Privacy Policy
Last update: June 2026
1. About this Privacy Policy
This Privacy Policy explains how Hawthorn Advisors Group ('we', 'us', 'our') collects, uses, shares and protects personal data when you interact with us, whether as a client, prospective client, supplier, job applicant, or other individual. It also sets out your legal rights and how you can exercise them.
We are committed to handling your personal data lawfully, fairly and transparently, in compliance with applicable data protection laws, including primarily:
- the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018;
- where applicable, the EU General Data Protection Regulation (EU GDPR) in respect of data subjects located in the European Economic Area.
For individuals located in the European Economic Area (EEA), or the United Arab Emirates, see Appendix A at the end of this Policy. Where different technical definitions are used under the local laws of those jurisdictions, this Policy shall be read as meaning the equivalent term under the relevant local law.
This Policy should be read alongside any other privacy information we provide at the point of data collection (for example, our Candidate Privacy Notice or any Client Engagement Letters or services agreements).
2. Who we are (Controller)
The following entities act as controllers in respect of your personal data.
The lead controller for UK-based processing is:
Entity name: Hawthorn Advisors Limited
Registered address: Fifth Floor, Partnership House, Carlisle Place, London, United Kingdom, SW1P 1BX
Company number: 08355056
ICO registration number: ZA711906
For our Middle East operations, we operate through:
Entity name: Hawthorn Advisors Limited
Registered address: Office 2902, Floor 29, Sky Tower, Al Reem Island, Abu Dhabi, UAE
Company number: 29327
Email: info@hawthornadvisors.com - please include “Privacy” in the subject line for any queries regarding this policy and for rights requests.
Any other international operations are run centrally via Hawthorn Advisors Limited in the UK.
Each entity is an independent controller in respect of personal data processed in connection with its own operations and client relationships. Where we share data between group entities, we do so under appropriate intra-group data sharing arrangements.
3. Personal data we collect
The categories of personal data we collect depend on your relationship with us. These may include:
3.1 Clients and Prospective Clients
Hawthorn works with a range of corporates and high-profile individuals. In the course of our work, we also may collect information relating to counterparties and other relevant individuals.
- Identity data: full name, job title, employer, professional biography
- Contact data: business and personal email addresses, telephone numbers, business and home addresses
- Financial and commercial data: billing information, company registration details, information about your legal or regulatory matters
- Sensitive or confidential business information: commercially sensitive, market-sensitive or embargoed information disclosed to us in the course of providing services
- Special categories of personal data: in limited circumstances, we may process data that reveals political opinions, health information or other special category data where this is relevant to the communications or litigation advice we are providing, or to special adjustments we may need to make if you have a disability or dietary requirements for an event. We will always seek your explicit consent or rely on another specific legal basis in these cases.
- Communications data: records of calls, emails, meetings, correspondence and instructions, and occasionally account credentials for individuals whose communications we have been authorised to manage as part of our services
- Due diligence information: for AML/KYC purposes, identity documents, source of funds information, PEP and sanctions screening results
3.2 Suppliers and Professional Contacts
- Identity and contact data (name, role, business address, email, phone)
- Financial data (bank account details for payment purposes)
- Professional information and correspondence
3.3 Job Applicants
Employee and applicant data is addressed in more detail in our separate Employee Privacy Policy and Candidate Privacy Notice.
3.4 Website Visitors
- Technical data: IP address, browser type and version, operating system
- Usage data: pages visited, time spent, referring URLs
- Contact form submissions
Please refer to our Cookie Policy for further information about how we use cookies and similar technologies.
4. How we collect personal data
We collect personal data:
- directly from you - such as when you make an enquiry, engage our services, apply for a role, connect with us at an event or correspond with us;
- from your employer or authorised representatives - such as where a corporate client engages our services;
- from third parties - including publicly available sources, professional networking platforms (including when you engage with our content-led lead generation campaigns on LinkedIn), introducers, recruitment agencies, and background screening providers;
- automatically - through our website and IT systems (including cookies, server logs and security monitoring tools); and
- via publicly available sources - including Companies House, court records, professional registers, news and online media, website search engine and LLM search content.
