Privacy Policy
Who we are
Executive Grapevine International Limited ("EGIL") is an information services business specialising in B2B data, intent data, and marketing services. We are committed to protecting your personal data and respecting your privacy. This policy explains how we collect, use, disclose, and safeguard personal information in compliance with the UK GDPR, Data Protection Act 2018, UK PECR, and applicable international privacy laws.
Data Controller
Executive Grapevine International Limited
Registered in England and Wales (Company No 2789779)
Registered office: Gate House, Fretherne Road, Welwyn Garden City, Hertfordshire, AL8 6NS
Email: [email protected]
Phone: +44 (0)1707 351 451
Scope
This policy applies to all personal data processed by EGIL and its brands — HR Grapevine, HR Grapevine Live, HR Grapevine Virtual, Executive Grapevine, and myGrapevine — across web platforms, apps, events, marketing activities, and professional directories.
Regulatory Framework
UK & EU
- UK GDPR & UK Data Protection Act 2018
- UK PECR
- EU GDPR (for data subjects in the EEA; with representative requirements where applicable)
US
- California Consumer Privacy Act as amended by California Privacy Rights Act (CCPA/CPRA)
- Virginia Consumer Data Protection Act (VA CDPA)
- Colorado Privacy Act (CO CPA)
- Utah Consumer Privacy Act (UT CPA)
How we collect
We collect personal data through various channels, including:
- Interactions with our websites and mobile apps (contact forms, registrations, surveys)
- Event and webinar registrations and attendance
- Cookies and similar tracking technologies
- Behavioural data from website visitors (page views, click patterns, scroll depth, session duration)
- Publicly available professional sources (e.g., LinkedIn)
- Account registration and authentication details (usernames and passwords)
- Client transactions and orders (payment information, bank account details, order history)
- User comments and feedback submitted on our websites and platforms
What we collect
- Identity & Contact: name, job title, company, business email, address
- Professional & Directory: sector expertise, public profile URLs
- Technical & Usage: IP address, device data, browsing patterns
- Behavioural: website interactions, page view history, clickstream data, scroll depth, reading behaviours
- Account Credentials: username and password (stored securely in encrypted form)
- Topic Preferences: selected subjects, industries, areas of interest
- Client Transaction Data: payment details, billing address, order history
- Firmographic: industry, geography, company size
- User-generated Content: comments, feedback, other submissions
- Images & Photos: event photographs and marketing images
- Video & Audio: recordings of webinars and events
- Content Preferences: communication consents, opt-out settings
What we do not collect
Sensitive Personal Information
- personal data from minors (under 18).
- special category data (e.g., racial origin, political opinions, health data). If you voluntarily provide such data, we will rely on explicit consent, apply additional safeguards, and delete it promptly when no longer needed.
Cookies and Electronic Communications
We use cookies and similar tracking technologies in line with ICO’s 2024 guidance:
- Clear cookie banner categorising cookies (necessary, preferences, analytics, marketing)
- Prior, granular opt-in consent for non-essential cookies
- Cookie preference centre for modifying or withdrawing consent
- Records of all consents maintained for auditing
- Regular policy reviews to reflect new technologies
Electronic communications (email, SMS, push) are sent only with valid consent or legitimate interest, compliant with UK PECR and UK GDPR. Every message includes an opt-out link.
For more information on how we use cookies see our [cookie policy].
International Data Transfers
Personal data is processed and stored in the UK. We transmit data to the US solely for email delivery via service providers; no data is stored in the US. Transfers to other jurisdictions rely on adequacy decisions, Standard Contractual Clauses (SCCs) with addenda, or the UK International Data Transfer Agreement (IDTA).
Who we share data with
We share personal data only under strict safeguards with:
- Group companies and affiliates (reporting, analytics, services)
- Service providers and technology platforms (e.g., Google, LinkedIn, Salesforce, Pardot, HubSpot, Stripe, Sage)
- Clients and partners for services or communications on their behalf
- Event organisers and sponsors (registration, badge printing, follow-up)
- Legal and regulatory authorities when required
- Professional advisors and auditors (compliance, audit)
- Third parties in corporate transactions, subject to confidentiality
All data processors are contractually bound to GDPR-compliant standards.
Legal Basis
We process personal data to enable and improve our services, personalise experiences, manage transactions, and comply with legal obligations. Below are the key activities and our legal bases:
| Activity | Legal Basis |
| --- | --- |
| Marketing communications (email, SMS) | Legitimate interest |
| Service delivery & account management | Contractual necessity |
| Business directory listings | Legitimate interest |
| Emails on behalf of clients | Legitimate interest¹ |
| Website analytics & improvement | Legitimate interest |
| Partner campaigns | Consent |
| Event registrations | Contractual necessity |
| Compliance & fraud prevention | Legal obligation |
¹Summaries of our Legitimate Interest Assessments (LIAs) are available on request.
Consent Management
We record and timestamp all consents, provide separate opt-in controls for different processing activities, and allow you to withdraw consent at any time via account settings or opt-out links.
