Privacy Statement
Privacy
Baron & Cabot – Privacy Policy
Effective date: 6 October 2025
Baron & Cabot (“we”, “us”, or “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you visit our websites, use our services, attend our seminars/webinars, or otherwise interact with us.
Who we are
Baron & Cabot is a property investment firm serving clients globally. For the purposes of this Policy, the following entities act as data controllers (depending on your interaction and location):
Baron & Cabot Ltd (Commercial Unit 1, 52 Trinity Way, Manchester, England, M3 7FX, UK)
Baron & Cabot DMCC (Swiss Tower, Cluster Y, Jumeirah Lakes Towers, Dubai, United Arab Emirates)
Unless we tell you otherwise at the point of collection or in a contract, the controller is the Baron & Cabot entity you deal with.
How to contact us
Email: milanesi.bascuguin@baroncabot.com
Postal address: Commercial Unit 1, 52 Trinity Way, Manchester, England, M3 7FX
Data Protection Officer (global): Tinicia Hepworth
1) What data we collect
We may collect the following categories of personal data about you:
Identifiers & contact details (name, postal address, email, phone, country of residence, job title, company).
Demographic data (age range, nationality where required by law).
Client & prospect data (investment preferences, budget ranges, source of funds information, meeting notes, recordings where permitted, documents you upload such as bank statements for AML/KYC checks).
Transactional data (reservations, payments, invoices, contract status, property selections).
Marketing & communications data (your consents and preferences; event attendance; responses to surveys; engagement with emails and ads).
Device/usage data (IP address, device identifiers, cookie IDs, pages viewed, links clicked, session recordings where enabled, and analytics events).
Inferences (probable interests or audience segments derived from other data).
Sensitive/regulated data collected only where necessary and lawful (e.g., identity documents, proof of address, source-of-wealth information for AML/KYC and sanctions screening; recordings of calls/meetings where you are notified; any health or disability information only where you choose to share it for event accommodation).
We collect data directly from you, automatically from your devices (via cookies and similar technologies), and from third parties (e.g., credit reference agencies, sanctions/PEP screening providers, social platforms, advertising partners, and public sources).
2) Purposes and legal bases (EEA/UK GDPR; analogous bases noted for other regions)
We use personal data for:
Providing services and customer support (account set-up, consultations, bookings, transactions, property reservations, aftercare).
Legal bases: contract performance; legitimate interests to operate our business; consent where required.
Responding to enquiries and communicating with you (including call-back and meeting scheduling).
Legal bases: contract/steps prior to contract; legitimate interests; consent where required.
Marketing and personalisation (sending updates, event invitations, property recommendations, audience targeting/retargeting, lookalike audiences where allowed).
Legal bases: consent where required (e.g., email/SMS in some countries); legitimate interests with opt-out.
Analytics and service improvement (site/app analytics, diagnostics, A/B tests, training sales staff, quality assurance of calls).
Legal bases: legitimate interests; consent for non-essential cookies/SDKs.
Compliance and risk management (AML/KYC, sanctions screening, fraud prevention, record-keeping, audits, legal claims).
Legal bases: legal obligation; substantial public interest (where applicable); legitimate interests; vital interests in emergencies.
Security (threat detection, access controls, incident response).
Legal bases: legal obligation; legitimate interests.
Automated decision-making/profiling (e.g., internal lead scoring or prioritisation; eligibility gates for offers).
Approach: we do not make decisions with legal or similarly significant effects without human review unless required by law and subject to your rights.
Where we rely on consent, you may withdraw it at any time. Where we rely on legitimate interests, we balance our interests against your rights and expectations.
3) Cookies and similar technologies
We use first- and third-party cookies, pixels, tags, and SDKs for: essential functions, analytics, performance, personalisation, and advertising (including cross-site or cross-app targeting). Where required, we present a consent banner and honour your choices. See Appendix A – Cookie Notice for details of technologies, purposes, and retention. You can change preferences at any time via the banner’s settings link.
4) Sharing and disclosures
We may share personal data with:
Service providers/processors (cloud hosting, CRM, marketing platforms, communications, analytics, payment processors, AML/KYC vendors, call recording/transcription providers, IT security, professional advisors). These parties process data under written contracts and follow our instructions.
Business partners and developers where you request or authorise us to introduce you (e.g., property developers or allied professional firms for conveyancing or mortgages). We will tell you when another party becomes an independent controller of your data.
Advertising and analytics partners (to measure campaigns, reach relevant audiences, or limit frequency), in line with your choices.
Corporate transactions (mergers, acquisitions, financing, or asset sales) subject to appropriate safeguards.
Legal, compliance, and safety (to comply with laws, law enforcement requests, enforce our terms, protect rights, property, or safety).
We do not sell personal information for money. In certain jurisdictions (e.g., some U.S. states), disclosures for targeted advertising or certain analytics may be considered a “sale” or “sharing”—see Section 10 and Appendix B for how to opt out.