5. How we use your personal data (Purposes and Legal Bases)
Under UK GDPR (and EU GDPR where applicable), we must have a lawful basis for each use of your personal data. The table below sets out the main purposes for which we process personal data and the legal basis we rely upon.
| Purpose | Categories of data | Lawful basis (UK/EU GDPR) |
| Providing communications, crisis management, litigation support and advisory services to clients | Identity, contact, observed data, business and matter data (which may include political opinions and other more sensitive data). This data may relate to clients, counterparties and other relevant individuals. | Art. 6(1)(b) - performance of contract; Art. 6(1)(f) - legitimate interests (provision of professional services / protection of our clients’ interests) |
| Related media, social media, search and generative engine monitoring | Identity | Art. 6(1)(b) - performance of contract; Art. 6(1)(f) - legitimate interests (provision of professional services / protection of our clients’ interests) |
| Client onboarding, KYC and anti-money laundering compliance | Identity, financial and due diligence data. This data may relate to clients, counterparties and other relevant individuals. | Art. 6(1)(c) - legal obligation |
| Managing client accounts, invoicing and payment; debt collection | Identity, contact, financial data | Art. 6(1)(b) - performance of contract; Art. 6(1)(f) - legitimate interests (protection of business interests); Art. 6(1)(c) - legal obligation (protection of legal interests) |
| New business development and marketing communications (to existing and prospective clients, including via LinkedIn content-led lead generation) | Identity and contact data | Art. 6(1)(f) - legitimate interests; where required, consent (Art. 6(1)(a)) |
| Recruitment and hiring | Identity, contact, employment history, right to work | Art. 6(1)(b) - steps prior to contract; Art. 6(1)(c) - legal obligation |
| Compliance with legal, regulatory and court obligations | All relevant categories | Art. 6(1)(c) - legal obligation |
| Website analytics and improving our services | Technical and usage data | Consent (where required by PECR); Art. 6(1)(f) - legitimate interests |
| Supply chain management | Identity, financial and due diligence data | Art. 6(1)(b) - performance of contract; Art. 6(1)(f) - legitimate interests (supply chain management) |
| Administration and business administration, including for insurance coverage and professional advice | All relevant categories | Art. 6(1)(f) - legitimate interests (effective management and protection of business interests); Art. 6(1)(c) - legal obligation (protection of legal interests) |
| Gifting, events, couriers and travel bookings | Identity, contact and address data | Art. 6(1)(f) — legitimate interests |
Where we rely on legitimate interests as our lawful basis, we carry out a balancing test to ensure that our interests are not overridden by your rights and interests.
Where we process special category data, we will additionally rely on an Article 9 condition, most commonly:
- processing necessary for the establishment, exercise or defence of legal claims (Art. 9(2)(f)); or
- explicit consent (Art. 9(2)(a)).
6. Sharing your personal data - Third-party suppliers and partners
We share personal data with trusted third-party suppliers and service providers to the extent necessary to deliver our services and run our business. All third parties with whom we share personal data are required to handle it securely and in compliance with applicable data protection law and are subject to contractual data processing or data sharing agreements.
The key categories of third-party systems and services we use include:
- IT infrastructure, user accounts, hardware, tenant management, cybersecurity services
- Website build and maintenance services
- Internal communications and client work collaboration tools
- Core productivity, communications and document management tools (with AI-assisted features)
- AI drafting, summarisation, document analysis and research tools
- Cloud accounting software
- Payment processing and invoice and receipt capture (cloud) tools
- Social networks, e.g. LinkedIn - company page, job listings, business networking, content-led lead generation
- Web search engines and LLM search
- Enterprise social media, media and LLM monitoring and sentiment analysis tools
- Journalists
- Taxis, document and item courier services
- Postal services (for gifting and documentation)
- Video conferencing and webinars
- Client and staff gifting
- Design and document creation tools (including AI features)
- Designers, printers and events companies / venues
We may also share personal data with:
- professional advisers (lawyers, accountants, auditors) where necessary for legal, compliance or financial purposes;
- regulatory and law enforcement authorities where required by law or regulation;
- courts, tribunals and arbitration bodies in connection with legal proceedings;
- potential buyers or sellers in connection with a business sale, merger or restructuring; and
- other group entities (see Section 2) for operational and service delivery purposes.
We do not sell personal data to third parties, and we do not share personal data for third-party direct marketing purposes without your consent.
7. Legal, regulatory and compliance disclosure
Due to the nature of our business activities, we may be required or permitted by law to disclose personal data to:
- the Financial Conduct Authority (FCA), the Solicitors Regulation Authority (SRA) or other professional regulators;
- HMRC and other tax authorities;
- the National Crime Agency, law enforcement and intelligence agencies in connection with legal or regulatory obligations;
- courts and legal proceedings (including as part of disclosure obligations in litigation);
- Companies House and other public registers; and
- overseas regulators and authorities where our New York and Abu Dhabi operations require compliance with local legal obligations.
Where possible, we will notify you of any such disclosure unless we are legally prohibited from doing so or this would undermine the purpose for which we are processing the data.
