Privacy & Cookie Policy

Privacy Policy

Gridworks Development Partners LLP (Gridworks) is registered at 123 Victoria Street, London, United Kingdom, SW1E 6DE, company number OC423567.

Gridworks respects your privacy. This privacy policy (the policy) describes how we process personal data, which personal data we collect and why we collect it, with whom we share this personal data, how we protect it, and the choices you can make about how we use your personal data.   Gridworks is part of the CDC Group.

This policy applies to any personal data collected, held or processed by or on behalf of Gridworks and its subsidiaries relating to any individual in their dealings with Gridworks or its subsidiaries.

The scope of this policy also includes all the websites, applications, mobile sites, and social media platforms that are owned by Gridworks, where personal data is processed. If you chose not to provide us with your personal information, in most cases, we will not be able to provide you with our services or information about them

Gridworks may amend this policy at any point in time. Please check this policy periodically at to inform yourself of any changes.

1. Definitions

In this Policy, the following terms shall have the following meanings:

  • CDC Group means CDC Group plc, its affiliated companies and subsidiaries.
  • Controller means the organisation which determines the purposes for which, and the way, any personal data is processed. For the purposes of this policy, the controller is Gridworks.
  • Data Protection Officer or DPO means the data protection officer appointed by Gridworks.
  • Data subjects means all individuals about whom Gridworks holds personal data.
  • Gridworks means Gridworks Development Partners LLP and its subsidiaries.
  • Personal data is any data relating to a living individual which allows the individual to be identified, whether from the data alone, or in combination with other information.
  • Processing means any operation or set of operations which is performed upon personal data, such as the collection, recording, organisation, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of personal data.
  • Processor means the individual and/or organisation which processes personal data on behalf of the Controller.
  • Sensitive personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health, sexual orientation or sex life. Special provisions apply to the processing of sensitive personal data.

2. Key policy principles

We value the personal data entrusted to us and we are committed to processing personal data in a fair, transparent and secure way. The key principles of this policy are as follows:

  • Data collection: we will only collect personal data by fair, lawful and transparent means.
  • Data minimisation: we will limit the collection of personal data to what is directly relevant and necessary for the purposes set out in this policy.
  • Purpose limitation: we will only process your personal data for specified, explicit and legitimate purposes and not further process your personal data in a way incompatible with those purposes.
  • Accuracy: we will keep your personal data accurate and up to date.
  • Data security: we will implement appropriate technical and organisational measures to ensure an appropriate level of security in relation to the risks represented by the processing and the nature of the personal data to be protected. Such measures provide for the prevention of any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and any other unlawful form of processing.
  • Access and rectification: we will process your personal data in line with your privacy rights.
  • Retention: we will retain your personal data in a manner consistent with the applicable data protection laws and regulations. In any event, we will not keep your personal data longer than is necessary for the purposes set out in this policy.
  • International transfers: we will ensure that any personal data transferred outside the United Kingdom is adequately protected.
  • Third parties: we will ensure that access to and transfers of personal data to third parties are carried out in accordance with the applicable laws and regulations and with suitable contractual safeguards.
  • Direct communications and cookies: where we send you information or place cookies on your computer, we will ensure that we do so in accordance with the applicable laws.

3. How we collect and use your information

We collect and use your personal data where:

  • we have, or a third party has, a legitimate interest and it is reasonable for us to do so when balanced against your right to privacy (for example, dealing with your queries, complaints or processing investment proposals).  We process most of the information on the basis of our legitimate interests as a business to engage with our clients, deliver services you have requested, to develop our business and protect our rights and those of the CDC Group;
  • we are required to by law (for example, verifying your identity for KYC purposes);
  • it is necessary to fulfil a contract with you, or to take steps at your request prior to entering into a contract (for example, if you are offered a job with us, we will need your bank details for payroll purposes); or
  • you have given us consent (for example, where you subscribe to our newsletter).

We have set out below the different purposes for which we collect and use your personal data.

3.1 Visitors to our websites

We collect IP addresses, cookies, moments of connection from visitors to our websites, which are analysed by Google Analytics, who collect standard internet log information and details of visitor behaviour patterns. We do this to identify the number of visitors to the various sections of the site. This information is not used to identify anyone.

Both Gridworks and Google do not make any attempt to discover the identities of visitors to our website.

For further information about our use of cookies and on how to decline them, please consult our cookie policy.

3.1.1 Newsletters

We will collect your name and email address if you choose to subscribe to our newsletter. We rely on your consent and you can withdraw your consent at any time, by following the unsubscribe instructions included in the communications or by contacting the DPO at [email protected]

We use a third party provider, Mailchimp, to deliver our monthly e-newsletters. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter. For more information, please see:

Mailchimp terms and conditions

Mailchimp privacy policy

3.1.2 General enquiries

When you submit an enquiry, we will collect your: email address and comments, we will also collect your first name, surname and the nature of the request if you choose to provide us with this information. Where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

3.1.3 Events

The information you provide will be used to process your event booking. We will also use it to contact you via Eventbrite regarding your booking. We may also contact you to undertake post-event evaluation.

Please note that Eventbrite is a third-party service that is not owned or managed by Gridworks. For more information, please see:

Eventbrite terms and conditions

Eventbrite privacy policy

3.1.4 Investment proposals

When you submit an investment proposal, we will collect your: first name, surname, email address, comments and any attached documents you choose to provide us with for the purposes of considering your proposal.

3.2 People who participate in our surveys

We may contact you to participate in optional surveys from time to time. We will only do this if we have your consent or a legitimate and lawful basis to do so (for example, legitimate interests). We use a third-party provider, Survey Monkey to deliver, manage and produce reports relating to the survey. We may collect names, contact details and other information relevant to the survey. We will be transparent when we collect personal data through our surveys and will explain the purposes for which we are collecting it.

3.3 People who call our contact points

When you call Gridworks, we collect Calling Line Identification (CLI) information which may include your telephone number. We use this information to help improve our efficiency and effectiveness. We do not record phone conversations.

3.4 People who email us

When you send an email address to us we may collect your IP address, email address and other data you have provided within the email or attachments. The information will only be used to address the purposes of your request, it will be recorded in our email and email security systems and may be recorded in a ticketing system to manage and respond to the request.

We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with security best practices. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

3.5 People who make a complaint to us

When we receive a complaint from a person we create a file containing the details of the complaint. This normally contains the identity (name, contact details, address, alias etc.) of the person making the complaint and any other individuals involved in the complaint.

We will only use the personal information we collect to handle the complaint and to check on the level of service we provide.

We may have to disclose the person who submitted the complaint’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.

If the person who submitted the complaint doesn’t want information identifying them to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with our record and retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

3.6 Identity data and verification of identity

In some instances, we will need to verify your identity (e.g. access requests, know your customer (KYC), or for other screening purposes). We will always be transparent and explain the purposes for collecting identity data from you prior to processing.

Identity data can include: IDs assigned by us, passport, driving license, or a copy of ID (passport, driver’s licence or comparable identity document), utility bills.

This data will only be used for verification of identity relating to the purposes it was requested for.

3.7 Use of personal data for direct communication purposes

We will only use your personal data to send communications via electronic means (e.g. email, SMS or MMS) if we have obtained your prior consent or have a legitimate and lawful interest to do so. You can withdraw your consent or object to communications at any point in time, by following the unsubscribe instructions included in the communications or by contacting the DPO at [email protected].

3.8 Photos and videos at Gridworks events

At special events organised by Gridworks we may take – with your permission –photos and videos of you. This includes image recordings such as films, photographs, video recordings, digital photos.

3.9 Personal data we receive from third parties

We may obtain the same categories of personal data about you from third parties, other CDC Group companies, carefully selected business partners who provide services on behalf of us, and any other third party who may lawfully pass to us information about you.

3.10 Personal data collected through the recruitment process

We will collect various information from you through our recruitment process. This is detailed below.  Unless otherwise specified, we collect this information on the basis of our legitimate interests, to consider your suitability for employment with us and to liaise with you in relation to your application:

3.10.1 Application

We will ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, referees and for answers to questions relevant to the role you have applied for. Our recruitment team will have access to all this information.

You will also be asked to provide equal opportunities information. This is not mandatory information – if you don’t provide it, it will not affect your application. This information will not be made available to any staff outside of our recruitment team, including hiring managers, in a way which can identify you. Any information you do provide, will be processed on the basis it is necessary to assess equality of opportunity or treatment and will be used only to produce and monitor equal opportunities statistics.

3.10.2 References

When providing references via our online reference system these will be collected by a processor called HireRight Ltd on our behalf, please see:

HireRight Privacy Policy

3.10.3 Assessments

We might ask you to participate in assessment days, complete tests or complete occupational questionnaires, and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by Gridworks.

If you are unsuccessful following assessment for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of six months. If you say yes, we would proactively contact you should any further suitable vacancies arise.

3.10.4 Conditional offer

If we make a conditional offer of employment we will (or HireRight will, on our behalf) ask you for information so that we or HireRight can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability.

