Privacy and Cookies Policy

Who we are

This is the Privacy & Cookies Policy of the Hilton-Baird Group of companies, which comprises:

Each company’s registered address is 110 Cannon Street, London, United Kingdom, EC4N 6EU and additional contact details are available on our websites. Any Data Protection enquiries should be directed to When we refer to “HBG”, “we”, “us” or “our” we are talking about all the Companies within the Hilton-Baird Group.

Your use of our website and our services indicates your agreement to the terms of use set out on our websites, which you should consult:

We are committed to protecting any data that we collect concerning you and processing it only in ways which comply with the Data Protection Act 2018 (and any replacement legislation) (“the DPA”, for short) and the European Union’s General Data Protection Regulation (“the GDPR”).

This Privacy Policy (“Policy”) explains what personal data we collect about you, how we will tell you about the data we collect and what we do with it, and explains the legal basis on which we process your personal data under the GDPR.

Please contact us if you have any questions about this Policy or wish to exercise your legal rights under the GDPR.

By email to:

Or by post to:

Woollen Hall
Castle Way
SO14 2AW


What Personal Data do we collect about you?

We may collect, use, store and transfer different kinds of Personal Data about you. The Personal Data we collect will depend on the relationship you have with HBG.

If you are:

An employee of HBG, someone working with us under a contract for services, or someone who applies for employment or work with us, we will provide you with specific privacy information and also ask for your consent to use Special Categories of Personal Data which we’re likely to obtain as a result of our working relationship. Although you should refer to any more specific privacy information we give you, we will also collect the following information on you:

A business contact, including persons who supply us with goods (including hiring things to us) or services and any contacts at a company or other organisation which does so, we may collect the following types of data on you:

A client or potential client, being a company or other organisation who has approached us in order to instruct or potentially instruct our services, we may collect the following types of data on you:

A customer or debtor of our client or funder, including persons who we have identified or been notified as customers for our client and any contacts at a company or other organisation which has similarly been identified, we may collect the following types of data on you:

Under the GDPR, we’re required to ensure any personal data we hold is accurate and, where necessary, kept up to date, but also that we keep it for no longer than is necessary for the purposes we use it for. We may also be required by law to retain certain types of data for a longer period.

All telecommunications data is kept in line with the European Union’s Data Retention Directive, for a minimum of one year and a maximum of two years. A copy is archived for the minimum period, after which time all archived data is purged and erased.

If you fail to provide Personal Data

Where we need to collect Personal Data by law or under the terms of a contract we have with you, and you fail to provide that data when requested:

What we do with Your Data

We will only use your personal data when the law allows us to. Most commonly, we will use, analyse and assess your personal data in the following circumstances, utilising the communication services available to us such as direct mail, email, SMS and/or telephone:

In obtaining or storing information about you we may:

If you do not want your data to be used by us or selected third parties for marketing purposes, please ensure that you select the appropriate option on any of our online forms. You can also notify us at any time if you do not wish your data to be used in this way.

Our Legal Basis for Data Processing

HBG is a data controller working on its own behalf and on behalf of the group of companies and their clients. We collect and process information based upon our Legitimate Interests, which is to promote and support the business of the group companies.

In line with ICO recommendations, HBG has conducted a Legitimate Interests Assessment. When processing your personal information, we make sure to consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. We will not use your Personal Data for activities where our interests are overridden by the impact on you.

Additionally, we fully comply with the Corporate Telephone Protection Service (CTPS).

We collect Personal Data to obtain funding options, process your order, manage your account, assist with contractual support and, if we are legally permitted to do so, to email you about other products and services we think may be of interest to you.

We use our marketing automation provider, InboxGuru, to assign lead scores to our contacts based on a number of factors. These scores can be generated by reviewing the webpages visited, any action taken off the back of any email we have sent, or by matching any personal information that has been provided to us, for instance their job title. This allows us to contact or send more relevant information to visitors, based on this information.

We have set out below, in a table format, a description of all the ways we plan to use your Personal Data, and which of the legal bases we rely on to do so. Where the legal basis for our processing is our or another person’s legitimate interest, we explain what these are.

