Privacy Policy
Apex Core Platform
Version: V01.00
Last updated: 15 February 2026
This Privacy Policy explains how Apex Aspire Limited, a company registered in England and Wales under company number 16387803 ("Apex Aspire", "we", "us", or "our"), collects, uses, stores, and protects personal data in connection with the Apex Core platform ("Platform").
We are committed to protecting the privacy and security of personal data in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and all applicable data protection legislation.
1. Data Controller
Apex Aspire Limited is the data controller for personal data processed through the Platform in the course of providing its services. Where we process personal data on behalf of our clients ("Clients"), we act as a data processor, and the Client is the data controller.
Contact details:
- Company: Apex Aspire Limited
- Registered address: C/O Prime Accounts, The Old Church School, Butts Hill, Frome, Somerset, BA11 1HR
- Email: admin@apexaspire.co.uk
2. Personal Data We Collect
2.1 Data provided directly by users
- Account information: Full name, email address, job title, and organisational affiliation.
- Authentication data: Login credentials managed via our authentication provider (Clerk).
- Profile data: Profile photographs, contact preferences, and role-based access information.
2.2 Data generated through use of the Platform
- Activity logs: Records of platform interactions, including pages visited, features used, and timestamps.
- Deal and referral records: Business information entered into the Platform relating to deals, cross-referrals, contacts, events, and advisory work.
- Documents: Files uploaded to the Platform, including proposals, invoices, and deal room documents.
- Feedback and communications: Feedback submissions, comments, and internal notes.
2.3 Technical data collected automatically
- Device information: Browser type, operating system, and screen resolution.
- Connection data: IP address (anonymised where possible) and approximate location.
- Cookies: Session cookies and authentication tokens necessary for Platform operation (see Section 8).
3. How We Use Personal Data
We process personal data for the following purposes:
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Providing and operating the Platform | Performance of a contract (Art. 6(1)(b)) |
| User authentication and access control | Legitimate interests (Art. 6(1)(f)) |
| Managing deals, referrals, and advisory workflows | Performance of a contract (Art. 6(1)(b)) |
| Generating invoices and financial records | Legal obligation (Art. 6(1)(c)) / Contract (Art. 6(1)(b)) |
| Platform security, monitoring, and abuse prevention | Legitimate interests (Art. 6(1)(f)) |
| Improving Platform functionality and user experience | Legitimate interests (Art. 6(1)(f)) |
| Responding to support requests and feedback | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal and regulatory obligations | Legal obligation (Art. 6(1)(c)) |
4. Data Sharing and Third Parties
We do not sell personal data. We share personal data only in the following circumstances:
4.1 Service providers (sub-processors)
We engage third-party service providers who process data on our behalf, subject to appropriate contractual safeguards:
| Provider | Purpose | Data Location |
|---|---|---|
| Vercel | Platform hosting and deployment | EU (Frankfurt) |
| Airtable | Backend data storage | United States (with EU SCCs) |
| Cloudflare R2 | Document storage | EU (jurisdiction-locked) |
| Clerk | Authentication and identity management | United States (with EU SCCs) |
| Resend | Transactional email delivery | United States (with EU SCCs) |
4.2 Client organisations
Where you access the Platform through a Client organisation, that Client may have access to data you enter in the course of your work on the Platform, in accordance with the Master Subscription Agreement.
4.3 Legal requirements
We may disclose personal data where required by law, regulation, or court order, or to protect the rights, property, or safety of Apex Aspire, our Clients, or others.
5. International Data Transfers
Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office.
- Adequacy decisions where the UK has recognised a country as providing adequate data protection.
- Supplementary measures as required, including encryption in transit and at rest.
Further details of our international transfer safeguards are available on request.
6. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected:
| Data Type | Retention Period |
|---|---|
| Account and authentication data | Duration of active account + 12 months after deactivation |
| Deal and referral records | Duration of Client subscription + 24 months |
| Uploaded documents | Duration of Client subscription + 12 months, or as required by the Client |
| Activity logs | 12 months (rolling) |
| Invoicing and financial records | 7 years (UK legal requirement) |
At the end of the applicable retention period, personal data is securely deleted or anonymised.
7. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption: TLS 1.2+ in transit; AES-256 at rest for stored documents.
- Access controls: Role-based access with multi-factor authentication (MFA) enforced via Clerk.
- Infrastructure security: Vercel serverless architecture with automatic patching; Cloudflare DDoS protection and bot mitigation (Turnstile).
- Data sovereignty: Document storage restricted to EU-jurisdiction Cloudflare R2 endpoints.
- Monitoring: Automated security monitoring and incident response procedures.
For a comprehensive overview of our security practices, please refer to our Security & Data Governance Overview document (AC-SEC-001).
8. Cookies
The Platform uses a minimal set of cookies, all of which are strictly necessary for operation:
| Cookie | Purpose | Duration |
|---|---|---|
| __clerk_* | Authentication session management | Session |
| __apex_verify | Cached user verification (avoids repeated API calls) | 5 minutes |
| cf_clearance | Cloudflare bot protection verification | 30 minutes |
We do not use analytics cookies, advertising cookies, or third-party tracking cookies. No cookie consent banner is required as all cookies fall within the "strictly necessary" exemption under the Privacy and Electronic Communications Regulations 2003.
9. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate or incomplete data.
- Right to erasure — Request deletion of your data where there is no compelling reason to continue processing.
- Right to restrict processing — Request limitation of processing in certain circumstances.
- Right to data portability — Receive your data in a structured, machine-readable format.
- Right to object — Object to processing based on legitimate interests.
- Rights related to automated decision-making — The Platform does not make solely automated decisions with legal or similarly significant effects.
To exercise any of these rights, please contact us at admin@apexaspire.co.uk. We will respond within one calendar month of receiving your request.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the Platform or by email. The "Last updated" date at the top of this policy indicates when the most recent changes were made.
11. Complaints
If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office:
- Website: ico.org.uk
- Telephone: 0303 123 1113
We encourage you to contact us first at admin@apexaspire.co.uk so that we can attempt to resolve your concern.
Apex Aspire Limited is registered in England and Wales under company number 16387803. Registered address: C/O Prime Accounts, The Old Church School, Butts Hill, Frome, Somerset, BA11 1HR.