1. Introduction
Mangeot & Co. (“M&C”), which includes “we,” “us,” “our” and cognates and, unless the context otherwise requires, refers to Joshua Mangeot and his affiliates or delegates doing business as Mangeot & Co., is committed to protecting the privacy and personal data of clients, partners, and website users.
This policy outlines how we collect, use, store, and protect personal data in compliance with the European Union (EU) General Data Protection Regulation (GDPR) and applicable data protection laws. We also provide services to clients outside the European Economic Area (EEA) and EU on a cross-border basis and such services are only provided in accordance with applicable laws.
This policy sets out how M&C collects and processes your personal data and what rights you have in relation to the personal data we hold and process — including in connection with client engagement and supplier provision of services.
This policy forms part of our terms and conditions of business and engagement agreement. By entering into our terms and conditions and engagement agreement, you expressly consent to the provisions of this policy. If you have any concerns or questions, please contact us at the details below.
2. Data Controller and Data Protection Officer
Joshua Mangeot operates as the data controller (and data protection officer, where applicable) for the personal data we process. Please refer to the contact details provided to you and contact him in case of any questions regarding your data or this policy.
3. Personal Data We Collect
Personal data includes any information relating to an identified or identifiable natural person.
We may collect and process personal data in various categories, which may include:
- Identification Data: Name, passport details, date of birth, educational or professional background, job title, organisation name or other information relating to your personal preferences.
- Contact Data: Email address, telephone or mobile number, business, postal or residential address.
- Financial Data: Data necessary for us to process payments and implement bribery or fraud prevention and other compliance measures, including bank account details, credit or debit card numbers, security code numbers or other billing or invoicing details.
- Business and Professional Data: Business information which we necessarily process as part of client instructions or projects in which we are involved or which is otherwise provided to us by you and information related to your professional background and engagements with us.
- Technical Data: Internet protocol (IP) addresses, device and browser type and version, operating system, and other technical information collected through our website or electronic platforms or client service portals.
- Compliance Data: Information we are required by law or compliance requirements and conflict checks to collect, such as "know-your-customer" or client due diligence information, conflict check information, information required by anti-money laundering, anti-bribery, international sanctions or similar requirements and information about relevant disputes or litigation that may be relevant to our engagement.
- Communications and Marketing Data: Information regarding your preferences that is relevant to the services M&C provides. If any such information is sensitive or high risk, the processing of such data is based solely on your express consent.
- Public Information: Information we collect from publicly available resources, including credit rating agencies and databases we use for compliance checks.
- Registered Data: Personal data available or registered as a result of any interest or position you may have in or relating to any corporate person, entity, partnership, trust or other undertaking relevant to our engagement or to which we may provide services (each a "Relevant Entity").
- Sensitive or Special Information: We only process such information where permitted by a legal or regulatory obligation to do so or where you have provided us with such information because it is necessary for provision of our services to you.
We undertake an information audit process to ensure that any personal data we collect is identified and used appropriately.
4. Purposes and Legal Bases for Processing
We may process personal data for the following purposes:
- Provision of Services: To deliver consultancy services as requested by clients. This may include engaging sub-contractors or delegates to provide services to or on behalf of M&C ("Sub-Contractors").
- Communication: To respond to inquiries, provide information about our services, and manage our relationships.
- Compliance: To fulfill legal obligations under applicable law.
- Marketing: To send promotional materials, subject to obtaining explicit consent.
The legal bases for processing are:
- Consent: Processing is based on the data subject's explicit consent, particularly for marketing purposes.
- Contractual Necessity: Processing is necessary for the entry into or performance of a contract to which the data subject is a party.
- Legal Obligation: Processing is necessary for compliance with a legal obligation to which we are subject.
- Legitimate Interests: Processing is necessary for the purposes of our legitimate business interests (where this is permitted by applicable law), provided these are not overridden by the interests or fundamental rights and freedoms of the data subject.
5. Data Sharing and Transfers
We do not sell or rent personal data to third parties or otherwise exploit personal data. We may share personal data with:
- Service Providers: Third-party Sub-Contractors or other vendors who provide services for us or on our behalf, subject to confidentiality and data protection agreements and formal security policies. We conduct a formal due diligence and monitoring process when engaging any third party to ensure that the Sub-Contractor or vendor also has privacy, data protection and security policies and mechanisms. This is a key criterion for selection and retention of Sub-Contractors.
- Legal Authorities: When required by law or to protect our legal rights.
- Authorised Persons: Authorised persons specifically designated by clients and only with express consent pursuant to our terms and conditions of business, such as lawyers or other professional advisors.
Personal data may be transferred to countries outside the EEA only if adequate safeguards are in place, in compliance with GDPR requirements (which may include entering into the EU Commission’s standard contractual clauses). We ensure that any cross-border transfers of data comply with any other applicable data protection laws.
6. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements. Specific retention periods are determined based on:
- Legal Requirements: Retention periods mandated by applicable law.
- Contractual Obligations: Duration of contracts and any related legal claims or proceedings.
- Business Needs: Operational considerations and the necessity of data for legitimate business purposes (including archiving purposes).
We will delete or destroy your personal data once it is no longer reasonably necessary for us to keep it for the purposes described above or if you withdraw your consent, where we have relied on your consent to keep your personal data, unless we are permitted or required by law to keep the data.
7. Data Subject Rights
Under the GDPR and applicable data protection laws, data subjects have the following rights:
- Access: The right to obtain confirmation as to whether personal data concerning them is being processed, and, where that is the case, access to the personal data.
- Rectification: The right to obtain the rectification of inaccurate personal data concerning them.
- Erasure: The right to obtain the erasure of personal data concerning them under certain conditions.
- Restriction: The right to object to or to request restriction of processing under certain conditions.
- Data Portability: The right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format.
- Objection: The right to object, on grounds relating to their particular situation, to processing of personal data concerning them.
- Right against Automation: We will not process your personal data or make any related decisions using automated means. If any of our business processes use automation, all confidential or personal data is redacted prior to processing and such processes are not relevant to any decision-making.
- Right to be Forgotten: If you object to processing of your data (for example because the processing is not legitimate or proportionate to the purposes for which it was collected), you may ask for your data to be deleted or destroyed, providing there is no legal obligation to retain such information.
- Right to Complain: You may submit a complaint or any concerns regarding how we process your personal data.
To exercise such rights, please contact us using the contact details provided in Section 2 above.
You may directly report any concerns or complaints (including to make formal complaints) to your local data protection authority, who will also provide you with more information regarding your rights under applicable data protection laws.
Generally, we receive your personal data from you voluntarily and with express consent pursuant to our engagement agreement. Usually there will be no detrimental effect if you prefer not to provide personal data. However, there may be circumstances where we cannot provide services without receiving such data — for example, due to compliance, legal, regulatory or sanctions laws and regulations. Where that is the case, we will notify you.
8. Corrections and Updating Personal Data
If any personal data provided to us has changed or may be inaccurate (or if you wish to withdraw any consent or request previously provided to us), please let us know using the contact details at Section 2 above. We cannot be responsible (and do not accept responsibility) for any liability or loss that may arise due to us having any inaccurate, incomplete, inauthentic or otherwise deficient personal data.
9. Data Security
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Anonymity: Wherever possible (and particularly when dealing with Sub-Contractors), we anonymise or redact personal data or use pseudonyms in documents or communications, to avoid processing any personal data except as strictly necessary for the above purposes.
- Access Controls: Restricting access to personal data to authorized personnel only.
- Encryption: Using encryption technologies to protect personal data during transmission and storage.
- Regular Audits: Conducting regular security assessments and audits to identify and mitigate potential risks.
- Formal Security Policy: We maintain a formal security policy that includes due diligence requirements for Sub-Contractors and vendors.
- Data Protection Impact Assessments: If processing may present a high risk to the rights and freedoms of any individual(s), we conduct data protection impact assessments ("DIPAs").
We may keep your personal data in our electronic systems and the systems of our Sub-Contractors or in physical form.
Privacy and security safeguards are embedded in our processes. If you have any specific security requirements for handling your confidential information or personal data, please let us know.
10. Cookies Notice
Our website does not store “cookies” or similar tracking data on your devices or electronic systems.
11. Data Breach Notification
We have measures to identify and prevent data breaches. We conduct DIPAs when required and investigate potential data breaches as soon as we become aware of them.
In the event of a data breach, we have implemented a response plan that includes:
- Notification to any appropriate data protection authority within 72 hours (or shorter legal deadline, if applicable), where required.
- Communication to any affected individual(s) if the breach is likely to result in high risk to their rights and freedoms.
- Incident documentation and corrective measures to prevent future breaches.
12. Personal Data of Others
If you provide us with personal data of any other individual(s) — for example, your own agents, beneficial owners, directors, employees or office holders or any individual connected with any Relevant Entity — you are solely responsible for ensuring that you are entitled to disclose such personal data to us. You are also solely responsible for ensuring that we can collect, use and disclose those data pursuant to this policy without taking any further steps.
You must ensure that any affected individual is aware of their rights and this privacy and data protection policy, including our identity and contact details, the purposes for which we (and our Sub-Contractors) may process their data and our disclosure and sharing policies.
13. Changes to This Policy
We may update this policy from time to time to reflect changes in our practices or legal requirements. The latest version will always be available on our website and expressly incorporated as part of our terms and conditions of business and engagement agreement. We encourage you to review this policy periodically. Changes are effective as soon as the revised edition is published on our website.
14. Contact Information
For any questions or concerns regarding this policy or our confidentiality or data protection practices, please contact us at the details at Section 2 above.
Mangeot & Co.
Last updated January 2026