Privacy Policy
Effective date: 14 May 2026. Version 1.2. How Ambrose and Bell Limited collects, uses, and protects personal data.
1. Who we are
This privacy policy is issued by Ambrose and Bell Limited ("Ambrose and Bell", "we", "us", "our"). Ambrose and Bell Limited is a company registered in England and Wales.
| Company number | 14451928 |
|---|---|
| VAT number | GB 455 3504 96 |
| Registered office | 167-169 Great Portland Street, 5th Floor, London W1W 5PF |
| info@ambrosebell.com | |
| Telephone | +44 203 996 9671 |
Ambrose and Bell Limited is the controller of personal data processed in connection with this website and our professional services. We are not currently required to register a Data Protection Officer with the Information Commissioner's Office (ICO), but we operate as if we were one for the purposes of accountability. Our point of contact for any data protection matter is info@ambrosebell.com, marked for the attention of the Data Protection Lead.
This policy explains what personal data we collect through ambrosebell.com, why we collect it, what we do with it, and what rights you have. It is written to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. The site at a glance
ambrosebell.com is a brochure website with a single contact form. It exists so that prospective clients, partners, candidates and members of our network can read about our advisory work and contact us directly. The site does not host an account area, a member portal, an e-commerce checkout or a digital download library.
In practical terms this means we collect very little personal data through the site itself. The only data submitted directly through the site is what you choose to send us via the contact form at /contact/ (described in section 3.1). Most personal data we hold about you, if we hold any, will have been provided by you in correspondence (typically email or LinkedIn) or, in a B2B prospecting context, sourced from professional data providers in the manner described in section 5.
3. What personal data we collect via this site
3.1 Data you give us directly
If you contact us using the email address or telephone number published on the site, we will hold the following:
- your name (if you provide it)
- your email address or telephone number
- your employer or professional context (if you provide it)
- the content of your message and any subsequent correspondence
We also operate a contact form at /contact/. If you submit the form, the following fields are collected:
- first name (required)
- last name (required)
- email address (required)
- the content of your message (required, freetext)
The contact form is the only data-collection mechanism on the site. We do not operate a booking widget, a newsletter sign-up or any account-creation flow. If we add any of these features in future we will update this policy and clearly describe the additional data collected at the point of collection.
The form includes a hidden anti-spam field (a "honeypot") which is not visible to ordinary users and is not a cookie. If a submission completes that hidden field (which only automated scripts typically do) the submission is silently rejected and no data from it is retained.
Contact form submissions are not stored in any database. They are transmitted, by email, to info@ambrosebell.com via the processors named in section 6, and from that point onwards they are handled as ordinary inbound correspondence (see section 8 on retention).
3.2 Data collected automatically when you visit the site
When you visit ambrosebell.com our hosting provider records standard server log information, which may include:
- your IP address (truncated where supported)
- your browser type and version
- the pages you viewed and the time of your visit
- the referring URL (if any)
This information is processed for the limited purpose of operating the website securely, debugging errors and protecting against abuse.
3.3 Cookies and similar technologies
The site uses a small number of strictly necessary cookies set by our hosting provider (Cloudflare) for bot management and platform security. We do not set any analytics, advertising, marketing or functional cookies. Because no non-essential cookies are set, the site does not display a cookie consent banner. The full list of cookies that may be set, with names, purposes and lifetimes, is in our Cookie Policy, which forms part of this privacy notice. If we ever introduce a cookie that is not strictly necessary, we will update both this policy and the Cookie Policy and capture your consent before the cookie is set.
The contact form's anti-spam honeypot is not a cookie. It does not write to your browser, does not track you across pages, and stores no client-side state. It is simply a hidden form field; if it is filled in by an automated script, the submission is rejected.
3.4 Analytics
ambrosebell.com is served through Cloudflare and uses two privacy-friendly analytics services. Neither sets a cookie. Neither identifies you personally. Neither tracks you across sites.
Cloudflare. All visitor requests are routed through Cloudflare's network. Cloudflare records request-level metadata about every request for security, performance and abuse-prevention purposes. That metadata may include your IP address, country, request path, response status, user agent and the request timestamp. We use the aggregate analytics dashboard that Cloudflare provides; we do not access individual visitor records. We may also enable Cloudflare Web Analytics on top of the dashboard. Cloudflare Web Analytics is cookieless and does not fingerprint visitors. Cloudflare's privacy notice is at https://www.cloudflare.com/privacypolicy/.
Plausible Analytics. We use Plausible to understand how readers find and engage with our published material. For each page view, Plausible records the page URL, the referring URL, the country, region and city (derived from the IP address), the device type, the operating system and the browser. The IP address itself is not stored: it is combined with the website domain, the user agent and a server-side salt that is rotated and deleted every twenty-four hours, and only the resulting hash is kept. Plausible does not set cookies, does not store IP addresses, does not use cross-site tracking, and processes all visitor data on infrastructure located in the European Union. Plausible's data policy is at https://plausible.io/data-policy.
