Privacy Policy

At Crimson Phoenix we are committed to protecting the data and privacy of our clients and the individuals we work with. This privacy policy explains how and why we collect personal data during the course of providing services and what we do to ensure that information is kept safe and secure.


We are Crimson Phoenix Limited, a private limited company with registered number 08166308, having our registered office and main place of business at 80-83 Long Lane, London, EC1A 9ET. You can contact us by writing to our office address, telephoning us on +44 (0)20 7710 5444 or emailing

We are regulated as a controller under Data Protection Laws in relation to the personal data (meaning information which relates to an identified or identifiable individual) we collect and process in connection with our work. We are registered as a data controller with the UK Information Commissioner’s Office under registration number ZA699542.


We collect and process personal data relating to individuals we work with or who are connected to matters we advise on. This may include representatives of corporate clients and other parties involved, along with their professional advisers.

This information is typically:

(a) provided to us by our clients or other persons involved in a transaction;
(b) collected during the course of providing M&A and corporate finance advisory services (such as personal data contained in email correspondence or company materials provided to us by our
(c) received from third parties; or
(d) obtained from external sources.


The categories of personal data we process will vary but may include some or all of the following:

(a) information about clients and their representatives, including contact information and professional details such as name, email, address, telephone, job title and employer;
(b) communications data, for example email correspondence or audio/video processed during web meetings and conference calls;
(c) identification and verification documents, for example passports, driving licences or other identifying documents;
(d) payment data (when we make or receive payments, for example to our suppliers);
(e) other information provided to us, for example in relation to meetings or events; and
(f) other personal data we collect in the course of providing advisory services (which may include personal and financial information contained in corporate and transactional documents).

We may process other types of personal data and, occasionally, this may include special category ‘sensitive’ personal data, such as information relating to someone’s health, racial or ethnic origin, religious or philosophical beliefs, sexuality, political opinions or trade union membership.


We typically store and process personal data because it is necessary to do so to pursue our legitimate interests and those of our clients in providing and receiving M&A and corporate finance advisory services and performing our contractual obligations to clients. Where necessary and appropriate we may also process personal data on other grounds including:

(a) in order to fulfil our contractual obligations towards individuals or exercise contractual rights;
(b) to comply with our legal obligations; or
(c) for the legitimate interest of promoting our business and services.

In limited circumstances, we may use personal data on the basis of consent. If so, we will always clearly ask for specific and informed agreement. You are, of course, free to refuse and we will inform you as to what (if any) consequences refusal might have.


Any personal data we collect will be kept private and confidential in accordance with our obligations under data protection laws and our legal obligations of confidentiality. We will only disclose or share personal data with other data controllers where this is necessary:

(a) in connection with our business of providing M&A and corporate finance advisory services and where it is necessary and in the legitimate interests of ourselves or our clients to do so;
(b) where legally required to do so, such as where we are required to comply with a court order;
(c) where we have another lawful basis for sharing personal data; or
(d) in connection with a business reorganisation, merger or acquisition of our business.

We also share personal data with some of the third parties who provide services to our firm. This includes software providers, cloud service providers and IT support services. However, these third parties will only process personal data on our behalf for specified purposes and in accordance with strict instructions and after providing appropriate guarantees that the information will be kept safe.


We only retain personal data for as long as is necessary for the specific purposes it was collected for (or for related compatible purposes such as complying with applicable legal, accounting, or recordkeeping requirements). To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from its unauthorised use or disclosure, the purposes for which we process personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Once we are satisfied that information is no longer required it will be securely destroyed.


We have put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, damaged or destroyed, altered or disclosed. Our security includes physical security measures, electronic security technology and organisational


We will only transfer personal data internationally where it is necessary and lawful to do so. This includes transfers made to other countries (such as Japan or the EEA Member States) which are recognised as providing adequate protection for personal data, or where the recipient has entered into standard contractual clauses which ensure the protection of personal data and which have been approved in accordance with data protection laws.


Data protection laws provide individuals with certain rights in relation to their personal data. These are as follows:

(a) The right of access (including the right to receive a copy of the personal data we hold about that individual, subject to certain exemptions).
(b) The right to request correction or completion of personal data.
(c) The right to request erasure of personal data in certain circumstances.
(d) The right to object to processing for legitimate interests purposes or for direct marketing.
(e) The right to restrict how personal data is used in certain circumstances.
(f) The right to a portable copy or the transfer of data in a structured, commonly used, machine-readable format.
(g) The right to withdraw consent (if we are relying on consent to process personal data then that consent can be withdrawn at any time).

Further information on each of these rights can be found on the Information Commissioner’s Office website ( To exercise any of these rights, please email or write to Crimson Phoenix Limited at 80-83 Long Lane, London, EC1A 9ET. There is not normally a fee to access personal data (or to exercise any other legal rights). However, we may charge a reasonable fee if a request is manifestly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with a request in these circumstances.

We try to respond to all personal data requests within one month, though it may take us longer than a month if a request is particularly complex or a number of requests have been made. Please remember that there are exceptions to the rights above and some situations where they do not apply. Individuals also have the right to complain to the UK Information Commissioner’s Office if they are not satisfied with our response to a data protection request or if they think personal data has been mishandled. For further information on how to make a complaint, please visit