Data Controller
Those Aren't Mountains Ltd is the data controller responsible for your personal data. We are registered in England and Wales (Company Number: 10073193) with our registered office at 4th Floor, 86-90 Paul Street, Hackney, London, England, EC2A 4NE.
For any questions about this Privacy Policy or our data practices, please contact us at: waves@thosearentmountains.com
Personal Data We Collect
We may collect and process the following categories of personal data:
Information you provide directly
- Identity Data: Full name, title, position, company name
- Contact Data: Email address, telephone number, business address, WhatsApp contact details
- Professional Data: CV/resume, work history, portfolio information, professional qualifications
- Financial Data: Bank account details, payment information (for invoicing and contract purposes only)
- Communications Data: Content of emails, messages, meeting notes, and other correspondence
Information collected automatically
- Technical Data: IP address, browser type and version, operating system, device information
- Usage Data: Pages visited, time spent on pages, navigation paths, referral sources
- Analytics Data: Aggregated statistics about website usage via privacy-respecting analytics (Vercel Analytics)
Information from third parties
- Professional networking platforms (LinkedIn) when you connect with us
- Referrals and introductions from mutual contacts (with their consent)
- Publicly available business information and company registries
Legal Basis for Processing
Under UK GDPR and EU GDPR, we process your personal data on the following legal bases:
- Contract Performance (Article 6(1)(b)): Processing necessary to perform our consultancy agreements, provide advisory services, or take pre-contractual steps at your request
- Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate business interests, including managing client relationships, business development, network introductions, and improving our services, provided these interests do not override your fundamental rights
- Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal obligations, including tax reporting, anti-money laundering regulations, and regulatory requirements
- Consent (Article 6(1)(a)): Where you have given clear consent for us to process your personal data for specific purposes, such as receiving updates about our portfolio companies
How We Use Your Data
We use your personal data for the following purposes:
Service delivery
- Providing consultancy and advisory services
- Managing ongoing client and portfolio relationships
- Facilitating introductions to our network of investors, executives, and partners
- Conducting due diligence for potential investments or partnerships
- Preparing and executing contracts and agreements
Business operations
- Invoicing and payment processing
- Maintaining accurate business records
- Complying with legal and regulatory obligations
- Managing our internal administration
Communications
- Responding to your enquiries and requests
- Providing updates on matters relevant to our engagement
- Sharing opportunities that may be of interest (with consent)
Website and analytics
- Operating and maintaining our website
- Analysing website usage to improve user experience
- Ensuring website security and preventing fraud
Data Sharing and Disclosure
We may share your personal data with the following categories of recipients:
- Portfolio Companies and Partners: Where necessary to facilitate introductions or partnerships you have requested or agreed to
- Professional Advisers: Lawyers, accountants, auditors, and insurers who provide professional services to us
- Service Providers: Third-party providers who assist with our operations, including cloud hosting (Vercel), analytics, and communication tools, all bound by contractual confidentiality obligations
- Regulatory Authorities: When required by law or to protect our legal rights
- Business Transfers: In connection with any merger, acquisition, or sale of company assets
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
International Data Transfers
Your personal data may be transferred to and processed in countries outside the United Kingdom and European Economic Area (EEA), including:
- United Arab Emirates (Dubai office operations)
- Qatar (Doha office operations)
- United States (cloud infrastructure providers)
Where we transfer data outside the UK/EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission and UK Information Commissioner's Office
- Adequacy decisions where the destination country provides adequate data protection
- Binding corporate rules or other approved certification mechanisms
Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including:
- Client and engagement records: 7 years after the end of our business relationship (for legal and regulatory compliance)
- Financial and tax records: 7 years (as required by HMRC)
- Prospective client enquiries: 2 years from last contact (unless you request earlier deletion)
- Website analytics: 26 months (aggregated, anonymised data)
- Contract documentation: Duration of limitation period plus 1 year (typically 7 years)
Your Rights
Under UK GDPR and EU GDPR, you have the following rights regarding your personal data:
- Right of Access (Article 15): Request a copy of the personal data we hold about you
- Right to Rectification (Article 16): Request correction of inaccurate or incomplete data
- Right to Erasure (Article 17): Request deletion of your personal data in certain circumstances
- Right to Restriction (Article 18): Request restriction of processing in certain circumstances
- Right to Data Portability (Article 20): Receive your personal data in a structured, machine-readable format
- Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing
- Rights related to automated decision-making (Article 22): Not be subject to decisions based solely on automated processing
- Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time
To exercise any of these rights, please contact us at waves@thosearentmountains.com. We will respond to your request within one month.
Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Access controls limiting data access to authorised personnel
- Regular security assessments and updates
- Secure cloud infrastructure with enterprise-grade security
- Confidentiality agreements with all staff and contractors
- Incident response procedures for potential data breaches
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and, where required, inform you directly.
Children's Privacy
Our services are directed at business professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete that information.
Third-Party Links
Our website may contain links to third-party websites, including portfolio company websites, LinkedIn profiles, and partner organisations. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal data.
Complaints
If you have concerns about how we handle your personal data, please contact us first so we can address your concerns. You also have the right to lodge a complaint with a supervisory authority:
- United Kingdom:Information Commissioner's Office (ICO) ico.org.uk
- European Union: Your local Data Protection Authority
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. We will post any changes on this page with an updated revision date. For significant changes, we will provide prominent notice or direct notification where appropriate.
This policy was last updated on 19 April 2025.
Contact Us
For any questions, requests, or concerns regarding this Privacy Policy or our data practices, please contact:
Those Aren't Mountains Ltd4th Floor, 86-90 Paul Street
Hackney, London
England, EC2A 4NE
Email: waves@thosearentmountains.com
Company Number: 10073193