HR Grapevine UK Digital Media Kit

Who we are

Executive Grapevine International Limited ("EGIL") is an information services business specialising in B2B data, intent data, and marketing services. We are committed to protecting your personal data and respecting your privacy. This policy explains how we collect, use, disclose, and safeguard personal information in compliance with the UK GDPR, Data Protection Act 2018, UK PECR, and applicable international privacy laws.

Data Controller

Executive Grapevine International Limited

Registered in England and Wales (Company No 2789779)

Registered office: Gate House, Fretherne Road, Welwyn Garden City, Hertfordshire, AL8 6NS

Email: [email protected]

Phone: +44 (0)1707 351 451

Scope

This policy applies to all personal data processed by EGIL and its brands — HR Grapevine, HR Grapevine Live, HR Grapevine Virtual, Executive Grapevine, and myGrapevine — across web platforms, apps, events, marketing activities, and professional directories.

Regulatory Framework

UK & EU

UK GDPR & UK Data Protection Act 2018
UK PECR
EU GDPR (for data subjects in the EEA; with representative requirements where applicable)
UK Data (Use and Access) Act 2025

California Consumer Privacy Act as amended by California Privacy Rights Act (CCPA/CPRA)
Virginia Consumer Data Protection Act (VA CDPA)
Colorado Privacy Act (CO CPA)
Utah Consumer Privacy Act (UT CPA)

How we collect

We collect personal data through various channels, including:

Interactions with our websites and mobile apps (contact forms, registrations, surveys)
Event and webinar registrations and attendance
Cookies and similar tracking technologies
Behavioural data from website visitors (page views, click patterns, scroll depth, session duration)
Publicly available professional sources (e.g., LinkedIn)
Account registration and authentication details (usernames and passwords)
Client transactions and orders (payment information, bank account details, order history)
User comments and feedback submitted on our websites and platforms

What we collect

Identity & Contact: name, job title, company, business email, address
Professional & Directory: sector expertise, public profile URLs
Technical & Usage: IP address, device data, browsing patterns
Behavioural: website interactions, page view history, clickstream data, scroll depth, reading behaviours including engagement analysis used to understand content relevance and professional interests
Account Credentials: username and password (securely stored using industry-standard hashing and security controls)
Topic Preferences: selected subjects, industries, areas of interest
Client Transaction Data: payment details, billing address, order history
Firmographic: industry, geography, company size
User-generated Content: comments, feedback, other submissions
Images & Photos: event photographs and marketing images
Video & Audio: recordings of webinars and events
Content Preferences: communication consents, opt-out settings

What we do not collect

Sensitive Personal Information

personal data from children under the age of 13. Our services are intended for professionals and are not directed at minors.
special category data (e.g., racial origin, political opinions, health data). If you voluntarily provide such data, we will rely on explicit consent, apply additional safeguards, and delete it promptly when no longer needed.

Cookies and Electronic Communications

We use cookies and similar tracking technologies in line with ICO’s 2024 guidance:

Clear cookie banner categorising cookies (necessary, preferences, analytics, marketing)
Prior, granular opt-in consent for non-essential cookies
Cookie preference centre for modifying or withdrawing consent
Records of all consents maintained for auditing
Regular policy reviews to reflect new technologies
Electronic communications (email, SMS, push) are sent only with valid consent or legitimate interest, compliant with UK PECR and UK GDPR. Every message includes an opt-out link.
For more information on how we use cookies see our [cookie policy].

International Data Transfers

Personal data is processed and stored in the UK. We transmit data to the US solely for email delivery via service providers; no data is stored in the US. Transfers to other jurisdictions rely on adequacy decisions, Standard Contractual Clauses (SCCs) with addenda, or the UK International Data Transfer Agreement (IDTA).

Who we share data with

We share personal data only under strict safeguards with:

Group companies and affiliates (reporting, analytics, services)
Service providers and technology platforms (e.g., Google, LinkedIn, Salesforce, Pardot, HubSpot, Stripe, Sage)
Clients and partners for services or communications on their behalf
Event organisers and sponsors (registration, badge printing, follow-up)
Legal and regulatory authorities when required
Professional advisors and auditors (compliance, audit)
Third parties in corporate transactions, subject to confidentiality

All data processors are contractually bound to GDPR-compliant standards.

Legal Basis

We process personal data to enable and improve our services, personalise experiences, manage transactions, and comply with legal obligations. Below are the key activities and our legal bases:

Activity	Legal Basis
Marketing communications (email, SMS)	Legitimate interest
Service delivery & account management	Contractual necessity
Business directory listings	Legitimate interest
Emails on behalf of clients	Legitimate interest¹
Website analytics & improvement	Legitimate interest
Partner campaigns	Consent
Event registrations	Contractual necessity
Compliance & fraud prevention	Legal obligation
Analytics, insight, and service improvement	Legitimate interest

¹Summaries of our Legitimate Interest Assessments (LIAs) are available on request.

