Legal · Privacy

Privacy Policy

Last updated: 12 May 2026 · Version 1.0

This Privacy Policy explains how CSMC Ventures Limited ("CSMC Ventures", "we", "us" or "our") collects, uses, discloses and protects personal data when you visit csmcventures.com or otherwise interact with us. It is issued in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications Regulations 2003 (PECR).

1. Who we are

The data controller responsible for the processing of personal data described in this policy is:

CSMC Ventures Limited
A private limited company registered in England and Wales
Company number: 14665881
Registered office: Office 4, 3/F Coachworks Arcade, Northgate Street, Chester, CH1 2EY, United Kingdom
Email: info@csmcventures.com

Given the nature and scale of our processing, we are not required to appoint a statutory Data Protection Officer under Article 37 UK GDPR. All privacy matters are handled by our management team via the contact details above.

2. Scope of this policy

This policy applies to personal data we process when you:

visit, browse or otherwise access this website;
contact us by email or other electronic means;
interact with the cookie consent banner displayed on our website; or
communicate with us in the context of a prospective or existing business relationship.

This policy does not apply to third-party websites we link to. Those sites have their own privacy practices, and we encourage you to read them before submitting any personal data.

3. Personal data we collect

We seek to collect the minimum personal data necessary to operate this website and respond to enquiries. We do not knowingly process any "special category" personal data (Article 9 UK GDPR) through this website.

3.1 Data you provide directly

Contact and identification data — when you email us at info@csmcventures.com or contact us otherwise, we receive your name, email address, the content of your message and any attachments, and any further information you choose to share.
Business context data — where relevant, the company you represent, your role, and information you share about your project, product or business proposition.

3.2 Data collected automatically

Connection data / server log data — automatically transmitted by your browser and logged by our hosting provider for the purpose of delivering the website and ensuring its security. See section 6.
Cookie and consent data — where you give, refuse or withdraw consent through the cookie banner, we record your consent choices via our cookie consent management provider. See section 5.

We do not operate any first-party or third-party analytics, advertising, profiling or behavioural-tracking technologies on this website at the date stated above.

4. Purposes and legal bases for processing

We only process your personal data where one of the lawful bases set out in Article 6(1) UK GDPR applies. The table below sets out the principal processing activities, the data categories involved, the purpose, and the relevant legal basis.

Purpose	Data categories	Legal basis
Operating, securing and delivering this website to your device.	Connection data (IP address, user agent, referrer, requested URL, date/time of request, HTTP status code).	Legitimate interests — Art. 6(1)(f) UK GDPR. Our legitimate interest is presenting a functional, secure website and protecting it against attacks and misuse.
Responding to enquiries you send us by email.	Contact and identification data, business context data, message content.	Taking steps at your request prior to entering into a contract — Art. 6(1)(b) UK GDPR; and/or our legitimate interest in handling business correspondence — Art. 6(1)(f) UK GDPR.
Managing prospective and existing business relationships and engagements.	Contact, business context and correspondence data.	Performance of a contract or pre-contractual measures — Art. 6(1)(b) UK GDPR; or legitimate interests in B2B relationship management — Art. 6(1)(f) UK GDPR.
Operating the cookie consent banner and recording consent choices.	Consent ID, consent state, timestamp, browser/device information, IP address (anonymised where supported by the consent tool).	Legal obligation to obtain and evidence consent under PECR / Art. 7 UK GDPR — Art. 6(1)(c) UK GDPR; and/or legitimate interests in demonstrating compliance — Art. 6(1)(f) UK GDPR.
Compliance with statutory obligations (e.g. tax, accounting, anti-money-laundering, responding to lawful requests from public authorities).	Any data necessary to comply with the relevant obligation.	Compliance with a legal obligation — Art. 6(1)(c) UK GDPR.
Establishing, exercising or defending legal claims.	Any data necessary for the relevant claim.	Legitimate interests in protecting our legal position — Art. 6(1)(f) UK GDPR; or Art. 9(2)(f) UK GDPR where special category data is unavoidably involved.

Where we rely on legitimate interests, we have carried out a balancing test and concluded that our interests are not overridden by your interests, rights or freedoms. You can request further information about that assessment using the contact details in section 16.

