Privacy Policy

1. Who we are and how to contact us

CapitalHouse operates the website https://www.capitalhouse-edinburgh.co.uk (the “Website”). For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, CapitalHouse is the data controller of the personal data processed via the Website and in connection with our services.

If you have questions about this Privacy Policy or how we handle your personal data, please contact us using the contact details published on the Website’s contact page and mark your message “FAO: Data Protection Lead”. Postal contact details are also available on the Website.

We do not intentionally offer services to children under 13 and our Website is not directed to them.

2. Personal data we collect

We collect and process the following categories of personal data:

  • Identification and contact details: name, email address, telephone number, postal address.
  • Communication content: messages you send via contact forms, email, or phone, and our responses.
  • Account and preference data: if you create or are given an account or sign up for updates, your login identifier, preferences, and subscription settings.
  • Transactional and relationship data: details about enquiries, bookings or services you request from us, and related records (including billing information if applicable).
  • Technical and usage data: IP address, device and browser type, operating system, pages viewed, time and date of visits, referring URLs, clickstream data, and approximate location (derived from IP). This is collected via server logs, cookies, and similar technologies.
  • Marketing and communications data: your choices about receiving marketing and your communication preferences.
  • Recruitment data: if you apply for a role, CV/resume, cover letter, qualifications, employment history, and references.

We may also receive personal data about you from third parties, such as analytics providers, social media platforms when you interact with our profiles, publicly available sources, or service providers acting on our behalf (for example, website hosting and security providers).

3. How we use your personal data and legal bases

We process your personal data for the purposes and on the legal bases set out below:

  • To operate and provide the Website and our services, respond to enquiries, and manage our relationship with you (legal basis: performance of a contract or taking steps at your request before entering into a contract; and/or our legitimate interests in operating our business and communicating with users and customers).
  • To send service communications (for example, important updates, confirmations, or policy changes) (legal basis: performance of a contract and/or our legitimate interests).
  • To send marketing communications about our services where permitted (legal basis: your consent, or our legitimate interests where the “soft opt-in” applies; you can opt out at any time).
  • To improve and secure our Website, services, and user experience, including troubleshooting, testing, analytics, and monitoring (legal basis: our legitimate interests in maintaining and improving our Website and services; for non-essential cookies or similar technologies, consent under the Privacy and Electronic Communications Regulations (PECR)).
  • To comply with legal and regulatory obligations, respond to lawful requests, and establish, exercise, or defend legal claims (legal basis: compliance with a legal obligation and/or our legitimate interests).
  • To process job applications and manage recruitment (legal basis: taking steps at your request before entering into a contract and our legitimate interests in recruiting staff).

Where we rely on consent, you can withdraw it at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

4. Cookies and similar technologies

We use cookies and similar technologies to run the Website and to understand how it is used. Cookies are small text files placed on your device. We use:

  • Strictly necessary cookies: required for core functionality such as page navigation, security, load balancing, and form submission. These are set on the basis of our legitimate interests and do not require your consent.
  • Analytics/performance cookies: help us understand Website traffic and usage to improve performance and user experience. These are only used with your consent.
  • Functionality cookies: remember your settings and preferences to enhance your experience. Where they are not strictly necessary, we rely on your consent.

On your first visit, you may be presented with a cookie banner allowing you to accept or reject non-essential cookies. You can change your preferences at any time via your browser settings by blocking or deleting cookies. If you block some cookies, parts of the Website may not function properly.

Cookie retention varies: strictly necessary cookies typically last only for the session or a short period; analytics and functionality cookies may persist for several months unless you delete them earlier.

5. Sharing your personal data

We share personal data only as necessary and in accordance with the law:

  • With service providers acting on our behalf, such as website hosting, maintenance, security, analytics, email and communications platforms, IT support, and professional advisers. These providers are bound by contractual obligations to keep data confidential and secure and to use it only as instructed.
  • With authorities, regulators, law enforcement, courts, or counterparties where required to comply with legal obligations or to establish, exercise, or defend legal claims.
  • With third parties in connection with a business reorganisation, merger, or transfer of assets, in which case personal data will be transferred to the new entity subject to appropriate protections.

We do not sell your personal data.

6. International data transfers

Some of our service providers may be located outside the United Kingdom or may process data in other countries. Where we transfer personal data internationally, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to EU Standard Contractual Clauses, or another legally recognised mechanism. We also assess the laws of the destination country to ensure an equivalent level of protection where required.

7. Data retention

We keep personal data only for as long as necessary for the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Typical retention periods are:

  • Enquiries and correspondence: up to 24 months after the last interaction, unless a longer period is needed for ongoing matters.
  • Customer and contract records: for the duration of the relationship and up to 6 years thereafter (to meet tax, accounting, and legal requirements).
  • Marketing data: until you opt out or withdraw consent, or after a period of inactivity, whichever occurs first.
  • Technical logs and security records: generally up to 12 months, unless required longer for security or legal reasons.
  • Recruitment records: generally up to 12 months after the process ends, unless hired or a longer period is justified and permitted by law.
  • Cookies: as described in section 4, depending on the cookie type and your browser settings.

We may anonymise data so that it can no longer be associated with you; such anonymised data may be retained and used indefinitely without further notice.

8. Your rights

Under data protection law, you have the following rights (subject to conditions and exemptions):

  • Right of access: to obtain a copy of your personal data and information about how we process it.
  • Right to rectification: to have inaccurate or incomplete data corrected.
  • Right to erasure: to have your data deleted in certain circumstances.
  • Right to restriction: to limit our processing in certain circumstances.
  • Right to data portability: to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller where technically feasible.
  • Right to object: to processing based on our legitimate interests or for direct marketing. We will stop direct marketing promptly if you object.
  • Rights in relation to automated decision-making and profiling: we do not carry out decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you.
  • Right to withdraw consent: where we rely on consent, you can withdraw it at any time.

To exercise your rights, please contact us using the contact details published on the Website’s contact page and mark your message “FAO: Data Protection Lead”. We may need to verify your identity before responding. We aim to respond within one month, or notify you if more time is needed for complex requests.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO). Contact details: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, telephone 0303 123 1113.

9. Data security

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Measures include access controls, encryption in transit where appropriate, secure hosting, logging and monitoring, staff confidentiality obligations, and regular review of our security practices. While we work hard to protect your data, no system can be guaranteed 100% secure.

10. Direct marketing

We may send you marketing communications about our services if you have consented, or where permitted by law under the “soft opt-in” for existing or recent customers. You can opt out at any time by using the unsubscribe instructions in the message or by contacting us. We will not send you marketing if you opt out.

11. Third-party links and platforms

The Website may include links to third-party sites or features, or allow you to interact with our content on third-party platforms (for example, social media). Those third parties have their own privacy practices. We are not responsible for their policies or processing. We encourage you to review their privacy information.

12. Children’s privacy

Our services are not intended for children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us so we can delete it.

13. Data Protection Officer

We are not required to appoint a statutory Data Protection Officer. We have designated a Data Protection Lead who oversees privacy matters. For all privacy-related queries, please contact us using the contact details published on the Website’s contact page and mark your message “FAO: Data Protection Lead”.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will post the updated version on this page and change the date below. We encourage you to review this page periodically.

Last updated: 14 December 2025

About The Editorial Team Terms of Service Legal Notice Privacy Policy Sitemap Contact
© 2025 CapitalHouse