Effective date: 3 June 2026

1. About this Privacy Policy

This Privacy Policy explains how Fort Hospitality Holdings Limited handles personal information when you visit FHH.group, contact us, submit a general or advisory enquiry, upload supporting material, apply for a role, register interest in working with us, or otherwise interact with us through the public website and related communication channels.

Fort Hospitality Holdings Limited is the controller of the personal information described in this policy. The company is registered in England and Wales under company number 13617801, and its registered office is 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

FHH.group is the public-facing operating brand of Fort Hospitality Holdings Limited. References in this policy to “FHH.group”, “we”, “us”, “our”, or “the company” mean Fort Hospitality Holdings Limited unless the context clearly requires otherwise.

This policy explains what information may be collected, why it is used, the lawful bases relied on, how long information may be retained, who it may be shared with, and the rights available under applicable data protection law.

2. Privacy contact

Questions about this Privacy Policy or the way personal information is handled may be sent to hello@fhh.group.

Postal correspondence may be sent to Fort Hospitality Holdings Limited, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

We have not appointed a data protection officer. Privacy enquiries should be directed to the contact details above.

3. Scope of this policy

This policy applies to personal information collected through the public website, website forms, email correspondence arising from website contact, advisory enquiry routes, careers and register-interest routes, and technologies used to support website operation, security, consent management, analytics, and digital administration.

It applies in particular to information connected with general contact requests, company-level conversations, strategic or advisory enquiries, careers submissions, register-interest submissions, collaboration discussions, supplier or professional communications, and related website interactions.

Where a specific page, form, notice, contract, engagement letter, statement of work, employment process, contractor arrangement, or other document contains additional privacy wording, that wording should also be read alongside this Privacy Policy.

4. Personal information we may collect

The personal information collected depends on how you interact with us, what you choose to provide, and the services or technologies used on the website.

Identity and contact details

This may include your name, email address, telephone number, role, job title, organisation name, location, correspondence details, and preferred contact route.

General enquiry information

This may include messages, questions, company-level enquiries, context provided through contact forms, and records of related correspondence or follow-up.

Advisory and strategic enquiry information

This may include information about an organisation, site, estate, operating model, commercial priorities, advisory requirements, project context, sector, timing, and other details submitted for an initial review.

Attachments and supporting materials

This may include files, documents, briefs, CVs, portfolios, images, presentations, spreadsheets, file names, metadata, and other material uploaded or sent in connection with an enquiry, role, register-interest route, or collaboration discussion.

Careers, talent, and register-interest information

This may include CVs, portfolios, biographies, employment history, education, skills, certifications, LinkedIn or professional profiles, availability, compensation expectations where voluntarily provided, interview notes, and internal review records where a process moves forward.

Technical and usage information

This may include IP address, browser type, device type, operating system, language settings, approximate location derived from network information, pages viewed, referral source, navigation paths, time on page, interaction events, error information, and diagnostic logs.

Cookie and consent information

This may include cookie preferences, consent records, settings choices, analytics events where consented, tag status, and related information used to respect and evidence website choices.

Security and abuse-prevention information

This may include access logs, security events, form misuse signals, spam detection information, reCAPTCHA or similar anti-spam/security signals, malicious-traffic indicators, device and interaction signals, and technical information used to protect the website and communications environment.

5. Information from other sources

Most information is provided directly by the person contacting us or using the website. In some cases, we may receive or review information from other sources where relevant and lawful.

Those sources may include professional referrers, advisers, counterparties, publicly available business websites, public registers, Companies House, professional networking profiles, recruitment-related sources, publicly available social or professional information, and information provided by people within the same organisation.

If you provide information about another person, you should ensure that you have an appropriate basis for doing so and that the person is aware of the relevant privacy information where required.

6. Special category and sensitive information

We do not seek special category personal information through public website forms unless there is a clear reason and an appropriate basis for handling it. Special category information can include information about health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric information, sex life, or sexual orientation.

General contact and advisory enquiry routes should not be used to submit highly sensitive personal information, confidential information, privileged material, restricted documentation, or personal information that is not reasonably necessary for the purpose of first contact.

If you choose to provide information that is sensitive, confidential, or unnecessary, we may delete it, restrict access to it, decline to review it, or handle it only to the extent reasonably necessary for security, legal, administrative, or response purposes.

7. How we use personal information

We use personal information only where there is a lawful basis for doing so and where the use is relevant and proportionate to the purpose.

Website operation and administration

We may use information to operate, maintain, troubleshoot, secure, and improve the website and related digital touchpoints.

