Skip to main content

Privacy Policy

This privacy policy sets out how we collect and use personal information about you (“personal data”), in accordance with:

(i) national implementing laws, regulations and secondary legislation in the UK, including the Data Protection Act 2018 (which implemented the UK version of the General Data Protection Regulation (GDPR) 2018); and

(ii) the EU version of the General Data Protection Regulation (where applicable).

These are referred to, throughout this privacy policy, as the “Data Protection Legislation”.

We wish to be as open and transparent as possible about how we collect, process and use personal data, so please read this privacy policy carefully to understand our practices regarding your personal data and how we will treat it.

By using our website, products and services and/or otherwise providing us with personal data you agree that this privacy policy will apply to you.

Please note that we may change this privacy policy by updating these pages so do check back from time to time for the most current version. This privacy policy was last updated on February 8th 2024.


  1. About us
  2. Our legal grounds for processing your Personal Data
  3. Your individual rights
  4. Information Collection, Use and Storage
  5. Sharing personal information
  6. Marketing
  7. Contacting you
  8. How to contact us
  9. How to contact the appropriate authority


1.1. Hart Square Consulting Limited (“we”, “us”, “our” and “ours”) is a provider of consultancy services in the non-profit sector. We are registered in England and Wales under company number 15301843 and our registered office is at Solo House The Courtyard, London Road, Horsham, West Sussex RH12 1AT.

1.2. For the purpose of the Data Protection Legislation and this privacy policy, when:

1.2.1. we have a direct contract with you for our products and services or where you provide your personal data directly to us (in circumstances where we are not acting on behalf of someone else) for example, through use of our website, we will normally be considered to be a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you.

1.2.2. where we have a contract with someone else instead of directly with you, for example a contract under which we provide that business with our products and services and, in connection with that contract, they provide us with your personal data (typically this will be a contract with another business – perhaps your employer, a membership organisation or another company which is providing our products or services to you or using them to deliver their products and services to you), we will normally be considered to be a “data processor”. In these circumstances, the other business will be the “data controller” and it will be responsible for deciding how we hold and use personal data about you. Our use of your personal data is governed by the terms of that contract.

1.3. Regardless of whether we are a data controller or a data processor, we take your privacy very seriously. We have appointed a person who is specifically responsible for assisting with any enquiries you may have in relation to this privacy policy or our treatment of your personal data. Their contact details are set out in section 8 of this privacy policy.

1.4. We have also, for the purposes of Article 27 of the EU GDPR, appointed an EU Representative. Their contact details are set out in section 8 of this privacy policy.


2.1. Where we are acting as a data controller:

2.1.1. we may process your personal data to enable us to comply with any instructions you give to us or any obligations we owe to you including enabling us to perform a contract with you or to comply with our legal obligations.

2.1.2. we may also process your personal data for the purposes of our own legitimate interests (provided that those interests do not override any of your own interests, rights and freedoms which require the protection of personal data).

This includes processing for statistical, management and business development purposes, for example seeking your thoughts and opinions on the services we provide to you and notifying you about any changes to our products and services. It may also include processing for marketing purposes, such as providing you with information related to any our products or services which we think may interest you (subject to your rights set out in section 3).

2.1.3. we may also process your personal data for other purposes but (unless this is in circumstances where the reason for doing so is compatible with the original purpose or we have other lawful grounds for doing so) this will usually only happen where we have obtained your specific consent. If that is the case, then you also have the right to withdraw your consent, which you can do by contacting us in writing at the address set out in section 8.

2.1.4. Please note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

2.2. Where we are acting as a data processor:

2.2.1. the business that has provided your personal information to us is itself responsible for ensuring that it has lawful grounds to do so and for providing us with instructions as to the specific types of personal data we are permitted to process; and

2.2.2. the ground(s) upon which that business is entitled to process your personal data is determined by them not us (and may vary from organisation to organisation); and

2.2.3. unless Data Protection Legislation requires or permits otherwise, we will process that personal data only in accordance with their instructions and for the purposes of enabling us to perform our obligations under our contract with them.


Access to information

3.1. We want to make sure that you are fully aware of your data protection rights. These are set out in summary form in sections 3.5 – 3.13 below and apply to us in our role as a data controller. You can also obtain more detailed information about your rights under the Data Protection Legislation from the Information Commissioner’s office by clicking on this link – Our contact details for the purposes of requesting access to your personal data or exercising any of your other data protection rights are in section 8.