You will therefore be required to provide:

  • Proof of your identity – you will be asked to attend our office with original documents, we will take copies.
  • Proof of your qualifications – you will be asked to attend our office with original documents, we will take copies.
  • You will be asked to complete a fitness and proprietary declaration including a criminal records declaration to declare any unspent convictions – our lawful bases for collecting criminal records information are preventing or detecting unlawful acts, complying with regulatory requirements relating to unlawful acts and dishonesty and exercising and carrying out our rights and obligations as an employer.
  • We will contact your referees, using the details you provide in your application, directly to obtain references.
  • We will also ask you to complete a questionnaire about your health. This is to establish your fitness to work. This is performed through Blossoms Healthcare who provide our occupational health service.

If we make a final offer, we will also ask you for the following:

  • Bank details – to process salary payments
  • Emergency contact details – so we know who to contact in case you have an emergency at work
  • Membership of a pension scheme – so we can help you determine whether you are eligible to re-join your previous scheme.

3.11 Other uses

In addition to the above Gridworks may collect and process your information where we have obtained your consent or another legitimate and lawful purpose to do so, including:

  • Accounts: including keeping accounts relating to any business and activity carried out by Gridworks and keeping records of purchases, sales and transactions;
  • Safety and security: any method, system or process used by Gridworks to protect its physical and intellectual property, to protect its economic and financial interests and to protect the integrity of its directors, employees, investees and stakeholders.
  • IT support and development: including processing as part of security event logging and monitoring of systems, business continuity planning and disaster recovery.
  • Compliance and legal claims: including ensuring compliance with legal obligations or establishing, exercising or defending legal claims;
  • Scientific, historical and statistical research: including the collection and processing of personal data for statistical surveys (or necessary to reach statistical results), analysing earlier events, and establishing patterns and rules of conduct;
  • Mergers and acquisitions: To prepare for and carry out a merger, take-over, transfer of an undertaking, transfer of assets or any other type of corporate transaction; and
  • Any other purpose described and communicated to you prior to using your personal data for such other purpose.

Gridworks will only process your personal data to achieve the purposes it was collected for, or for any other legitimate and lawful purpose.

Gridworks will notify the processing of personal data to the relevant authorities to the extent required under all applicable data protection laws and regulations.

4. Accurate Data

It is important for us to maintain accurate and up to date records of your personal data. Please inform us of any changes to or errors in your personal data as soon as possible by contacting the DPO at [email protected]. We will take reasonable steps to make sure that any inaccurate or out-of-date data is deleted, destroyed or amended accordingly.

5. Access and rectification

You have the right to access the personal data we hold about you and, if such personal data is inaccurate or incomplete, to request the rectification or erasure of such personal data. If you require further information in relation to your privacy rights or would like to exercise any of these rights, please contact the DPO at [email protected].

6. Timely processing

We shall retain your personal data in a manner consistent with the applicable data protection laws and regulations. We will only retain your personal data for as long as necessary to comply with the applicable laws and regulations or for the purposes for which we process your personal data. For guidance on how long certain personal data is likely to be kept before being destroyed, please contact the DPO at [email protected].

7. Data security

We shall ensure that appropriate technical and organisational security measures are taken against unlawful or unauthorised processing of personal data, and against the misuse, destruction, disclosure, acquisition, accidental loss of, or damage to personal data. Personal data shall only be processed by a third party processor if they can demonstrate adequate compliance or certification to relevant information security standards and practices.

Maintaining data security means protecting the confidentiality, integrity and availability of the personal data:

  • Confidentiality: we will protect your personal data from unauthorised disclosure to third parties.
  • Integrity: we will protect your personal data from being modified by unauthorised third parties.
  • Availability: we will ensure that authorized parties are able to access your personal data when needed.

Gridworks has implemented an information security management system to protect the confidentiality, availability and integrity of our assets, including protection of information processing facilities and your personal data.

8. Data protection officer (DPO)

Gridworks has taken the decision to appoint a Data Protection Officer (DPO) to monitor internal compliance, inform and advise on our data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and to act as a contact point for data subjects and the supervisory authority. The designated DPO for Gridworks and their contact information is as follows:

Data Protection Officer

Gridworks Development Partners LLP

123 Victoria Street




email: [email protected]

If you have a query in relation to this policy or our processing of your personal data, you can contact the DPO.

9. Disclosure of personal data

9.1 Categories of recipients

For the above-mentioned purposes, we may disclose your personal data to the following categories of recipients:

  • Authorised staff members of Gridworks;
  • Corporate affiliates and subsidiary companies including the CDC Group;
  • Our communication agencies: to help us deliver and analyse the effectiveness of our communications;
  • Business partners: trusted companies that may use your personal data to provide you with the services and/or the information you requested and/or that may provide you with communications (if you have consented to receiving them). We ask such companies to always act in compliance with applicable laws and this privacy policy and to pay high attention to the confidentiality of your personal data.

