Privacy Statement

Version 2.0 – 27 April 2018

You can also download this Privacy Statement (PDF, 74 kB).


Hillbreak Limited (“Hillbreak”) and Hillbreak (APC Success) Limited (“APC Success”) (together referred to hereinafter as “we”, “us”, or “our”) are strongly committed to protecting personal data.

This privacy statement describes why and how we collect and use personal data and provides information about individuals’ rights. It applies to personal data provided to us, both by individuals themselves or by others. We may use personal data provided to us for any of the purposes described in this privacy statement or as otherwise stated at the point of collection.

Personal data is any information relating to an identified or identifiable living person. We process personal data for numerous purposes, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose may differ.

The purposes for which we process personal data

Hillbreak and APC Success are two separate companies under common ownership and control. We provide separate professional services to clients although some of those clients are common to us.

Consequently, we usually process personal data separately for Hillbreak and APC Success purposes (including by keeping separate business contact lists and separate transactional databases), although many of the systems and locations that we use to store and process personal data are the same for both companies.

When collecting and using personal data, our policy is to be transparent about why and how we do so. We hold and process personal data for several purposes, for some of which explicit consent is required from those whose data we process, whilst for others we have a legitimate and lawful reason for doing so.

The purposes for which we process personal data and for which explicit consent is required from those whose data we process are:

For general communication purposes:

  • To provide general updates to our business contacts on Hillbreak and/or APC Success projects, services, capabilities, insights and business announcements.
  • To send seasonal greetings to our business contacts.

For targeted communication purposes:

  • To send relevant invitations and information on Hillbreak and/or APC Success training courses which we think may be of interest to our business contacts.
  • To send Hillbreak and/or APC Success event invitations and information which we think may be of interest to our business contacts.
  • To provide information on relevant industry activities and initiatives, including those organised by third party organisations, which we think may be of interest to our business contacts.

Use of our website:

  • To protect the personal data of those who use our website, we routinely collect the IP addresses of our website visitors to a security log. None of this data is further processed unless there is a legitimate reason to do so, such as for identifying risks and taking evasive action when a threat to our website has been identified. IP addresses deemed to have been compromised or to be the source of potentially harmful activity may be retained indefinitely as a means of preventing harmful connections and protecting our customers’ and visitors’ data.
  • To ensure the continued functioning of our website by routinely collecting the IP addresses of our website visitors to a raw access and error logs. None of this data is further processed unless there is a legitimate reason to do so, such as troubleshooting functional errors.
  • Our website uses cookies as part of its core functions. Session data is stored in visitors’ browsers to enable logging in and store/ticketing functionality.
  • In addition, our website may collect IP addresses, geographical, language, and other data. This information is not collected unless consent is explicitly given by visitors. This data is sometimes analysed in order to improve our website layout and behaviour. This data is anonymised and shared with a third party service, Google Analytics, where it is stored for a maximum of 14 months.

Where consent is required for us to process personal data, we ensure that such consent is freely provided and is clearly specific to the purpose(s) to which the processing relates. This includes making sure that consent is given with specific reference to the activities of Hillbreak and/or APC Success.

The purposes for which we have a legitimate and legal basis for processing personal data and for which consent is not required from those whose data we process are:

For business engagement and related commercial purposes:

  • To contract, engage, transact and record our dealings with our clients in relation to projects and the services we provide or have provided to them.
  • To enable us to perform the services we provide to our clients effectively where we are required to be in contact with third parties that are relevant to the performance of those services.
  • To contract, engage, transact and record our dealings with those who provide services to us, including the industry bodies and associations of which we are a member, and which may include the personal data of individuals connected to service providers or membership organisations.
  • To enable us to perform business analytics, such as identifying trends, establishing relationship maps, generating sales intelligence and assessing our progress against our business goals.
  • To enable our clients and business contacts to be contacted by us in relation to specific potential opportunities and projects which we reasonably consider to be of legitimate commercial interest to them.
  • To maintain a record of those who may apply to us, including in unsolicited circumstances, for employment or contracting opportunities in order that we can keep in touch with them regarding relevant opportunities that may arise in the future.
  • To comply with any requirement of law, regulation or a professional body of which we are a member because we are subject to legal, regulatory and professional obligations; we need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.


We take the security of all the data we hold very seriously and we have invested in internal data protection processes and data storage products with data privacy and security in mind.

Our central data storage system uses end-to-end encryption which protects personal data from third party access. We also use other industry-standard systems on which personal data may be stored, including cloud-based accounting software and our website.

When and how we share personal data and locations of processing

We will only share personal data with others when we are legally permitted to do so. When we share data with others, we put contractual arrangements and security mechanisms in place to protect the data and to comply with our data protection, confidentiality and security standards.

