KONVEL

Privacy Policy

Privacy Policy

Version 1.3 · Last updated 03-May-2026. Konvel Ltd is the data controller in respect of personal data described below. This page is published in English; any translation is provided as a courtesy and the English version prevails in case of ambiguity.

Konvel Ltd ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose and safeguard personal data when you visit our website, contact us, or engage us as a client or supplier.

1. Personal data we collect

When you visit our website

  • Technical data: IP address, browser, operating system, time zone.
  • Usage data: pages visited, time on page, navigation paths, referring website.

When you contact us

  • Contact data: name, employer, job title, email, phone.
  • Content of communications: information you provide.

When you become a client or supplier

  • Counterparty identification and due-diligence data (legal name, country, registration number, registered office, authorised signatories) collected for two purposes: (a) to comply with UK sanctions law (UK GDPR Article 6(1)(c) lawful basis); and (b) to support Konvel's adequate-procedures duty under the UK Bribery Act 2010 (UK GDPR Article 6(1)(f) lawful basis). Additional risk-based checks are applied only where specific risk factors are present.
  • Commercial and contract data necessary to provide or receive services.
  • Financial data necessary to issue invoices and receive payment.
  • For Mode B (supply / principal) transactions: shipping details, customs documentation, and any personal data appearing on commercial invoices, packing lists, certificates of origin and export-control documentation.

2. How we use personal data, and our lawful bases

Performance of a contract

To provide procurement consultancy, supply of goods (Mode B, where applicable), manage supplier relationships, issue and pay invoices.

Legitimate interests

Responding to enquiries, business development, exercising and defending legal claims, fraud prevention, anti-bribery due diligence under the UK Bribery Act 2010 adequate-procedures duty, and improving our website. You have the right to object to processing on this basis.

Compliance with legal obligations

Sanctions screening, customs and export-control compliance, accounting, tax, and company law.

Consent

Marketing communications. Konvel does not currently operate a marketing list; this lawful basis is reserved for future use and will only be applied where individuals have actively opted in. Withdrawable at any time.

3. Sharing personal data

  • Service providers: IT, cloud, accountants, professional advisers, freight forwarders for Mode B transactions.
  • Hosting and content delivery: this website is hosted on Cloudflare Pages, which receives technical data (including IP addresses) for security and operational purposes. Web fonts are self-hosted from this domain — no third-party font CDN is used.
  • The contact form on this website does not post your details to any third-party form processor. When you press Send, the form is delivered through a Cloudflare Pages Function (running on the same Cloudflare infrastructure that hosts this site) directly to our Microsoft 365 mailbox at hello@konvel.co.uk. The form contents are processed transiently and are not retained by Konvel beyond delivery to that mailbox. Cloudflare and its mail-relay infrastructure log technical request metadata for security and operational purposes per their respective privacy notices.
  • Prospective suppliers, under NDA where applicable.
  • Customs authorities, banks, and similar bodies, where these institutions require counterparty identity or transaction-purpose information for their own regulatory compliance (sanctions, customs, and — for banks — anti-money-laundering).
  • Regulatory and law enforcement authorities where required.
  • Third parties in connection with any sale, merger, or restructuring.

4. International transfers

Personal data may be transferred outside the United Kingdom – including to suppliers and freight partners in the EU, Turkey, China and other Asian jurisdictions where we source from. Where this happens, we apply appropriate safeguards under UK GDPR Articles 44 to 49: transfers to jurisdictions covered by a UK adequacy decision (including the EU/EEA) rely on that adequacy; transfers to other jurisdictions are made under the UK International Data Transfer Agreement (IDTA) or, where the underlying transfer is the subject of EU Standard Contractual Clauses, the UK Addendum to those Clauses. A copy of the relevant safeguard for any specific transfer is available on request from hello@konvel.co.uk.

5. Retention

  • Enquiry correspondence: up to 24 months from last contact.
  • Client and supplier engagement records: 6 years post-engagement (statutory limitation).
  • Counterparty due-diligence and sanctions-screening records: 6 years post-engagement, consistent with the Limitation Act 1980 standard period and the audit trail Konvel maintains in support of its UK Bribery Act 2010 adequate-procedures defence.
  • Customs and export records: 6 years (HMRC requirement).
  • Accounting and tax: 6 years post accounting period end.

6. Your rights

Under UK GDPR you have the right to access, correction, erasure (in certain circumstances), restriction, portability, objection (to legitimate-interests processing or marketing), and withdrawal of consent. Contact us using the details below. You also have the right to complain to the Information Commissioner's Office, the UK supervisory authority for data protection.

7. Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure or destruction, including, where appropriate, encryption in transit, role-based access controls, multi-factor authentication on administrative accounts, and periodic review of our security practices.

8. Special category personal data

Konvel does not process special category personal data (UK GDPR Article 9 — including data revealing racial or ethnic origin, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for unique identification, health data, or data concerning a person's sex life or sexual orientation) at scale. Where such data appears incidentally — for example in counterparty due-diligence sources or in documents you choose to send us — we do not use it for any purpose beyond that diligence and we retain it only as long as needed for the original purpose.

9. Automated decision-making

Konvel does not make automated decisions with legal or similarly significant effects about you within the meaning of UK GDPR Article 22. Counterparty screening produces analyst-reviewed outputs for human consideration, not automated determinations. We do not engage in profiling that produces such effects.

10. Children's personal data

Konvel's services are business-to-business. We do not knowingly collect personal data of children (individuals under 18). If you believe a child's personal data has been provided to us in error, please contact us using the details below and we will delete it.

11. Cookies

This website uses only cookies that are strictly necessary for the site to function. We do not set tracking, advertising or analytics cookies.

12. Changes to this policy

We may update this Privacy Policy from time to time. The updated version will be effective from the date shown at the top of this page.

13. Contact us

For any privacy-related queries or to exercise your rights, contact us at hello@konvel.co.uk. We will acknowledge your enquiry within 7 days and aim to resolve it within one month. If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (the UK supervisory authority for data protection — becoming the Information Commission under the Data (Use and Access) Act 2025).

Konvel Ltd is registered with the ICO under reference ZC138728.

Data Protection Officer. Konvel is not required to and has not appointed a Data Protection Officer under UK GDPR Article 37. Privacy queries should be sent to the email address above.

EU representative. Konvel's processing of personal data of individuals in the European Union is occasional and incidental to its UK-established consultancy services. Konvel relies on the exemption at Article 27(2)(a) of the EU GDPR from the requirement to appoint an EU representative. We will appoint a representative if and when our processing of EU personal data ceases to be occasional within the meaning of that exemption.

Statutory or contractual nature of providing personal data. Personal data submitted through our enquiry form or in correspondence is provided voluntarily. There is no statutory or contractual requirement to provide it; however, without it we cannot respond to enquiries or perform consultancy or supply engagements. Personal data captured for counterparty due-diligence is provided pursuant to UK sanctions law (UK GDPR Article 6(1)(c)) and Konvel's Bribery Act 2010 adequate-procedures duty (Article 6(1)(f)); declining to provide it means Konvel cannot enter into the relevant business relationship.