Privacy Notice

This notice explains how Doyle Blackfriars Ltd (registered in England and Wales, company number 14688261) and Doyle Blackfriars SL (registered in Spain, NIF B22819288) — together referred to as "the Firm," "we," "us," or "our" — collect, hold, process, and share personal data. It applies to personal data submitted via this website, exchanged in the course of a professional engagement, or otherwise provided to the Firm.

References to "UK GDPR" mean the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018. References to "EU GDPR" mean Regulation (EU) 2016/679.

1. Who we are

Doyle Blackfriars Ltd and Doyle Blackfriars SL are each independent data controllers in respect of the personal data they process in connection with their own client engagements. Both entities act as joint data controllers in respect of personal data collected through this website, by virtue of their joint operation of it.

Doyle Blackfriars Ltd is registered with the Information Commissioner's Office (ICO) as a data controller. Doyle Blackfriars SL is subject to the supervision of the Agencia Española de Protección de Datos (AEPD) as its lead supervisory authority within the EU.

For all data protection enquiries, contact us at hello@doyle-blackfriars.com. We aim to respond within ten working days.

2. Personal data we collect

We collect and process the following categories of personal data:

Website enquiries and form submissions: when you submit a contact form or download a research report, we collect the information you provide — typically your name, work email address, organisation name, and the contents of your message or submission.

Engagement data: in the course of a professional engagement, we collect and process contact details, professional background information, and any personal data contained in materials you share with us or that we produce on your behalf.

Billing and financial data: where we invoice for services, we collect and process the name, business address, and relevant tax identification details of the individual or entity responsible for payment.

Website analytics: we use Google Analytics to collect aggregated information about how visitors use this website, including pages visited, time on site, general geographic location, browser type, and device type. This data is collected by way of cookies and similar technologies; it does not directly identify you. See Section 7 for more detail.

We do not use third-party advertising trackers or behavioural profiling on this site. We do not process special categories of personal data as defined by UK GDPR Article 9 or EU GDPR Article 9.

3. Lawful basis for processing

We process personal data only where we have a lawful basis to do so. Our basis varies by activity:

Contact form submissions and general enquiries: we rely on our legitimate interests (UK GDPR Article 6(1)(f) / EU GDPR Article 6(1)(f)) in responding to communications directed to us and in developing the Firm's relationships with prospective clients and collaborators. We have assessed that this interest is not overridden by individuals' rights, given the professional context and the reasonable expectation that an unsolicited enquiry will receive a reply.

Research downloads and mailing lists: where you submit your details to receive research publications or other communications from the Firm, we rely on your consent (UK GDPR Article 6(1)(a) / EU GDPR Article 6(1)(a)). You may withdraw your consent at any time by contacting us at hello@doyle-blackfriars.com or by using the unsubscribe link in any email communication. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

Engagement delivery: we process personal data necessary for the performance of a contract to which you or your organisation are a party, or to take steps at your request prior to entering into a contract (UK GDPR Article 6(1)(b) / EU GDPR Article 6(1)(b)).

Billing and financial records: we process billing data to comply with our legal obligations under UK and Spanish tax and accounting law (UK GDPR Article 6(1)(c) / EU GDPR Article 6(1)(c)).

Website analytics: we process analytics data on the basis of your consent, given via our cookie consent mechanism (UK GDPR Article 6(1)(a) / EU GDPR Article 6(1)(a)). You may withdraw or manage your consent at any time via your browser settings or our cookie preferences tool.

4. How long we keep it

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law.

Engagement records, including any personal data contained in deliverables, correspondence, and billing documentation, are held for seven years from the close of the engagement. This reflects professional record-keeping practice and the requirements of HMRC and the Spanish Agencia Tributaria in respect of accounting records.

Contact form submissions and enquiry records that do not proceed to an active engagement are held for two years from the date of receipt, after which they are deleted or anonymised.

Research download and mailing list records are held for as long as your consent remains active. If you withdraw consent or your contact becomes inactive for a continuous period of two years, we will remove your details from the relevant list.