3.2. Please note that, in order to comply with any request, we may first require you to verify your identity and we will normally fulfil any request by sending information electronically, unless the request expressly specifies a different method. We will not charge a fee for responding to your request, other than in circumstances where you make a request which is manifestly unfounded or excessive or you request further copies of information which we have already provided to you. In that case, we are entitled to charge a reasonable administrative fee.

3.3. Please also note that, where we are acting as a data processor, we will not be responsible for answering your request ourselves but will pass it onto the business organisation that provided us with your personal data (in their role as data controller) so that they may then determine how best to respond to it.

Timescales for responding

3.4. If you make a request of us (in our role as a data controller), we will normally have one month to respond to you. If we need something from you to be able to deal with your request (e.g. an ID document), the time limit will begin once we have received this. This time limit may also be extended in certain circumstances so, if there is any reason why our response to you might take longer than a month, we will let you know.

Summary of your rights

3.5. Withdrawal of consent – where our legal ground for processing your personal data is based upon you having given us your consent to do so, you have the right, at any time, to withdraw that consent (please see section 2.1.3 above). Please note that this will not affect the lawfulness of any processing carried out before you withdraw your consent.

3.6. Right to be informed – you are entitled to be provided with information about certain matters relating to the processing of your personal data and for that information to be provided within certain timescales. This privacy policy already provides you with much of that information.

3.7. Right of access – you have the right to obtain:

3.7.1. confirmation that your personal data is being processed;

3.7.2. access to your personal data.

3.8. Right to rectification – you are entitled to have your personal data rectified if it is inaccurate or incomplete.

3.9. Right to erasure – (sometimes referred to as ‘the right to be forgotten’). The broad principle underpinning this right is to enable you to request the deletion or removal of your personal data whether there is no compelling reason for its continued processing.

3.10. Right to restrict processing – you are entitled to restrict the processing of your personal data if:

3.10.1. you are contesting the accuracy of the personal data (until the accuracy has been verified);

3.10.2. you object to the processing, in circumstances where the processing was necessary for the performance of a public interest task or on the grounds of our or someone else’s legitimate interests (whilst we consider whether those legitimate grounds override your interests).

3.10.3. the processing is unlawful but you have decided not to have it erased but requested restriction instead.

3.10.4. if we no longer need the personal data but still have it and you require it to establish, exercise or defend a legal claim.

3.11. Right to data portability – in certain limited circumstances, you are able to obtain and reuse your personal data for your own purposes across different services by being allowed to move, copy or transfer personal data easily from one IT environment to another.

3.12. Right to object – you are entitled to object to:

3.12.1. processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);

3.12.2. direct marketing (including profiling); and

3.12.3. processing for purposes of scientific/historical research and statistics.

3.13. Rights relating to automated decision-making and profiling – these rights don’t apply to all circumstances but, where they do apply, they effectively provide you with safeguards against the risk that a potentially damaging decision is taken solely using or supported by automated means, without human intervention.


Information collection

4.1. If you contact us, we will keep a record of that correspondence.

4.2. We may also collect and process personal data that you provide by filling in forms or making requests for information on our website. This includes information provided at the time of registering to use our website, requesting information from us or subscribing to any of our services. It also includes material contributed through any interactive service, including information that you (or someone authorised by you on your behalf) input into our products and services.

Please also note that it is your responsibility (irrespective of whether you are acting as an individual or a business user of our products and services) to always ensure that when you provide us with any personal data relating to any third party, that third party has given their prior consent (or you have other lawful grounds) to enable you to do so.

Any personally identifiable information you elect to make publicly available on our website (e.g. posting comments on a blog page, if that type of facility is available for your use) will be visible to others.

4.3. As mentioned previously, we may (in our role as a data processor) be provided with information about you from another business or collect information about you or from you on their behalf.

4.4. We also use public sources of personal data such as professional registration lists and other publicly available information linked to individuals and their organisation (for example website and IP addresses and any connected social media accounts as well as information from Companies House and the electoral register).

4.5. It is important that the personal information we hold about you is as accurate and up to date as possible so, should your personal information change, please notify us of that change, in writing, as soon as possible.

4.6. Please note that personal data which has been anonymised or changed in such a way that it can no longer be associated with you will usually lose its status as “personal data”. If that happens, the data will not be covered by this privacy policy and we may use it for any purpose.

