Alsvior Global
Consulting01
Partners02
Our thinking03About04Offices05

Legal · 01

Privacy Policy

This policy explains how the Alsvior Global group of companies (collectively “Alsvior Global”, “we”, “us”) collects, uses and safeguards personal data when you visit www.alsviorglobal.com, contact us, or engage our services. It is written to satisfy the UK GDPR, the EU General Data Protection Regulation (Regulation 2016/679), the UK Data Protection Act 2018, the ePrivacy Directive (2002/58/EC) as implemented in each EU member state, and the UK Privacy and Electronic Communications Regulations 2003 (PECR).

Effective: 7 May 2026

1. Who is the data controller

Alsvior Global operates through three separate legal entities. Which entity is your data controller depends on where you are when you interact with us:

If you are located inYour controllerIdentifier
The United KingdomAlsvior Global Limited
Churchill House, 31 Banbury Road, Ettington, Warwickshire, CV37 7SN, United Kingdom		Companies House number 13689323
VAT GB412134549
PortugalAlsvior Global - Portugal, Lda.
Rua do Engenheiro Ferreira Dias, n.º 924, 3.º R, 347, Ramalde, Porto, 4100-246, Portugal		NIPC 517254832
VAT PT517254832
Spain, the rest of the EU / EEA, and any other location not listed aboveAlsvior Global - Spain, S.L.
Carrer Romaguera 16, Sant Quirze del Vallès, 08192, España		CIF B10971539
VAT ESB10971539

Where the same personal data is shared between two of our entities (for example, an enquiry from the UK that is delivered by the Porto team), we act as joint controllers for that processing within the meaning of Article 26 UK / EU GDPR. The essential terms of our joint-controller arrangement are: each entity is responsible for compliance within its own jurisdiction; you may contact any of the entities to exercise your rights and we will route your request internally; the privacy contact below acts as a single point of contact regardless of which entity holds your data. A copy of the full arrangement is available on request.

EU representative (GDPR Article 27). Because Alsvior Global Limited is established outside the European Union but offers services to data subjects in the EU, it has appointed Alsvior Global - Spain, S.L. (Carrer Romaguera 16, Sant Quirze del Vallès, 08192, España) as its representative under Article 27 of the EU GDPR. EU data subjects may contact the representative on any matter relating to processing by the UK entity, in addition to or instead of contacting the UK entity directly.

Single privacy contact for all entities.

2. Personal data we collect

We only collect personal data that we need for a specific, declared purpose. The categories below describe what we collect, and the following section explains why.

2.1 Information you give us

  • Identity and contact data — name, business email, telephone number, employer, job title.
  • Engagement data — messages, briefs, meeting notes and any information you choose to share through our enquiry form, by email, on a call, or during an engagement.
  • Recruitment data — CVs, cover letters, right-to-work documentation and references where you apply for a position.

2.2 Information we collect automatically

  • Technical data — IP address (truncated where possible), device type, browser type and version, operating system, referring URL, language and timezone.
  • Usage data — pages visited, time on page, click interactions and approximate geographic region (country / city) where you have given consent for analytics cookies.
  • Cookies and similar technologies — see our Cookie Policy for the full list and your controls.

2.3 Information from third parties

  • Public business profiles (for example LinkedIn) where you have made information publicly available.
  • Calendar / scheduling providers when you book a call (Calendly, Microsoft Office 365 / Bookings, OnePlan).
  • Analytics providers (Google Analytics) where you have given consent.

We do not knowingly collect data from children under 16, and we do not seek special category data (health, ethnicity, political opinions, biometric data, etc.) through this website. Please do not send us such data unless we have specifically asked for it under a suitable lawful basis.

3. Why we use your data and our lawful bases

Under Article 6 of the UK and EU GDPR we must have a lawful basis for every processing activity. The table below sets out each purpose, the relevant data categories, and the lawful basis on which we rely.

PurposeData categoriesLawful basis
Responding to enquiries and proposalsIdentity, contact, engagementArticle 6(1)(b) — steps prior to entering a contract; and / or 6(1)(f) legitimate interest in providing professional services
Delivering consulting and managed-service engagementsIdentity, contact, engagement, technicalArticle 6(1)(b) — performance of a contract
Invoicing, accounting and tax record-keepingIdentity, contact, engagement metadataArticle 6(1)(c) — legal obligation (UK Companies Act 2006 and HMRC; the Spanish Código de Comercio; the Portuguese Código das Sociedades Comerciais and Autoridade Tributária rules)
Securing our website and infrastructureTechnical, usageArticle 6(1)(f) — legitimate interest in protecting our systems and users
Analytics and service improvementTechnical, usage, cookiesArticle 6(1)(a) — consent (PECR / ePrivacy regs require opt-in for non-essential cookies)
Direct marketing to existing business contactsIdentity, contactArticle 6(1)(f) legitimate interest, balanced with the PECR / ePrivacy soft opt-in for B2B email; you can object at any time
RecruitmentRecruitment dataArticle 6(1)(b) pre-contract; 6(1)(f) legitimate interest in hiring; consent for retention beyond a vacancy
Compliance, defending legal claimsAll categories as relevantArticle 6(1)(c) and 6(1)(f)

Where we rely on legitimate interests, we have carried out a legitimate-interests assessment to confirm that our interests are not overridden by your rights and freedoms. You can ask for a copy of that assessment by contacting privacy@alsviorglobal.com.

4. Cookies and tracking technologies

We only set non-essential cookies (including Google Analytics) after you have given affirmative, opt-in consent through our cookie banner. You can withdraw consent at any time by clicking “Cookie settings” in the footer. Strictly necessary cookies do not require consent. The full breakdown is in our Cookie Policy.

