Privacy Notice

Last updated: 18 June 2026

1. About this notice

This privacy notice explains how Equatorial Strategies Group Limited collects, uses, shares and protects personal data.

It applies to personal data processed through:

  • our website;

  • enquiries and business communications;

  • client and supplier relationships;

  • investigations, tracing, due diligence and intelligence assignments;

  • governance, risk, crisis-management and ESG advisory services;

  • our artificial-intelligence and technology services; and

  • our general business operations.

Additional privacy information may be provided for a particular investigation, engagement, platform or service. Where there is any inconsistency, the more specific notice will apply to that processing.

2. Who we are

Equatorial Strategies Group Limited is a company registered in England and Wales under company number 17142196.

Our registered office is:

167–169 Great Portland Street
5th Floor
London
United Kingdom
W1W 5PF

In this notice, “Equatorial”, “we”, “us” and “our” refer to Equatorial Strategies Group Limited.

You can contact us about privacy or data-protection matters by writing to our registered office or through the contact facility on our website.

3. Our data-protection role

For our website, business administration, marketing and most of our own commercial activities, Equatorial determines why and how personal data is processed and acts as the controller.

When providing services to clients, our role depends on the circumstances. We may act as:

  • an independent controller;

  • a joint controller with a client or another organisation; or

  • a processor acting only on a client’s documented instructions.

Where we act solely as a processor, the relevant client is normally responsible for explaining how the personal data is used. Further information may be provided in the relevant engagement documentation or investigation-specific privacy notice.

4. Personal data we may collect

Depending on your relationship with us and the services concerned, we may process the following categories of personal data.

4.1 Contact and business information

This may include:

  • your name, title and organisation;

  • business address;

  • telephone number and email address;

  • professional role and responsibilities;

  • correspondence and meeting records; and

  • information contained in enquiries, proposals or instructions.

4.2 Client, supplier and engagement information

This may include:

  • contractual and billing information;

  • identity and authority checks;

  • details of client personnel, advisers and representatives;

  • supplier and subcontractor information;

  • project records, instructions and deliverables; and

  • records necessary to manage conflicts, risks, insurance and compliance.

4.3 Investigation, tracing and due-diligence information

Our work may require us to process information about complainants, witnesses, sources, employees, officers, counterparties, subjects of investigations and other relevant individuals.

This may include:

  • identity and contact information;

  • employment and professional history;

  • corporate appointments and ownership interests;

  • allegations, complaints and witness accounts;

  • financial, transactional and asset information;

  • communications, documents, photographs and recordings;

  • location, travel and event information;

  • relationships between people, organisations, assets or events;

  • information from court, regulatory, corporate and other public records;

  • online and open-source information;

  • sanctions, watchlist and adverse-media information; and

  • findings, assessments, opinions and investigative conclusions.

Information concerning an allegation or suspicion of criminal activity may constitute criminal-offence data even where no charge or conviction exists.

4.4 Special-category personal data

Where relevant and necessary, we may process information concerning:

  • racial or ethnic origin;

  • political opinions;

  • religious or philosophical beliefs;

  • trade-union membership;

  • health;

  • sex life or sexual orientation;

  • genetic information; or

  • biometric information used for identification.

We seek to avoid collecting sensitive information that is not relevant or necessary for the particular purpose.

4.5 Website and technical information

When you use our website or online services, we may collect:

  • IP address;

  • browser and device information;

  • operating system;

  • pages visited and actions taken;

  • date, time and duration of visits;

  • referring website;

  • security and diagnostic information; and

  • cookie or similar technology identifiers.

4.6 Technology and AI-service information

Where you use one of our technology services, we may process:

  • account and authentication information;

  • information submitted to the service;

  • prompts, queries, documents or other inputs;

  • analytical outputs and risk assessments;

  • system logs, usage records and diagnostic information; and

  • feedback about the service.

You should not submit personal data to a service unless you are authorised to do so.

5. How we obtain personal data

We may obtain personal data:

  • directly from you;

  • from our clients or their advisers;

  • from complainants, witnesses, sources and investigation subjects;

  • from employers, colleagues, counterparties and business partners;

  • from investigators, consultants and specialist service providers;

  • from public authorities, regulators or law-enforcement bodies;

  • from corporate, court, property and regulatory records;

  • from sanctions, screening and commercial intelligence databases;

  • from publicly available websites, publications and social media; and

  • through our website and technology systems.