General contact and correspondence

We may use information to review messages, respond to enquiries, route communications internally, maintain records, and manage appropriate follow-up.

Advisory and strategic enquiry review

We may use information to assess whether an enquiry is relevant to the company’s scope of work, understand the issue presented, determine whether a follow-up conversation is appropriate, and prepare for that conversation where it proceeds.

Attachments and supporting materials

We may use information to receive, store, review, filter, delete, or restrict access to files submitted for initial review, advisory enquiry, careers, register-interest, or collaboration purposes.

Careers and register-interest handling

We may use information to review suitability for live roles, future roles, project-based work, specialist collaboration, freelance or fractional work, and maintain a limited record of relevant profiles where appropriate.

Analytics and website improvement

We may use information to understand aggregate website usage and improve content, navigation, performance, and user experience where analytics are enabled lawfully and in line with cookie choices.

Security and misuse prevention

We may use information to protect the website, forms, systems, communications, and users against spam, fraud, misuse, malicious traffic, unauthorised access, malware, abuse, or operational risk.

Legal, accounting, governance, and record keeping

We may use information to comply with legal obligations, maintain business records, manage disputes, protect legal position, and establish, exercise, or defend legal rights.

Business continuity and corporate transactions

We may use information to support reorganisation, restructuring, sale, financing, investment, diligence, insurance, or similar business events where lawful and proportionate.

8. Lawful bases for processing

The lawful basis depends on the purpose and context of the processing. More than one basis may apply in some circumstances.

Website security, technical logs, access controls, spam prevention, abuse prevention, and service integrity

The typical lawful basis is legitimate interests in maintaining a secure, reliable, resilient, and properly administered website and communications environment.

General contact enquiries and company-level conversations

The typical lawful basis is legitimate interests in managing and responding to genuine enquiries. In some cases, the basis may also be steps taken at the individual’s request before entering into a possible contract or relationship.

Advisory, strategic, commercial, partnership, and project-related enquiries

The typical lawful basis is legitimate interests in assessing and responding to potential business opportunities, understanding commercial relevance, managing follow-up, and protecting legal position. Where relevant, processing may also be based on steps taken before entering into a contract.

Attachments and supporting materials submitted through forms or email

The typical lawful basis is legitimate interests in reviewing relevant material, assessing enquiries, managing security, filtering inappropriate material, and maintaining appropriate records. In some cases, processing may also be based on steps before entering into a contract or relationship.

Careers, collaboration, register-interest, and talent submissions

The typical lawful basis is legitimate interests in reviewing suitability, managing recruitment or collaboration processes, and maintaining a limited talent or specialist network. In some cases, processing may be based on steps before entering into an employment, contractor, freelance, or collaboration arrangement. Consent may be used where specifically requested or appropriate.

Analytics and other non-essential cookies or similar technologies

The typical lawful basis is consent where consent is required under applicable law.

Cookie consent records and preference management

The typical lawful basis is legal obligation where relevant and legitimate interests in respecting, applying, and evidencing user choices.

Legal, accounting, tax, regulatory, and statutory record keeping

The typical lawful basis is compliance with a legal obligation.

Protection of legal rights, dispute management, and claims handling

The typical lawful basis is legitimate interests and, where necessary, the establishment, exercise, or defence of legal claims.

Where we rely on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Where we rely on legitimate interests, those interests may include operating the website, responding to genuine enquiries, assessing advisory relevance, managing recruitment interest, protecting systems, preventing misuse, maintaining business records, and protecting legal position. We consider whether those interests are overridden by the rights, freedoms, or interests of the people whose information is processed.

9. Website forms, advisory enquiries, and attachments

Website forms are intended to support appropriate first contact and efficient review. They should not be used to submit full confidential briefs, privileged material, highly sensitive personal information, unnecessary personal information, or restricted documentation unless an appropriate basis for receiving it has already been agreed.

Where an advisory enquiry or contact route allows file uploads, the information may be handled for initial review, security screening, relevance assessment, follow-up, and record-keeping purposes. We may choose not to open, review, retain, or respond to attachments that appear unsafe, excessive, irrelevant, unlawful, confidential without an agreed basis, or inconsistent with the intended purpose of the form.

Additional guidance about how contact routes and advisory enquiries should be used is set out in the Contact and Advisory Enquiry Notices.

10. Careers, live roles, and register-interest submissions

Where you apply for a live role, submit a CV or portfolio, register interest in future opportunities, or contact us about collaboration, freelance, project-based, fractional, contractor, or specialist work, we may use the information to assess suitability, manage the process, contact you about relevant next steps, and maintain limited records.

