Privacy & Cookie Policy

Last updated: 22 June 2026

This notice is issued, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR"), to users who interact with the website accessible at www.martingalerisk.co.uk ("Website").

This notice applies exclusively to the Website and not to any other sites the user may visit via links contained within it; for those, please refer to their respective privacy notices.

All personal data collected through this Website are processed and protected by Martingale Risk Italia S.r.l., established in the European Union (Italy) and therefore subject to the GDPR. Users based in the United Kingdom are equally recognised as exercising all the rights set out below. Cookies and similar technologies used on this Website also comply with the Privacy and Electronic Communications Regulations 2003 (PECR) applicable in the United Kingdom.

1. Data Controller

The Data Controller is Martingale Risk Italia S.r.l.

• Registered address: Largo del Nazareno 15, 00187 Rome (Italy)

• VAT number: IT 10408251006

• Telephone (Italy): +39 06 32652828

• Telephone (UK office): +44 (0)20 7368 3364

• Email: info@martingalerisk.com

• Certified email (PEC): martingalerisk@legalmail.it

2. Categories of Personal Data Processed

The Controller processes the following categories of data:

a) Browsing data
The computer systems and software procedures used to operate the Website collect, in the course of their normal operation, certain data whose transmission is implicit in the use of Internet communication protocols. This includes: IP address, browser type and device parameters, Internet Service Provider (ISP) name, date and time of visit, referring and exit pages, and number of clicks. These data are used solely to obtain anonymous statistical information about the use of the Website and to monitor its correct functioning and security.

b) Data provided voluntarily by the user
The optional, explicit and voluntary sending of messages via the contact form, sending emails to the addresses listed on the Website, submitting a curriculum vitae, or using the chat service results in the acquisition of the sender's contact details (first name, surname, email, telephone) and any other personal data included in the communication.

c) Data collected via cookies and similar technologies
Please refer to the Cookie Policy in the second part of this document.

3. Purposes of Processing and Legal Bases

Personal data are processed for the following purposes, each based on a specific legal basis:

#PurposeLegal basis

1Responding to requests submitted via form, email, chat or telephonePerformance of pre-contractual measures and/or contract at the data subject's request — Art. 6(1)(b) GDPR

2Provision of consultancy and assistance servicesPerformance of a contract — Art. 6(1)(b) GDPR

3Compliance with legal obligations (tax, accounting, anti-money laundering, etc.)Legal obligation — Art. 6(1)(c) GDPR

4Website security, fraud prevention, system logsLegitimate interests of the Controller — Art. 6(1)(f) GDPR

5Sending newsletters, commercial communications and informational material about servicesFreely given, specific, informed and withdrawable consent — Art. 6(1)(a) GDPR

6Profiling and retargeting via Google Ads, Meta/Facebook Ads and similar toolsExpress consent via cookie banner — Art. 6(1)(a) GDPR + PECR

7Management of job applications (CVs)Pre-contractual measures and data subject's consent — Art. 6(1)(b) and (a) GDPR

Provision of data for purposes 1, 2, 3 and 7 is necessary: refusal means it will be impossible to process the request or establish the relationship. Provision of data for purposes 5 and 6 is optional: refusal does not affect the use of the Website or the provision of services.

4. Retention Periods

Data are retained for the time strictly necessary for the purposes for which they were collected, and in particular:

• Contact and enquiry data: 24 months from the last contact, unless a contractual relationship is subsequently established;

• Client data: for the entire duration of the contractual relationship and, subsequently, for 10 years from its termination, for civil and tax purposes;

• Data for marketing and newsletter purposes: until consent is withdrawn and in any event no longer than 24 months from the last interaction;

• Data for profiling/retargeting purposes: until consent is withdrawn and in any event no longer than 12 months;

• CVs and job applications: 24 months from receipt, unless otherwise agreed;

• Security and browsing logs: maximum 12 months, unless specific retention obligations apply or investigation of unlawful conduct is necessary.

Upon expiry of the above periods, data are permanently deleted or irreversibly anonymised.