9.2 Service providers

Service providers are a core part of our IT strategy. Gridworks may share your personal data with external providers of IT related services (for example Microsoft, EACS, SAS, Spitfire, eFront, Mimecast).

We also share your personal data with the following service providers:

  • HireRight Ltd;
  • Eventbright UK Ltd; and
  • Professional advisers.

9.3 Other parties when required by law or as necessary to protect Gridworks

Gridworks may share your personal data with other third parties:

  • to comply with the law, regulatory requests, court orders, subpoena, or legal process;
  • to verify or enforce compliance with Gridworks’ policies and agreements; and
  • to protect the rights, property or safety of Gridworks and/or its clients.

9.4 Other parties in connection with corporate transactions:

Gridworks may share your personal data with other third parties in the context of a divestiture of all or a portion of its business, or otherwise in connection with a merger, consolidation, change in control, reorganisation or liquidation of all or part of Gridworks’ business.

9.5 Other parties with your consent or upon your instruction:

Gridworks may share your personal data with:

  • third parties when you consent to or request such sharing; and
  • Any other third party communicated to you by Gridworks prior to sharing your personal data with that third party.

Be aware that recipients as referred to above –especially service providers who may offer products and services to you through Gridworks applications or via their own channels– may separately collect data from you and, in these instances, are responsible for the control of your data. Your dealings with these service providers would fall under their own terms and conditions.

10. Use of social networks

Gridworks sometimes facilitates the publication of (personal) data via social media such as Twitter and Facebook. These social media have their own terms of use which you are required to consider and observe if you make use of them. Publication on social media may have (undesired) consequences, including for your privacy or that of persons whose data you share, such as the impossibility of withdrawing publication in the short term. You must estimate these consequences yourself, for you are taking the decision about the publication on these media. Gridworks does not accept any responsibility in that regard.

11. Disclosures outside the United Kingdom

Your personal data may be transferred to any of the recipients identified in this policy, some of which may be outside the United Kingdom and may be processed by us and any of these recipients in any country worldwide. The countries to which your personal data is transferred may not offer an adequate level of protection. In connection with any transfer of personal data to countries that do not offer the same level of protection as in the United Kingdom, Gridworks shall implement appropriate measures to ensure an adequate level of protection of your personal data.

12. Your choices and your rights

We want to be as transparent as possible with you, so that you can make meaningful choices about how you want us to use your information.

We can contact you by post and by phone, and if you give us your prior consent to do so, by email, SMS and other electronics means.

12.1 Your choices

In this context, you can make a variety of choices about how you want to be contacted by us, through which channel (e.g. email, mail, social media, etc.), for which purpose and how frequently, by contacting us at [email protected] or by following the unsubscribe instructions included in the communication.

Please note that by default, if you don’t make a choice, you will receive our communications at the following frequency: at the date of publication.

12.2 Your personal information

You may always contact us by post or email to find out what personal information we have concerning you, the origin of the data and to access or receive a copy of your data.

12.3 Your corrections

If you find any mistake in your personal information or if you find it incomplete or incorrect, you can request that we correct it or complete it.

12.4 Your objections

You may also object to the use of your data for direct marketing purposes (if you prefer, you can also advise us on which channel and how frequently you prefer to be contacted by us) or to the sharing of your personal information with third party for the same purpose.

You also have the right to request that we stop processing your information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. However, we may need to continue processing the information, if there is a compelling reason such as compliance with regulatory or legal requirements.

12.5 Restriction

You can ask us to temporarily limit the use of your personal data – for example, where you have questioned the accuracy of your information or how it is being used, but you do not want us to delete it.

12.6 Portability

You may request a copy of your personal data from us in a structured, commonly used and machine-readable format. You can also request that we transfer your personal data to another controller. Portability applies when we process your personal data in an automated means, either with your consent or for the performance of a contract.

12.7 Erasure

Finally, you may request for us to erase any data concerning you (except in some cases, for example, where we are required to retain the data by law).

13. Contact

For any privacy issues, questions or complaints concerning the application of this policy or to exercise your rights within the context of this policy, you may contact Gridworks at [email protected]. Alternatively, you may write to us:

Data Protection Officer

Gridworks Development Partners LLP

123 Victoria Street




If you are unhappy with how we have handled your personal data, you can also make a complaint to the Information Commissioner’s Office at