Right-to-work checks, references, background checks, or additional verification would ordinarily be considered later in a process where relevant, lawful, and proportionate. They are not part of general public website browsing activity.

More detail is provided in the Careers and Register-Interest Privacy Notice.

11. Cookies, analytics, and similar technologies

The website may use cookies and similar technologies to support core website operation, security, consent management, preferences, analytics, tag administration, and performance measurement.

The website may use a consent-management platform, Google Tag Manager, Google Analytics 4, Google Search Console, and related website administration tools. Non-essential analytics technologies operate only in accordance with the choices made through the website’s cookie settings controls, where consent is required by law.

The public website is not intended to deploy advertising, remarketing, behavioural profiling, or session replay tools at the time of publication. If that position changes, the Cookie Policy, consent controls, and relevant privacy wording should be updated before those technologies are used.

More detail is provided in the Cookie Policy and the website’s cookie settings controls.

12. Direct marketing and newsletters

The public website is not intended to operate a newsletter or marketing mailing-list capture at the time of publication.

We do not use general contact, advisory, careers, or register-interest submissions to add people to a marketing mailing list without a valid lawful basis and, where required, consent.

If a newsletter, mailing list, event list, or similar marketing route is introduced later, the relevant sign-up wording, consent mechanism, and privacy information should be provided at the point of collection.

13. Automated decision-making

We do not use the public website, public contact forms, advisory enquiry routes, or careers/register-interest routes to carry out automated decision-making that produces legal or similarly significant effects on individuals.

14. When we share personal information

We do not sell personal information. We may share personal information where reasonably necessary for website administration, business operations, security, professional support, legal compliance, or the purposes described in this policy.

Website hosting, infrastructure, security, and content delivery providers

These providers may support the operation, security, delivery, maintenance, and troubleshooting of the website and related systems.

Consent-management, tag-management, analytics, and search-performance providers

These providers may help manage cookie choices, apply consent settings, measure website usage where lawful, and administer website performance tools.

Form-handling, file-upload, and website administration providers

Where Google reCAPTCHA or a similar form-security service is used, the relevant provider may process technical, device, interaction, and security information for the purpose of helping protect forms, submissions, systems, and communications from spam, abuse, and automated misuse.

These providers may receive, route, store, filter, notify, and manage contact, advisory, careers, register-interest, and attachment submissions.

Business communication, email, cloud storage, productivity, and scheduling providers

These providers may support correspondence, documents, records, internal review, meetings, follow-up, and company administration.

Professional advisers and service providers

These may include lawyers, accountants, auditors, insurers, tax advisers, technical advisers, compliance advisers, security advisers, recruitment support, or other business support where relevant.

Recruiters, referees, background-check providers, or external specialists

These recipients may be involved only where relevant, lawful, proportionate, and connected with a role, collaboration, or specialist process that has moved forward.

Courts, regulators, law-enforcement bodies, public authorities, or government bodies

Information may be disclosed where required by law, necessary for compliance, or reasonably necessary to protect legal rights, security, or legitimate interests.

Advisers, counterparties, funders, purchasers, or transaction participants

Information may be disclosed where relevant to a reorganisation, sale, financing, diligence process, investment, insurance, or similar corporate event, subject to appropriate controls where lawful and proportionate.

15. Service providers and processors

Where third-party service providers process personal information for us, they are expected to do so under appropriate contractual, confidentiality, security, and data protection arrangements where required.

The specific providers used may change over time as the website, forms, analytics, hosting, security, communications, and administration stack develops. The live implementation should remain consistent with this Privacy Policy, the Cookie Policy, and any form-specific notice.

16. International transfers

Some service providers used for hosting, analytics, tag management, consent management, form handling, file uploads, communications, cloud storage, support, or security may process personal information outside the United Kingdom.

Where that happens, we take reasonable steps designed to ensure that personal information remains protected in a manner consistent with applicable data protection law. Depending on the circumstances, those steps may include reliance on adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to standard contractual clauses, equivalent contractual safeguards, recognised transfer mechanisms, vendor due diligence, and appropriate technical and organisational measures.

International transfer arrangements may vary depending on the provider, service, configuration, and location involved.

17. Data retention

We keep personal information only for as long as it is reasonably necessary for the purpose for which it was collected, including to manage correspondence, evaluate opportunities, maintain records, comply with legal obligations, resolve disputes, and protect legal position.

General contact enquiries and non-engaged correspondence

These are typically retained for up to 24 months from the last meaningful contact, unless a longer period is needed for dispute management, legal reasons, security, or business continuity.

Advisory, strategic, partnership, investment-adjacent, and commercial enquiries that do not become active engagements

These are typically retained for up to 24 months from the last meaningful contact, including related form records and proportionate supporting material.