Note that we may process your Personal Data on more than one lawful basis depending on the specific purposes for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your Personal Data where more than one ground has been set out in the table below.


To register you (or your employer or a person or entity to whom you provide services) as a new client, customer, debtor or potential funder.

Type of data: (a) Identity data; (b) Contact data; (c) Financial data

Lawful basis for processing including basis of legitimate interest: (a) Performance of a contract with you; (b) Necessary for our legitimate interests in running our business; (c) Your consent

To fulfil our contractual obligations to you or your organisation or to enforce your or your organisation’s obligations to us, including to: (a) Process your order; (b) Assist with contractual support

Type of data: (a) Identity data; (b) Contact data; (c) Financial data

Lawful basis for processing including basis of legitimate interest: (a) Performance of a contract with you; (b) Necessary for our legitimate interests in running our business in a prudent and profitable manner and for the benefit of our stakeholders

To share your data with our client or to a potential funder or customer.

Type of data: (a) Identity data; (b) Contact data; (c) Financial data

Lawful basis for processing including basis of legitimate interest: (a) Performance of a contract with you; (b) Necessary for our legitimate interests in running our business; (c) Your consent

To manage your account: (a) Notifying you about changes to our terms or Policy; (b) Contacting you about products or services we provide

Type of data: (a) Identity data; (b) Contact data

Lawful basis for processing including basis of legitimate interest: (a) Performance of a contract with you; (b) Necessary to comply with a legal obligation; (c) Necessary for our legitimate interests (to keep our records updated and to study how our services are used and received); (d) Your consent

To administer and protect our business, which may include: (a) Financial risk assessment, preventing money laundering, fraud or other wrongdoing; (b) Contacting credit reference agencies and making credit-related decisions

Type of data: (a) Identity data; (b) Contact data; (c) Financial data

Lawful basis for processing including basis of legitimate interest: (a) Necessary for our legitimate interests; (b) Necessary to comply with a legal obligation

To administer a contract for services or contract of employment between us – we will provide you with further information about this when we collect information from you and during the course of our relationship

Type of data: (a) Identity data; (b) Contact data; (c) Financial data

Lawful basis for processing including basis of legitimate interest: (a) Performance of a contract with you; (b) Necessary for our legitimate interests (to administer the economic relationship between us); (c) Necessary to comply with a legal obligation (related to your work or workplace or our obligations under the law in relation to these)

To share information with members of our Group about our suppliers, customers, and financial position from time to time

Type of data: (a) Identity data; (b) Contact data; (c) Financial data

Lawful basis for processing including basis of legitimate interest: (a) Performance of a contract with you; (b) Necessary for our legitimate interests (to administer the economic relationship between us and to promote the businesses of our Group)

To comply with legal and regulatory obligations, including the prevention of bribery and money laundering and financial reporting obligations

Type of data: (a) Identity data; (b) Contact data; (c) Financial data

Lawful basis for processing including basis of legitimate interest: (a) Necessary to comply with a legal obligation; (b) Necessary for our legitimate interests (to ensure we comply with our regulatory and legal obligations and for the prudent conduct of our business)

To prevent and record any criminal activity to promote a safe working space (CCTV).

Type of data: (a) Identity data

Lawful basis for processing including basis of legitimate interest: (a) Necessary for our legitimate interests


Where is the Personal Data sourced?

We collect two types of information from site users and other people we contact in the course of our business: statistical data (e.g. how many users use the site, and which pages they view); and Personal Data (including names and email addresses).

The statistical data we capture includes your IP address as you browse the site. This is purely for website statistics, recording the number of users to the site and which pages they visit. This information does not tell us who you are, and we only use this to monitor the effectiveness of the site.

Personal data is obtained from a variety of sources, depending upon the agreement with our client or funder.

In some instances, data will have been provided by our client, funder, or obtained directly from the customers. Additionally, we source or purchase data from GDPR compliant data providers and online resources in the public domain.

