise any of these rights, please contact our privacy team at [email protected] or write to us at the postal address listed in Section 13. We will respond to your request within one calendar month. In complex cases, we may extend this period by an additional two months, and we will inform you of any extension within the first month.
Right to Lodge a Complaint: If you believe that we have not handled your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection. The ICO can be contacted at ico.org.uk or by telephone at 0303 123 1113.
Our website and services are not directed at individuals under the age of 16. We do not knowingly collect, solicit, or process personal data from children under 16 years of age. Our financial education programmes, stock analysis reports, and investment strategy consultations are designed for adults who are legally capable of making investment decisions.
If we become aware that we have inadvertently collected personal data from a child under 16 without appropriate parental or guardian consent, we will take immediate steps to delete that data from our systems. If you believe that a child under 16 has provided personal data to us, please contact us immediately at [email protected] so that we can investigate and take corrective action.
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or business operations. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you by email or by displaying a prominent notice on our website.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data. Minor changes, such as clarifications or formatting adjustments, may be made without specific notification. However, any change that materially affects your rights or the way we process your data will be communicated to active newsletter subscribers and service users at least 14 days before the changes take effect.
Your continued use of our website or services after the effective date of any updated Privacy Policy constitutes your acknowledgement of the changes. If you disagree with the updated terms, you should discontinue use of our services and contact us to request deletion of your personal data.
If you have any questions about this Privacy Policy, wish to exercise any of your data protection rights, or need to report a data protection concern, please contact us through any of the following methods:
We aim to respond to all privacy-related enquiries within 5 working days and to fulfil formal data subject access requests within one calendar month, as required by the UK GDPR. If your enquiry is urgent or involves a potential data breach, please indicate this in the subject line of your email so we can prioritise your request accordingly.
Our privacy team is available to assist you with any enquiry related to your personal data.