Where personal data is obtained from another source, it may not always be appropriate or lawful to contact the individual immediately. For example, doing so could prejudice an investigation, reveal a confidential source, compromise security or conflict with legal or professional obligations. We provide privacy information when required and permitted by law.

6. Why we use personal data and our lawful bases

We use personal data only where we have an appropriate lawful basis.

6.1 Website operation and security

We process website and technical data to:

  • provide and maintain our website;

  • monitor performance;

  • prevent fraud, misuse and cyberattacks;

  • investigate security incidents; and

  • improve our services.

We generally rely on our legitimate interests in operating a secure and effective website and protecting our systems, users and business.

6.2 Enquiries and business relationships

We process contact and business information to:

  • respond to enquiries;

  • prepare proposals;

  • take steps towards entering into an agreement;

  • provide services;

  • administer contracts and payments; and

  • manage client, supplier and professional relationships.

Depending on the circumstances, we rely on contractual necessity, steps taken at your request before entering into a contract, legal obligations or our legitimate interests in conducting and managing our business.

6.3 Investigations, tracing, due diligence and intelligence analysis

We may process personal data to:

  • examine allegations, incidents or suspected wrongdoing;

  • establish relevant facts and preserve evidence;

  • identify relationships between people, organisations, assets, funds, information or events;

  • verify identity, ownership, integrity and credibility;

  • assess potential partners, investments, appointments or transactions;

  • prevent or detect fraud, corruption, misconduct or other unlawful activity;

  • protect people, assets, organisations and operations;

  • provide findings, analysis and recommendations to clients; and

  • establish, exercise or defend legal rights.

Depending on the assignment, we may rely on:

  • our legitimate interests or those of our clients and relevant third parties;

  • a recognised legitimate interest, including the prevention, detection or investigation of crime or safeguarding, where its legal requirements are met;

  • compliance with a legal obligation;

  • contractual necessity;

  • the establishment, exercise or defence of legal claims;

  • protection of vital interests in an emergency; or

  • consent where it is genuinely appropriate and freely given.

Consent is not ordinarily the principal lawful basis for an investigation, because withdrawing consent must not normally prevent a necessary and otherwise lawful investigation from continuing.

6.4 Governance, risk, crisis-management and ESG services

We process personal data where necessary to:

  • assess governance, controls, compliance and organisational capability;

  • identify and assess operational, security and enterprise risks;

  • prepare for or respond to crises;

  • analyse intelligence and emerging threats;

  • assess ESG controls, performance and stakeholder impacts; and

  • advise boards, executives and institutions.

We generally rely on contractual necessity, legal obligations and legitimate interests in providing effective advice, managing risk, protecting people and organisations and supporting sound decision-making.

6.5 Technology and AI services

We may use personal data to:

  • provide and administer our technology services;

  • authenticate users;

  • generate analysis or risk-related outputs;

  • maintain security and reliability;

  • diagnose problems;

  • prevent misuse; and

  • evaluate and improve service performance.

The applicable lawful basis will depend on the service and may include contractual necessity, legitimate interests, legal obligations or consent for optional processing.

Where a service involves automated analysis or profiling, additional service-specific information may be provided explaining how that processing operates. We will not use personal data to make decisions based solely on automated processing that produce legal or similarly significant effects unless this is permitted by law and appropriate safeguards are in place.

6.6 Marketing and professional communications

We may use business contact information to send relevant information about our services, publications or events.

We rely on consent where consent is legally required. In other circumstances, we may rely on our legitimate interests in developing professional relationships and promoting relevant business services.

You may object to direct marketing at any time. We may retain limited information on a suppression list to ensure that your preference continues to be respected.

6.7 Legal, regulatory and corporate purposes

We may process personal data to:

  • comply with legal, regulatory, tax, accounting or insurance obligations;

  • respond to lawful requests and court orders;

  • conduct audits;

  • manage complaints and disputes;

  • establish, exercise or defend legal claims;

  • protect our legal rights; and

  • support a proposed corporate restructuring, investment, sale or acquisition.

We rely on legal obligations and our legitimate interests in protecting and administering our business.

7. Special-category and criminal-offence data

Where we process special-category personal data, we identify both a lawful basis and an additional condition under Article 9 of the UK GDPR.

Depending on the circumstances, these conditions may include:

  • explicit consent;

  • protection of vital interests;

  • information manifestly made public by the individual;

  • establishment, exercise or defence of legal claims; or

  • substantial public-interest conditions under the Data Protection Act 2018, including preventing or detecting unlawful acts, safeguarding, fraud prevention or meeting regulatory requirements.

