Hackford Privacy Notice

Effective date: 23 June 2026

Hackford's current public Privacy Notice explains how Hackford Data Ltd ("Hackford", "we", "us" or "our") processes personal data for our database, website, platform, APIs, data products, customer accounts, enquiries, support and consultancy.

Hackford provides information about financial services firms and associated professionals. Most personal data in the Hackford database concerns people acting in a professional capacity. We obtain it mainly from official registers, public professional sources and other lawful business sources, and use it to maintain the database, provide market intelligence, operate our services and manage business relationships.

1. Who we are

The controller responsible for the processing described in this notice is:

Hackford Data Ltd, trading as Hackford
Company number: 14973762
Registered office: 4th Floor, Silverstream House, 45 Fitzroy Street, Fitzrovia, London, W1T 6EB, United Kingdom

Privacy Contact: Daniel Robinson
Email: dan.robinson@hackforddata.com

2. Our role and customer roles

Hackford is generally the controller of personal data in its professional and regulatory database, website records, prospect records, customer contacts, user accounts, platform analytics and business administration records.

Customers normally act as separate controllers when they use personal data supplied by Hackford for their own purposes, such as regulatory research, market mapping, due diligence, CRM maintenance, business development or recruitment. Customers are responsible for their own lawful basis, transparency, security, retention and rights handling.

Hackford may act as processor where a customer supplies personal data and instructs us to process it only to provide a defined service, such as customer-created watchlists, saved configurations, notes, CRM matching or enrichment. In that case, the customer's privacy notice and our agreement with that customer also apply.

3. Personal data we process

For people represented in the Hackford database, we may process professional identity, employment, role, relationship, regulatory-status, public-history, office-location, business-contact, source, freshness, correction, objection and suppression information. We may also create classifications, matches, summaries, confidence scores and other derived information. Official regulatory enforcement or disciplinary information may be included where relevant and published by an authoritative source.

The database is designed for professional and regulatory information. We do not seek to collect private-life or special category personal data.

For website visitors, prospects, business contacts, customer administrators and platform users, we may process work contact, employer, role, enquiry, demo, sales, support, correspondence, marketing-preference, account, billing, authentication, session, device, audit, security and feature-use information.

Customers may also provide personal data through files, integrations, support requests, bespoke projects or platform features. Where we process that information only on the customer's instructions, we act as processor.

Customers may create private or team watchlists containing firms or professionals represented in Hackford and may add watchlist names, descriptions and short notes. Hackford processes customer-created watchlist information to provide the watchlist and alert features. The underlying Hackford database records remain Hackford Data, for which Hackford acts as controller.

4. Where personal data comes from

We obtain personal data from you directly; your employer or associated organisation; Hackford customers and partners; official registers and public bodies; public filings, notices, decisions and official documents; company and professional websites; public professional profiles; business-oriented social networks; public news, reports, directories and search results; third-party business-data, search, validation and enrichment providers; and information we derive from other data.

Official and public sources used by Hackford include Financial Conduct Authority and United States Securities and Exchange Commission sources. Public availability does not remove your data protection rights.

5. How we provide this privacy information

Hackford obtains most information in its professional and regulatory database indirectly from official registers, public professional sources and other lawful business sources. The database contains a large number of current and historical professional records, many of which do not include reliable direct contact information.

For these large datasets, providing this notice separately to every person would involve disproportionate effort, taking account of the number and age of the records, the professional and generally public nature of the information, the professional context and likely effects of the processing and the safeguards we apply.

We therefore make this notice publicly available and take additional steps to protect individuals, including limiting the information collected, controlling access, restricting customer use, maintaining correction, objection and suppression procedures, and recording source or freshness information where appropriate. We may provide this notice directly where appropriate in the circumstances.

6. How the Hackford database works

Hackford brings together official regulatory information, public business information and proprietary classifications to make regulated financial services markets easier to search and understand. The database may include current and historical professional information because previous roles and regulatory relationships can remain relevant.

Where available, we may record a professional business email address or telephone number. We may infer a likely business email address from an organisation's known email format and use verification or confidence information to indicate quality. We do not intentionally collect private contact details for the Hackford database.

Hackford may match records, classify firms and roles, calculate counts or confidence measures, extract structured information from public documents, and generate summaries or analytical outputs. Some work is assisted by rules, statistical methods or AI models. Derived information may be incomplete or incorrect, so we use source links, dates, confidence measures and correction mechanisms where appropriate.

