Privacy Policy
Last updated: January 2026
1. Introduction
Bugajski Consulting Limited (“we”, “us”, “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Given the nature of our work in security consulting and intelligence advisory, we apply particularly rigorous standards to the handling of all personal data. Our approach to data protection is informed by the same operational security principles that govern our client engagements. For further information on our approach to discretion and information handling, please refer to our Confidentiality Statement.
2. Data Controller
Bugajski Consulting Limited is the data controller responsible for your personal data.
Company: Bugajski Consulting Limited
Company Number: 16554184
Registered Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Email: [email protected]
3. Personal Data We Collect
We may collect and process the following categories of personal data:
- Identity Data: name, title, position
- Contact Data: email address, postal address, company or organisation name
- Technical Data: IP address, browser type and version, time zone setting, operating system
- Usage Data: information about how you use our website, including pages visited and navigation patterns
- Communications Data: messages you send us via our contact form or email correspondence
4. Client Engagement Data
In the course of delivering our professional services, we may process additional categories of data provided by or on behalf of our clients. This may include information relating to individuals who are subjects of due diligence investigations, risk assessments, or other intelligence-led engagements.
The processing of such data is governed by specific engagement agreements, including non-disclosure arrangements, and is subject to enhanced security controls commensurate with its sensitivity. Where special category data (as defined under Article 9 of UK GDPR) is processed, this is done only where a lawful basis and an appropriate condition for processing exist, such as the establishment, exercise, or defence of legal claims, or reasons of substantial public interest.
Client engagement data is handled on a strictly need-to-know basis. Access is limited to personnel directly involved in the relevant engagement, and all team members are bound by contractual confidentiality obligations. For further details on our information handling protocols, please see our Confidentiality Statement.
5. How We Collect Your Data
We collect personal data through:
- Direct interactions: when you submit our contact form, correspond with us by email, or provide information during consultations and engagement discussions
- Automated technologies: as you navigate our website, we may automatically collect Technical Data using strictly necessary cookies
- Client-provided materials: information furnished to us in the course of a professional engagement, subject to the terms of the governing engagement agreement
6. Legal Basis for Processing
We process your personal data on the following legal bases:
- Consent: where you have given us explicit consent to process your data for specific purposes
- Contractual necessity: where processing is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract
- Legitimate interests: where processing is necessary for our legitimate business interests, provided these do not override your fundamental rights and freedoms
- Legal obligation: where we are required by law to process your data
- Substantial public interest: in limited circumstances relating to the prevention or detection of unlawful acts, where applicable
7. How We Use Your Data
We use your personal data to:
- Respond to your enquiries and provide our professional services
- Manage our relationship with you, including engagement administration
- Conduct due diligence and risk assessments as part of our service delivery
- Improve our website, services, and security measures
- Comply with legal and regulatory requirements applicable to our operations
- Protect our legitimate business interests and the interests of our clients
- Detect and prevent fraud, money laundering, or other unlawful activity where relevant to our engagements
8. Data Sharing & Third Parties
We do not sell your personal data. We may share your data with:
- Vetted service providers: who assist us in operating our website and delivering services, bound by strict confidentiality agreements and subject to security vetting commensurate with their access level
- Professional advisers: including lawyers, auditors, and accountants where necessary, subject to professional duties of confidentiality
- Specialist subcontractors: engaged on a need-to-know basis for specific engagement tasks, bound by equivalent confidentiality and data protection obligations
- Regulatory authorities: where required by law or in response to lawful requests from public authorities
All third parties with access to personal data are subject to thorough due diligence, contractual data protection obligations, and access controls aligned with the sensitivity of the data concerned.
9. International Transfers
Bugajski Consulting maintains representative offices in Casablanca and Geneva. Your personal data may be transferred to, and processed in, countries outside the United Kingdom in connection with our operations.
When we transfer your data outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the Information Commissioner’s Office, UK adequacy regulations, or other lawful transfer mechanisms, to protect your data in accordance with this Privacy Policy.
10. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. Contact form submissions are retained for up to 3 years unless you request earlier deletion.
To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process your data, and applicable legal requirements. Client engagement data is retained and destroyed in accordance with the terms set out in the governing engagement agreement and our Confidentiality Statement.
11. Data Security
We have implemented technical and organisational security measures that reflect both regulatory requirements and the operational security standards expected of a firm operating in the security and intelligence sector. These measures include:
- Encryption of data in transit and at rest
- Role-based access controls operating on a strict need-to-know basis
- Regular security assessments and vulnerability testing
- Personnel vetting and ongoing security awareness training
- Secure destruction protocols for data no longer required
- Incident response procedures aligned with regulatory and operational requirements
No method of transmission over the Internet is completely secure, and we cannot guarantee absolute security. However, we continuously review and enhance our security measures to address evolving threats.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Information Commissioner’s Office without undue delay, and where feasible, within 72 hours of becoming aware of the breach.
Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, providing you with information about the nature of the breach and the measures taken or proposed to address it.
13. Automated Decision-Making & Profiling
We do not use automated decision-making or profiling processes that produce legal effects or similarly significantly affect you. All assessments, analyses, and recommendations delivered by Bugajski Consulting are produced by qualified professionals exercising informed human judgement.
14. Your Rights
Under UK GDPR, you have the following rights:
- Right of access: to obtain a copy of your personal data
- Right to rectification: to correct inaccurate or incomplete data
- Right to erasure: to request deletion of your data in certain circumstances
- Right to restrict processing: to limit how we use your data
- Right to data portability: to receive your data in a structured, machine-readable format
- Right to object: to object to processing based on legitimate interests
- Right to withdraw consent: where processing is based on consent, at any time
To exercise any of these rights, please contact us at [email protected]. We will respond within one month. In certain circumstances, we may need to verify your identity before processing your request.
15. Cookies
Our website uses strictly necessary cookies to ensure proper functionality. For detailed information about the cookies we use and your choices regarding cookies, please see our Cookie Policy.
16. Children’s Data
Our website and services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete that information as soon as practicable.
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational circumstances. Any changes will be posted on this page with an updated revision date. We encourage you to review this policy periodically to stay informed about how we protect your data.
18. Complaints
If you have concerns about how we handle your personal data, please contact us first at [email protected]. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues:
Website: ico.org.uk
Telephone: 0303 123 1113
19. Contact Us
For any questions about this Privacy Policy or our data practices, please contact us:
Email: [email protected]
Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