Privacy policy

1. Who We Are

FourthLine Ltd ("FourthLine", "we", "us", "our") is a specialist operational resilience and regulatory risk consultancy. We are registered in England and Wales under company number 06952875. Our registered office is at Arkwright House, Parsonage Gardens, Manchester, M3 2LF.

We operate the website www.thefourthline.co.uk ("the Website"). For the purposes of UK data protection law, FourthLine Ltd is the data controller in respect of personal data collected through this Website and in connection with our business activities.

We can be contacted at:

Data Controller contact details

FourthLine Ltd

Arkwright House, Parsonage Gardens, Manchester, M3 2LF

Email: kieran.maplesden@thefourthline.co.uk

Website: www.thefourthline.co.uk

2. Scope of this Policy

This Privacy Policy explains how FourthLine Ltd collects, uses, stores, and shares personal data in connection with:

Use of the Website, including contact forms, content download forms, and meeting scheduling
Business development and marketing activities, including outbound email and LinkedIn outreach
Client engagement and service delivery
Prospecting and lead generation activities using third-party tools

This policy applies to all individuals whose personal data we process, including website visitors, prospective clients, existing clients, and professional contacts.

It does not cover personal data processed by third-party websites linked from our Website. We are not responsible for the privacy practices of those third parties.

3. Legal Framework

FourthLine Ltd processes personal data in accordance with:

The UK General Data Protection Regulation (UK GDPR)
The Data Protection Act 2018
The Privacy and Electronic Communications Regulations 2003 (PECR), as amended

Where we process personal data of individuals located in the European Economic Area (EEA), we also comply with the EU General Data Protection Regulation (EU GDPR) to the extent applicable.

4.1 What Personal Data we Collect

We collect personal data that you provide when you:

Complete a contact or enquiry form on the Website
Download gated content (regulatory briefings, guides, or other resources)
Book a meeting or briefing call via the Website's scheduling tool
Subscribe to regulatory intelligence or newsletter content
Engage with FourthLine via email or LinkedIn
Enter into a client engagement with FourthLine

The categories of personal data collected in these circumstances include: full name, job title, employer or firm name, work email address, sector, and primary regulatory obligation. For client engagements, we may also collect additional professional details relevant to the delivery of our services.

4.2 Data collected automatically

When you visit the Website, certain data is collected automatically by our website platform (HubSpot) and analytics tools. This includes: IP address, browser type and version, operating system, referring URL, pages visited, time and date of visit, and time spent on pages. This data is used in aggregate and pseudonymised form for website analytics and performance purposes.

We use cookies and similar tracking technologies on the Website. Please see Section 10 (Cookies) for full details.

4.3 Data collected from third party sources

In the course of our business development activities, we may collect professional contact data from the following third-party sources:

LinkedIn and LinkedIn Sales Navigator — publicly available professional profile information including name, job title, employer, and sector
Apollo.io — a B2B prospecting and data enrichment platform that provides professional contact information sourced from publicly available data and third-party data providers
Publicly available sources including company websites, regulatory registers (including the FCA Financial Services Register), and Companies House

Data collected from these sources is limited to professional contact information and is used solely for legitimate business development purposes as described in Section 5.

5. How and Why We Use Your Personal Data

The table below sets out the purposes for which we process personal data, the categories of data involved, the legal basis for processing, and our retention period for each activity.

Purpose	Data categories	Legal basis	Retention
Website enquiries and contact forms	Name, email, job title, firm, sector, message	Legitimate interests (responding to an inbound enquiry)	3 years from last contact, or until you request deletion
Gated content downloads	Name, email, job title, firm, sector, regulatory obligation	Consent (form submission constitutes consent to receive related communications)	3 years from download, or until you unsubscribe
Meeting scheduling	Name, email, job title, calendar availability	Legitimate interests (arranging a requested business meeting)	3 years from last contact, or until you request deletion
Business development outreach	Name, email, job title, firm, sector, LinkedIn profile	Legitimate interests (direct marketing to relevant B2B professionals)	2 years from last engagement, or until you unsubscribe or object
Client service delivery	Professional contact details, engagement-related communications	Contract performance and legal obligation	7 years from engagement end (statutory accounting and legal requirement)
Regulatory intelligence distribution	Name, email, firm, sector	Consent or legitimate interests (B2B marketing to opted-in contacts)	Until you unsubscribe or 2 years from last engagement, whichever is sooner
Website analytics	IP address (pseudonymised), device and browser data, page visits	Legitimate interests (understanding website performance)	26 months (standard HubSpot analytics retention)