We may receive Personal Data about you from various third parties and public sources including directors, shareholders and employees at any business or organisation you are associated with, public registers, credit reference agencies and public bodies or authorities.

We process personal data relating to the individuals within the businesses we are instructed to review on behalf of our clients. Furthermore, in the course of this activity, we will process data relating to debtors of those businesses. This will, on occasion, be conducted on a confidential basis.

We also obtain personal data through offline methods, either directly (for instance, over the telephone or instruction form when you consent to your data being passed to our client to access their goods or services) or indirectly (for instance, from your colleagues when they advise you’re the most appropriate contact).

Personal data is only captured online when you provide it, such as but not limited to when you fill in a quotation or contact form, subscribe to our email service, engage in a Live Chat conversation, download a resource or enter a competition.

We may also receive Personal Data about you from other members of our Group in connection with the business of the Group or any member of the Group.

Who is the Personal Data shared with?

We may share your Personal Data with the parties set out below for the purposes set out in the table above:

Name of third party

How we share data with them


We use, to publish our websites. These sites are hosted at, which is run by Automattic Inc. We use a standard WordPress service to collect anonymous information about users’ activity to help us improve the site. WordPress requires visitors that want to post comments to enter a name and email address. For more information, please see Automattic’s privacy notice.


We use InboxGuru to deliver our email communications, capture visitors’ personal data when they choose to supply it through website forms, and to assign lead scores to contacts based on their website activity. We gather statistics on this channel using industry standard technologies to help us evaluate and improve. Please see InboxGuru’s privacy notice.


We use CookieYes to manage cookie preferences for our website users, allowing them to choose which cookies, if any, are stored. For more information, please see CookieYes’s privacy notice.


We use Tawk.To to supply and support our LiveChat service, which we use to answer enquiries in real time. If you use the LiveChat service we will collect your name, email address, company name (all optional) and the contents of your LiveChat session. For more information, please see Tawk.To’s privacy notice.


We use Jotform for our Credit Management Health Check tool, which generates and sends a report delivering best practice tips to visitors who choose to supply their personal data through the form. For more information, please see Jotform’s privacy notice.


We use the LinkedIn Insight tag to obtain information about visitors to our website. For website visitors registered with LinkedIn, we can analyse the key occupational data of our website visitors to help us target them with relevant content. We also measure whether website visitors complete our forms or perform other actions. This insight tag also allows us to display targeted advertising to visitors when on other websites. For more information, please see LinkedIn’s Privacy Policy. More information on how to opt out can be found in our Cookie Policy.


Google Analytics software helps us to collect and analyse visitor information to help us to improve our website marketing campaigns. For more information, please see Google’s Privacy Policy. We also use Google AdWords’ remarketing service to advertise on third party websites (including Google) to previous visitors to our site. For more information on this, please see our Cookie Policy.


We use Optinmonster to serve pop-up forms to our website visitors for marketing purposes. For more information, please see Optinmonster’s Privacy Policy.


Microsoft Bing helps us to collect and analyse visitor information to help us to improve the website and to make our marketing campaigns more relevant. For more information, please see Microsoft’s Privacy Policy.


We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.

Your email address and personal information will never be made available to another organisation for marketing purposes without your explicit consent. However, please note that under Article 6(1)(f) of GDPR, we have the right to contact you and pass your details to third parties where we have a genuine and legitimate reason to do so, unless this is outweighed by harm to your rights and interests. We also have the right to share your details in the event the sharing of such information is necessary for the performance of a contract with you.

We will always maintain control over the confidentiality of your information. However, we can disclose your information to authorised parties if we are required to by law.

All personal data is stored and processed within the EU within a cloud-based network infrastructure in Azure, as well as all O365 hosting, under compliant and stringent data handling policies.

The exceptions are the following data processors we work with. Where this is the case, this data transfer is GDPR compliant.


Personal data processed for us by Tawk.To is hosted in the U.S., on their cloud servers. All data is encrypted, and the encryption key is held by Google. The data is encrypted at rest and in transit between the client and our network. However, it is not encrypted within our internal system. Tawk.To complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom and/or Switzerland to the United States. Tawk.To has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information.