5) International transfers
We operate globally. When transferring personal data internationally, we implement appropriate safeguards, which may include:
Adequacy decisions (where the destination is recognised as providing adequate protection).
Standard Contractual Clauses or other transfer contracts.
Onward transfer and due diligence obligations for our vendors and partners.
UAE PDPL transfer mechanisms and risk assessments, as applicable.
Singapore PDPA transfer obligation (ensuring comparable protection when data is transferred overseas).
We will provide more information on request about specific transfer safeguards that apply to you.
6) Data retention
We retain personal data only as long as necessary for the purposes described above, including to meet legal, accounting, or reporting requirements. We delete or anonymise data when no longer needed, subject to backup and archival cycles.
Standard retention periods (unless law requires longer):
Client/property transaction files (incl. AML/KYC, source-of-funds, sanctions checks): 7 years after the end of the client relationship or last transaction.
Contracts & finance (invoices, receipts, tax records): 7 years.
HR/Recruitment records (employees, contractors, applicants): up to 6 years after employment/engagement ends; payroll/tax records 6 years; health & safety/accident records as required by law.
Call & meeting recordings (where applicable): 12–24 months unless needed for training, disputes or compliance.
Marketing CRM records: until you withdraw consent or object; suppression lists are retained indefinitely to honour your preferences.
Website/app analytics data: typically 3–26 months depending on the tool and settings (see Appendix A).
7) Security
We maintain administrative, technical, and physical safeguards appropriate to the nature of the data, including access controls, encryption in transit and at rest (where supported), logging/monitoring, vendor due diligence, staff training, and incident response procedures. No system is perfectly secure; if we detect a breach affecting you, we will notify you and regulators where required by law.
8) Your rights (by region)
EEA/UK (GDPR)
You have rights to access, rectify, erase, restrict, object (including to direct marketing), and data portability. Where processing is based on consent, you can withdraw consent at any time. You may also have rights relating to automated decision-making. You can lodge a complaint with your local supervisory authority.
United Arab Emirates (Federal PDPL; DMCC)
Depending on the context, you may request access, correction, deletion, and restriction; object to processing; and obtain information about automated processing. You may also complain to the UAE Data Office. Where you engage with Baron & Cabot DMCC, we apply UAE Federal PDPL and DMCC requirements that reference the federal law.
Singapore (PDPA)
You may request access and correction of personal data, withdraw consent at any time (which may affect our ability to provide services), and request information on our data protection policies and practices. You can lodge a complaint with the Personal Data Protection Commission (PDPC).
United States (state privacy laws)
Residents of U.S. states with comprehensive privacy laws — including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Tennessee, New Jersey (and any other state that adopts similar laws) — may have rights to access, correct, delete, obtain a portable copy, and opt out of:
Targeted advertising;
Selling or sharing personal information; and
Profiling in furtherance of decisions producing legal or similarly significant effects.
California residents also have the right to limit the use/disclosure of Sensitive Personal Information and to use an authorized agent. Where a request is denied, you may appeal our decision via the DPO re-check described below.
9) Exercising your rights
Submit requests by emailing milanesi.bascuguin@baroncabot.com with the subject “Privacy Request” and specify your country/state of residence and the right(s) you wish to exercise. We will verify your identity (and, where allowed, your authorized agent) and respond within the timeframe required by applicable law.
Appeals (U.S. residents): If we decline to act on your request, you may appeal by replying to our response and asking for a DPO re-check. We will review the decision and inform you in writing of the outcome and how to contact your state Attorney General if you remain unsatisfied.
10) Marketing choices and opt-outs
Email/SMS: You can unsubscribe using the link in our messages or by contacting us.
Targeted advertising / “sale” or “sharing” (U.S.): Use our Do Not Sell or Share My Personal Information link (where provided) or contact us. We honour platform-level signals where required by law (e.g., Global Privacy Control in California).
Cookies/SDKs: Adjust preferences via our cookie banner or your device settings (see Appendix A – Cookie Notice).
11) Children’s privacy
Our services are not directed to children. We do not knowingly collect personal data from children under 13 (or the age defined by local law). If you believe a child has provided us data, please contact us and we will take appropriate steps.
12) Region-specific notices
EEA/UK addendum
Controller identity & representative: Baron & Cabot Ltd is the UK controller. If required under Article 27 GDPR, please add details of an EU representative.
Legal bases: When we rely on legitimate interests, they include: operating and improving our services; securing systems; preventing fraud; and relevant marketing to business contacts.
International transfers: We rely on adequacy decisions where available and Standard Contractual Clauses otherwise; we implement supplementary measures when necessary.
UAE addendum
Lawful bases: We process data to perform contracts, comply with UAE laws (including AML/CFT), with consent where required, and for legitimate interests that do not conflict with your rights.