Consent Management

We record and timestamp all consents, provide separate opt-in controls for different processing activities, and allow you to withdraw consent at any time via account settings or opt-out links.

Legitimate Interests

For activities based on legitimate interest, we conduct a Legitimate Interest Assessment (LIA) to balance our business needs with your privacy rights. LIAs consider:

The purpose and necessity of the processing for our operations
The minimal impact on you and safeguards to protect your data
Your rights and the ability to opt out at any time
Where appropriate, we apply data minimisation, aggregation, or anonymisation techniques to reduce privacy impact.

Summaries of LIAs are documented and available on request.

Your Rights

You have the right to access, rectify, erase, restrict, object, and port your data; withdraw consent; and lodge complaints with the ICO (https://ico.org.uk/make-a-complaint/) or relevant authority.

To exercise these rights, contact [email protected].

We will respond to all standard legitimate requests within one month. Where permitted by law, we may pause the response period while we clarify a request or verify your identity. Occasionally it may take us longer than a month if your request is particularly complex or you have made a large number of requests. In this case, we will notify you and keep you updated.

Updating Information & Marketing Preferences

Account holders can update personal details, preferences, and topic interests via their myGrapevine profile, the cookie centre, or by emailing our Data Protection team.

How long information is kept

Data is retained only as long as necessary:

Active contacts & client records: up to 5 years post engagement

Event registrations: up to 3 years post event

Cookies & analytics: up to 13 months (unless extended by consent)

Transactions & billing: up to 7 years for audit

Consent & preference records: 5 years from withdrawal or update

Records are securely deleted or anonymised thereafter. The full Data Retention Schedule is available on request.

Security and Assurance

We recognise the importance of protecting personal data. Technical measures include TLS encryption, secure servers, penetration testing, vulnerability scanning, backups, firewalls, IDPS, vulnerability assessments, patch management, MFA, and continuous monitoring. Organisational measures include access controls, staff training, background checks, incident response plans, and DPIAs for high-risk processing. Where automated or machine-assisted analysis is used, appropriate governance and human oversight are applied.

EU Representative

For data subjects based in the European Union our representative under Article 27 of the GDPR is:

INSTANT EU GDPR REPRESENTATIVE LIMITED
Office 2, 12A LOWER MAIN STREET
LUCAN CO. DUBLIN
K78 X5P8
IRELAND
Email: [email protected]

If you remain dissatisfied, you can make a complaint about the way we process your personal information to the supervisory authority.

Your California privacy rights

The California Consumer Privacy Act 2018 (“CCPA”) and California Privacy Rights Act 2020 (“CPRA”) provide certain rights to residents of California. The CCPA and CPRA are collectively referred to as “CCPA” below.

If you are a resident of California you may contact us with regard to the following rights in relation to your personal data:

Right to Know: At or before the time of collection, you have a right to receive notice of our practices, including the categories of personal data and sensitive personal data to be collected, the purposes for which it is collected and used, whether such personal data is “sold or shared” and for how long personal data is retained. These details are set out in this Privacy Policy.
Right to Access: You have the right to request access to the personal data we may hold on you for the past twelve (12) months. You may submit up to two (2) requests per year of access to your personal data.
Right to Correct: You have the right to correct inaccurate personal data we hold about you.
Right to Opt-Out of Sale of Personal Data: For individuals sixteen (16) years or older, you have the right to opt-out of sale of personal data we may hold on you. You can exercise this right at any time by emailing [email protected] with “California resident - Do not sell” in the subject line or using the contact us form on any of our sites. For individuals between thirteen (13) to sixteen (16) years old, you have the right to opt-in to the sale of personal data we may hold on you.
Right to Deletion: You also have the right to ask us to delete personal data we may hold on you or restrict how it is used. There may be exceptions to the right to deletion which, if applicable, we will set out for you in response to your request.
Right to Limit Use and Disclosure of Sensitive Personal Data: Where applicable, you have the right to limit our use of sensitive personal data for any purposes other than to provide the services you request or as otherwise permitted by law.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your California Consumer Privacy Act rights.

If you want to make any of these requests, please contact [email protected].

We will deal with requests for access to your personal data within forty-five (45) days for California-specific requests.

To help us respond as you expect, please specify that you are making a request under the CCPA. We may need to request specific information from you to help us confirm your identity. For example, we will verify your identity before complying. If you provide us with proof of identity containing information that does not match our records, we may request further proof of identity from you.

You can designate an “authorized agent” to make requests to exercise your rights on your behalf under the CCPA. We will clarify that any “authorized agent” has your written permission in making that request. We may also contact you directly to verify your identity.

Governance and Updates

This policy is reviewed annually or upon regulatory changes, including updates under the UK Data (Use and Access) Act 2025.

Contact Us

For questions or requests, contact our Data Protection team: