Privacy & Data Protection Policy
Effective: January 2026
Kozenkow Advisory ("we", "us", "our") is a boutique consulting and advisory firm. We are committed to protecting your personal data and to being fully transparent about how we collect, use, and safeguard it.
For the purposes of the General Data Protection Regulation (GDPR) and all applicable EU/EEA data protection legislation, Kozenkow Advisory is the data controller of any personal data collected through this website and our associated services.
1. Who We Are
This policy applies to:
visitors to our website (the "Site");
prospective, current, and former clients and business contacts;
individuals who contact us by email, phone, or through online forms;
applicants for positions at our firm; and
any other person whose personal data we process in the course of our business activities.
This policy does not apply to third-party websites linked from our Site. We are not responsible for the privacy practices of those sites and encourage you to review their own policies.
2. Scope of This Policy
3.1 Data You Provide Directly
Identity data: name, job title, employer;
Contact data: email address, telephone number, postal address;
Business data: professional background, sector, and areas of interest shared with us;
Correspondence: emails, messages, and notes from calls or meetings;
Recruitment data: CV/résumé, cover letter, references, and interview records.
3.2 Data We Collect Automatically
When you visit our Site, we may automatically collect:
Technical data: IP address, browser type and version, operating system, device identifiers;
Usage data: pages viewed, time on site, referring URL, click paths;
Cookie data: as described in Section 8 below.
3.3 Data We Receive from Third Parties
We may receive limited personal data from:
LinkedIn and other professional networking platforms (where you engage with our content)
Referrals from clients or partners; and
Publicly available professional directories or company registries.
We only use such data where we have a legitimate basis to do so.
3. Personal Data We Collect
4. Legal Bases for Processing (Art. 6 GDPR)
We process your personal data only where a valid legal basis exists under Article 6 of the GDPR:
Contractual necessity (Art. 6(1)(b)) to perform a contract with you or to take steps at your request before entering into a contract.
Legitimate interests (Art. 6(1)(f)) for business development, service improvement, and internal administration, where such interests are not overridden by your rights and freedoms.
Legal obligation (Art. 6(1)(c)) to comply with applicable laws, regulations, or court orders.
Consent (Art. 6(1)(a)) where you have freely given, specific, informed, and unambiguous consent (for example, for non-essential cookies or marketing communications). You may withdraw consent at any time.
Where we process special categories of personal data (Art. 9 GDPR), we will identify and rely on an additional condition under Article 9(2) and record this accordingly.
5. How We Use Your Personal Data
We use your personal data for the following purposes:
-Providing advisory and consulting services to you or your organisation;
-Responding to enquiries and managing our client relationship;
-Sending service-related communications (e.g., engagement letters, meeting summaries);
-Sending marketing and thought-leadership communications where you have consented or we have a legitimate interest (you may opt out at any time);
-Improving and personalising our Site and services through analytics;
-Complying with our legal and regulatory obligations;
-Preventing and detecting fraud, security threats, or other harmful activity;
-Managing recruitment and talent pipelines.
We will not use your data for automated individual decision-making or profiling that produces legal or similarly significant effects (Art. 22 GDPR) without your explicit consent.
6. How We Share Your Personal Data
We do not sell, rent, or trade your personal data. We may share it with:
Service providers: IT infrastructure, CRM, email, and analytics providers acting as our data processors under appropriate agreements (Art. 28 GDPR);
Professional advisors: lawyers, accountants, and insurers under duties of confidentiality;
Regulators and public authorities: where required by law or to protect legal rights;
Business successors: in the event of a merger, acquisition, or restructuring, subject to confidentiality obligations.
All third-party processors are required to implement appropriate technical and organisational measures to protect your data and to process it only on our documented instructions.
7. International Data Transfers
Where we transfer personal data outside the European Economic Area (EEA), we ensure an adequate level of protection through one of the following safeguards:
An adequacy decision by the European Commission (Art. 45 GDPR);
Standard Contractual Clauses (SCCs) adopted by the European Commission (Art. 46(2)(c) GDPR); or
Binding Corporate Rules or other approved mechanisms, where applicable.
You may request a copy of the relevant transfer mechanism by contacting us at privacy@kozenkowadvisory.com.
8. Cookie Policy
8.1 What Are Cookies?
Cookies are small text files placed on your device when you visit a website. They allow the website to recognise your device and remember certain information about your visit. Similar technologies include web beacons, pixels, and local storage objects. References to "cookies" in this policy encompass all such technologies.