Legitimate Interests
For activities based on legitimate interest, we conduct a Legitimate Interest Assessment (LIA) to balance our business needs with your privacy rights. LIAs consider:
- The purpose and necessity of the processing for our operations
- The minimal impact on you and safeguards to protect your data
- Your rights and the ability to opt out at any time
Summaries of LIAs are documented and available on request.
Your Rights
You have the right to access, rectify, erase, restrict, object, and port your data; withdraw consent; and lodge complaints with the ICO (https://ico.org.uk/make-a-complaint/) or relevant authority.
To exercise these rights, contact [email protected].
We will respond to all standard legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a large number of requests. In this case, we will notify you and keep you updated.
Updating Information & Marketing Preferences
Account holders can update personal details, preferences, and topic interests via their myGrapevine profile, the cookie centre, or by emailing our Data Protection team.
How long information is kept
Data is retained only as long as necessary:
- Active contacts & client records: up to 5 years post engagement
- Event registrations: up to 3 years post event
- Cookies & analytics: up to 13 months (unless extended by consent)
- Transactions & billing: up to 7 years for audit
- Consent & preference records: 5 years from withdrawal or update
Records are securely deleted or anonymised thereafter. The full Data Retention Schedule is available on request.
Security and Assurance
We recognise the importance of protecting personal data. Technical measures include TLS encryption, secure servers, penetration testing, vulnerability scanning, backups, firewalls, IDPS, vulnerability assessments, patch management, MFA, and continuous monitoring. Organisational measures include access controls, staff training, background checks, incident response plans, and DPIAs for high-risk processing.
EU Representative
For data subjects based in the European Union our representative under Article 27 of the GDPR is:
INSTANT EU GDPR REPRESENTATIVE LIMITED
Office 2, 12A LOWER MAIN STREET
LUCAN CO. DUBLIN
K78 X5P8
IRELAND
Email: [email protected]
If you remain dissatisfied, you can make a complaint about the way we process your personal information to the supervisory authority.
Your California privacy rights
The California Consumer Privacy Act 2018 (“CCPA”) and California Privacy Rights Act 2020 (“CPRA”) provide certain rights to residents of California. The CCPA and CPRA are collectively referred to as “CCPA” below.
If you are a resident of California you may contact us with regard to the following rights in relation to your personal data:
- Right to Know: At or before the time of collection, you have a right to receive notice of our practices, including the categories of personal data and sensitive personal data to be collected, the purposes for which it is collected and used, whether such personal data is “sold or shared” and for how long personal data is retained. These details are set out in this Privacy Policy.
- Right to Access: You have the right to request access to the personal data we may hold on you for the past twelve (12) months. You may submit up to two (2) requests per year of access to your personal data.
- Right to Correct: You have the right to correct inaccurate personal data we hold about you.
- Right to Opt-Out of Sale of Personal Data: For individuals sixteen (16) years or older, you have the right to opt-out of sale of personal data we may hold on you. You can exercise this right at any time by emailing [email protected] with “California resident - Do not sell” in the subject line or using the contact us form on any of our sites. For individuals between thirteen (13) to sixteen (16) years old, you have the right to opt-in to the sale of personal data we may hold on you.
- Right to Deletion: You also have the right to ask us to delete personal data we may hold on you or restrict how it is used. There may be exceptions to the right to deletion which, if applicable, we will set out for you in response to your request.
- Right to Limit Use and Disclosure of Sensitive Personal Data: Where applicable, you have the right to limit our use of sensitive personal data for any purposes other than to provide the services you request or as otherwise permitted by law.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your California Consumer Privacy Act rights.
If you want to make any of these requests, please contact [email protected].
We will deal with requests for access to your personal data within forty-five (45) days for California-specific requests.
To help us respond as you expect, please specify that you are making a request under the CCPA. We may need to request specific information from you to help us confirm your identity. For example, we will verify your identity before complying. If you provide us with proof of identity containing information that does not match our records, we may request further proof of identity from you.
You can designate an “authorized agent” to make requests to exercise your rights on your behalf under the CCPA. We will clarify that any “authorized agent” has your written permission in making that request. We may also contact you directly to verify your identity.
Governance and Updates
This policy is reviewed annually or upon regulatory changes. Version history is maintained online.
Contact Us
For questions or requests, contact our Data Protection team:
Email: [email protected]
Phone: +44 (0)1707 351 451
Address: Gate House, Fretherne Road, Welwyn Garden City, Hertfordshire, AL8 6NS
We aim to respond within 30 days.
¹LIA summaries available on request via our Data Protection team.
Executive Grapevine International Ltd
Registered in England & Wales: 2789779 | VAT: 6259453 20
Gate House, Fretherne Road, Welwyn Garden City, AL8 6NS, United Kingdom | +44 (0)1707 351451
Last reviewed by: Chris Lewis, Chief Executive Officer
16/06/2025