5. Legitimate interests

Where we rely on legitimate interests as our legal basis for processing, we have assessed that our interests in conducting professional B2B marketing and business development are not overridden by the interests or rights of the individuals concerned. This assessment is based on the following factors:

We contact only professional individuals in their business capacity, not in a personal capacity
Our communications are directly relevant to the professional responsibilities and regulatory obligations of the individuals we contact
We provide a clear and easy means of opting out of further communications in every message
We do not engage in high-volume mass marketing; our outreach is targeted and proportionate

If you wish to object to processing on the basis of legitimate interests, please see Section 8 (Your Rights).

6. Third-Party Tools and Data Sharing

6.1 Tools we use to process personal data

FourthLine uses the following third-party tools and platforms in the course of its operations. Each acts as a data processor on our behalf under a data processing agreement or equivalent contractual arrangement:

Tool	Purpose	Data location
HubSpot	CRM, website hosting, forms, meeting scheduling, email marketing, analytics	USA (adequacy mechanism: EU-US Data Privacy Framework equivalent; SCCs in place)
Lemlist	Outbound email sequencing and campaign management	EU (France)
Apollo.io	B2B prospecting, contact data enrichment	USA (SCCs in place)
LinkedIn / LinkedIn Sales Navigator	Professional networking, outbound prospecting	USA (SCCs in place)
Zapier	Workflow automation between tools	USA (SCCs in place)

6.2 International Transfers

Some of the third-party tools listed above process personal data outside of the United Kingdom. Where personal data is transferred to countries not covered by a UK adequacy decision, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office (ICO), or equivalent mechanisms.

6.3 Other disclosures of personal data

We do not sell, rent, or trade personal data with third parties for their own marketing purposes. We may disclose personal data to third parties in the following limited circumstances:

To professional advisers including solicitors and accountants, where necessary for the conduct of our business
To comply with a legal obligation, court order, or regulatory requirement
To protect the rights, property, or safety of FourthLine, our clients, or others
In connection with a business transfer, merger, or acquisition, in which case data subjects will be notified

7. Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. Our standard retention periods are set out in the processing table in Section 5.

The following specific retention rules apply:

Client engagement records: 7 years from the end of the engagement, in accordance with statutory accounting and legal requirements under the Companies Act 2006 and applicable tax legislation
Marketing and business development contacts: 2 to 3 years from last engagement, or until you unsubscribe or object to processing, whichever is sooner
Website analytics data: 26 months, in line with HubSpot's standard analytics data retention
Gated content download records: 3 years from download date, or until unsubscription

At the end of the applicable retention period, personal data is securely deleted or anonymised. Where deletion is not immediately possible due to technical constraints, data is isolated from further processing until deletion can be completed.

8. Your rights

Under UK GDPR, you have the following rights in relation to your personal data. We will respond to all valid requests within one calendar month.

Right	What it means	How to exercise
Access	You can request a copy of the personal data we hold about you.	Email kieran@thefourthline.co.uk with subject "Data Subject Access Request "
Rectification	You can ask us to correct inaccurate or incomplete personal data.	Email kieran@thefourthline.co.uk
Erasure	You can ask us to delete your personal data where there is no legitimate reason to continue processing it.	Email kieran@thefourthline.co.uk with subject "Erasure Request "
Restriction	You can ask us to restrict processing of your data in certain circumstances, for example while accuracy is disputed.	Email kieran@thefourthline.co.uk
Portability	Where processing is based on consent or contract and carried out by automated means, you can request your data in a structured, commonly used format.	Email kieran@thefourthline.co.uk
Object	You can object to processing based on legitimate interests, including direct marketing. We must stop unless we can demonstrate compelling legitimate grounds.	Email kieran@thefourthline.co.uk or use the unsubscribe link in any marketing email
Withdraw consent	Where processing is based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.	Use the unsubscribe link in any email, or email kieran@thefourthline.co.uk