Use of Cookies, web/analytics tools and links to other Websites

4.7. When you visit our website, we may collect information from you automatically through cookies or other similar technology. Cookies are small text files that may be placed on your computer when you visit a website or click on a URL. Cookies (and other similar technologies) may collect your IP address, support security and authentication services, gather information from visitors to websites such as pages visited and how often they are visited and also enable certain features on the website. Cookies may include “single-session cookies” which generally record information during only a single visit to our website and then are erased, and “persistent” cookies, which are generally stored on your computer or other device unless or until they are deleted or are set to expire. We may use our own cookies or third party cookies.

4.8. We may also use various web/analytics tools to understand how our website is being used in order to improve user experience (such as web beacons, which are a technique delivered through a web browser or in an email, to unobtrusively – an usually invisibly – check that a user has accessed some content and/or track the journey of the user navigating through the website or a series of websites) as well as tools to provide us with statistics relating to the use of our

4.9. Please see our cookie policy – here – for further information about the types of cookies and other similar technology we use, what your options are in respect of each type, and the impact of exercising those options.

More information about what cookies are and how to delete or block them can be found here:

(please note that, because the management of cookies differs as between different browsers, you should consult the documentation of your own browser in order to manage your cookies).

Please also note that if you delete or block cookies which are necessary to enable our website to carry out certain functions, this may cause you to be unable to use all or part of our website and/or services.

4.10. Our website may also contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, please note that we do not accept any responsibility for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by our privacy policy. Always exercise caution and check the privacy statement applicable to the website in question.

The types of information we hold about you

4.11. When we are acting as a data controller, the information we hold about you may include the following:

4.11.1. your personal details (such as your name, address, email address, landline and/or mobile phone number(s));

4.11.2. details of any contact we have had with you (for example, when you make an enquiry of us or we provide you with a quote for our products or services);

4.11.3. details of any products or services provided to you, as well as any associated payment-related information;

4.11.4. IP addresses, tracking and/or other cookie data [and/or data collected via our mobile app (if any)] (please see our cookies policy [and our mobile app policy]); and, of course,

4.11.5. any information you input into our products and services.

4.12. When we are acting as a data processor, the information we hold may include the following:

4.12.1. your business contact details and/or the business contact details of your customers or other end users (such as name, job title, address, email address, landline and/or mobile phone number(s));

4.12.2. details of any contact we have had with you (for example, when you make an enquiry of us or we provide you with a quote for our products or services);

4.12.3. details of any products or services provided to you, as well as any associated payment-related information;

4.12.4. all of the various types of personal data which (irrespective of whether you are acting as a data controller or a data processor) you have expressly or implicitly (taking into account the nature of the products and services we are providing to you) authorised us to process under any contract between you and us;

4.12.5. IP addresses, tracking and/or other cookie data please see our cookies policy and, of course,

4.12.6. any information you input into our products and services.

4.13. We also collect, store and process data which may not be directly about you but relates to your use of our products and services. We typically use this for statistical, research, business and product development purposes.

How long do we hold personal data for?

4.14. Where we are acting as a data controller, we will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected. Normally this will result in personal data being deleted from our systems no later than 12 months from the date it was last processed (other than to the extent that we need to retain it for the purposes of complying with our legal or contractual obligations including those relating to our statutory and regulatory obligations and our financial, business and tax affairs).

4.15. In assessing whether any longer retention period is appropriate for your personal data, we take into consideration:

4.15.1. the purposes for which we originally collected the personal data;

4.15.2. the lawful grounds on which we based our processing;

4.15.3. the type of personal data we have collected;

4.15.4. the amount and categories of your personal data; and

4.15.5. whether the purpose of the processing could reasonably be fulfilled by other means.

4.16. Where we are acting as a data processor, we will retain personal data for the period agreed in our contract with the business that engaged us for that purpose (unless otherwise required or permitted by the Data Protection Legislation).

4.17. Please note that, if you or we terminate any service we provide to you, then (irrespective of whether we are acting as a data controller or a data processor) we do not accept any obligation to retain any or all of the personal data provided to us in connection with or processed by that service and we may delete it from our systems at any time.

Storage and Security

4.18. Information (including personal data) collected through our website and services may be stored and processed in the UK, Europe, the United States, or any other country in which we or our subsidiaries, group companies, affiliates or service providers maintain facilities.

4.19. Regardless of where data is stored and processed, we are committed to taking all reasonable steps to ensure that your personal data is secure. In order to prevent unauthorised access or disclosure, we put in place suitable technological, physical, electronic and managerial procedures to safeguard and secure all personal data stored and processed by us. We also ensure that any subcontractor or other service provider which we engage to support our business activities or help deliver our products and services and which has access to your personal data, commits to us, in writing, to do the same.