Attachments connected with enquiries that do not proceed

These are typically retained only for as long as reasonably necessary for review, follow-up, security, and record keeping, and normally within the relevant enquiry retention period.

Records relating to an advisory engagement, commercial project, supplier relationship, or contractual relationship

These are typically retained for the duration of the relationship and then for up to 6 years afterwards, or longer where legal, tax, accounting, dispute, insurance, or regulatory reasons require this.

Careers, register-interest, collaboration, and talent submissions

These are typically retained for up to 12 months from the last meaningful contact unless earlier deletion is requested or a longer period is justified by an active process, legal reason, or live dispute.

Cookie consent records and preference history

These are typically retained for up to 24 months, or for such other period as is reasonably necessary to demonstrate consent and preference history.

Website security, technical, diagnostic, and access logs

These are typically retained for up to 12 months, subject to operational need, security events, investigation, legal requirements, or system configuration.

Analytics information

Analytics information is retained according to the settings used in the relevant analytics platform and in accordance with consent choices and applicable law.

Actual retention may vary where the circumstances require a longer or shorter period. We review retention periodically and aim not to keep information longer than necessary.

18. Data security

We take reasonable technical and organisational measures to protect personal information against unauthorised access, unlawful processing, misuse, accidental loss, destruction, alteration, or disclosure.

These measures may include access controls, role-based permissions, secure service providers, controlled administrative access, encryption in transit where appropriate, file-handling controls, spam and abuse prevention, malware or security screening, internal review procedures, and record-management practices.

No website, system, email route, form, file-upload process, or transmission method is completely risk free. While we take security seriously, we cannot guarantee that information transmitted to us or stored by our providers will always remain completely secure.

19. Your rights

Subject to applicable law, you may have the right to:

  • request access to the personal information we hold about you;
  • ask that inaccurate or incomplete information is corrected;
  • request deletion in certain circumstances;
  • ask that our use of your information is restricted in certain circumstances;
  • object to particular processing in certain circumstances;
  • object to direct marketing if it is ever carried out;
  • where applicable, request portability of information you provided to us; and
  • withdraw consent where processing is based on consent.

These rights are not absolute and may be subject to conditions, exemptions, identity verification, or competing legal obligations. Where necessary and proportionate, we may ask for information to verify identity before responding to a request about personal information.

We aim to respond to valid rights requests within the period required by applicable law, unless an extension or exemption applies.

20. Data protection complaints

We would welcome the opportunity to address privacy questions, rights requests, and data protection complaints directly first. Please contact hello@fhh.group if you have a question or concern about how personal information has been handled.

If you make a data protection complaint, please provide enough information for us to understand the issue, the relevant interaction or form route, the information involved where known, and the outcome you are seeking. Please do not include unnecessary sensitive information when raising a complaint.

We aim to acknowledge receipt of data protection complaints within 30 days and to take appropriate steps to consider and respond to them without undue delay. Where a matter requires further review, we may ask for additional information, verify identity where necessary, and keep you informed as appropriate.

Where we complete our review of a data protection complaint, we will tell you the outcome without undue delay. This does not affect any rights you may have under applicable data protection law.

You also have the right to lodge a complaint with the Information Commissioner's Office in the United Kingdom if you believe your personal information has been handled unlawfully or unfairly. Information about the ICO is available at www.ico.org.uk.

You also have the right to lodge a complaint with the Information Commissioner’s Office in the United Kingdom if you believe your personal information has been handled unlawfully or unfairly. Information about the ICO is available at www.ico.org.uk.

21. Third-party websites and services

The website may contain links to websites, services, platforms, or resources operated by third parties. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices, security, content, availability, or handling of information.

You should review the relevant privacy materials, cookie notices, and terms of those third parties before interacting with them or providing information through them.

22. Children

The website, advisory enquiry routes, and company-level communications are not directed to children, and we do not knowingly collect personal information from children through the public website.

If you believe that information relating to a child has been submitted without appropriate authority, please contact us and we will review the position promptly.

23. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in the website, legal obligations, service providers, business practices, forms, analytics, cookies, recruitment routes, or the way personal information is handled.

When material changes are made, the effective date at the top of the policy will be updated and, where appropriate, additional steps may be taken to draw the changes to users’ attention.

24. Contact

If you have questions about this Privacy Policy or about the way Fort Hospitality Holdings Limited handles personal information, please contact hello@fhh.group.

You can also write to Fort Hospitality Holdings Limited, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

Home
About
Philosophy
Operating Areas
Team
Advisory
Careers