There is no charge for exercising your rights. We may ask you to verify your identity before processing a request. If we are unable to comply with a request, we will explain why.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office

Website: www.ico.org.uk

Telephone: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

9. Direct Marketing and Outbound Communications

FourthLine conducts targeted, professional B2B marketing and outreach activities. This section explains how we approach direct marketing and your rights in relation to it.

9.1 Email marketing

We may send you regulatory intelligence updates, sector briefings, event invitations, and commercial communications by email where:

You have provided consent by downloading gated content or subscribing to our communications, or
We have assessed that we have a legitimate interest in contacting you as a professional whose role is directly relevant to the services we provide
Access controls limiting personal data access to authorised individuals on a need-to-know basis
Encryption of data in transit and at rest where provided by our third-party platform providers
Regular review of our data processing activities and third-party processor arrangements
Use of reputable, security-certified third-party platforms with their own data security programmes

Every marketing email we send includes an unsubscribe link. You can opt out of email marketing at any time by clicking the unsubscribe link or emailing kieran@thefourthline.co.uk. We will action all unsubscribe requests within 10 working days.

9.2 LinkedIn outreach

We may contact you via LinkedIn in connection with our business development activities. LinkedIn connection requests and direct messages are based on our legitimate interests in reaching professionals whose roles are relevant to our services. You can manage LinkedIn communication preferences through your LinkedIn account settings.

9.3 Frequency and targeting

We do not engage in high-volume or untargeted mass marketing. Our outreach is limited to professionals in relevant roles at relevant firms, and we manage contact frequency to avoid excessive or intrusive communication. Our maximum outbound email volume is 40 emails per day across all campaigns.

10. Cookies

The Website uses cookies and similar tracking technologies. A cookie is a small text file placed on your device when you visit a website. We use the following categories of cookies:

Category	Purpose	Basis
Strictly necessary	Essential for the Website to function correctly. Includes session management and security cookies set by HubSpot.	No consent required — these cookies cannot be disabled without affecting site functionality
Analytics and performance	Used to understand how visitors use the Website, including pages visited, time on site, and referring sources. Set by HubSpot analytics.	Consent — you will be asked to accept these cookies on first visit
Marketing and tracking	Used to track visitors across the Website and support personalisation of content and outreach. Set by HubSpot.	Consent — you will be asked to accept these cookies on first visit

You can manage your cookie preferences at any time using the cookie consent banner on the Website, or by adjusting your browser settings. Please note that disabling certain cookies may affect the functionality of the Website. For more information on how to manage cookies, visit www.allaboutcookies.org.

11. Children's Data

FourthLine's services are directed exclusively at businesses and professionals. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that personal data from a person under 18 has been collected without appropriate consent, we will delete it promptly.

12. Data Security

We take appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the ICO within 72 hours of becoming aware of the breach, and affected individuals where the risk is high, in accordance with our obligations under UK GDPR Articles 33 and 34.

13. Changes to This Policy

We review this Privacy Policy annually and following any material change to our data processing activities. The current version and its effective date are shown at the top of this document.

Where changes are material, we will take reasonable steps to bring them to your attention, which may include a notice on the Website or a direct communication to individuals whose data we hold. Continued use of the Website following notification of a material change constitutes acceptance of the revised policy.

Previous versions of this Privacy Policy are available on request by emailing kieran@thefourthline.co.uk.

14. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your rights, or have a concern about how we handle your personal data, please contact us:

FourthLine Ltd — Data Controller

Kieran Maplesden, Founder & Managing Director

Arkwright House, Parsonage Gardens, Manchester, M3 2LF

Email: kieran.maplesden@thefourthline.co.uk

Website: www.thefourthline.co.uk

Response time: We aim to respond to all privacy-related enquiries within 5 working days.

If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) at www.ico.org.uk or on 0303 123 1113.