Hackford does not use solely automated processing to make decisions about an individual that produce legal effects or similarly significant effects. Our data and classifications are information resources, not determinations of a person's rights, suitability or legal status.

7. Why we process personal data

We process personal data only where we have a lawful basis. Legitimate interests are the principal lawful basis for building, maintaining, correcting and improving the Hackford database and making regulatory and business intelligence available to customers.

Our purposes and lawful bases include:

  • building, maintaining, correcting, improving and supplying the database: legitimate interests;
  • providing platform access, data products, consultancy, demos, support and customer-requested services: contract where the individual is party to it, otherwise legitimate interests;
  • processing customer-supplied data: on the customer's instructions where Hackford is processor, otherwise legitimate interests as appropriate;
  • operating, securing, monitoring and improving our website, platform and infrastructure: legitimate interests, consent where required, and legal obligation where applicable;
  • managing enquiries, prospects, customer relationships, relevant business communications, subscriptions, invoices, tax, claims, compliance requests and corporate transactions: contract, legal obligation, consent where required and legitimate interests as applicable.

Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect processing carried out before consent was withdrawn.

8. Our legitimate interests and safeguards

Our legitimate interests include providing specialist regulatory and business intelligence services; helping customers identify, understand and monitor regulated firms and professionals; supporting lawful research, compliance consulting, market analysis, due diligence, CRM maintenance and relevant business development; maintaining useful professional information; operating and securing our services; managing relationships; and protecting Hackford's legal and commercial interests.

Before relying on legitimate interests, we consider the purpose and necessity of the processing, the professional nature and sources of the data, reasonable expectations, possible effects on individuals and safeguards. Safeguards include data minimisation, use restrictions, source and date information, quality measures, security controls, correction and objection processes, marketing suppression and restrictions on customer use.

You may object to processing based on legitimate interests. See section 15.

9. Analytics, cookies and automated processing

We use self-hosted Umami to produce aggregate website-visit statistics. The service receives page-view and technical request data needed to generate those statistics and is configured to respect browser "Do Not Track" signals.

Google Analytics and PostHog are optional public-website analytics services. They load only after a visitor accepts optional analytics. We store your analytics preference in your browser.

We use product analytics and operational telemetry within the authenticated Hackford platform to understand use, support customers, diagnose errors, protect the service and improve features. Platform analytics may include account-linked records viewed, searches, filters, watchlists, exports and feature interactions. We do not use platform analytics for third-party behavioural advertising.

We also use essential storage and security technologies for authentication, session management, fraud prevention, preferences and service operation.

Automated and AI-assisted processing

Hackford may use automated and AI-assisted tools to help extract, match, classify, structure and summarise information obtained from official, public and other authorised business sources.

These tools support Hackford's data preparation, research and quality processes. Their outputs may be incomplete or inaccurate, and Hackford uses source information, review processes and correction mechanisms where appropriate.

Hackford does not use automated or AI-assisted processing to make decisions about individuals that produce legal or similarly significant effects.

10. Who we share personal data with

Authorised users at Hackford customers may access personal data through the platform, APIs, exports, reports or bespoke datasets. Customers may incorporate selected data into internal systems, including CRM and business-intelligence systems, subject to their agreement with Hackford and law.

We use service providers for hosting, storage, email, billing, analytics, telemetry, monitoring, security, logs, customer relationship management, office tools, source control, deployment, internal AI-assisted data operations and data-processing infrastructure. They may process personal data only as needed to provide the service. A current list is available on our Service Providers and Subprocessors page.

We may also disclose personal data to professional advisers; regulators, courts, law-enforcement bodies or public authorities where required or permitted; parties involved in preventing fraud, security threats or legal claims; and a prospective buyer, investor or successor, subject to confidentiality and data protection controls.

11. International transfers

Hackford is based in the United Kingdom. Some customers and service providers may be located, or may process data, outside the United Kingdom.

Where we transfer personal data internationally, we use an applicable lawful mechanism, such as UK adequacy regulations, the United Kingdom International Data Transfer Agreement, the UK Addendum to the European Commission's standard contractual clauses, another approved safeguard, or a permitted exception. We also assess the recipient, destination and data and apply supplementary protections where appropriate.

