Bath · Bristol · London

01Who We Are

The Crane Consultancy is a trading name of Crane Consultancy Limited, a company registered in England and Wales (Company No. 15526285), with its registered office at 45 Albemarle Street, Floor 3, Mayfair, London, W1S 4JL.

We are the data controller for personal information collected through this website and through our commercial engagements. This policy explains how we collect, use, store, and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

When we manage digital advertising and marketing operations for our clients, we act as a data processor on behalf of those clients, who remain the data controllers for their own customers' and leads' personal data. In that role we process personal data only on our clients' documented instructions and under a data processing agreement. Except where this policy states we are acting as a processor for a client, we act as the data controller.

Questions? If you have any questions about this policy or how we handle your data, please contact us at [email protected] before proceeding.

02Data We Collect

We collect personal data in the following ways:

  • Contact enquiries. When you submit our contact form, we collect your full name, professional email address, and the content of your message.
  • Direct communications. When you contact us via WhatsApp, email, or telephone, we retain records of that correspondence.
  • Analytics data. We collect anonymised usage data including pages visited, time on site, and device type via Google Analytics (configured with IP anonymisation and no cross-site tracking).
  • Technical data. Server logs may record your IP address, browser type, and referring URL for security and diagnostic purposes. These logs are not used for profiling.
  • Commercial mandates. When we enter into a commercial engagement, we may collect additional business contact information as part of our client onboarding process.
  • Newsletter subscription. When you subscribe to The Crane Briefing, we collect your email address and an auditable record of your consent (the date, time, source and IP address of your subscription), as required under the Privacy and Electronic Communications Regulations (PECR).
  • Consultation bookings. When you book a consultation, we collect your name, professional email, optional company name and your chosen time, which is added to our calendar to schedule the call.
  • Readiness scanners. When you use our AI readiness scanners, we process the website domain you submit; if you request a manual review, we also collect the email address you provide.

We do not knowingly collect data from individuals under the age of 18. This website and our services are directed exclusively at business professionals.

03How We Use It

We use your personal data only for the purposes for which it was collected:

  • To respond to your enquiry and assess whether we can assist you
  • To communicate with you regarding a potential or active commercial engagement
  • To fulfil our contractual obligations as your retained consultancy
  • To improve the performance and user experience of this website
  • To send you The Crane Briefing, our weekly newsletter, where you have subscribed (you can unsubscribe from any email)
  • To comply with legal and regulatory obligations applicable to our business
  • To detect, investigate, and prevent fraudulent or unlawful activity

We do not use your personal data for automated decision-making or profiling. We do not sell, rent, or trade your personal data to third parties for marketing purposes.

05Data Sharing

We do not sell your data. We share personal data only in limited, necessary circumstances:

  • Service providers. We use trusted third-party processors to operate our business, including Cloudflare (website hosting and data storage), Resend (transactional and newsletter email delivery), Google (Calendar, for scheduling the consultations you book, and analytics and advertising infrastructure), and Stape (server-side tracking). Each operates under a data processing agreement, and some are based in the United States.
  • Advertising and measurement partners (client engagements). When we manage advertising for our clients, we share limited data with the advertising platforms those clients use — Google, Microsoft (Bing) and LinkedIn — for conversion measurement and campaign optimisation. This may include advertising click identifiers (such as the Google Click ID, Microsoft Click ID and the LinkedIn first-party ad tracking identifier) and contact details that we irreversibly hash (SHA-256) before transmission, used only to match a sale or enquiry back to the advertisement that produced it. Where a client runs lead generation forms on these platforms (such as LinkedIn Lead Gen Forms), we also deliver the resulting leads into that client's own CRM. This processing is carried out on behalf of, and on the documented instructions of, the client as data controller; we do not use it for our own marketing, and we never sell it.
  • Legal compliance. We may disclose data to law enforcement, regulatory authorities, or courts where legally required or where necessary to protect our rights or the rights of others.
  • Business transfers. In the event of a merger, acquisition, or sale of the business, your data may be transferred to the acquiring party, subject to equivalent privacy protections.

Where we transfer data outside the United Kingdom, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or adequacy decisions as applicable.

06Retention

We retain personal data only for as long as necessary for the purposes set out in this policy:

  • Enquiry data from the contact form is retained for up to 24 months, after which it is securely deleted unless a commercial engagement has commenced
  • Scanner review requests are treated as enquiries and retained for up to 24 months
  • Newsletter subscription data is retained until you unsubscribe; your email is then removed from the active list, though a minimal record of your prior consent may be kept as evidence of lawful processing
  • Client engagement data is retained for 7 years following the end of an engagement, in accordance with UK financial record-keeping requirements
  • Anonymised analytics data is retained in accordance with Google Analytics default retention settings (26 months)
  • Server security logs are retained for 90 days

At the end of the applicable retention period, data is securely deleted or anonymised.

07Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Access. You may request a copy of the personal data we hold about you.
  • Rectification. You may request correction of inaccurate or incomplete data.
  • Erasure. You may request deletion of your personal data where there is no compelling reason for us to continue processing it.
  • Restriction. You may request that we restrict processing of your data in certain circumstances.
  • Portability. You may request that we provide your data in a structured, machine-readable format.
  • Objection. You may object to processing based on legitimate interests or for direct marketing purposes.
  • Withdraw consent. Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at [email protected]. We will respond within one calendar month. You also have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk.

08Cookies

This website uses cookies and similar tracking technologies. We operate a server-side tracking infrastructure through Stape to minimise client-side data exposure.

  • Essential cookies. Required for the site to function correctly. No consent required.
  • Analytics cookies. We use Google Analytics with IP anonymisation enabled and client storage disabled. These cookies collect anonymised data about how visitors use our site. You may opt out via your browser settings or the Google Analytics opt-out browser add-on.
  • Advertising cookies. We may use conversion and measurement tags from advertising platforms including Google, Microsoft and LinkedIn. Ad storage is disabled by default on our analytics configuration.

You can control cookies through your browser settings at any time. Disabling certain cookies may affect site functionality.

09Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These measures include:

  • HTTPS encryption across all pages and data transmissions
  • Content Security Policy headers restricting resource loading to trusted origins
  • Server-side tracking to reduce client-side data exposure
  • Honeypot and time-gating mechanisms on contact forms to prevent automated abuse
  • Access controls limiting data access to authorised personnel only

No method of transmission over the internet is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay.

10Third Parties

Our website contains links to third-party websites, including our verified infrastructure partners. This policy does not apply to those websites. We encourage you to review their respective privacy policies before providing any personal data.

Our key infrastructure providers and their privacy documentation:

11Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The date at the top of this page indicates when the policy was last revised.

Material changes will be communicated to active clients directly. Continued use of our website following an update constitutes acceptance of the revised policy.

12Contact Us

For any questions, requests, or concerns regarding this Privacy Policy or your personal data, please contact us through any of the following:

Data Controller

Crane Consultancy Limited

45 Albemarle Street, Floor 3

Mayfair, London, W1S 4JL

[email protected]

WhatsApp: +44 7771 007209

If you are unsatisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint or by telephone on 0303 123 1113.