Privacy Notice

Last updated: 29 April 2026
Version 1.0

This notice explains how Penleigh International Limited (“Penleigh”, “we”, “us”) collects, uses and protects personal data when you visit our website, contact us, or engage with us as a candidate or client.

We are the data controller for the personal data described in this notice. That means we’re responsible for deciding how it’s collected and used, and for protecting your rights as a data subject.

01 Who we are

Penleigh International Limited is a private limited company registered in England and Wales (company number 12442642). Our registered office is 32 Park Cross Street, Leeds, LS1 2QH, United Kingdom.

We act as a recruitment business under the Conduct of Employment Agencies and Employment Businesses Regulations 2003. We are a one-person consultancy led by James Leigh.

02 Who this notice is for

This notice covers personal data we hold about three groups of people:

  • Website visitors — anyone who visits penleighinternational.com or sends us a message via the contact form.
  • Candidates — individuals whose details we hold for the purpose of executive search, including those we approach directly, those who approach us, and those represented in market mapping reports.
  • Clients and prospective clients — the named contacts at organisations who engage us for retained search or market mapping, or who enquire about doing so.

Where we’ve been engaged for a specific search or mapping project, the engagement contract may set out additional or more specific terms about how we process personal data on that project. Where there’s any conflict between this notice and an engagement contract, the engagement contract takes precedence for that project.

03 What we collect

From website visitors

When you submit our contact form, we collect the information you provide: your name, company, email address, phone number (if you give it), the type of enquiry, the market it relates to, and the message you write. We also collect basic technical data automatically — your IP address, browser type and the page you submitted from — through our hosting provider for security and abuse-prevention purposes.

From candidates

For the purpose of executive search, we collect and process information such as: name, contact details, current and previous roles, employment history, education, qualifications, references, salary expectations, geographic preferences, and the results of competency and behavioural assessments completed via our HireInsight platform. We may also record video introductions where candidates choose to provide them.

We collect this information from a combination of: the candidate themselves, public professional sources (LinkedIn, company websites, industry directories), referrals, and our own industry network.

From clients and prospects

We collect the contact details of the individuals at client organisations who instruct us, alongside notes of our discussions, the briefs we receive, and records of the work we do on each engagement. Where clients provide information about their internal teams or organisational context, we treat that as confidential commercial information and process it solely for the purpose of the engagement.

04 Why and how we use it

We process personal data only where we have a lawful basis to do so under the UK GDPR. The table below summarises the main processing activities.

Activity: Responding to website enquiries
Lawful basis: Legitimate interests — replying to a person who has actively contacted us
Retention: Up to 24 months from last contact, then deleted unless an engagement begins

Activity: Identifying, approaching and assessing candidates for client searches
Lawful basis: Legitimate interests — recruitment in the relevant industries; or consent where the candidate has actively registered with us
Retention: While the candidate is reasonably considered active in our network, with periodic review (see Section 7)

Activity: Delivering retained search and market mapping engagements to clients
Lawful basis: Performance of a contract with the client; legitimate interests in delivering effective search work
Retention: Engagement records kept for the duration of the relationship plus 6 years for legal and tax purposes

Activity: Administrative, accounting and legal compliance
Lawful basis: Legal obligation (HMRC, regulatory requirements); legitimate interests in running the business
Retention: As required by law — typically 6 years for tax records

We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects. Behavioural assessment results presented to clients via HireInsight are one input among several to inform a hiring decision; the decision to hire is always made by the client.

05 Who we share it with

We share personal data only where necessary, and only with parties who are themselves bound by appropriate confidentiality and data protection obligations. The categories of recipients are:

  • Clients — for whom we share candidate shortlist information through HireInsight, on the basis that this is the purpose for which the candidate provided it.
  • Service providers — including our website host (Netlify), email and productivity tools (Google Workspace), the HireInsight platform, and our accounting and payment providers.
  • Professional advisors — legal, tax or audit advisors where engagement is necessary.
  • Regulators and law enforcement — where we’re required by law to disclose information.

We do not sell personal data, and we do not share it for third-party marketing purposes.

06 International transfers

We work globally and may transfer personal data outside the UK in two contexts: when sharing candidate information with clients located overseas (typically in the US, EU, Middle East or Asia-Pacific), and when using service providers whose infrastructure may be hosted outside the UK.

Where a transfer is to a country that the UK government has not deemed to provide an adequate level of data protection, we rely on appropriate safeguards — typically the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another valid transfer mechanism.

07 How long we keep it

Specific retention periods are set out in Section 4 above. As a general principle:

  • Website enquiry data is kept for up to 24 months from last contact.
  • Candidate records are kept while the individual remains active in our network. We review records periodically and remove those we no longer have a legitimate reason to keep.
  • Client engagement records are kept for the duration of the relationship plus six years.
  • Records required for legal or tax compliance are kept for the period required by the applicable law.

You can request that we review and remove your data at any time — see Section 9.

08 How we protect it

We take reasonable and proportionate technical and organisational measures to protect personal data, including:

  • Encrypted storage and transmission for sensitive data, including all candidate records held in HireInsight.
  • Access controls limiting who can see personal data within our business and supplier ecosystem.
  • Multi-factor authentication on accounts that handle personal data.
  • A small operational footprint — as a one-person consultancy, the number of people with access to personal data is deliberately limited.

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we’ll notify the UK Information Commissioner’s Office within 72 hours and, where required, the affected individuals.

09 Your rights

Under UK data protection law you have a number of rights in relation to the personal data we hold about you. These include the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data, where we no longer have a lawful basis to hold it.
  • Restriction — ask us to restrict processing in certain circumstances.
  • Portability — request your data in a portable format, where applicable.
  • Object — object to processing based on legitimate interests, including direct outreach.
  • Withdraw consent — where we rely on consent as our lawful basis, you can withdraw it at any time.

To exercise any of these rights, email us at enquiries@penleighinternational.com. We’ll respond within one calendar month. We may need to verify your identity before acting on a request.

If you’re unhappy with how we’ve handled your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s data protection regulator. You can contact them at ico.org.uk or by calling 0303 123 1113. We’d appreciate the chance to address any concerns directly first.

10 Cookies and analytics

This website does not set tracking cookies and does not use third-party analytics. We don’t track you across the web, and we don’t share usage data with advertising platforms.

The site loads typefaces from Google Fonts, which may log the IP address and basic technical metadata of visitors as part of its content delivery network operation. This is a standard request log handled by Google rather than a tracking activity, but we’re flagging it for transparency.

If we add analytics or other tools in future that involve cookies or tracking, we’ll update this notice and, where required, present a consent banner before the tools are loaded.

11 Changes to this notice

We may update this notice from time to time to reflect changes in our practices, technology, legal requirements or other factors. The version number and last-updated date at the top of this page show when it was most recently revised.

For material changes, we’ll take reasonable steps to communicate the update — such as a note in the footer of the site, or a direct email to candidates and clients where appropriate.

12 How to contact us

For any privacy-related question, request, or complaint, contact us at:

Penleigh International Limited
32 Park Cross Street
Leeds, LS1 2QH
United Kingdom
Email: enquiries@penleighinternational.com
Phone: +44 (0)113 320 4980

We are not currently required to appoint a Data Protection Officer under UK law. James Leigh handles privacy matters personally as Director.