Cross-border transfers: Where we transfer data outside the UAE, we use PDPL-permitted mechanisms and risk assessments, or rely on transfers necessary to perform a contract at your request.
DMCC: Where services are provided by Baron & Cabot DMCC, DMCC requirements that reference the federal PDPL are observed. We do not operate under DIFC/ADGM data protection regimes.
Singapore addendum
DPO contact: Tinicia Hepworth — milanesi.bascuguin@baroncabot.com.
Access & correction: Reasonable fees may apply for access requests as allowed by the PDPA.
Overseas transfers: We ensure a comparable standard of protection by contract or other PDPC-recognised means.
United States addendum (including California)
Categories collected: identifiers; customer records; commercial information; internet/usage data; approximate geolocation; inferences; and Sensitive Personal Information where necessary (e.g., government IDs for KYC).
Purposes: as set out in Sections 2–5 above.
Disclosures for business purposes: to service providers and contractors under written agreements.
Sale/Sharing/Targeted Advertising: We do not sell for money; we may share for targeted advertising or cross-context behavioural advertising unless you opt out.
Sensitive Personal Information: We do not use or disclose SPI to infer characteristics or for additional purposes without notice/consent where required.
Retention: we retain as described in Section 6; specific retention periods are available on request.
Non-discrimination: We will not discriminate against you for exercising your rights.
Appeals: If we decline to act, you may appeal via the DPO re-check described in Section 9.
13) Third-party links and services
Our websites may include links to third-party sites or services. Their privacy practices are governed by their own policies.
14) Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will notify you by posting the updated Policy and changing the Effective date above, and, where required, by additional notice.
15) How to complain
If you have concerns, please contact us first at milanesi.bascuguin@baroncabot.com. You also have the right to contact your local data protection authority/regulator.
EEA/UK: Contact your national supervisory authority (see EU/EEA list) or the UK Information Commissioner’s Office (ICO).
UAE: Contact the UAE Data Office.
Singapore: Contact the PDPC.
USA: Contact your state Attorney General or the California Privacy Protection Agency (for California residents).
Appendix A — Cookie Notice (summary)
This Appendix describes the cookies/SDKs we commonly use. Actual tools may vary. Non-essential cookies/SDKs are used only with your consent where required.
| Category | Purpose | Examples of providers/technologies | Typical retention |
|---|---|---|---|
| Strictly necessary | Core site functions, security, load balancing, consent storage | First-party session cookies; CDN; consent manager | Session to 12 months |
| Analytics & performance | Understand usage, improve features, detect bugs | Google Analytics; HubSpot analytics; Hotjar/Clarity (session replay) | 3–26 months |
| Advertising & social | Measure campaigns, retargeting, frequency capping, lookalikes | Meta Pixel; Google Ads/Floodlight; LinkedIn Insight Tag | 3–12 months |
| Functional | Remember choices, language, region | First-party preference cookies | 6–12 months |
Managing preferences: Use our cookie banner to accept/reject categories and change your choices anytime. You may also adjust browser/mobile OS settings. Blocking some cookies may impact functionality.
Appendix B — Standalone page text: “Do Not Sell or Share My Personal Information” (U.S.)
Your rights: Some U.S. state laws allow you to opt out of (1) the sale of personal information and (2) targeted advertising (also called cross-context behavioral advertising or “sharing” in California).
How to opt out:
Use this page’s Opt-Out button to record your choice, or email milanesi.bascuguin@baroncabot.com with subject “Do Not Sell/Share”.
We honour Global Privacy Control (GPC) signals sent by your browser/extension for this device and browser.
What this covers: Disclosures to ad/analytics partners that may qualify as a sale, share, or targeted advertising under state laws.
Authorized agents (CA only): Your agent must provide proof of authority; we may require you to verify your identity or confirm the request.
Sensitive Personal Information (CA only): We do not use or disclose SPI for additional purposes that require a right to limit.
Appeals: If we deny your request, reply to our response to request a DPO re-check.
Appendix C — Retention schedule (detail)
This schedule supplements Section 6 and may be updated. Where multiple periods apply, we keep the longest required by law or for legal defense.
Client/property files: 7 years after last transaction/relationship end.
KYC/AML & sanctions screening: 7 years after last check.
Contracts & finance (including tax/VAT): 7 years.
Marketing CRM & engagement data: Active marketing data until opt-out; suppression lists retained indefinitely to honour opt-outs.
Events/webinars registrations & attendance: 24 months.
Call recordings & QA materials: 12–24 months unless needed for training, compliance, or disputes.
Support tickets & chat transcripts: 24 months.
Website/app analytics: 3–26 months (tool-dependent).
Recruitment/applicant data: 12 months (or longer with consent).
Employee HR records: 6 years after employment ends (longer where safety/accident or pension rules require).