Where we process criminal-offence data, including allegations or suspicions of criminal activity, we do so only where permitted under Article 10 of the UK GDPR and the Data Protection Act 2018.

We maintain an appropriate policy document where the law requires one.

8. Cookies and similar technologies

Our website may use cookies and similar technologies for essential operation, security, functionality, analytics and performance measurement.

Where the law requires consent, we will not use the relevant technology until consent has been provided. Where a statutory exception permits its use without consent, we will provide clear information and, where required, an accessible means of objecting.

Further information about the technologies used, their purposes and available controls should be provided through our cookie notice or consent-management tool.

9. Sharing personal data

Where necessary and lawful, we may share personal data with:

  • the client commissioning an engagement;

  • other controllers or joint controllers identified for a particular assignment;

  • investigators, analysts, consultants and specialist advisers;

  • technology, hosting, communications and security providers;

  • identity, sanctions, due-diligence and intelligence-data providers;

  • legal advisers, accountants, auditors, insurers and banks;

  • regulators, courts, public authorities and law-enforcement bodies;

  • persons or organisations necessary to protect individuals, assets or operations; and

  • prospective purchasers, investors or professional advisers involved in a corporate transaction.

Our service providers may process personal data only for agreed purposes and subject to contractual confidentiality, security and data-protection obligations.

Information from confidential sources is shared only where necessary and subject to applicable legal, contractual and investigative protections.

10. International transfers

Equatorial operates in international and emerging markets. Personal data may therefore need to be transferred to, accessed from or processed in countries outside the United Kingdom.

Where UK data-protection restrictions apply, we use an appropriate transfer mechanism, such as:

  • UK adequacy regulations;

  • the UK International Data Transfer Agreement;

  • the UK Addendum to approved EU standard contractual clauses;

  • another legally recognised safeguard; or

  • a permitted exception where necessary and proportionate.

Where required, we assess whether the transfer provides an appropriate level of protection and implement additional contractual, technical or organisational safeguards.

11. Data retention

We retain personal data only for as long as reasonably necessary for the purpose for which it was collected.

When setting retention periods, we consider:

  • the duration of the client relationship or engagement;

  • the investigation mandate and evidential value of the information;

  • legal, regulatory, contractual and insurance requirements;

  • applicable limitation periods;

  • security and fraud-prevention requirements;

  • the sensitivity and volume of the information;

  • the rights and interests of affected individuals; and

  • whether information can be securely deleted or anonymised.

Investigation and due-diligence records may need to be retained after an assignment has concluded in order to preserve an appropriate evidential record, respond to subsequent enquiries or establish, exercise or defend legal claims.

12. Information security

We use proportionate technical and organisational measures designed to protect personal data against unauthorised access, disclosure, alteration, loss or destruction.

These measures may include:

  • access restrictions based on role and need;

  • authentication and account controls;

  • secure storage and transmission;

  • encryption where appropriate;

  • logging and monitoring;

  • confidentiality obligations;

  • supplier due diligence;

  • staff training; and

  • incident-response arrangements.

No system can be guaranteed to be completely secure. We regularly consider the safeguards appropriate to the nature and risk of the processing.

13. Your rights

Subject to the relevant legal conditions and exemptions, you may have the right to:

  • obtain information about how we use your personal data;

  • request access to your personal data;

  • have inaccurate or incomplete data corrected;

  • request erasure of your personal data;

  • request restriction of processing;

  • object to processing based on legitimate or recognised legitimate interests;

  • object to direct marketing;

  • receive certain data in a portable format;

  • withdraw consent where processing is based on consent; and

  • request safeguards concerning qualifying automated decision-making.

These rights are not absolute. In particular, we may be unable to disclose or delete information where doing so would prejudice an investigation, reveal information about another person, breach legal privilege or confidentiality, undermine the prevention or detection of unlawful activity, or conflict with another legal obligation.

We may ask for information necessary to verify your identity before acting on a request.

14. Complaints

Please contact us first if you have a concern about how we have handled your personal data so that we can investigate it.

You also have the right to complain to the Information Commissioner’s Office, the United Kingdom’s independent data-protection regulator.

15. Changes to this notice

We may update this privacy notice to reflect changes in our services, technology, legal obligations or processing activities.

The latest version will be published on our website with its date of revision.