Privacy Policy

Effective date: 28 February 2026  •  Last updated: 28 February 2026

This Privacy Policy explains how The Braveheart CIO Group Limited ("we", "us", or "our") collects, uses, and protects personal data when you visit www.thebraveheartcio.com (the "Website") or contact us directly.

We are committed to handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

The data controller responsible for your personal data is:

The Braveheart CIO Group Limited
Email: benedetto@thebraveheartcio.com
Website: www.thebraveheartcio.com

2. What Personal Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data:

Website usage data

When you visit our Website, we collect anonymised analytics data (with your consent) including:

• Pages visited and time spent on each page
• Referral source (how you found us)
• Device type, browser, and operating system
• Approximate geographic location (country/region — not precise location)
• Anonymised IP address

This data is collected via Google Analytics 4 and does not identify you personally.

Contact and enquiry data

If you contact us by email, we collect:

• Your name and email address
• The content of your message
• Any additional information you choose to provide

Newsletter subscription data

If you subscribe to our newsletter via our "NewsAgent" service, we collect your email address for the purpose of sending you updates, articles, and thought leadership content.

Advisory booking data

If you book an advisory session through Calendly (our third-party booking platform), Calendly will collect your name, email address, and scheduling preferences directly. Please refer to Calendly's Privacy Policy for details.

3. How We Collect Your Data

Method	Data Collected	When
Google Analytics 4	Anonymised usage data, device info, location region	When you visit the Website and consent to analytics cookies
Direct email	Name, email address, message content	When you email us at benedetto@thebraveheartcio.com
Newsletter form (AWS CloudFront)	Email address	When you subscribe to our NewsAgent newsletter
Calendly (third party)	Name, email, scheduling preferences	When you book an advisory session

4. Legal Basis for Processing

We process your personal data on the following legal grounds under UK GDPR:

• Consent (Article 6(1)(a)): For analytics cookies (Google Analytics 4), which we only activate after you have given your explicit consent via our cookie banner.
• Legitimate interests (Article 6(1)(f)): For processing email enquiries and improving our Website based on aggregated, anonymised analytics data. Our legitimate interest is in running and developing our advisory business effectively.
• Contract performance (Article 6(1)(b)): For processing data necessary to deliver advisory services you have requested.
• Consent (Article 6(1)(a)): For newsletter subscriptions, where you have opted in to receive communications from us.

5. How We Use Your Data

We use the personal data we collect for the following purposes:

• To understand how visitors use our Website and improve its content and performance
• To respond to your enquiries and provide information about our services
• To send newsletter content to subscribers who have opted in
• To facilitate advisory session bookings
• To comply with legal obligations

We do not use your personal data for automated decision-making or profiling.

6. Third-Party Service Providers

We share data with the following trusted third-party providers who process data on our behalf or independently:

Provider	Purpose	Data Processed	Location
Google LLC (Analytics)	Website analytics	Anonymised usage data	USA (SCCs)
Amazon Web Services (AWS)	Newsletter hosting (CloudFront/S3)	Email address	EU (eu-north-1)
Calendly, LLC	Advisory booking	Name, email, scheduling data	USA (SCCs)
Brightcove Inc.	Video hosting	Viewing data (when video is played)	USA (SCCs)
Google LLC (YouTube)	Video content (linked)	Standard YouTube analytics if you visit YouTube	USA (SCCs)
Vercel Inc.	Website hosting	Server request logs (IP address, page requested)	USA/EU (SCCs)

SCCs = Standard Contractual Clauses, the legal mechanism used for data transfers from the UK to countries without an adequacy decision.

We do not sell, rent, or share your personal data with third parties for their own marketing purposes.

7. International Data Transfers

Some of our third-party service providers are based outside the UK and the European Economic Area (EEA). Where data is transferred internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO), or we rely on the provider's participation in an approved adequacy framework.

8. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy:

• Analytics data: Retained for 14 months within Google Analytics (Google's default retention period for GA4), after which it is automatically deleted.
• Email correspondence: Retained for as long as is relevant to our business relationship and any follow-up, typically no longer than 3 years from the last contact.
• Newsletter subscriptions: Email addresses are retained until you unsubscribe or request deletion.
• Cookie consent records: Stored in your browser's localStorage on your device; cleared when you clear your browser data.

9. Your Rights Under UK GDPR

You have the following rights in relation to your personal data:

To exercise any of these rights, please contact us at benedetto@thebraveheartcio.com. We will respond within one month of receiving your request.

10. Cookies

Our Website uses cookies and similar technologies. For full details of the cookies we use, how to manage them, and how to withdraw consent, please read our Cookie Policy.

11. Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our Website is served over HTTPS, and sensitive services (such as our newsletter subscription page) are hosted on HTTPS-secured infrastructure via AWS CloudFront.

Please be aware that transmission of data over the internet can never be guaranteed to be completely secure. Any data you send by email is transmitted at your own risk.

12. Links to Third-Party Websites

Our Website contains links to external websites (including INSEAD, Reuters Plus, the London Speaker Bureau, and LinkedIn). This Privacy Policy applies only to our Website. We are not responsible for the privacy practices of third-party websites and recommend you review their policies before providing any personal data.

13. Children's Privacy

Our Website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately and we will take steps to delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect any revisions. Where changes are material, we will take reasonable steps to bring them to your attention. We encourage you to review this page periodically.

15. How to Contact Us or the Regulator

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

The Braveheart CIO Group Limited
Email: benedetto@thebraveheartcio.com