5. Who we share data with

We do not sell personal data. We share it only with categories of recipient who help us run the business under written instructions and appropriate safeguards:

  • Within the Alsvior Global group Alsvior Global Limited, Alsvior Global - Spain, S.L. and Alsvior Global - Portugal, Lda. share data internally where needed to deliver an engagement, run group-wide systems, or comply with the law. Intra-group transfers are governed by an internal data-sharing agreement.
  • Hosting and infrastructure — Microsoft Azure (Microsoft Ireland Operations Ltd / Microsoft Corporation), Amazon Web Services (Amazon Web Services EMEA SARL / Amazon Web Services, Inc.), Google Cloud (Google Ireland Ltd / Google LLC) and Atlassian (Atlassian B.V. / Atlassian, Inc.) for website hosting, application hosting, content delivery and platform infrastructure.
  • Email and productivity — Microsoft Office 365 (Microsoft Ireland Operations Ltd) for internal communications, document storage and meeting notes.
  • Scheduling and project tooling — Calendly LLC (only when you choose to book through the Calendly widget), Microsoft Office 365 (Microsoft Ireland Operations Ltd) and OnePlan (OnePlan, LLC) for meeting scheduling and engagement / project planning.
  • Analytics — Google Ireland Ltd / Google LLC for Google Analytics 4 (only after consent; IP anonymisation enabled where supported).
  • Professional advisers — lawyers, accountants and auditors bound by professional secrecy.
  • Authorities — public bodies, regulators or law enforcement where required by law (for example, an HMRC, Agencia Tributaria or Autoridade Tributária request, an ICO / AEPD / CNPD investigation, or a court order).

6. International transfers

Some of our service providers process data outside the UK or EEA (notably in the United States). When this happens we rely on at least one of the following safeguards required by Chapter V of the UK / EU GDPR:

  • A European Commission adequacy decision or a UK adequacy regulation (for example, the EU-US Data Privacy Framework and the UK extension to it for certified US recipients).
  • The UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or the European Commission 2021 Standard Contractual Clauses, supported by a transfer impact assessment.
  • Where applicable, your explicit, informed consent to the specific transfer (Article 49(1)(a)).

Transfers between Alsvior Global Limited (UK) and Alsvior Global - Spain, S.L. or Alsvior Global - Portugal, Lda. (EEA) are protected by the European Commission’s adequacy decision for the United Kingdom (28 June 2021) for as long as that decision remains in force, and by SCCs / IDTA-equivalent clauses thereafter. You can request a copy of the safeguards we have in place by emailing privacy@alsviorglobal.com.

7. How long we keep your data

We keep personal data only for as long as we need it for the purpose it was collected. Indicative retention periods:

  • Enquiry / proposal records — up to 24 months after last contact, unless you become a client.
  • Client engagement records — the duration of the engagement plus the longer of (a) 6 years (UK), (b) 6 years (Spain, art. 30 Código de Comercio) and (c) 10 years (Portugal, art. 40 Código Comercial), to meet statutory limitation, tax and audit requirements.
  • Accounting and tax records — the longest of the periods set by the UK Companies Act 2006, the Spanish General Tax Law, and the Portuguese tax code (typically 6–10 years).
  • Analytics data — up to 14 months at the event level; aggregated reports may be kept longer.
  • Recruitment data — 6 months after a decision, longer only with your consent.
  • Backups — up to 90 days, after which they roll off our systems.

8. Your rights

Under the UK and EU GDPR you have the following rights, exercisable free of charge in most cases:

  • Access — obtain a copy of the personal data we hold about you (Article 15).
  • Rectification — ask us to correct inaccurate or incomplete data (Article 16).
  • Erasure — ask us to delete your data where one of the grounds in Article 17 applies (the “right to be forgotten”).
  • Restriction — ask us to pause processing in certain circumstances (Article 18).
  • Portability — receive data you provided in a structured, machine-readable format (Article 20).
  • Objection — object to processing based on legitimate interests, including direct marketing, at any time (Article 21).
  • Withdrawal of consent — withdraw consent for any processing that relied on it (Article 7(3)). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Automated decisions — we do not carry out solely automated decision-making with legal or similarly significant effects (Article 22). If this changes, you will have the right to obtain human intervention.

To exercise any right, email privacy@alsviorglobal.com. We will respond within one month, with a possible two-month extension for complex requests, and we may need to verify your identity before responding.

9. Complaints and supervisory authorities

If you believe we have not handled your data correctly, please contact us first so we can put it right. You also have the right to complain to a supervisory authority. The relevant authority depends on which of our entities is your controller:

EU data subjects may also complain to the supervisory authority of their habitual residence, place of work, or the place where the alleged infringement occurred (a list is maintained by the European Data Protection Board at edpb.europa.eu).

10. Security

We apply technical and organisational measures appropriate to the risk, as required by Article 32 GDPR. These include encryption in transit (TLS 1.2+), encryption at rest for production stores, role-based access controls, principle of least privilege, multi-factor authentication on administrative accounts, vendor security reviews, and a documented incident-response process. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, the affected individuals without undue delay.

11. Changes to this policy

We review this policy at least annually and whenever a material change is needed. The “Effective” date at the top of the page shows the version currently in force. Where changes are material, we will provide additional notice (for example a banner on the website or an email to active contacts).

12. Contact

Questions about this policy or about how we handle your personal data should be sent to:

  • Email: privacy@alsviorglobal.com (single point of contact for all three entities)
  • Post: Any of the registered offices listed in section 1 above.