Privacy Policy

Crux Risk LLP
Unit 19 A/B, Blackwell Business Park
Blackwell, Shipston on Stour
United Kingdom, CV36 4PE
T: +44 (0)20 7112 8620
E: responseteam@cruxrisk.com
Last updated: 20 May 2026

1. Who we are

Crux Risk LLP is a risk and crisis management services provider. We specialise in the management and resolution of crises associated with kidnapping, extortion, hijacking, maritime piracy, product tampering and wrongful detention, as well as broader risk and security advisory services including country evacuations, strategic risk assessments, reputation management and breach response.

Crux Risk LLP is the data controller for the purposes of UK GDPR and the Data Protection Act 2018. Our registered office is Unit 19 A/B, Blackwell Business Park, Blackwell, Shipston on Stour, CV36 4PE.

2. What this policy covers

This policy explains:

  • what personal data we collect about you and why
  • where we collect personal data from
  • the lawful basis on which we process it
  • how long we keep it
  • who we share it with
  • how we transfer and store it
  • your rights in relation to the data we hold
  • how to contact us or make a complaint

3. What personal data we collect

We collect only the information necessary to provide the services you have asked us to carry out, or where underwriters and/or brokers with whom you are insured have asked us to contact you in connection with our services.

The personal data we may collect includes:

  • contact information such as your name, telephone number, email address and postal address
  • information you provide directly to us in the course of instructing us or receiving our services
  • information passed to us by referring third parties such as legal firms, underwriters or insurance brokers
  • publicly available information from sources such as the internet and LinkedIn where relevant to the services we are providing

We will only collect and process sensitive personal data (special category data) where you have given your explicit consent and where it is strictly necessary for the services we are providing, or where we are legally obliged to do so.

4. Lawful basis for processing

We process your personal data on one or more of the following lawful bases under UK GDPR:

  • Contract: where processing is necessary to perform a contract with you or to take steps at your request before entering into a contract.
  • Legitimate interests: where processing is necessary for our legitimate business interests, such as managing and developing our services, provided those interests are not overridden by your rights and interests.
  • Legal obligation: where processing is necessary to comply with a legal obligation, including obligations to regulatory bodies such as OFAC or SOCA or requirements of the courts.
  • Consent: where you have given us your explicit consent, in particular in relation to any special category data.

5. How we use your personal data

We use your personal data solely to enable us to carry out the services we are providing to you, or to manage our relationship with you if you provide or may in future provide services to us.

Where we have provided casework services to you we will retain case data and maintain a log of events and actions for legal and regulatory purposes, unless you expressly ask us not to do so and we are not otherwise legally obliged to retain it.

We do not use your personal data for marketing purposes without your consent.

6. How long we keep your personal data

We retain your personal data for as long as is necessary to fulfil the purposes for which it was collected, including to complete casework or to comply with legal, regulatory or contractual obligations.

Even after you cease to use our services, we may retain certain information to comply with obligations to regulatory bodies such as OFAC, SOCA or the courts. When your data is no longer needed, we will delete or anonymise it securely.

7. Who we share your personal data with

We do not sell or share your personal data with third parties for their own purposes. We may share your data in the following limited circumstances:

  • internally among Crux Risk partners and associates where necessary to deliver our services
  • with third parties instructed to support the delivery of our services, such as specialist advisers or translators, where you have consented or where it is necessary to perform the contract
  • with regulatory bodies, law enforcement agencies or courts where we are legally required to do so

Any third parties with whom we share data are required to handle it securely and in accordance with applicable data protection law.

8. International transfers

Crux Risk operates globally and it may sometimes be necessary to transfer personal data to countries outside the United Kingdom. Where we transfer personal data internationally, we do so only where:

  • the UK Government has made an adequacy decision in respect of that country, confirming it provides an equivalent level of protection to UK law, or
  • appropriate safeguards are in place, such as standard contractual clauses approved for use under UK GDPR, or
  • another lawful transfer mechanism applies.

We will not transfer your personal data to a jurisdiction that does not provide adequate protection without first putting appropriate safeguards in place.

9. Your rights

Under UK GDPR you have the following rights in relation to your personal data:

  • The right to be informed: to receive clear and transparent information about how we use your data, as set out in this policy.
  • The right of access: to request a copy of the personal data we hold about you.
  • The right to rectification: to have inaccurate or incomplete data corrected.
  • The right to erasure: to request deletion of your data where there is no compelling reason for us to continue processing it, subject to our legal obligations.
  • The right to restrict processing: to request that we limit how we use your data in certain circumstances.
  • The right to data portability: to receive your data in a structured, commonly used and machine-readable format and to transfer it to another controller in certain circumstances.
  • The right to object: to object to processing based on legitimate interests or for direct marketing purposes.
  • The right to withdraw consent: where we process your data on the basis of consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to the withdrawal.
  • The right to lodge a complaint: you have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk or by telephone on 0303 123 1113.

We will respond to requests within one month. We do not normally charge a fee, though we reserve the right to charge a reasonable administrative fee for requests that are manifestly unfounded, excessive or repetitive.

10. What happens if you do not provide your data

If you do not provide the personal data we request, or if you withdraw consent for us to process it, we may be unable to provide services to you.

11. How we will contact you

We may contact you by telephone, email or other written means. If you have a preference as to how we contact you, please let us know.

12. How to contact us

If you have any questions about this policy, wish to exercise your rights, or are unhappy with how we have handled your data, please contact us at:

Crux Risk LLP
Unit 19 A/B, Blackwell Business Park
Blackwell, Shipston on Stour
United Kingdom, CV36 4PE
T: +44 (0)20 7112 8620
E: responseteam@cruxrisk.com

You also have the right to complain to the Information Commissioner’s Office at any time: ico.org.uk | 0303 123 1113.