Personal data processed for us by InboxGuru is hosted in the U.S. As InboxGuru is an American company, it also participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework, and is committed to subjecting all Personal Information received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. This framework is considered by the European Commission to provide adequate protection for the rights of EU citizens in personal data.


Personal data processed for us by CookieYes may involve a transfer of data to countries outside the European Economic Area (“EEA”), Switzerland or the UK.

Personal data will only be transferred to a country that provides an adequate level of protection (for example, where the European Commission or the UK Data Protection Authority (“ICO”) has determined that a country provides an adequate level of protection) or where the recipient is bound by standard contractual clauses according to conditions provided by the European Commission or ICO. To learn more, visit CookieYes’s full Privacy Policy.


Personal data processed for us by Google may be stored and processed in the United States of America and any other country in which Google or its contractors maintain facilities.

Google LLC (the parent company of the Google group) is self-certified under the EU-U.S. Privacy Shield Framework on behalf of itself and its wholly-owned U.S. subsidiaries and will process your data subject to it. This framework is considered by the European Commission to provide adequate protection for the rights of EU citizens in personal data.

Microsoft Bing

Microsoft adheres to the principles of the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, although Microsoft does not rely on the EU-U.S. Privacy Shield Framework as a legal basis for transfers of personal data in light of the judgment of the Court of Justice of the EU in Case C-311/18. To learn more, visit the U.S. Department of Commerce’s Privacy Shield website.


Personal data is processed for us by Optinmonster under a written data processing agreement and in accordance with Article 46 of the GDPR.


HBG as “Controller” acknowledges and agrees that, notwithstanding that we may elect to have Personal Data stored in the EU or UK, transferred outside the EEA by Jotform as “Processor” to countries such as the United States, as part of our agreement with the Processor. Where data is transferred either directly or via onward transfer outside the European Economic Area (“EEA”) to a country not recognised by the European Commission as providing an adequate level of protection for personal data. If, in the performance of this DPA, any Personal Data is transferred to a country located outside of the EEA, the Processor shall, in advance of any such transfer, ensure that a legal mechanism to achieve adequacy in respect of that processing is in place. For Jotform’s full Privacy Policy, see


In summary, HBG as “Controller” acknowledges and agrees that for transfers of UK Personal Data to LinkedIn “Processor” for processing by the Processor in a jurisdiction other than a jurisdiction in the UK or UK Information Commissioner’s Office-approved countries (“UK ICO Approved”) providing ‘adequate’ data protection, each party agrees it will use the European Commission Standard Contractual Clauses (“UK Addendum”). If the Processor is unable or becomes unable to comply with these requirements, then UK Personal Data will be processed and used exclusively within the territory of the UK or UK ICO Approved countries and any movement of UK Personal Data to a non-UK ICO Approved country requires the prior written consent of Controller. For the full terms of agreement, see

Accuracy of Data

Core to our service is ensuring the data we are working with is up to date and accurate. We may do this ourselves or may engage a third-party service provider to do so. Third party service providers may compare your data to publicly available information or to information they lawfully hold or obtain about you and may analyse or provide this data to us to help us in the conduct of our business. We will ensure that any service provider only processes your information in a way that complies with the law.

However, if you believe that the data we hold for you is incorrect, please contact us at

Your Legal Rights

Data Protection Law gives you certain rights in relation to your Personal Data held by us. The below is merely a summary of your rights and is not intended to give you other or additional rights. You have the right to:

1. Access to Information

Under the DPA and GDPR, you have a right of access to information we hold on our records about you. Please note that the DPA allows us to charge a fee for this service. Please contact us at to request access.

2. Right to Rectify

We will respond to any request for rectification of inaccurate or incomplete data within one month, or within three months if the request is complex. If the personal data has been disclosed to third parties, we will inform them of the rectification.

3. Right to Object

You have the right to object to any processing we undertake where we are relying on our legitimate interests (or those of a third party) as the legal basis for our use of your data, on grounds related to your own personal situation.

