
Privacy Policy

Carta Risk is a private company limited by shares that has been incorporated in England & Wales. References to Carta Risk, we or us in this policy are references to Carta Risk Ltd and/or its associated entities, as appropriate.

Carta Risk understands the importance of your privacy and treats your personal information with the respect it deserves. This policy sets out how we collect, use, disclose and manage your information.

Collection

We may collect personal information from you in a number of ways including in the course of our business with you, your use of our website, through our technology, when you contact or request information from us, when you apply for a role with us and when you engage us for our services. 

We may also collect personal information about you from our group entities, from publicly available sources of information, or in some cases, from third parties including recruitment agencies, previous employers, government departments and third party service providers which provide criminal, bankruptcy and other checks.

The personal information we collect about you may include your name, date and place of birth, contact details, Internet Protocol (IP) address, occupation and education/work history, employer, legal and industry areas of interest, passport details and information relating to your dealings with us and our clients.

Use of information

The purposes for which we collect your information may include:

  • verifying your identity and carrying out checks;

  • contacting you (including via electronic messaging such as SMS and email, by mail, by phone or in any other lawful manner);

  • providing you with, developing and improving our services or information;

  • undertaking searches for our own purposes and the purpose of determining if we can work with a client or potential client;

  • promoting our services, including sending updates, publications and details of events;

  • managing and administering our relationship with you and our clients;

  • fulfilling our legal, regulatory and risk management obligations; and

  • exercising, defending and managing legal claims and proceedings.

If we are not able to collect personal information about you we may not be able to provide you with products, services and assistance to the extent that they require us to collect, use or disclose personal information.

Marketing and other emails

We may use personal information to understand whether you read the emails and other materials, such as legal publications, that we send to you, click on the links to the information that we include in them and whether and how you visit our website after you click on that link.  We may do this by using software that places a cookie on your device which tracks this activity and records it against your email address.  Removal of such a cookie will not affect your experience on our websites. 

If you receive marketing communications from us and no longer wish to do so, you may unsubscribe at any time by sending an email to hello@cartarisk.com.

Our services

We collect, create, hold and use personal information in the course of and in connection with the services we provide to our clients.  We will process identification and background information as part of our business acceptance, finance, administration and marketing processes, including anti-money laundering, conflict, reputational and financial checks.  We will also process personal information provided to us by or on behalf of our clients for the purposes of the work we do for them.  The information may be disclosed to third parties to the extent reasonably necessary in connection with that work. 

Retaining personal information

Your personal information will be retained in accordance with our data retention policy which categorises all of the information held by us and specifies the appropriate retention period for each category of data.  Those periods are based on the requirements of applicable data protection laws and the purpose for which the information is collected and used, taking into account legal and regulatory requirements to retain the information for a minimum period, limitation periods for taking legal action, good practice and our business purposes.

Sharing your personal information

Any information that you provide to us may be shared with and processed by any entity in our network and we may also share your personal information with certain trusted third parties, including:

  • our professional advisers and auditors;

  • suppliers to whom we outsource certain support services such as word processing, translation, photocopying and document review;

  • IT service providers to us;

  • third parties engaged in the course of the services we provide to clients, such as professional advisers and technology service providers like data room and case management services; and

  • third parties involved in hosting or organising events or seminars.

Where necessary, or for the reasons set out in this policy, personal information may also be shared with regulatory authorities, courts, tribunals, government agencies and law enforcement agencies.

If in the future we re-organise or transfer all or part of our business, we may need to transfer your information to new entities or to third parties through which our business will be carried out.

We may use social media sites such as Facebook, LinkedIn and X.  If you use these services, you should review their privacy policy for more information on how they deal with your personal information.

We may contact you via email, SMS or other means in order to provide you with updated information about the website, in relation to events or to provide you with other information about our services.  If you do not wish to receive any such information, please contact us by email to hello@cartarisk.com.

Access to information

You are entitled to request details of the information we hold about you and how we process it.  You may also have a right in accordance with applicable data protection law to have it rectified or deleted, to restrict our processing of that information, to stop unauthorised transfers of your personal information to a third party and, in some circumstances, to have personal information relating to you transferred to another organisation. If you wish to access, correct or update any personal information we may hold about you, please contact us by email to hello@cartarisk.com.

Storage and security of information

We will take reasonable steps to keep any personal information we hold about you secure and we implement a range of physical and electronic security measures to protect the personal information. However, except to the extent liability cannot be excluded by law, we exclude all liability (including in negligence) for the consequences of any unauthorised access to your personal information. Please notify us immediately if you become aware of any breach of security.

We may store your files in hard copy or electronically in our ordinary IT systems.  These may include UK-based cloud servers or the servers of third parties within the UK and elsewhere. 

Complaints

If you have any questions or concerns about our collection, use or disclosure of personal information, or if you believe that we have not complied with this policy or relevant law, please contact us by email to hello@cartarisk.com.  The Privacy Officer will investigate the complaint and determine whether a breach has occurred and what action, if any, to take.  When contacting us, please provide as much detail as possible in relation to the query, issue or complaint. You may also have the right to lodge a complaint in relation to our processing of your personal information with a local supervisory authority.

Your rights

The European Union’s General Data Protection Regulation and other applicable data protection laws provide certain rights.  If you object to the processing of your personal information, or if you have provided your consent to processing and you later choose to withdraw it, we will respect that choice in accordance with our legal obligations. 

Your objection (or withdrawal of any previously given consent) could mean that we are unable to perform the actions necessary to achieve the purposes set out above or that you may not be able to make use of the services and products offered by us. Please note that even after you have chosen to withdraw your consent we may be able to continue to process your personal information to the extent required or otherwise permitted by law, in particular in connection with exercising and defending our legal rights or meeting our legal and regulatory obligations.

06032025