5. Cookies and similar technologies

A cookie is a small text file that a website places on your device. We use cookies, and similar technologies such as local storage, only as described below.

5.1 Categories of cookies

Strictly necessary cookies — required to operate the website and to record your cookie preferences. These cookies do not require consent under regulation 6(4) PECR and are set on the basis of our legitimate interest in providing a functioning website.
Non-essential cookies (e.g. analytics, marketing, personalisation) — set only after you have given prior, freely given, specific, informed and unambiguous consent through our cookie banner. At the date stated above, this website does not set any non-essential cookies. If this changes, the cookie banner and the cookie list below will be updated accordingly before any such cookie is set.

5.2 Consent management — CookieYes

We use CookieYes, a consent management platform provided by CookieYes Limited, 3 Warren Yard, Warren Park, Wolverton Mill, Milton Keynes, MK12 5NW, United Kingdom (www.cookieyes.com), to display the cookie banner, collect and document your consent choices, and to selectively block non-essential technologies until you have consented.

When you interact with the banner, CookieYes processes, on our behalf as a processor under Article 28 UK GDPR, a consent identifier, your consent decisions per category, the timestamp, the consent banner version, your browser type and (in truncated form where supported) your IP address. This processing is necessary to demonstrate compliance with our duty to obtain and evidence consent under PECR and Article 7 UK GDPR (legal basis: Art. 6(1)(c) and (f) UK GDPR).

CookieYes' own privacy notice is available at cookieyes.com/privacy-policy.

5.3 Withdrawing or changing consent

You may withdraw or change your consent at any time, with effect for the future, by re-opening the cookie banner using the button below or via the consent icon displayed on the page. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

Manage cookie preferences

You can also block or delete cookies in your browser settings. Doing so may affect the functionality of this and other websites.

6. Server logs and hosting

When you access this website, your browser automatically transmits certain information to our hosting provider, which is logged in temporary server log files. Each such log entry typically contains:

the IP address of the requesting device;
the date and time of the request;
the requested URL and the HTTP method;
the HTTP status code returned;
the amount of data transferred;
the referring URL (if any); and
the user agent string of your browser and operating system.

This data is processed strictly to deliver the website, ensure its stability and security, detect and prevent attacks (e.g. denial-of-service, brute-force or injection attacks) and resolve faults. The legal basis is our legitimate interest under Article 6(1)(f) UK GDPR in operating a secure and functional website. Log data is not combined with other data sources for the purpose of profiling.

7. Recipients and processors

We do not sell personal data. We disclose personal data only to the limited categories of recipients listed below, and only to the extent necessary for the purposes described in this policy.

7.1 Processors acting on our instructions

Web hosting and infrastructure providers — to host this website and store associated log data. Such providers act as processors under written data processing agreements meeting the requirements of Article 28 UK GDPR.
CookieYes Limited — as described in section 5.
Email and productivity providers — to receive, store and respond to email correspondence sent to us, and for general office productivity. These providers process data on our instructions under Article 28 UK GDPR agreements.
Professional advisers — accountants, auditors, lawyers, insurers and similar advisers, where they act as processors rather than as independent controllers.

7.2 Independent third parties

Google Fonts — this website uses the "Inter" web font, delivered through Google Fonts (a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). When the font is loaded, your browser establishes a connection to Google's servers, which receives your IP address and standard HTTP request data. The use of Google Fonts is based on our legitimate interest under Article 6(1)(f) UK GDPR in presenting our website in a consistent, accessible typography. Information about Google's processing is available at policies.google.com/privacy.
Public authorities, courts, regulators and law enforcement — where disclosure is required by law, court order or comparable legal process, or is necessary to establish, exercise or defend legal claims.
Prospective acquirers, investors and successors — in the event of a sale, restructuring, merger, insolvency or similar corporate event, in which case the recipient will be bound to handle the data in accordance with this policy.

8. International transfers

We aim to process personal data within the United Kingdom or the European Economic Area (EEA). Where personal data is transferred to a third country outside the UK (for example because a processor or sub-processor is located in, or supports operations from, such a country), we ensure that one of the following safeguards under Articles 44–49 UK GDPR is in place:

the country benefits from UK "adequacy regulations" made under section 17A DPA 2018;
the transfer is covered by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supplemented (where necessary) by a transfer risk assessment and additional technical and organisational measures;
the transfer is necessary for the performance of a contract with you, or in your interest, or to establish, exercise or defend legal claims (Art. 49 UK GDPR derogations); or
you have given your explicit consent to the proposed transfer after being informed of the possible risks.

