GK Advisory Group Privacy Policy

Contact Details

Email: [email protected]

What information we collect, use, and why

We collect or use the following information to provide services and goods, including delivery: names and contact details, addresses, purchase or account history, payment details (including card or bank information for transfers and direct debits), account information, website user information (including user journeys and cookie tracking), call recordings, records of meetings and decisions, information relating to compliments or complaints. We collect or use the following information for the operation of customer accounts and guarantees: names and contact details addresses, payment details (including card or bank information for transfers and direct debits), purchase history, account information, including registration details, information used for security purposes, marketing preferences, business information, website details, CRM configuration, automation requirements, project notes, onboarding information, client portal access details, support requests, and service usage information.

We collect or use the following information for service updates or marketing purposes: names and contact details, addresses, marketing preferences, website and app user journey information. records of consent where appropriate, business name, company website, enquiry source, campaign source, form responses, communication history, and preferences relating to service updates or marketing communications. We collect or use the following information to comply with legal requirements: name, contact information, financial transaction information, any other personal information required to comply with legal obligations, business name, billing details, contract records, invoice records, payment history, tax and accounting records, and correspondence relating to legal or regulatory obligations. We collect or use the following personal information for dealing with queries, complaints or claims: names and contact details, address, payment details, account information, purchase or service history, call recordings, customer or client accounts and records, correspondence, business name, website details, enquiry details, project notes, onboarding information, support requests, CRM records, automation records, and service delivery records.

Lawful bases and data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website. Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website: Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. Read more about the right of access. Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification. Your right to erasure - You have the right to ask us to delete your personal information. Read more about the right to erasure. Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing. Your right to object to processing - You have the right to object to the processing of your personal data. Read more about the right to object to processing. Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability. Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent. If you make a request, we must respond to you without undue delay and in any event within one month. To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for the collection and use of your data

Our lawful bases for collecting or using personal information to provide services and goods are: Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object. Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are: We have a legitimate interest in collecting and using personal information to respond to enquiries, understand what a person or business is asking for, assess whether our services are suitable, manage our relationship with prospective and existing clients, provide support, maintain accurate business records, and improve the way we deliver our services. Using this information benefits both GK Advisory and the people we work with by allowing us to respond properly, provide relevant information, manage service delivery, and keep records of communications and decisions. We only use information that is relevant to these purposes and do not use it in a way that would override the rights, freedoms or interests of the people involved. For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above. Our lawful bases for collecting or using personal information for the operation of customer accounts and guarantees are: Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object. Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability. Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are: We have a legitimate interest in collecting and using personal information to create, manage, support and maintain customer accounts, client workspaces, service records, user access, billing records and ongoing client relationships. This helps us deliver our services properly, manage client onboarding, provide support, maintain accurate records, monitor service usage, resolve account issues, improve our systems, and keep client services secure and reliable. We only use information that is relevant to these purposes and aim to avoid using personal information in a way that would unfairly affect the rights, freedoms or interests of the people involved. For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above. Our lawful bases for collecting or using personal information for service updates or marketing purposes are: Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time. Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are: We have a legitimate interest in using personal information to provide relevant service updates, respond to business enquiries, follow up with people who have shown an interest in our services, understand which communications are useful, improve our marketing, and keep prospective and existing clients informed about services that may be relevant to them. This helps GK Advisory communicate with the right people about relevant business services, and helps recipients receive information that may be useful to their business. We only use information that is relevant for these purposes, aim to keep the impact on individuals low, and provide a way for people to opt out of marketing communications. For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above. Our lawful bases for collecting or using personal information for legal requirements are: Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability. Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are: Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object. Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability. Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are: We have a legitimate interest in collecting and using personal information to respond to queries, investigate complaints, resolve support issues, manage disputes, handle claims, keep accurate records of what has happened, and protect our legal and business position. Using this information helps us understand the issue, communicate with the people involved, review relevant account, service, payment, communication and call records, and take appropriate action. This benefits both GK Advisory and the person making the query or complaint by allowing issues to be handled properly, fairly and efficiently. We only use information that is relevant to the query, complaint or claim, and we aim to avoid using personal information in a way that would unfairly affect the rights, freedoms or interests of the people involved. For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Where we get personal information from

Directly from you, publicly available sources, suppliers and service providers, third parties: We may receive personal information from, or share personal information with, third parties where this is necessary to operate our business, respond to enquiries, deliver our services, manage customer accounts, process payments, communicate with prospects or clients, improve our website, or comply with legal obligations. These third parties may include CRM and automation platforms, website and funnel providers, payment processors, email and SMS providers, calendar and meeting tools, analytics and tracking providers, AI and automation tools, cloud storage providers, professional advisers, accountants, legal advisers, clients, client team members, referral partners, and publicly available business information sources. Where we use third-party service providers, we aim to use them only for relevant business purposes and only share information that is necessary for the service being provided.

