Introduction
Welcome to CPRA’s privacy policy.
CPRA respects your privacy and is committed to protecting your personal data. This privacy policy explains how we look after your personal data, your privacy rights, and how the law protects you.
Purpose of this privacy policy
This privacy policy provides information on how CPRA collects and processes your personal data when you use our website at https://www.cpragroup.com/ (“the Site”), or when we provide you or your organisation with our professional services (“the Services”).
This Site is not intended for children, and we do not knowingly collect data relating to children. Our Services are provided in a professional (B2B) context.
Controller
CPRA Group Ltd is the controller and responsible for your personal data (referred to as “CPRA”, “we”, “us” or “our” in this policy).
We have appointed a data privacy manager who oversees questions about this privacy policy. If you wish to exercise your legal rights or ask questions, please contact the data privacy manager using the details below.
Contact details
Contact: Data Privacy Manager
Email: info@cpragroup.com
Registered office address: 163 City Road, London, United Kingdom EC1V 1NR
Company number: 11592994
You have the right to make a complaint to the Information Commissioner’s Office (ICO) at www.ico.org.uk. We would appreciate the opportunity to address your concerns before you contact the ICO.
Changes to the policy and your duty to inform us
We keep our privacy policy under regular review. This version was last updated in December 2025.
It is important that the personal data we hold is accurate and current. Please inform us of any changes during your relationship with us.
Third-party links
The Site may contain links to third-party websites, plug-ins and applications. Clicking those links may allow third parties to collect data about you. We do not control third-party websites and are not responsible for their privacy statements. We encourage you to read the privacy policies of every website you visit.
The data we collect about you
“Personal data” means information that identifies an individual. It does not include anonymised data.
We may collect, use, store and transfer the following categories of personal data:
- Identity Data - First name, last name, employer, job title, and title.
- Contact Data - Business email address, business telephone number, billing address, delivery address.
- Profile / Property Data - Information relating to commercial property relevant to your enquiry or the Services.
- Anti-Money Laundering (AML) Data - PEP status, sanctions-screening results, photographic ID, proof of identity, verification documents, and evidence of source of funds. This may involve limited processing of special-category data (e.g., political opinions inferred from PEP status) and/or criminal-offence data (e.g., sanctions data). Such processing is carried out only where required by law and under the applicable UK GDPR and DPA 2018 Schedule 1 conditions (substantial public interest and regulatory requirements).
- Transaction Data - Details relating to the Services purchased or requested.
- Technical Data - IP address, login data, browser type/version, time zone setting, operating system, device information, and other technology used to access the Site.
- Marketing and Communications Data - Marketing preferences and communication preferences.
We do not collect health data, genetic/biometric data, or other special categories outside what is strictly required for AML purposes.
If you fail to provide personal data
Where we need personal data to comply with the law or perform a contract with you or your organisation, we may be unable to provide the Services if you do not supply it.
How is your personal data collected?
We collect data through:
- Direct interactions. You may provide Identity, Contact and Property Data through forms, calls, emails or other correspondence when you:
- Instruct us to provide Services
- Subscribe to publications
- Request marketing
- Provide feedback or contact us
- Automated interactions. We collect Technical Data using cookies, server logs and similar technologies.
See our Cookie Policy for details. - Third parties and public sources. We may receive data from:
- Analytics providers (e.g., Google)
- AML and KYC verification providers
- Your organisation or colleagues who provide professional contact details
- Professional advisers
- Public sources (Companies House, Land Registry, planning portals, sanction/PEP lists)
How we use your personal data
We only process your personal data when the law permits. Most commonly:
- To perform a contract with you or your organisation
- Where necessary for our legitimate interests (and your rights do not override those interests)
- Where we need to comply with a legal obligation.
- To comply with a legal obligation
- On the basis of consent (e.g., certain cookies or location data)
Purposes for which we will use your personal data
| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
|---|---|---|
To register you or your organisation as a new customer | (a) Identity | Performance of a contract with you or your organisation |
To carry out Anti-Money Laundering (AML) checks and onboard you or your organisation | AML Data (Identity documentation, verification checks, PEP/sanctions screening, proof of funds) | (a) Performance of a contract with you or your organisation |
To process and deliver your organisation’s request for the Services, including: | (a) Identity | (a) Performance of a contract with you or your organisation |
To manage our relationship with you or your organisation, including: | (a) Identity | (a) Performance of a contract |
To administer and protect our business and the Site, including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting | (a) Identity | (a) Necessary for our legitimate interests (to run our business, maintain IT systems, prevent fraud, and support business reorganisation) |
To deliver relevant Site content and advertisements to you and measure their effectiveness | (a) Identity | Necessary for our legitimate interests (to understand how visitors use our Site and to inform marketing strategy) |
To make suggestions and recommendations to you about goods or services that may be of interest | (a) Identity | Necessary for our legitimate interests (to develop our Services and grow our business) |
Marketing
We aim to give you clear choices about marketing. You may opt out at any time by following unsubscribe links or contacting us at info@cpragroup.com.
Cookies
You may refuse cookies through your browser settings. Essential cookies are required for the Site to function. Please refer to our Cookie Policy for details about types of cookies, consent, and your choices.
Change of purpose
We will only use your personal data for the purposes for which it was collected, unless we reasonably determine that another purpose is compatible. If processing for a new purpose is required, we will explain the legal basis.
Disclosures of your personal data
We may share your data with:
- Service providers acting as processors (IT, hosting, system admin, AML/KYC providers)
- Professional advisers (lawyers, auditors, insurers, bankers)
- Third parties where reasonably necessary to provide the Services
- HMRC, regulators and authorities requiring reporting
- Third parties involved in a merger, restructuring or sale of the business
All third parties must respect the security and confidentiality of your data.
International transfers
Some external providers are located outside the UK. Where transfers occur, we ensure adequate protection through:
- UK adequacy decisions, or
- UK-approved international data transfer agreements (IDTAs) or Standard Contractual Clauses
If we serve individuals in the EEA, equivalent EU GDPR safeguards are applied. You may request further information on safeguards by contacting us.
Data security
We have implemented appropriate technical and organisational security measures to prevent personal data from being lost, used unlawfully, accessed without authorisation, altered or disclosed. Measures include:
- Access controls and authentication
- Encryption and secure storage
- Regular security reviews and staff training
- Role-based access to data
Data retention
We retain your personal data only as long as necessary for the purposes described, including legal, tax, regulatory or reporting requirements.
We may retain data for longer where litigation is possible. By law, we must keep basic customer information (Identity and Contact Data) for six years for tax purposes.
Your legal rights
You have the following rights under data protection law:
- Request access to your personal data
- Request correction of inaccurate data
- Request erasure where lawful
- Object to processing based on legitimate interests or for direct marketing
- Request restriction of processing
- Request transfer of your data to you or a third party
- Withdraw consent (where consent is the legal basis)
We do not make decisions about you based solely on automated processing that have legal or similarly significant effects.
Fees, verification and response time
- You normally pay no fee.
- We may charge a reasonable fee for unfounded, repetitive or excessive requests.
- We may need to verify your identity before fulfilling a request.
- We aim to respond within one month unless the request is complex.