You may request a copy of the relevant safeguard using the contact details in section 16, subject to redaction of confidential commercial terms.

9. Retention periods

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, regulatory or reporting requirements.

Data	Retention period
Server log data	Up to 30 days, then deleted or fully anonymised, unless retention is required to investigate a specific security incident.
Cookie consent records (via CookieYes)	Typically 12 months from the date of consent, or until you change your consent — whichever is shorter. The banner will be redisplayed thereafter.
Email correspondence and enquiries	For the duration of the enquiry or relationship, plus the applicable limitation period (in England and Wales, generally up to 6 years from the end of the matter for ordinary contractual claims, or 12 years for matters under deed).
Records required by law (e.g. tax, accounting, AML)	For the statutory minimum period, typically 6 years from the end of the financial year to which they relate.

Where it is not possible to set a precise retention period in advance, we determine retention by reference to the criteria above. When personal data is no longer needed, it is securely deleted or irreversibly anonymised.

10. Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration or disclosure, as required by Article 32 UK GDPR. These measures include transport encryption (TLS/HTTPS), access controls, hardened hosting infrastructure, regular software updates, and contractual safeguards with our processors. Despite our efforts, no electronic transmission or storage is entirely secure, and we cannot guarantee absolute security.

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office (ICO) within 72 hours, and will notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms.

11. Your rights

Subject to the conditions and exemptions set out in the UK GDPR and DPA 2018, you have the following rights in relation to personal data we process about you:

Right to be informed — to be told how your personal data is used (Art. 13–14).
Right of access — to obtain confirmation that we process your personal data and a copy of that data (Art. 15).
Right to rectification — to have inaccurate or incomplete personal data corrected (Art. 16).
Right to erasure — to have your personal data deleted where one of the grounds in Art. 17 applies.
Right to restriction — to require us to limit our processing in the circumstances set out in Art. 18.
Right to data portability — where applicable, to receive personal data you have provided to us in a structured, commonly used and machine-readable format (Art. 20).
Right to object — to object, on grounds relating to your particular situation, to processing carried out under Art. 6(1)(e) or (f), and at any time to processing for direct marketing purposes (Art. 21).
Right to withdraw consent — where processing is based on consent, to withdraw that consent at any time without affecting the lawfulness of prior processing (Art. 7(3)).
Right not to be subject to automated decisions — see section 12.

To exercise any of these rights, please contact us at info@csmcventures.com. We will respond within one month of receipt of your request, although this period may be extended by up to a further two months where the request is complex or numerous. We may need to ask for additional information to verify your identity before we can give effect to your request. There is generally no fee for exercising these rights, but we may charge a reasonable fee or refuse to act where the request is manifestly unfounded or excessive.

12. Automated decision-making and profiling

We do not make decisions based solely on automated processing — including profiling — that produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 UK GDPR.

13. Children

This website is intended for a business and professional audience and is not directed at children. We do not knowingly collect personal data from children under the age of 13. If you believe that a child has provided personal data to us, please contact us so that we can take appropriate steps to delete that data.

14. Third-party links

Our website may contain links to third-party websites, plug-ins and applications (for example, the CookieYes website). Following those links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy notices. When you leave our website, we encourage you to read the privacy notice of every website you visit.

15. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the technologies we use, or the legal and regulatory framework. The "Last updated" date at the top of this page reflects the date of the most recent material change. Where the changes are material, we will take reasonable steps to bring them to your attention.

16. How to contact us · Complaints

For any question relating to this Privacy Policy or to the processing of your personal data, or to exercise any of your rights, please contact us at:

CSMC Ventures Limited — Privacy
Office 4, 3/F Coachworks Arcade, Northgate Street
Chester, CH1 2EY, United Kingdom
Email: info@csmcventures.com

If you are not satisfied with the way we have handled your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO), the supervisory authority for data protection in the United Kingdom: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF · ico.org.uk · Helpline: 0303 123 1113. We would, however, appreciate the opportunity to address your concerns before you approach the ICO, and ask that you contact us in the first instance.