Lawful basis. We process this aggregate analytics data under Article 6(1)(f) UK GDPR (legitimate interest) for the purpose of understanding and improving the website. The processing is low-impact: the data is aggregate, the analytics services are cookieless, and we do not combine the data with any directly identifying information that we hold. You can object to this processing at any time by emailing info@ambrosebell.com; we will configure our analytics to exclude further visits from you to the extent technically possible.
No consent banner for analytics. Because neither analytics service sets a cookie or any other client-side identifier, regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) does not require us to obtain your consent before the analytics scripts run. The only cookies that may be set on the site are the strictly necessary Cloudflare cookies described in our Cookie Policy, which are exempt from the consent requirement under PECR regulation 6(4).
3.5 Data we do not collect
We do not collect special category data (health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric, sex life or sexual orientation) or criminal-offence data through this website. We do not knowingly collect personal data from children. The site is aimed at business audiences.
4. Why we process your personal data, and the legal basis we rely on
| Purpose | Categories of data | Legal basis (UK GDPR Art. 6) |
|---|---|---|
| Replying to enquiries you send us | Identification and contact data; correspondence content | Legitimate interest (Art. 6(1)(f)): handling enquiries we receive |
| Receiving and replying to contact form submissions | First name, last name, email address, message content | Legitimate interest (Art. 6(1)(f)): handling enquiries we receive; alternatively, your consent (Art. 6(1)(a)), evidenced by your voluntary act of submitting the form |
| Managing professional relationships and pipeline | Identification, contact and professional context data | Legitimate interest (Art. 6(1)(f)): operating our business |
| B2B prospecting and outreach to decision-makers in our target market | Business contact data (name, title, employer, work email, work phone, LinkedIn URL) | Legitimate interest (Art. 6(1)(f)). Balancing test recorded internally |
| Operating and securing the website | Server logs, essential cookies | Legitimate interest (Art. 6(1)(f)): network and information security; legal obligation under PECR for essential cookies |
| Aggregate website analytics via Plausible (cookieless) | Page URL, referrer, country/region/city derived from IP (IP not stored), device type, browser, operating system | Legitimate interest (Art. 6(1)(f)): understanding how readers use the site |
| Aggregate website analytics and security via Cloudflare (cookieless analytics; strictly necessary cookies for bot management) | Request-level metadata: IP address, country, request path, response status, user agent, timestamp | Legitimate interest (Art. 6(1)(f)): network and information security, abuse prevention, understanding how readers use the site; PECR reg. 6(4) for strictly necessary cookies |
| Compliance with our legal and regulatory obligations | Any of the above | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests we have carried out, and recorded, a balancing test that weighs our interest against your rights and freedoms. You can ask for a summary of that assessment at any time.
5. B2B prospecting. Where the data comes from
We carry out a low-volume, targeted business-to-business outreach programme aimed at senior decision-makers in organisations we believe may benefit from our services. Some of the contact data used in that programme was originally obtained from third-party professional data providers (for example Apollo) during a 2023 to 2024 engagement. We have since reset the operating model: no new data is purchased from third-party providers, and our forward outreach is built on direct relationships and our own CRM.
If you receive an outreach message from us and we hold your data on this basis, the first message we send you carries a short notice that:
- identifies us as the controller
- explains the source of the data
- explains the legal basis (legitimate interest)
- gives you a one-click way to object and be added to our suppression list
This is our way of meeting Article 14 UK GDPR. If you would like to be removed before you receive any message from us, email info@ambrosebell.com with the words "do not contact" in the subject line.
6. Who we share your personal data with
We share your data only with the small number of providers who help us run the business, and only to the extent necessary. In particular:
- Hosting and email: Microsoft 365 (Microsoft Ireland Operations Limited), for email and document storage.
- Website hosting and edge functions: Cloudflare, Inc. (San Francisco, USA, with UK and EEA points of presence) hosts ambrosebell.com and runs the Pages Function that processes contact form submissions in transit. Cloudflare acts as a processor for the brief moment a contact form submission travels through the function on its way to our email provider; it does not retain the submission.
- Cloudflare Web Analytics: Cloudflare, Inc. provides aggregate, cookieless analytics on top of the request data already processed through its CDN. Disclosed under "Website hosting and edge functions" above; no separate transfer mechanism is required.
- Plausible Analytics: Plausible Insights OÜ, an Estonian company that processes aggregate visitor analytics for us. Data is hosted on infrastructure located in the European Union. As an EEA-based processor there is no third-country transfer.
- Transactional email: Resend (Resend, Inc., Delaware, USA) is the email-delivery provider that takes a contact form submission from the Cloudflare Pages Function and delivers it as an email to info@ambrosebell.com. Resend acts as a processor for the period the message is in its sending pipeline.