4.20. If we transfer your personal data to any country outside of the UK for processing, please be assured that we will only do so in compliance with the Data Protection Legislation.


5.1. Where we are acting as a data processor, we will share your personal data with the business that provided your personal data to us (or authorised us to collect that data on their behalf) in the manner and to the extent set out in the contract between them and us. That business may be the data controller of your personal data or it may be another data processor interposed between the data controller and us.

5.2. Regardless of whether we are acting as a data processor or a data controller, we may need to share your personal data from time to time with other organisations, typically those which provide services to us in support of our business activities and/or delivery of the products and services which we provide to you. This may include third parties such as technology service providers, third party subcontractors, payment service providers and businesses that help us manage our customer relationships and marketing activities. If this is the case, we will do in accordance with the protections that are afforded to you under the Data Protection Legislation and we will always ensure that we have a written contract in place with them before we allow them access to your personal data or provide your personal data to them.

5.3. We may also share your personal data with other members of our group of companies for financial, management or administrative purposes.

5.4. We may share your personal data with third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. If this kind of change happens then (unless they are legally entitled to do otherwise or you agree something different with them) the new owners of that business or assets may use your personal data in the same way as set out in this privacy policy. Alternatively, we may seek to acquire other businesses or merge with them. If this kind of change happens then (unless we are legally entitled to do otherwise or you agree something different with us) we may use the personal data that you provided to them in the same way as set out in their privacy policy [and also this privacy policy].

5.5. Other than as set out above, we do not rent, sell or distribute your personally identifiable information to third parties unless we have your permission or are required or permitted by law to do so.


6.1. We would like to send you information about our products and services from time to time as well as announcements, articles and press releases that we think you might like (including those of our group companies).

6.2. We may engage marketing companies to help us do this and we may use our (and their) software tools to help us track your engagement with us and monitor our marketing campaigns.

6.3. In some circumstances we may have a legal right to send you marketing material, in others you may have given us your consent to do so. Either way, you always have the right, at any time, to stop us from contacting you for marketing purposes or to stop us passing your personal data to third parties for marketing purposes (assuming you have previously given your consent to us to that). You can do this by opting out from our marketing emails at any time by clicking on ‘unsubscribe’ or by simply contacting us (see section 8) in writing.


7.1. If we wish to contact you we may do so by phone, email, text, fax or post.

7.2. If you have notified us of a preferred method of communication, we will always try to comply with that. Please let us know if we don’t so that we can then check and, where necessary, update our records.


UK and non-EEA enquiries

8.1. If you are based in the UK or outside of the EEA and have any questions about our privacy policy, the data we hold about you, or you would like to exercise one of your data protection rights (including opting out of marketing communications), please do not hesitate to contact us.
Email us at:
Call us: +44 344 567 8790
Write to us at: Data Protection Officer, Hart Square Consulting Limited, Scott House, Waterloo, London SE1 7LY

EEA enquiries:

8.2. As a result of the UK leaving the EU, there are circumstances where the EU GDPR requires us to have an EU Representative to act as a point of contact to:
8.2.1. facilitate the exercise of data subjects’ rights within the EEA; and
8.2.2. co-operate with the competent supervisory authorities in respect of any action, investigation or claim under the EU GDPR.
8.3. To that end, we have appointed an EU Representative, which is Portrilio Solutions, part of Trillium Limited, which is a member of the ClearCourse Partnership LLP group of companies. If you wish to contact them (instead of us directly) they can be contacted as follows:
Email us at:

Call us: +351 21 122 6881
Write to us at: Portrilio Solutions, Rua Julio Dinis, Centro Empresarial Sala 402, n561, 4 4050-460 Porto.

8.4. We always work hard to treat our customers fairly and hope that you will not experience any reason to make a complaint about the way in which we have collected, stored or processed any of your personal data. However, if you do wish to make a complaint please always contact us, in the first instance, and we will endeavour to resolve the matter as quickly as we can.


UK and non-EEA enquiries:

9.1. If you are based in the UK or outside of the EEA and wish to report a complaint or if you feel that we have not addressed a concern that you may have about our data processing activities in a satisfactory manner, you may contact the Information Commissioner’s Office.
Phone number: 0303 123 1113

EEA Enquiries:

9.2. If you are based within the EEA and wish to report a complaint or if you feel that we have not addressed a concern that you may have about our data processing activities in a satisfactory manner, you may contact your local Supervisory Authority (who may then contact our EU Representative).