Privacy Policy

This Privacy Policy explains how Bibohmalim collects, uses, discloses, and protects personal data when you visit our website and when you submit inquiries for advisory services. We provide informational and advisory services related to organizational development and business planning. This policy is written to be specific about what we do on this site, including cookie choices and analytics.

1) Introduction and data controller

For the purposes of the UK GDPR and the EU GDPR (where applicable), the data controller is Bibohmalim Advisory Ltd (referred to as “Bibohmalim”, “we”, “us”, or “our”). We determine the purposes and means of processing personal data described in this Privacy Policy.

2) What personal data we collect

We practice data minimization. We collect personal data that is necessary to operate this website, respond to inquiries, and maintain basic security and operational records. Depending on how you interact with the site, we may collect:

• Identity and contact data: full name, business email address, and phone number (only if you choose to provide it in a message or by email).
• Inquiry content: the text you submit in the inquiry form, which may include business context. Please avoid including sensitive personal data in form fields or emails.
• Technical data: IP address, device and browser type, operating system, referral source, pages viewed, and approximate location derived from IP (city/region level).
• Cookie and similar technology data: information stored on your device such as cookie preferences and analytics identifiers (if enabled).
• Server and security logs: timestamps, request URLs, HTTP status codes, and related log data used for security monitoring and service reliability.

We do not intentionally collect special category personal data (for example health data, political opinions, or biometric data). If you voluntarily include such information in an inquiry, we will handle it with care and limit use to responding to you, unless a legal obligation requires otherwise.

3) How we collect personal data

We collect personal data using the following methods:

• Web forms: when you submit the inquiry form on /contact/ or any form provided on this website.
• Email correspondence: when you email us at [email protected] or [email protected].
• Cookies and similar technologies: when you visit pages on this site and your browser stores cookie preferences or analytics identifiers (where permitted).
• Analytics tools: we may use Google Analytics 4 to understand aggregated site usage and improve content. If marketing pixels are ever added, they will be disclosed here and configured to respect consent choices.
• Server logs: our hosting environment may automatically record technical request data to maintain security and availability.

4) Legal bases for processing (GDPR Article 6)

We process personal data only when there is a valid legal basis. Depending on the context, the legal basis may be one or more of the following:

Where we rely on legitimate interests, we consider the impact on your rights and implement safeguards such as minimization, access controls, and retention limits. You can object to certain processing based on legitimate interests as described in the “Your rights” section.

5) Purposes of processing

We process personal data for the following purposes:

• Responding to inquiries: to reply to requests submitted via forms or email, including scoping discussions for advisory services.
• Service delivery and administration: to manage communications, scheduling, and documentation for client engagements.
• Customer support: to address questions and maintain continuity in ongoing correspondence.
• Website operation and security: to maintain site performance, troubleshoot issues, and prevent abuse.
• Analytics (consent-based where required): to understand aggregated user behavior such as which pages are visited and how content performs.
• Legal compliance: to meet legal obligations and to establish, exercise, or defend legal claims.

We do not sell personal data. We do not use personal data to make automated decisions that produce legal or similarly significant effects.

6) Data retention

We keep personal data only for as long as necessary for the purposes described above, unless a longer retention period is required or permitted by law. Typical retention periods are:

• Form submissions and inquiry correspondence: up to 2 years from the date of last contact, to support follow-up and continuity, then deleted or anonymized unless required for legal reasons.
• Client engagement records: typically 6 years after completion, where necessary for contractual, tax, or legal compliance (scope may vary depending on the engagement and applicable law).
• Analytics data: 14 months for user-level analytics data where configured in analytics tools; aggregated reports may be kept longer because they do not directly identify individuals.
• Cookie consent records: stored in your browser via local storage until you clear it or update your preference.
• Server and security logs: typically 90 days, unless needed to investigate security incidents or comply with legal obligations.

When retention periods expire, we delete, anonymize, or securely archive data in line with reasonable technical and organizational measures.

7) Sharing and disclosure of personal data

We may share personal data with service providers (“processors”) that help us operate the website and deliver services. We require processors to protect personal data and to use it only for the services they provide to us.