Website analytics data is retained in accordance with our Google Analytics configuration, currently set to fourteen months, after which it is automatically deleted.

5. Sharing and sub-processors

We do not sell personal data to any third party.

We share personal data only in the following circumstances:

With professional advisers — including legal counsel and accountants — where disclosure is necessary and those advisers are bound by duties of confidentiality.

With the sub-processors listed below, who provide the technical infrastructure through which we operate this website and our communications. Each sub-processor is engaged under a data processing agreement and is permitted to process personal data only in accordance with our instructions:

Brevo SAS (France) — email delivery and form data capture. Brevo is an EU-established entity subject to EU GDPR. Personal data transferred from the UK to Brevo is covered by the UK's adequacy regulations for transfers to the European Economic Area.

Google Ireland Limited (Ireland) — website analytics via Google Analytics. Google is an EU-established entity for the purposes of EU GDPR. Where data is onwardly transferred to Google LLC in the United States, this is governed by Standard Contractual Clauses and Google's participation in the EU–US Data Privacy Framework. For UK-originating data, transfers are covered by the UK's International Data Transfer Addendum to the Standard Contractual Clauses.

Netlify Inc. (United States) — website hosting and delivery. Transfers of personal data to Netlify from the EU are governed by Standard Contractual Clauses. Transfers from the UK are governed by the UK International Data Transfer Agreement.

With regulators, law enforcement agencies, or courts where we are required to do so by applicable law or by order of a competent authority.

6. International transfers

When personal data is transferred outside the United Kingdom or the European Economic Area, we ensure that an appropriate safeguard is in place as required by UK GDPR Chapter V or EU GDPR Chapter V. The applicable mechanisms are set out in Section 5 alongside each sub-processor. If you would like further information about the specific safeguards in place for any transfer, contact us at hello@doyle-blackfriars.com.

7. Cookies and analytics

This website uses cookies and similar tracking technologies. A cookie is a small file placed on your device when you visit a website. We use the following categories:

Strictly necessary cookies are required for the website to function. They cannot be disabled.

Analytics cookies, set by Google Analytics, allow us to understand how visitors interact with the site in aggregate. These cookies are only placed with your consent. You may withdraw consent at any time via your browser settings or our cookie preferences tool.

We do not set advertising or behavioural targeting cookies. Full details of the cookies we use, their duration, and how to manage them are set out in our Cookie Policy.

8. Your rights

Under UK GDPR and EU GDPR, you have the following rights in respect of personal data we hold about you:

The right to access: to obtain a copy of the personal data we hold about you and information about how we use it (subject access request).

The right to rectification: to have inaccurate personal data corrected or incomplete data completed.

The right to erasure: to request deletion of your personal data in certain circumstances, including where it is no longer necessary for the purpose for which it was collected.

The right to restriction: to request that we limit the processing of your personal data in certain circumstances, for example whilst the accuracy of data is contested.

The right to data portability: to receive personal data you have provided to us in a structured, commonly used, machine-readable format, where processing is based on your consent or on a contract and is carried out by automated means.

The right to object: to object to processing based on legitimate interests at any time on grounds relating to your particular situation. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or where processing is necessary for the establishment, exercise, or defence of legal claims.

The right to withdraw consent: where we process personal data on the basis of your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, contact us at hello@doyle-blackfriars.com. We will respond within one month of receipt of your request. We do not charge for handling rights requests unless they are manifestly unfounded or excessive.

If you are not satisfied with our response, or if you believe we are processing your personal data in a manner inconsistent with data protection law, you have the right to lodge a complaint with the relevant supervisory authority:

In the United Kingdom: the Information Commissioner's Office (ICO) at ico.org.uk.

In Spain and for EU residents generally: the Agencia Española de Protección de Datos (AEPD) at aepd.es, or the supervisory authority in your country of residence or place of work within the EU.

9. Changes to this notice

We review this notice periodically and update it when our processing activities change or when required by law. The version number and date at the top of this page reflect the most recent update. We encourage you to check this page from time to time. Where changes are material, we will take reasonable steps to bring them to your attention.