How long we keep information

We only keep personal information for as long as we need it for the purposes set out in this privacy notice, including to respond to enquiries, provide services, manage client accounts, meet legal obligations, resolve disputes and maintain business records. Enquiries and Free AI Review requests: up to 24 months after our last meaningful contact with you. Prospect and outreach records: up to 24 months after our last meaningful interaction, unless you ask us to delete them earlier and we have no legal reason to keep them. Client account and service records: for the duration of the client relationship and up to 6 years afterwards. Invoices, payment records, contracts, tax and accounting records: up to 6 years, or longer if required by law. Call recordings: up to 12 months, unless we need to keep them longer for service delivery, dispute resolution, legal reasons, training or quality purposes. Marketing preferences and consent records: for as long as you remain subscribed and for a reasonable period afterwards to evidence consent or opt-out status. Website analytics, cookie and tracking data: kept according to the settings of the relevant analytics, cookie or tracking tools. Where information is no longer needed, we will delete it, anonymise it, or securely archive it where we have a lawful reason to retain it.

Who we share information with

Data processors: CRM, website, funnel, automation, payment, communication, analytics, cloud storage, meeting, AI and professional service providers, including UK, US and other international technology and business service providers. This data processor does the following activities for us: These providers help us operate our website and forms, manage enquiries and customer records, deliver CRM and automation services, process payments, send emails and text messages, host files and business records, provide meeting and call tools, analyse website and campaign performance, support AI-assisted workflows, and provide professional business, accounting, legal or technical services.

Others we share personal information with

Professional or legal advisors, relevant regulatory authorities, professional consultants, organisations we’re legally obliged to share personal information with, other relevant third parties: We may share personal information with relevant third parties where necessary to operate our business and deliver our services. This may include managing client accounts, processing payments, providing support and communicating with prospects or clients., We may also share information to comply with legal obligations or protect our legal and business interests., Third parties may include CRM and automation platforms, payment processors, email and SMS providers, website and funnel providers., They may also include analytics providers, AI and automation tools, meeting tools, call recording tools and cloud storage providers., They may include professional advisers, accountants, legal advisers, subcontractors, consultants and referral partners., They may include client team members, integration partners and regulatory or public authorities where required by law., We only share personal information where we have a lawful basis and aim to share only what is needed for the relevant purpose.

Sharing information outside the UK

Where necessary, we will transfer personal information outside of the UK. When doing so, we comply with the UK GDPR, making sure appropriate safeguards are in place.

Organisation name: International technology and business service providers. Category of recipient: CRM, automation, payment, communication, analytics, meeting, AI, cloud storage and professional service providers. Country the personal information is sent to: United States and other countries where our service providers operate or store personal information. How the transfer complies with UK data protection law: Transfers may rely on adequacy regulations, the UK-US Data Bridge, the UK International Data Transfer Agreement, or the UK Addendum to the EU SCCs. Where necessary, our data processors may share personal information outside of the UK. When doing so, they comply with the UK GDPR, making sure appropriate safeguards are in place. Organisation name: International sub-processors used by our service providers. Category of recipient: Cloud hosting, CRM, automation, payment, communication, analytics, AI, meeting and technical infrastructure providers. Country the personal information is sent to: United States and other countries where our service providers or their sub-processors operate. How the transfer complies with UK data protection law: Transfers may rely on adequacy regulations, the UK-US Data Bridge, the UK International Data Transfer Agreement, or the UK Addendum to the EU SCCs.

How to complain

If you have any concerns about our use of your personal information, you can make a data protection complaint to us: Email: [email protected]. If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO. The ICO’s address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Helpline number: 0303 123 1113, Website: https://www.ico.org.uk/make-a-complaint.

15 June 2026

Copyright 2026. GK Advisory. All Rights Reserved.