Effective date: 6 January 2026
1. Who we are and scope
This Privacy Policy explains how HamiltonBC (“HamiltonBC”, “we”, “us”, or “our”) collects, uses, discloses, and protects personal data in connection with the website available at hamiltonbc.com and hamiltonbc.com subdomains (the “Website”). HamiltonBC is the data controller for the processing described in this Policy.
This Policy is intended to comply with applicable data protection laws, including the EU/EEA General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, and relevant United States state privacy laws such as the California Consumer Privacy Act as amended (CCPA/CPRA), the Colorado Privacy Act (CPA), the Virginia Consumer Data Protection Act (VCDPA), the Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA).
2. Personal data we collect
2.1 Information you provide to us
- Contact details such as name, email address, phone number, company name, job title, and any message content when you submit a form, request information, or communicate with us.
- Account or subscription details if you create an account or sign up for newsletters or updates.
- Business and professional information you provide when inquiring about or engaging our services.
- Preferences and consents (for example, marketing preferences and cookie choices).
2.2 Information collected automatically
- Device and usage data such as IP address, browser type, operating system, referring URLs, pages viewed, links clicked, approximate location (derived from IP), and timestamps. We may collect this via cookies, pixels, SDKs, and similar technologies.
- Security and performance logs, including event logs for debugging, fraud prevention, and service integrity.
2.3 Information from third parties
- Information from service providers and partners, such as analytics providers, hosting providers, and customer relationship management tools.
- Business contact information from publicly available sources or business data providers to help us identify prospective business customers.
3. Purposes and legal bases for processing
We process personal data for the following purposes and, where the GDPR/UK GDPR applies, on the following legal bases:
- Providing and operating the Website: to deliver pages, content, and features; ensure availability and performance; and respond to your requests and inquiries.
Legal basis: performance of a contract or taking steps at your request prior to entering into a contract; legitimate interests (to provide and maintain our services). - Customer service and communications: to communicate with you, manage relationships, and provide requested information.
Legal basis: performance of a contract or legitimate interests (to respond to inquiries and manage relationships). - Marketing and newsletters: to send updates, news, event invitations, and promotional communications, and to measure campaign effectiveness.
Legal basis: consent where required (e.g., EEA/UK); legitimate interests where permitted (for example, “soft opt-in” to existing customers, subject to local law). You can opt out at any time. - Analytics and improvement: to understand usage, improve content, and develop new features.
Legal basis: consent where required (e.g., for non-essential cookies in the EEA/UK); legitimate interests (to analyze and improve our Website) where permitted. - Security and fraud prevention: to detect, prevent, and address security incidents, protect against malicious activity, and maintain the integrity of our systems.
Legal basis: legitimate interests (to secure our services); legal obligation where applicable. - Compliance and legal purposes: to comply with laws and regulations, enforce our terms, and protect our rights and the rights of others.
Legal basis: legal obligation; legitimate interests (to establish, exercise, or defend legal claims).
Where we rely on consent, you may withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.
4. Cookies and similar technologies
We use cookies, web beacons, pixels, and similar technologies to operate the Website, remember your preferences, analyze traffic, and, where applicable, support marketing. Cookies may be “session” cookies (expire when you close your browser) or “persistent” cookies (stored for a defined period).
- Strictly necessary cookies: required for core functionality and security. These are set on the basis of our legitimate interests and do not require consent.
- Functional and preference cookies: help remember choices and enhance your experience. Consent may be required depending on your location.
- Analytics cookies: help us understand how the Website is used to improve performance. In the EEA/UK, these are used with your consent.
- Advertising/targeting cookies: if used, these support interest-based advertising. In the EEA/UK, these are used only with your consent.
Your choices: You can manage cookie settings through your browser or device settings to delete or block cookies. If you are in a region where consent is required, we will request it via a consent banner and honor your choices. Some browsers offer Global Privacy Control signals; see section 12 below.
Retention: In the EEA/UK, non-essential cookies are generally retained for no longer than 13 months. Other regions may use similar or shorter durations. Server logs used for security and diagnostics are typically retained for up to 12 months unless longer is required for investigations.
5. How we share personal data
We share personal data with the following categories of recipients for the purposes outlined above:
- Service providers and processors that host the Website, provide analytics, security, communications, and other business support services, under contracts that require appropriate data protection and confidentiality.
- Professional advisers (legal, compliance, accounting) as necessary for compliance and governance.