8. International transfers of personal data
8.1 Transfers from the UK
As a UK-headquartered business, many of our transfers of personal data outside the UK arise from our use of cloud-based software and AI tools operated by US-based providers (see Section 7). We also have operations in Abu Dhabi, to which personal data may be transferred if relevant.
When transferring personal data outside the UK, we rely on one of the following mechanisms:
- adequacy regulations - where the UK Government has determined that the destination country provides an adequate level of protection;
- International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs) together with the UK Addendum to these; or
- binding corporate rules or other approved transfer mechanisms.
8.2 Transfers from the UK to the US
Several of our key software platform providers are based in the United States (including Microsoft, Anthropic and others). We rely on the UK extension to the EU-US Data Protection Framework or IDTAs or the UK Addendum to EU SCCs as the transfer mechanism for these transfers.
8.3 Transfers to and from our Abu Dhabi Entity
Our Abu Dhabi entity is based in the Abu Dhabi Global Market (ADGM) and is subject to the ADGM Data Protection Regulations 2021. Transfers of personal data between the UK entity and the Abu Dhabi entity are governed by an intra-group data transfer agreement.
8.4 Transfers in Connection with Client Services
We may transfer personal data internationally where client matters require it, for example, where a client engagement involves cross-border litigation, regulatory proceedings or communications in multiple jurisdictions. In such cases, transfers will be made only to the extent necessary and subject to appropriate safeguards.
9. How long we keep your personal data
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law or regulation. The key retention periods we apply are:
| Category of data | Retention period | Reason / authority |
| Client matter files, contracts and correspondence | For client matter files and correspondence, 7 years from matter close. For client contracts, 7 years from completion of contractual obligations or contract term. (In either case, longer if required by specific legal obligation) | Statutory limitation periods; professional regulatory obligations |
| Financial records | 7 years from the date of the relevant financial year (or such other period required by specific legal obligation) | Taxation and corporations law requirements |
| Marketing contact records | No more than 3 years from last contact, unless reconsented, or until opt-out (provided that suppression lists will be held for so long as needed to fulfil our legal obligations not to market to opted out users) | Regulator guidance and applicable data protection and ePrivacy laws |
| Website analytics data | As set in our Cookie Policy | Regulator guidance and applicable data protection and ePrivacy laws |
| Due diligence / KYC records | 5 years from end of client relationship | Anti-money laundering, sanctions, terrorism and persons of significant control (PSC) laws |
Following the expiry of the applicable retention period, we will securely delete or anonymise your personal data, unless we are required to retain it for longer by law or where we need to retain it in connection with actual or threatened legal proceedings or to protect or defend our legal rights.
10. Your rights
Under UK GDPR (and EU GDPR where applicable), you have a number of rights in relation to your personal data. These are summarised in the table below.
| Right | What it means |
| Right of access | The right to request a copy of the personal data we hold about you (subject access request). |
| Right to rectification | The right to ask us to correct inaccurate or incomplete personal data. |
| Right to erasure ('right to be forgotten') | The right to request deletion of your personal data in certain circumstances (e.g. where we no longer need it). Note that this right is not absolute and may be overridden by our legal obligations. |
| Right to restriction | The right to ask us to restrict processing of your data in certain circumstances. |
| Right to data portability | Where processing is based on consent or contract and carried out by automated means, the right to receive your data in a portable format. |
| Right to object | The right to object to processing based on legitimate interests or for direct marketing purposes. To object to direct marketing, follow the unsubscribe link in any marketing email, or contact us. |
| Rights re: automated decision-making | The right not to be subject to solely automated decisions that have a significant legal or similar effect. We do not carry out such decision-making. Contact us if you have concerns. |
| Right to withdraw consent | Where processing is based on consent, the right to withdraw that consent at any time. Use the unsubscribe mechanism in any communication, or contact us. |
To exercise any of the above rights, please contact us at info@hawthornadvisors.com with “Privacy” in the subject line. We will typically respond within one calendar month, unless we are entitled to an extension. We may need to verify your identity before processing your request. This service is free of charge, though we may charge a reasonable fee for manifestly unfounded or excessive requests.
11. Cookies and similar technologies
12. Direct Marketing
We may send you information about our services, insights, events and news where:
- you have given your consent; or
- you are an existing client or contact and we are marketing similar services to those you have engaged us for, and you have not opted out (the 'soft opt-in' under PECR, where applicable, and legitimate interests under applicable data protection laws); or
- you are a business contact who has not opted out from receiving marketing communications from us, on the basis of legitimate interests under applicable data protection laws.
