Contents

Madison Brook Group (“we”, “us”, or “our”) is committed to protecting your privacy and ensuring that your personal information is handled fairly, transparently, and securely.

• 1. Introduction
• 2. Who We Are
• 3. Information We Collect
• 4. How We Use Your Information
• 5. Lawful Bases for Processing
• 6. Sharing Your Information
• 7. International Transfers
• 8. Data Security
• 9. Data Retention
• 10. Your Rights
• 11. Data Breaches
• 12. Cookies and Online Tracking
• 13. Updates to This Notice
• 14. Contact Us

1. Introduction

This Privacy Notice explains how we collect, use, store, share, and protect personal data across the Madison Brook, which includes (without limitation):

• Madison Brook (Agency) Limited
• Madison Brook (Construction) Limited
• Madison Brook (Living Markets) Limited
• Madison Brook (Group) Limited
• Any affiliated or associated entities

We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Who We Are

Each entity within the Group acts as a data controller for the personal data it collects in connection with its services.

3. Information We Collect

Depending on your relationship with us (client, tenant, supplier, employee, applicant, or visitor), we may collect:

• Identity Data: name, title, date of birth, national insurance number
• Contact Data: address, email address, telephone numbers
• Financial Data: bank details, transaction history, credit status
• Property & Legal Data: ownership details, tenancy records, contracts, conveyancing files
• Employment Data: CVs, qualifications, training records, references, HR files
• Technical Data: IP address, browser type, device identifiers, log information, cookies
• Marketing Data: preferences and communication history

4. How We Use Your Information

• Provide and manage property, legal, construction and investment services
• Manage client, tenant and supplier relationships
• Meet contractual and legal obligations (e.g. SRA, HMRC, AML)
• Communicate with you about your account, projects or enquiries
• Maintain security of our systems and premises
• Send marketing communications where you have consented or where we have a legitimate interest

5. Lawful Bases for Processing

We process personal data under one or more of the following lawful bases:

• Contract: where processing is necessary to perform our agreement with you
• Legal obligation: where we must comply with a law (e.g. financial record keeping, AML checks)
• Legitimate interests: for business operations such as client service and security monitoring, provided these interests do not override your rights
• Consent: where you have explicitly agreed (e.g. marketing communications)
• Vital interests: to protect someone’s life in an emergency

6. Sharing Your Information

We share data only where necessary and always under appropriate safeguards. Typical recipients include:

• Third-party IT and security providers responsible for our firewalls, Microsoft 365 environment and Mimecast email security
• Professional advisers (accountants, lawyers, auditors)
• Public authorities (e.g. HMRC, SRA, local authorities, law enforcement)
• Service partners such as surveyors, contractors and managing agents who assist in delivering our services

7. International Transfers

Where personal data is transferred outside the UK (e.g. through Microsoft 365 cloud services), we ensure adequate protection by using UK adequacy decisions or Standard Contractual Clauses (SCCs) approved by the ICO.

8. Data Security

• Management by a third-party IT security provider
• Enterprise-grade firewalls and intrusion detection systems
• Multi-factor authentication (MFA) and strong password controls
• Device encryption and Mobile Device Management (MDM)
• Regular patching of high/critical vulnerabilities within 14 days
• 3-2-1 encrypted backups tested for restore
• Central security logging and monitoring
• Staff training and awareness on cyber security and phishing

9. Data Retention

We keep personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting or reporting requirements. Retention periods are defined within our Records of Processing Activities (RoPA) and applied consistently across the Group.

10. Your Rights

Under data protection law, you have the right to:

• Access your data and receive a copy of it
• Request correction of inaccurate information
• Request erasure (“the right to be forgotten”)
• Object to or restrict processing
• Request data portability to another controller
• Withdraw consent at any time (where processing is based on consent)
• Lodge a complaint with the Information Commissioner’s Office (ICO)

Response times: We will respond to all valid requests within one month. If requests are complex or numerous, we may extend this period by up to two further months and will inform you within the first month.

11. Data Breaches

We maintain an Incident Response Plan to detect, investigate and report data breaches. If a breach poses a risk to your rights or freedoms, we will notify the ICO within 72 hours of becoming aware of it and inform affected individuals without undue delay. All incidents are recorded and reviewed to prevent recurrence.

12. Cookies and Online Tracking

Our website uses cookies to improve functionality and analyse usage. You can manage or disable cookies through your browser settings. For more information, please see our Cookie Policy.

13. Updates to This Notice

We may update this Privacy Notice periodically to reflect changes in law or our operations. The latest version will always be available on our website, showing the effective date at the top of this page.

14. Contact Us

To ask a question or exercise your rights, please contact:

Email: directors@madisonbrook.com
Post: Data Protection Officer, Madison Brook, Railway Arches, 8a Chancel Street, London SE1 0UR, United Kingdom
Phone: 020 3917 2250

If you are unhappy with how we handle your data, you can contact the Information Commissioner’s Office (ICO).

© Madison Brook. All rights reserved. Madison Brook is the group trading style of the Madison Brook companies listed above.