- Authorities and third parties where required by law or to protect rights, safety, and property, or to respond to lawful requests.
- Successors or affiliates in connection with a corporate transaction (e.g., merger, acquisition, reorganization), subject to appropriate safeguards.
We do not sell personal information and we do not share it for cross-context behavioral advertising as those terms are defined by applicable U.S. state privacy laws. If our practices change, we will provide required notices and opt-out mechanisms.
6. International data transfers
We may transfer personal data to countries outside your country of residence, including to countries that may not provide the same level of data protection. Where required, we implement appropriate safeguards, such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum or other legally recognized transfer mechanisms, supplemented by transfer impact assessments and additional technical and organizational measures as appropriate. You can contact us to request more information about these safeguards.
7. Data retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Policy or as required by law. Typical retention periods include:
- Inquiries and correspondence: up to 24 months after our last interaction, unless a longer period is needed to manage a request or dispute.
- Marketing contacts: until you unsubscribe; we will remove or suppress your details within a reasonable time after you opt out, and in any case within 30 days.
- Contract and transaction records: typically 6–7 years after the end of the relevant relationship to comply with legal, tax, and audit obligations.
- Security and audit logs: typically up to 12 months unless needed longer for investigations.
- Cookies and analytics: as described in section 4.
When data is no longer needed, we will delete or anonymize it in accordance with our retention practices and applicable law.
8. Data security
We implement technical and organizational measures designed to protect personal data, including encryption in transit, access controls, security logging, vulnerability management, and personnel training. While we work to protect your information, no method of transmission or storage is completely secure and we cannot guarantee absolute security.
9. Your privacy rights
9.1 EEA and UK residents
You have the right to request access to your personal data, rectification, erasure, restriction of processing, data portability, and to object to processing based on legitimate interests or for direct marketing. Where processing is based on consent, you may withdraw consent at any time. You also have the right to lodge a complaint with your data protection authority.
9.2 United States state privacy rights
Depending on your state of residence, you may have the right to:
- Know and access the categories and specific pieces of personal information we have collected about you.
- Correct inaccuracies in your personal information.
- Delete personal information, subject to exceptions.
- Receive your personal information in a portable format.
- Opt out of the processing of personal information for targeted advertising, the sale of personal information, or certain profiling. We currently do not sell or share personal information for cross-context behavioral advertising.
- Appeal a decision if we decline to act on your request (where applicable).
- Be free from discriminatory treatment for exercising your rights.
We will respond to verifiable consumer requests within required timeframes (generally 45 days, with a possible extension where permitted by law).
9.3 Marketing communications
You can opt out of marketing emails at any time by using the unsubscribe instructions in our emails or by contacting us. We may still send you non-marketing messages related to the Website or our relationship with you.
9.4 Cookie choices
You can manage cookies via your browser settings. Where a consent banner is presented, your selections will be honored for the categories of cookies you choose to allow or reject.
10. How to exercise your rights and contact our Data Protection Officer
To exercise your rights or make a privacy inquiry, contact our Data Protection Officer:
Data Protection Officer
HamiltonBC
Email: privacy@hamiltonbc.com
To protect your information, we may need to verify your identity before responding to a request. Authorized agents may submit requests where permitted by law, subject to verification of the agent’s authority and the consumer’s identity. If we decline your request, you may have the right to appeal; instructions will be provided in our response where applicable.
11. Children’s privacy
The Website is not directed to children and we do not knowingly collect personal data from anyone under 16 years of age. If you believe a child has provided us with personal data, please contact us so we can take appropriate steps to delete the information.
12. Do Not Track and Global Privacy Control
Some browsers transmit “Do Not Track” signals. Because there is no industry standard for DNT, we do not respond to DNT signals. Where legally required, we will honor Global Privacy Control (GPC) signals as an opt-out preference for certain types of processing.
13. Third-party sites and services
The Website may include content or functionality provided by third parties. This Privacy Policy does not apply to third-party websites, services, or practices that we do not control. We encourage you to review the privacy policies of those third parties before interacting with them.
14. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. If we make material changes, we will take appropriate steps to notify you, consistent with the significance of the changes. The “Effective date” at the top indicates when this Policy was last updated.
15. Additional information
If you have any questions about this Privacy Policy or how we handle your personal data, contact our Data Protection Officer at privacy@hamiltonbc.com.