8.2 Categories of Cookies We Use
We use the categories of cookies, consistent with the guidance of the European Data Protection Board and Recital 30 of the GDPR.
8.3 Your Choices Regarding Cookies
Strictly necessary cookies cannot be disabled as they are essential for the Site to function. For all other cookies, you have the following options:
Cookie Consent Banner: When you first visit our Site, you will be presented with a banner allowing you to accept or decline non-essential cookies by category. Your preference is saved and can be changed at any time via the "Cookie Settings" link in our Site footer.
Browser settings: You can set your browser to refuse or delete cookies. Please note that disabling cookies may affect the functionality of the Site. Guidance is available at www.allaboutcookies.org.
Google Analytics opt-out: you can install the Google Analytics Opt-out Browser Add-on (available at tools.google.com/dlpage/gaoptout).
LinkedIn opt-out: visit www.linkedin.com/psettings/guest-controls to opt out of LinkedIn advertising.
8.4 Do Not Track
Our Site does not currently respond to "Do Not Track" (DNT) signals from browsers. We will review this position as industry standards evolve.
9. Data Retention
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. Our general retention periods are:
Client engagement data: 7 years from the end of the engagement (to meet statutory and regulatory obligations);
Marketing and newsletter data: until you unsubscribe or withdraw consent, plus 30 days;
Website analytics data: 26 months from the date of collection (aligned with Google Analytics defaults);
Job application data: 6 months from the close of the recruitment process, unless you consent to retention in our talent pool;
Correspondence and enquiries: 3 years from last contact.
At the end of the applicable retention period, data is securely deleted or anonymised. Where data is anonymised, it may be retained for statistical purposes indefinitely.
10. Data Security
We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include:
Encryption of data in transit (TLS 1.2+) and at rest;
Role-based access controls and the principle of least privilege;
Regular security assessments and staff training;
Incident response procedures, including notification to the competent supervisory authority within 72 hours of becoming aware of a personal data breach where required (Art. 33 GDPR).
No method of transmission over the internet is 100% secure. If you have reason to believe that your interaction with us is no longer secure, please notify us immediately at privacy@kozenkowadvisory.com.
11. Your Rights Under the GDPR
As a data subject, you have the following rights under Chapter III of the GDPR. We will respond to verified requests without undue delay and in any event within one calendar month (extendable by a further two months for complex or numerous requests):
-Right of access (Art. 15) to obtain confirmation of whether we process your data and a copy thereof.
-Right to rectification (Art. 16) to have inaccurate or incomplete data corrected.
-Right to erasure / 'right to be forgotten' (Art. 17) to have your data deleted, subject to certain exceptions.
-Right to restriction of processing (Art. 18) to restrict how we use your data in specified circumstances.
-Right to data portability (Art. 20) to receive your data in a structured, machine-readable format and, where technically feasible, to have it transmitted to another controller.
-Right to object (Art. 21) to object to processing based on legitimate interests or for direct marketing (the latter is absolute).
-Rights related to automated decision-making (Art. 22) not to be subject to solely automated decisions that have a significant impact on you.
-Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, please submit a written request to privacy@kozenkowadvisory.com that includes sufficient information to verify your identity. We will not charge a fee for handling your request unless it is manifestly unfounded or excessive.
You also have the right to lodge a complaint with a supervisory authority. In the EU, this will typically be the authority in your Member State of habitual residence, place of work, or place of the alleged infringement. Our lead supervisory authority is [Name of Competent SA, e.g., "the Data Protection Commission (Ireland)" or "the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) (Germany)"].
12. Children's Data
Our services are directed exclusively at business professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately, and we will delete it without delay.
13. Updates to This Policy
We review and update this policy periodically to reflect changes in our practices, technologies, legal requirements, and other operational factors. When we make material changes, we will:
Update the "Last Reviewed" date at the top of this document; post the revised policy prominently on our Site; and where required by law, notify affected individuals directly.
Your continued use of the Site following the posting of changes constitutes your acknowledgement of the revised policy. We encourage you to review this page periodically.
14. Contact & Complaints
For any questions, concerns, or requests relating to this policy or our data processing activities, please contact: privacy@kozenkowadvisory.com
We take all privacy concerns seriously and will endeavour to address them promptly.