Categories of recipients may include:

• Hosting and infrastructure providers: to host our website and store operational data.
• Email and productivity providers: to manage correspondence and calendars.
• Analytics providers: such as Google Analytics 4, when enabled and configured.
• Professional advisors: legal, accounting, or compliance advisors, where necessary and subject to confidentiality.

We may also disclose personal data if required to comply with a legal obligation, to protect rights and safety, or to respond to lawful requests by public authorities.

8) International transfers

We are based in the United Kingdom. Some of our service providers may process data in countries outside the UK or the European Economic Area (EEA). Where personal data is transferred internationally, we implement appropriate safeguards, such as:

• Standard Contractual Clauses (SCCs): approved contractual protections for international transfers.
• UK International Data Transfer Addendum: where UK transfer rules apply.
• Adequacy decisions: where the destination country is recognized as providing an adequate level of protection.

You can request further information about safeguards used for specific transfers by contacting us at [email protected].

9) Your rights (GDPR)

Depending on your location and applicable law, you may have the following rights in relation to your personal data:

• Right of access: request confirmation of whether we process your personal data and obtain a copy.
• Right to rectification: request correction of inaccurate or incomplete personal data.
• Right to erasure: request deletion of personal data in certain circumstances.
• Right to restrict processing: request that we limit processing in certain circumstances.
• Right to data portability: receive certain personal data you provided to us in a structured, commonly used format, and transmit it to another controller where technically feasible.
• Right to object: object to processing based on legitimate interests, including certain analytics configurations where applicable, and object to direct marketing at any time.
• Right to withdraw consent: where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise these rights, contact [email protected] with enough information to verify your identity and describe your request. We may ask for additional information to confirm identity and prevent unauthorized access. We aim to respond within applicable legal timelines.

Right to complain: If you are in the UK, you can lodge a complaint with the Information Commissioner’s Office (ICO). ICO contact details: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. Website: ico.org.uk.

10) Cookie policy

Cookies and similar technologies help websites function and help site owners understand how content is used. On this site we use a cookie consent banner and store your choice in your browser (local storage). You can also manage cookies through your browser settings.

Types of cookies

• Strictly necessary: required for core site functionality, including security and basic navigation. These do not require consent in many jurisdictions.
• Analytics: used to understand how visitors use our site (for example, page views and navigation patterns) in aggregated form. These are enabled only where permitted and, where required, based on consent.
• Marketing: if used in the future for advertising measurement or retargeting, these would be disclosed here and would require consent where required by law. At the time of this policy update, the website is designed to be informational and does not require marketing cookies to function.

Cookie duration and controls

Cookie and local storage durations vary by type and provider configuration. Our banner stores your consent choice using local storage under a key similar to cookieConsent until you clear it or change your preference. Analytics cookies, if enabled, may persist for periods configured by the provider; we target a user-level analytics retention period of 14 months where applicable.

To change your cookie preference, you can clear site data in your browser settings, then reload the site to see the banner again. You may also use browser-level controls to block cookies and similar technologies.

11) Children’s privacy

This website is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, please contact [email protected]. If we learn that personal data of a child under 16 has been collected, we will take reasonable steps to delete it.

12) Security measures

We apply reasonable technical and organizational measures to protect personal data, such as access controls, least-privilege handling, and secure configurations. No method of transmission or storage is completely secure. If a security incident occurs that is likely to result in a risk to your rights and freedoms, we will take appropriate steps and, where required, notify affected individuals and regulators.

13) Policy updates

We may update this Privacy Policy to reflect changes to this website, our processing activities, or legal requirements. When updates are made, we will revise the “Last Updated” date at the top of this page. For material changes, we may also provide an additional notice such as a site banner or email notification where appropriate.

14) Contact and data protection inquiries

For privacy questions, requests, or concerns, contact our privacy mailbox. For general service inquiries, use the general contact email or the inquiry form on the contact page.

Service disclaimer: “Bibohmalim provides advisory services related to organizational development and business planning. Outcomes depend on internal processes, management decisions, and external market conditions.”