12. How long we retain personal data

We retain personal data only for as long as reasonably necessary for the relevant purpose, including legal, regulatory, security and evidential requirements.

Professional and regulatory database records are retained while relevant to current or historical regulatory and market intelligence, subject to review, correction, objection and applicable source restrictions. Historical roles and firm relationships may be retained because professional history forms part of the service. Correction and suppression records are retained as needed to preserve accuracy and respect objections.

Customer account, contract, billing and support records are normally retained for the customer relationship and up to seven years afterwards where needed for tax, accounting, contractual or legal purposes. Enquiries and prospect records are normally retained for up to 24 months after the last meaningful interaction, unless a relationship continues or the person objects. Direct-marketing records are retained until consent is withdrawn or the person objects; a minimal suppression record may remain.

Website analytics, platform analytics, security records, audit records and application logs are retained only for as long as reasonably needed for the relevant operational, product-improvement, security, legal or evidential purpose, taking account of provider settings and sensitivity. Customer-created watchlists, notes, saved configurations and related Customer Personal Data are retained until the customer deletes the relevant content, the relevant service ends, or retention is otherwise required under the agreement, subject to ordinary backup cycles. Customer-supplied files and other Customer Personal Data are retained for the period specified in the customer agreement or DPA. One-off source files are deleted promptly after the agreed processing is complete where possible.

13. Accuracy, corrections and suppression

We take reasonable steps to maintain accurate data, but official and public sources may be incomplete, delayed, inconsistent or later corrected.

You may ask us to correct information about you. Please provide enough detail for us to locate the relevant record and explain the requested correction. Where useful, provide supporting evidence.

Where data was supplied by an official authority, we may retain the original source record while adding a correction, qualification, later status or link to the updated source. We may notify relevant customers or service providers of a material correction where required and practicable.

You may also ask us to suppress professional contact details from future Hackford data supplies. Suppression by Hackford does not automatically delete copies already lawfully held by independent customers, but we may notify relevant recipients where required and practicable.

14. Your rights

Depending on the circumstances, you may have the right to ask whether we process personal data about you; obtain access; request correction, erasure or restriction; object to legitimate-interests processing; object at any time to direct marketing; receive certain data in a portable format; withdraw consent; and raise concerns about automated decision-making.

These rights are not absolute. An exemption or other legal obligation may apply.

You may object to our processing of your professional information based on legitimate interests. We will consider your circumstances, the nature and source of the information, the purpose, the effect on you and whether we have compelling legitimate grounds to continue. Where you object to use of professional contact data for direct marketing, we will stop that use and may retain limited identifying information on a suppression list.

An objection does not necessarily require deletion of every public regulatory or historical record. We may need to preserve an official source record, accurate professional history, evidence of a correction or objection, or information required for legal claims. We will explain our decision.

To make a request, contact Daniel Robinson, Privacy Contact at dan.robinson@hackforddata.com. Please state your name, associated professional firm or firms, any relevant identifier, and the right you wish to exercise. We may ask for additional information where reasonably necessary to locate your records or confirm identity.

We aim to respond without undue delay and normally within one month. We may extend the period where the law permits and will tell you if an extension applies. We do not normally charge a fee, but the law permits a reasonable fee or refusal in limited cases.

15. Direct marketing and complaints

You may opt out of Hackford marketing at any time by using the unsubscribe link in a marketing email or contacting us at dan.robinson@hackforddata.com.

A Hackford customer may contact you using data it controls. If you do not want that customer's communications, use the opt-out provided by the customer or contact it directly.

You may make a complaint by contacting Daniel Robinson, Privacy Contact at dan.robinson@hackforddata.com. Please explain the issue and the outcome you are seeking. We will acknowledge, investigate and respond without undue delay.

You also have the right to complain to the Information Commissioner's Office, the United Kingdom's data protection supervisory authority. You do not need to contact us first, although doing so may allow the issue to be resolved more quickly.

16. Children and changes to this notice

Hackford's services are not directed at children.

We may update this notice to reflect changes in our services, data sources, suppliers, operating practices or applicable law. We will publish the updated notice with a new effective date and, where appropriate, take reasonable steps to bring material changes to the attention of affected people.

This Privacy Notice is provided for transparency and information only. It does not form part of a customer contract and continued use of a service is not treated as consent to processing that requires consent.