Privacy Policy

Last updated: 25/04/2026

1. Introduction

This Privacy Policy explains how Cairnstone Group Limited ("Cairnstone", "we", "us" or "our") collects, uses, and protects personal data through the website at cairnstonegroup.net and any sub-domains operated by us (the "Website").

We are committed to protecting your personal data and to handling it in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR), as well as the EU General Data Protection Regulation where it applies.

This Policy applies only to personal data collected through the Website. Personal data we receive in the course of providing professional services to a client is governed by the terms of the relevant engagement and any data protection terms set out in or alongside it.

2. Who we are

Cairnstone Group Limited is a company registered in England and Wales under company number 16805685, with its registered office at 33 Hill Street, London W1J 5LT, United Kingdom.

For the purposes of UK GDPR, Cairnstone Group Limited is the controller of the personal data described in this Policy.

If you have any questions about this Policy or about how we handle your personal data, please contact us at adunkels@cairnstonegroup.net.

3. The personal data we collect

We collect personal data in the following ways:

(a) Information you provide via our contact form. When you complete the contact form on the Website, we collect the personal data you submit. This typically includes your name, email address, telephone number (if provided), and the contents of your message.

(b) Information collected automatically. When you visit the Website, certain limited information is collected automatically by our website hosting platform (Framer) for the purpose of providing site analytics. This information is aggregated and does not identify you. Specifically, Framer’s built-in analytics measure metrics such as page views, unique visitors, country (derived from IP address), referrer source, and device type. Framer’s built-in analytics do not use cookies, do not generate persistent identifiers, and do not collect personal data that can be traced back to an individual.

We do not currently use Google Analytics, Meta Pixel, LinkedIn Insight Tag, or any other third-party analytics or advertising tracking on the Website.

We do not knowingly collect personal data from children under the age of 18.

4. How we use your personal data

We use the personal data you submit through the contact form to:

(a) respond to your enquiry and any related correspondence;

(b) provide you, at your request, with a copy of Cairnstone’s credentials or other information about our services;

(c) consider whether to enter into a professional engagement with you or your organisation; and

(d) keep records of our communications with you for our internal administrative and compliance purposes.

We use the aggregated, non-personal information collected by Framer’s built-in analytics to understand how visitors use the Website and to improve its performance and content.

5. Legal basis for processing

Under the UK GDPR, we rely on the following legal bases for processing your personal data:

(a) Your consent (Article 6(1)(a)) — when you choose to submit an enquiry through our contact form, you consent to us processing the personal data you provide for the purpose of responding to that enquiry. You may withdraw your consent at any time by contacting us at the address below.

(b) Our legitimate interests (Article 6(1)(f)) — we have a legitimate interest in responding to enquiries about our services, in maintaining records of our communications, and in understanding how the Website is used. Where we rely on legitimate interests, we have considered and balanced any potential impact on your rights, and we believe our processing does not unfairly affect them.

(c) Compliance with a legal obligation (Article 6(1)(c)) — where we are required by law to retain or disclose personal data.

6. Who we share your personal data with

We do not sell, rent, or trade your personal data, and we do not share it with third parties for their own marketing purposes.

We do, however, use a small number of trusted service providers ("processors") who handle personal data on our behalf, under contract, and only on our instructions. These currently include:

• Framer B.V. — our website hosting and analytics platform. Personal data submitted via the contact form is transmitted through, and may be temporarily processed by, Framer’s infrastructure.

• Microsoft 365 — our email service provider, through which contact form submissions are received and stored.

We may also disclose your personal data:

(a) where required to do so by law, court order, regulatory request, or to comply with legal proceedings;

(b) to professional advisers (such as lawyers or accountants) where reasonably necessary in connection with our business;

(c) to a successor entity in the event of a sale, merger, or reorganisation of our business; or

(d) where you have given your consent to the disclosure.

7. International data transfers

Some of our service providers (including Framer and our email provider) are based outside the United Kingdom or operate cloud infrastructure that may involve the transfer of personal data to countries outside the UK, including the European Economic Area and the United States.

Where personal data is transferred outside the UK, we take steps to ensure that an appropriate level of protection is in place. This may include relying on adequacy decisions made by the UK government, on the UK International Data Transfer Agreement, or on the UK Addendum to the EU Standard Contractual Clauses, as appropriate.

8. How long we keep your personal data

We retain personal data only for as long as is necessary for the purposes for which it was collected:

• Contact form enquiries that do not lead to an engagement: typically retained for up to 24 months from the date of last correspondence, after which they are deleted, unless we are required to retain them for longer for legal or regulatory reasons.

• Contact form enquiries that lead to a professional engagement: retained in accordance with the data retention provisions of the relevant engagement and our broader records-management practices.

9. Cookies

The Website does not currently use cookies for analytics, advertising, or other non-essential purposes. Framer’s built-in analytics are cookieless.

A small number of strictly necessary cookies may be set by the hosting platform to ensure the technical operation of the Website (for example, to manage page loading, security, or load balancing). Strictly necessary cookies do not require your consent under PECR.

If we add any non-essential cookies or third-party tracking to the Website in the future, we will update this Policy and, where required, implement an appropriate cookie consent mechanism before any such cookies are set.

10. Your rights

Under the UK GDPR you have a number of rights in relation to your personal data. These include the right to:

(a) Access the personal data we hold about you and obtain a copy of it;

(b) Rectification — to have inaccurate personal data corrected, or incomplete data completed;

(c) Erasure ("right to be forgotten") — to ask us to delete your personal data in certain circumstances;

(d) Restriction of processing in certain circumstances;

(e) Object to our processing of your personal data, in particular where we rely on legitimate interests;

(f) Data portability — to receive your personal data in a structured, commonly used, machine-readable format, where the processing is based on consent or contract and is carried out by automated means;

(g) Withdraw consent at any time, where the processing is based on your consent. Withdrawing consent does not affect the lawfulness of any processing carried out before you withdrew it; and

(h) Lodge a complaint with a data protection supervisory authority (see clause 11 below).

To exercise any of these rights, please contact us at adunkels@cairnstonegroup.net. We will respond to valid requests within one month of receipt, although this period may be extended by up to two further months where the request is complex or where we have received a number of requests. There is no charge for exercising these rights, save in exceptional circumstances permitted by law.

We may need to verify your identity before responding to a request.

11. Complaints to a supervisory authority

If you are unhappy with how we have handled your personal data, please contact us in the first instance at adunkels@cairnstonegroup.net and we will do our best to resolve the matter.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection:

• Website: ico.org.uk

• Helpline: 0303 123 1113

• Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

If you are based in the European Economic Area, you may also lodge a complaint with the supervisory authority in the country where you live or work.

12. Changes to this Policy

We may update this Policy from time to time. The version in force at the time you visit the Website applies to your use of it. Any material changes will be highlighted on the Website. The "Last updated" date at the top of this Policy indicates when it was last revised.

13. Contact

For any questions, requests, or concerns relating to this Privacy Policy or to our handling of your personal data, please contact:

Cairnstone Group Limited

33 Hill Street

London W1J 5LT

United Kingdom

Email: adunkels@cairnstonegroup.net