Likewise, you have a right to tell us not to process your personal data for direct marketing purposes. We will give you the option to refuse marketing when we collect your details. You can also exercise this right at any time by contacting us at, or by unsubscribing from any marketing email which we send to you.

You may opt out at any time using any of the following methods:

4. Right to Erasure

You have the right to have your personal data erased:

5. Right to Request Restriction

You have the right to request restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

6. Right to Data Portability

You have the right to request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format.

Note that this right only applies:

Should you wish to make a complaint over our use of your personal data at any time, you can do so by contacting the Information Commissioner’s Office (ICO). The ICO is the UK’s supervisory authority for data protection issues.

If you do have a problem, question or concern about our use of your Personal Data, we would really appreciate the chance to try to help you before you approach the ICO, so please feel free to contact us in the first instance at

Data Security

We take appropriate technical and organisational security measures to ensure any information you provide to us is stored securely and confidentially and is not processed except in accordance with the GDPR and the DPA. However, we cannot guarantee the security of any information disclosed online, including the possibility that another person or organisation may monitor, intercept or obtain your information other than from us. By using our website, you accept the security implications of providing information over the internet and agree not to hold us responsible for any harm arising from those risks, unless we have been proved to be negligent.


To assist your navigation of this website, make full use of the tools and aid our prevention of fraud, we may send ‘cookies’ from this website to your computer, mobile phone or tablet. However, we do not collect any personal data or personal information about you unless you provide information to our server.

Our Cookie Policy

For the best browsing experience when using our website and to ensure that we can continue to adapt the site to our visitors’ interests and expectations, your computer, mobile phone or tablet will need to accept cookies.

Below is a list of the main cookies we use on our site and what they are used for:


Description: This cookie is set when you save your cookie settings. It enables us to only set cookies according to your preferences and to remember your preferences on future visits.


Description: This cookie allows some of the features on our website to function correctly, such as our quote and solutions engine tools. The website and these features wouldn’t work without it.

OriginalReferralURL, OriginalTargetURL, RecentReferralURL, RecentTargetURL

Description: These cookies show us how you found our website, which website you came from and which of our webpages you visited first. This helps us to review which of our online marketing channels is most effective. They also enable us to reward some external websites for directing you to us.

__utma, __utmb, __utmc, __utmz, _gat, utm_campaign, utm_content, utm_medium, utm_source, utm_term, _ga, _ga_CWDVLPL1C5, _gat_UA-22806846-1, _ga_42LTKT6BWQ, _gat_UA-70621949-1, _ga_WJSCVNGXZJ, _gat_UA-78886896-1, _ga_T2NK8VHVWV, _gat_UA-114680155-1, _gid

Description: These cookies enable the function of Google Analytics software. Google Analytics software helps us to collect and analyse visitor information such as browser usage, new visitor numbers, responses to marketing activity and other general website trends. This information helps us to improve the website and to make our marketing campaigns more relevant. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above. To opt out of being tracked by Google Analytics across all websites visit For more information, visit


Description: We use Google AdWords’ remarketing service to advertise on third party websites (including Google) to previous visitors to our site. This could be in the form of an advertisement on the Google search results page, or a site in the Google Display Network. Third-party vendors, including Google, use cookies to serve ads based on someone’s past visits to this website. Any data collected will be used in accordance with our own privacy policy and Google’s privacy policy. You can set preferences for how Google advertises to you using Google’s My Ad Center. Visitor information is collected and associated with Google information from accounts of signed-in users who have consented to this association for the purpose of ads personalisation. This Google information may include end user location, search history, YouTube history and data from sites that partner with Google – and is used to provide aggregated and anonymised insights into visitors’ cross-device behaviours. Your data can be accessed and/or deleted via My Activity.

_uetsid, _uetvid

Description: These cookies are set by Microsoft Bing in order to store and track visits across our website, enabling us to collect and analyse visitor information such as browser usage, new visitor numbers, responses to marketing activity and other general website trends. This information helps us to improve the website and to make our marketing campaigns more relevant. You can use controls in your internet browser to limit how the websites you visit are able to use cookies and to withdraw your consent by clearing or blocking cookies. For more information, visit

utm_visitor, VisitorID, AssetTrackId

Description: These are used when you have visited our website from an email marketing campaign via one of our providers, InboxGuru. These allow us to link individuals already known to us and opted in to our communication to website activity.