- CRM: our internal customer relationship management system.
- Professional advisors: accountants, auditors, legal advisors, insurers, all under professional duties of confidence.
We do not sell your personal data, and we do not share it with advertising networks or data brokers. If you contact us by phone, the call may be handled by our telephony provider (currently a UK-based business line); we do not record calls.
If we introduce a new processor that involves international transfer of your data, we will update this policy and rely on an appropriate transfer mechanism.
7. International transfers
Our primary processing is in the UK and the European Economic Area (EEA). Some of our processors are established in the United States. In particular:
- Cloudflare, Inc. (USA). Website hosting and the contact form's edge function. Traffic is typically served from a UK or EEA point of presence, but the controlling entity is in the USA.
- Resend, Inc. (USA). Transactional email delivery for contact form submissions.
- Microsoft 365. May involve transfer to the United States in limited circumstances.
For each of these transfers we rely on:
- the UK Government's adequacy regulations where they apply (including the UK Extension to the EU-US Data Privacy Framework, where the recipient is certified), or
- the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, supported by a transfer risk assessment.
You can ask us for the safeguards we rely on for any specific transfer.
8. How long we keep your personal data
We keep personal data only for as long as we need it for the purposes set out above. As a general rule:
| Data category | Retention period |
|---|---|
| Contact form submissions (delivered to us by email) | Treated as enquiry correspondence: retained as inbound email for 24 months from last contact, unless an engagement or active pipeline relationship follows, in which case the longer period for that category applies |
| Enquiry correspondence (no engagement follows) | 24 months from last contact |
| Active client correspondence and engagement records | 7 years from end of engagement (to support contractual, tax and professional indemnity requirements) |
| Pipeline / prospect records (no engagement) | 3 years from last meaningful interaction, or until you ask to be removed (whichever is sooner) |
| Suppression list (do-not-contact) | Indefinite. This is the record that you have objected, and we keep it so we honour your objection |
| Server logs | 30 days |
| Honeypot-rejected submissions | Not retained (silently discarded at the edge function) |
| Plausible analytics data | Held by Plausible Analytics (Plausible Insights OÜ) under their data policy; no personal data is exported to us |
| Cloudflare request logs and analytics | Held by Cloudflare under Cloudflare's privacy notice; we access aggregate dashboards only |
Where we have a legal obligation (for example, retention of accounting records under HMRC rules), we keep the data for the period the law requires.
9. Your rights
Under UK GDPR you have the following rights in relation to your personal data. They are not absolute, but where they apply we will respect them:
- Right of access (Art. 15). Ask us for a copy of the personal data we hold about you.
- Right to rectification (Art. 16). Ask us to correct data that is wrong or incomplete.
- Right to erasure (Art. 17). Ask us to delete your data, subject to the limited exceptions in the law (for example, where we still need it to comply with a legal obligation or to defend a legal claim).
- Right to restriction (Art. 18). Ask us to pause processing while a question about your data is resolved.
- Right to data portability (Art. 20). Where the processing is based on consent or contract and is automated, ask us to provide your data in a portable format.
- Right to object (Art. 21). Object at any time to processing based on legitimate interest, including direct marketing. If you object to direct marketing we will stop, full stop.
- Right not to be subject to a solely automated decision (Art. 22). We do not currently make any solely automated decisions with legal or similarly significant effects, so there is nothing to object to here, but the right is recorded for completeness.
- Right to withdraw consent. Where we rely on your consent (for example, analytics cookies), you can withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
These rights apply to any personal data we hold about you, including any data you sent us via the contact form. To exercise any of these rights, email info@ambrosebell.com with "Data subject request" in the subject line. We will acknowledge within 7 days and respond in full within one calendar month, as the law requires. We may need to verify your identity before we can act.
10. Right to complain to the ICO
If you are not satisfied with how we have handled your personal data you have the right to complain to the UK supervisory authority:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Web: ico.org.uk
We would, of course, prefer that you raise the issue with us first so that we can put it right.
11. Security
We protect personal data with measures appropriate to the size and nature of our business. Those measures include access controls on our systems, strong authentication, encryption in transit, vendor due diligence on processors, and a documented data-handling protocol for our team. No system is perfectly secure; if we ever become aware of a personal data breach that meets the threshold in Article 33 UK GDPR we will notify the ICO and, where required, the affected data subjects, in line with the law.
12. Changes to this policy
We will update this policy when our processing changes or when the law changes. The "Effective date" at the top of the policy will move forward when a material change is made. Where the change is material we will, where we have a way to reach you, draw it to your attention. Older versions are kept on file and can be requested.
13. Contact
For any question about this policy or about how we handle your personal data:
Ambrose and Bell Limited
167-169 Great Portland Street, 5th Floor, London W1W 5PF
Email: info@ambrosebell.com
Telephone: +44 203 996 9671
This policy should be read together with our Cookie Policy and our Website Terms of Use.