You can opt out of marketing communications at any time by:
- clicking the 'unsubscribe' link in any marketing email;
- emailing us at info@hawthornadvisors.com with “unsubscribe” or “privacy” in the subject line; or
- writing to us at our registered address.
Opting out of marketing will not affect your receipt of service-related communications or legal notices.
13. Our use of Artificial Intelligence Tools
We use certain artificial intelligence (AI) and machine learning tools to support our work and improve the efficiency of our services. This section explains how and when AI tools may be used, in particular when this is in connection with personal data.
13.1 AI Tools Currently in Use
We currently use enterprise versions of the following AI-enabled tools:
- Microsoft 365 and Microsoft Copilot — AI-assisted productivity features integrated within our Office 365, SharePoint and Teams environment;
- Claude (Anthropic) — used for research, drafting, document analysis and communications support;
- ChatGPT (OpenAI) — used for drafting, summarisation and research assistance;
- Canva — AI-assisted design and document creation features; and
- Adobe Creative Cloud (Photoshop, Illustrator) — AI-assisted creative and image editing features.
13.2 What Data May Be Processed by AI Tools
Various aspects of our work may be supported by AI-enabled tools. It is our policy to not process highly sensitive client data (including personal data) using AI tools, including information subject to legal privilege, embargo or market sensitivity, unless these have been sufficiently anonymised or we have notified our clients of this.
13.3 Safeguards and Controls
We have implemented the following safeguards in connection with our use of AI tools:
- Staff training: all staff are trained on the appropriate and responsible use of AI tools, including restrictions on inputting confidential or personal data;
- Acceptable use policies that set out which tools may be used for which purposes, and the controls that apply;
- Data processing agreements: we have entered into (or are in the process of reviewing and entering into) data processing agreements with the providers of the AI tools we use, as required under UK GDPR;
- Microsoft Copilot: data processed within Microsoft 365 and Copilot remains within our Microsoft 365 tenant and is subject to Microsoft's enterprise data protection commitments and the Microsoft Data Processing Addendum;
- ChatGPT (OpenAI) and Claude (Anthropic): these providers encrypt all data at rest and in transit between us (Hawthorn) and them (OpenAI/Claude), as well as between them and their service providers. Under the ChatGPT Business plan and Claude for Team plan, as at the date of this Policy, OpenAI and Claude state that they do not use customer data, including prompts, uploads, and outputs, to train their models by default and we have not opted in to this;
- No autonomous AI decision-making: we do not use AI tools to make solely automated decisions that produce significant legal or similarly significant effects on individuals, without human oversight and, where required, your explicit consent.
14. How to raise a concern or complaint
14.1 Contacting Us
If you have any questions, concerns or complaints about how we handle your personal data, please contact us in the first instance:
By email: info@hawthornadvisors.com
By post: Fifth Floor, Partnership House, Carlisle Place, London, United Kingdom, SW1P 1BX
FAO: Data Protection Lead
14.2 Right to Complain to the ICO
If you are located in the UK and are not satisfied with our response, or if you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: www.ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
14.3 EU Data Subjects
If you are located in the EEA and have a complaint relating to our processing of your personal data, you may also have the right to lodge a complaint with the supervisory authority in your country of residence.
15. Changes to this privacy notice
We review and update this Privacy Policy at least once a year, and whenever our data processing activities change materially. The version number and effective date at the top of this document will be updated whenever changes are made.
Where changes are significant, we will notify you by email or by a prominent notice on our website. We encourage you to check this page periodically.
Appendix A - Additional information for specific data subjects
A.1 EEA Data Subjects - Additional Rights
Where EU GDPR applies to our processing of your data (e.g. where you are located in the EEA), in addition to the rights set out in Section 10, you have the right to:
- contact or complain to the supervisory authority in your Member State of habitual residence, place of work or the place of the alleged infringement; and
- seek an effective judicial remedy against a supervisory authority or against us where you consider your rights have been infringed.
A.2 ADGM Data Subjects - Additional Rights
Where applicable data protection and privacy laws in the Abu Dhabi Global Market (ADGM), including the ADGM Data Protection Regulations 2021 (‘ADGM Data Laws’), apply to our processing of your data (e.g. where you are located in the ADGM), instead of the rights set out in Sections 10 and 14, you have:
- broadly comparable rights to those under Section 10 – see the ADGM Data Protection Regulations 2021 for further information;
- the right to contact or complain to the ADGM Office of Data Protection, which oversees data protection compliance under the ADGM Data Protection Regulations 2021; and
- the right to claim compensation from a controller or a processor if you have suffered damage as a result of them breaking data protection law by making a claim in the ADGM courts.