X-LI-IDC, __qca, bcookie, visit, NSC_MC_WT_FU_IUUQ

Description: LinkedIn cookies are introduced by the LinkedIn share button. This is only present on our blog pages. They are used to track which pages you visit. For more information, visit

pid, _twitter_sess, k, guest_id and original_referer

Description: This enables the Tweet button on our blog pages, which allows you to easily compose a Twitter message containing a link to the page. The cookies store anonymous session data and, if your computer is already logged in to Twitter, may contain session or other data identifying the logged in account. For more information, visit

all_RyEgsSBXVzZXJzGICAgI_n6dkKDA-ag9zfmNsaWNrZGVza2NoYXRyHAsSD3Byb2FjdGl2ZV9ydWxlcxiAgIDf5rLOCQwonce_per_sessionnull, all_RyEgsSBXVzZXJzGICAgI_n6dkKDA-cd_pubnub_visitor, all_RyEgsSBXVzZXJzGICAgI_n6dkKDA-chat_triggers_cookie, all_RyEgsSBXVzZXJzGICAgI_n6dkKDA-clickdesk_referrer, all_RyEgsSBXVzZXJzGICAgI_n6dkKDA-site_visit_time, all_RyEgsSBXVzZXJzGICAgI_n6dkKDA-visit_count

Description: These cookies are set by the provider of our live chat service, ClickDesk, to ensure the tool works correctly and remembers your preferences when you load new webpages or begin a new session on our website. The information collected by cookies does not identify you personally. It collects general information pertaining to your IP address, operating system, browser details and location.

om-second-297444, om-297444, om-global-cookie, om-interaction-cookie

Description: These cookies allow us to serve pop-up forms to our website visitors using a third party, OptinMonster. They also prevent pop-ups from being shown if you come from one of our newsletters or previously closed or completed that pop-up.


Description: This LinkedIn cookie registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator. We use the LinkedIn Insight Tag (JavaScript code) on our website. This tag drops a cookie on visitors’ web browsers when they visit our website. For more information, please view LinkedIn’s terms and cookie policy.

Objection to the use of LinkedIn insight tag: You can object to LinkedIn’s analysis of user behaviour and targeted advertising at the following link: In addition, LinkedIn members can control the use of their personal information for promotional purposes in the account settings. To prevent LinkedIn from linking information collected on our site to your LinkedIn account, you must log out of your LinkedIn account before you visit our site.

woocommerce_cart_hash, woocommerce_items_in_cart, wp_woocommerce_session_, wdgk_donation_note, wdgk_product_display_price, wdgk_product_price

Description: We use a WordPress plugin, WooCommerce, to enable our clients and our clients’ debtors to make online payments via our website. These cookies enable this function to work correctly. No personal information is stored within these cookies.


Description: This cookie is set by us in the event you click through from our Debt Instruction Form to pay your administration fee via our website when instructing us. It enables us to pre-populate the online payments form with the correct administration fee and your client reference number.

Social media

Should you opt to ‘share’ content through social networks such as Twitter and LinkedIn directly from our website, you may be sent cookies from these websites. Hilton-Baird Group has no control over the settings of these cookies, so we would advise you to check their individual websites for more information about the cookies they send and how to manage them.

Any site containing a social sharing button may set a cookie when you are also logged in to their service. We do not control the dissemination of these cookies and you should check the relevant third party website for more information about these.

Updates to this Policy

We reserve the right to update our Privacy & Cookies Policy at any time. We will take reasonable steps to draw your attention to any changes in our Policy. However, to be on the safe side, we suggest that you read this document each time you use the website to ensure that it still meets with your approval. Should you disagree with any changes made, you may withdraw your consent at any time using the methods outlined above.

Registered address: 110 Cannon Street, London, United Kingdom, EC4N 6EU.