PRIVACY NOTICE (Updated 21st August 2025) 

 

 

This Privacy Notice sets out the details of how CMNC Associates Limited (“we”, “us”, “our”), as data controller, collects and processes your personal data obtained directly from you, or through our website located at www.cmncassociates.com/invite or our other online platforms and social media channels (collectively referred to as “the Website”).

 

For the purposes of this Privacy Notice, personal data means any information that can be used to identify an individual, whether directly or indirectly (“Personal Data”).

 

By accessing the Website and providing us with your Personal Data you are warranting that you are over 13 years of age. If you have any questions about this Privacy Notice or require more information, please contact us at admin@cmncassociates.com.

 

What personal data do we process, why do we process it, and how do we collect it?

 

We may process Personal Data that you provide to us by subscribing to a newsletter or email list, requesting information through a contact form, or by any other communication via email, text or through our Website. 

 

We may also process Personal Data through the use of cookies or other tracking software on our Website, and may receive Personal Data from third parties such as Google, Meta (Facebook/Instagram), Stripe, Calendly, YouTube, Companies House or other information providers.

 

When we process your Personal Data we comply with the UK GDPR and the Data Protection Act 2018, which means that your data will be used lawfully, fairly, securely and only for as long as necessary.

 

The types of Personal Data we process include:

  • Personal Information: name, date of birth, email, phone number, business contact details, IP address – processed to communicate with you and keep records (lawful basis: Legitimate Interests).
  • Customer or Client Information: purchases of goods/services, billing/delivery addresses, payment details – processed for service delivery (lawful basis: Contract).
  • User Information: comments, statements, documents or media shared, website/browser usage data – processed to analyse and monitor usage and maintain security (lawful basis: Legitimate Interests).
  • Promotional Information: data provided for marketing or promotions – processed to provide relevant offers and track promotional activity (lawful basis: Legitimate Interests/Consent where required).
  • Financial Information (Clients only): If you engage us for consultancy services, we process business bank transaction data and related financial records that may identify individuals (e.g., directors, employees, suppliers and payees). We use this to deliver our finance consultancy services, including cash allocation, reporting and strategic reviews. Lawful bases: Contract (service delivery), Legitimate Interests (analysis and reporting), Legal Obligation (anti-money laundering checks).

 

Special Category Data

We do not intentionally collect special category data. Special category data includes information about health, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, genetics, biometrics, sex life or sexual orientation.

Where such data appears incidentally (for example, within a bank transaction narrative), we apply additional safeguards, restrict access, and minimise retention.

We do not process data relating to criminal offences and convictions unless required by law (e.g. AML obligations).

 

Disclosure of Personal Data

We may share your Personal Data with trusted third parties who support our business, including technology providers, professional advisors, compliance platforms, payment processors and marketing platforms. We require all such parties to keep your Personal Data secure and only process it under our instructions and in line with the law.

 

Client Clinic Management Systems

In limited cases, we may access client clinic management systems to review financial or operational data. Where possible, we work only with anonymised or pseudonymised exports (e.g., patient IDs rather than names). We do not download or retain identifiable patient information. Clients remain the Data Controller of their patient data, and we act only as an authorised user under their instructions.

 

Transfer of Personal Data

Our Website is located within the United Kingdom and your data will be processed in the United Kingdom.

Where we transfer personal data outside of the UK, we ensure appropriate safeguards are in place. These may include the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or reliance on a UK adequacy decision (such as the UK–US Data Bridge where the recipient participates in the Data Privacy Framework).

We currently use the following third-party providers to deliver our services:

  • Microsoft 365 (secure storage, communications, SharePoint/Planner)
  • IRIS Elements / IRIS Openspace (compliance and AML document management)
  • SmartSearch (AML verification and screening)
  • Stripe (payment processing)
  • Xero (accounting platform)
  • Slack (team communication)
  • Kartra (CRM and marketing platform)
  • Respond.io (multi-channel client communications)
  • Google / Meta (Facebook, Instagram) (analytics and advertising)
  • ChatGPT (OpenAI) – paid subscription service used to support analysis, categorisation and drafting. In some cases, client-identifiable information may be processed where necessary to deliver our services. We ensure that processing is limited to what is required, and OpenAI participates in the UK–US Data Bridge, providing an approved safeguard for international transfers.

  • Advisory AI – used to capture and produce client meeting notes, which may include client-identifiable information. Data is processed securely and only for accurate records and follow-up.

  • LastPass (secure password management and access control)

We regularly review these providers and ensure contracts include appropriate data protection safeguards. Details of our current service providers and transfer mechanisms are available on request.

 

Data Security

We take the protection of your Personal Data seriously and apply appropriate technical and organisational measures, including encryption, access controls and secure storage. We limit access to only those employees or contractors who need it, and require them to keep it confidential.

 

Data Retention

We retain personal data only as long as necessary for the purposes set out in this notice, subject to legal and regulatory obligations. Specifically:

  • Financial transaction records: 6 years (aligned with HMRC record-keeping obligations)
  • AML records: 5 years from the end of the client relationship (legal requirement)
  • General correspondence: 3–6 years (business need)

We apply the same timelines to backups and implement secure deletion or anonymisation when data is no longer required.

 

Your Rights

You have rights in relation to your Personal Data, including the right to access a copy of your data, request correction, request erasure, restrict or object to processing, and data portability. Where processing is based on consent, you may withdraw your consent at any time.

If you are unhappy with how we process your data, you can complain to the UK Information Commissioner’s Office (ICO).

 

Changes to this Privacy Notice

We may update this Privacy Notice from time to time. The latest version will always be available on our Website. We encourage you to review this Notice periodically.

 

Legal Jurisdiction

This Privacy Notice shall be governed and construed in accordance with the laws of England and Wales, and by using our Website you agree to the exclusive jurisdiction of the Courts of England and Wales.

 