We may use third parties located in countries other than the UK to help us run our business. We also provide professional services to clients that operate in or may be based in countries other than the UK. As a result, personal data may be transferred outside the country in which we are located. This includes to countries outside the European Union (“EU”) and may include countries that do not have laws that provide specific protection for personal data.

Where we transfer personal data outside of the EU to a country not determined by the European Commission as providing an adequate level of protection for personal data, the transfers will be under an agreement which covers the EU requirements for the transfer of personal data outside the EU, such as the European Commission approved standard contractual clauses.

Data retention

We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).

In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for records and other documentary evidence relating to the business engagement and related commercial purposes set our above is 6 years.

For all other purposes set out above, which are all of those for which explicit consent is required from those whose personal data we process, we consider it good practice to ask for such consent to be restated at least every three years.

Personal data held by us may be transferred to:

  • Third party organisations and individuals that provide professional services to us under contract, including our accountant and business administrator, and the business associates to whom we may sub-contract the performance of client services (where permitted to do so under the terms of our contract with our clients).
  • Third party organisations and individuals that provide applications, data processing or IT services to us, such as for the purpose of running and managing our internal IT systems. For example, providers of information technology, cloud based software as a service provider, identity management, website hosting and management, data analysis, data back-up, security and storage services. The servers powering and facilitating that cloud infrastructure are located in secure data centres around the world, and personal data may be stored in any one of them.
  • Third party organisations that otherwise assist us in providing goods, services or information, including other professional advisers.
  • Law enforcement or other government and regulatory agencies or to other third parties as required by, and in accordance with, applicable law or regulation.
  • Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, or to establish, exercise or defend legal rights. We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.

Changes to this privacy statement

This privacy statement was last updated on 27 April 2018.

We will keep this privacy statement under regular review.

Data controller and contact information

The data controllers to which this privacy policy relates are:

  • Hillbreak Limited (registered in England & Wales with registered number 9619492)
  • Hillbreak (APC Success) Limited (registered in England & Wales with registered number 10568488)

If you have any questions about this privacy statement or how and why we process personal data, please contact us using the relevant contact details below:

Data Protection Officer
Hillbreak Limited / Hillbreak (APC Success) Limited
5A Ack Lane East
Email: or

Because of the clarity of our communication, the specificity of our consent processes, and the clear distinction between our Hillbreak and APC Success services, we are confident that individuals whose personal data we process will have a clear understanding about which of our companies the data processes relate to. However, in the event that you are unsure about this, you may contact us using either of the or email addresses to seek confirmation.

Individuals’ rights and how to exercise them

Individuals have certain rights over their personal data and data controllers are responsible for fulfilling these rights. Where we decide how and why personal data is processed, we are a data controller and include further information about the rights that individuals have and how to exercise them below.

Access to personal data

You have a right of access to personal data held by us as a data controller. This right may be exercised by emailing us at or We may charge for a request for access in accordance with applicable law. We will aim to respond to any requests for information promptly, and in any event within the legally required time limits (currently 40 days).

Amendment of personal data

To update personal data submitted to us, you may email us at or or, where appropriate, contact us via the relevant website registration page or by amending the personal details held on relevant applications with which you registered.

When practically possible, once we are informed that any personal data processed by us is no longer accurate, we will make corrections (where appropriate) based on your updated information.

Withdrawal of consent

Where we process personal data based on consent, individuals have a right to withdraw consent at any time. To withdraw consent to our processing of your personal data please email us at or or, to stop receiving an email from a a Hillbreak or APC Success general communication list, please click on the unsubscribe link in the relevant email received from us.

Other data subject rights

This privacy statement is intended to provide information about what personal data we collect about you and how it is used. As well as rights of access and amendment referred to above, individuals may have other rights in relation to the personal data we hold, such as a right to erasure/deletion, to restrict or object to our processing of personal data and the right to data portability. Some of these rights will only be available from 25 May 2018.

If you wish to exercise any of these rights, please send an email to or


We hope that you won’t ever need to, but if you do want to complain about our use of personal data, please send an email with the details of your complaint to or We will look into and respond to any complaints we receive as promptly as we reasonably can. You also have the right to lodge a complaint with the Information Commissioner’s Office (“ICO”) (the UK data protection regulator). For further information on your rights and how to complain to the ICO, please refer to the ICO website.

Hillbreak Ltd is registered in England and Wales with registered number 9619492 and its registered office at 5A Ack Lane East, Bramhall, Cheshire, SK7 2BE
Hillbreak (APC Success) Limited is registered in England and Wales with registered number 10568488 and its registered office at 5A Ack Lane East, Bramhall, Cheshire, SK7 2BE