5. Recipients and Data Processors

Data may be accessed, within the limits of their respective responsibilities, by:

• persons authorised to process data pursuant to Art. 29 GDPR (employees and collaborators in the administrative, commercial, marketing, legal and IT functions);

• Data Processors appointed pursuant to Art. 28 GDPR, including in particular:

  • hosting and cloud infrastructure providers;

  • email and certified-email service providers;

  • CRM and marketing automation providers (e.g. HubSpot);

  • chat and support service providers (e.g. Tawk.to);

  • advertising service providers (e.g. Google, Meta);

  • law firms and professional advisers;

  • audit and accounting/tax consultancy firms.

Data are not disclosed and are not sold or communicated to third parties for their own promotional purposes without the explicit consent of the data subject.

An up-to-date list of Data Processors is available upon request by writing to info@martingalerisk.com.

6. International Transfers

Some of the providers referred to above (in particular Google LLC, HubSpot Inc., Tawk.to Inc., Meta Platforms Inc.) are established or carry out processing operations outside the European Economic Area, typically in the United States of America.

Transfers take place in compliance with Arts. 44 et seq. GDPR, on the basis of one of the following safeguards:

• Adequacy decision by the European Commission (in particular the EU–U.S. Data Privacy Framework, for certified US providers);

• Standard Contractual Clauses (SCC) approved by the European Commission, supplemented where necessary by additional technical and organisational measures.

Users based in the United Kingdom should note that data flows between Italy (EU) and the United Kingdom are covered by the UK adequacy decision adopted by the European Commission, meaning personal data may be transferred to and from the UK without additional safeguards.

The data subject has the right to obtain a copy of the applicable safeguards by writing to info@martingalerisk.com.

7. Rights of the Data Subject

Pursuant to Arts. 15–22 GDPR, the data subject has the right, at any time, to:

• obtain access to their personal data and information about its processing (Art. 15);

• obtain rectification of inaccurate data or completion of incomplete data (Art. 16);

• obtain erasure ("right to be forgotten") of data (Art. 17);

• obtain restriction of processing (Art. 18);

• receive notification of rectifications, erasures or restrictions carried out (Art. 19);

• obtain data portability to themselves or to another controller (Art. 20);

• object to processing on legitimate grounds, and in any case to processing for direct marketing purposes (Art. 21);

• not be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects (Art. 22);

• withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal (Art. 7(3) GDPR).

To exercise these rights, please write to info@martingalerisk.com or by certified email to martingalerisk@legalmail.it. The Controller will respond within 30 days of receipt of the request (extendable by a further 60 days in complex cases, with notification to the data subject).

Right to Lodge a Complaint

A data subject who considers that the processing of their personal data infringes the GDPR may lodge a complaint with the supervisory authority of the EU Member State of their habitual residence, place of work, or place of the alleged infringement. The competent authority for the Controller is:

• Garante per la Protezione dei Dati Personali (Italian Data Protection Authority) — www.garanteprivacy.it — Piazza Venezia 11, 00187 Rome, Italy.

Users based in the United Kingdom may also contact the Information Commissioner's Office (ICO) — www.ico.org.uk — Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK — which may refer the matter to the competent lead supervisory authority pursuant to the applicable cooperation mechanisms.

8. Security

The Controller adopts appropriate technical and organisational measures pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk, including — by way of example — encryption in transit (HTTPS/TLS), access controls, periodic data backups, training of authorised personnel, and procedures for detecting and managing personal data breaches.

9. Minors

The services offered by the Website are not intended for individuals under the age of 14 years. The Controller does not knowingly collect personal data from minors under this age; any data collected in error will be deleted without delay. Parents or guardians who become aware that a minor has provided personal data are asked to contact the Controller at info@martingalerisk.com.

10. Changes to this Notice

The Controller reserves the right to modify this notice at any time, as a result of new legal requirements or changes to processing activities. Changes will be communicated by publication on the Website, with the date of the last update indicated. Users are therefore invited to consult this page periodically.

Cookie Policy

1. What Are Cookies?

Cookies are small text files that visited websites send to the user's device, where they are stored and then retransmitted to the same websites on subsequent visits. Similar technologies (web beacons, pixels, local storage, fingerprinting) are used for comparable purposes and are subject to the same rules. On this Website, the use of cookies and similar technologies also complies with the Privacy and Electronic Communications Regulations 2003 (PECR), applicable in the United Kingdom.

2. Types of Cookies Used

2.1 Technical cookies (no consent required)

These are strictly necessary for the Website to function and for the delivery of services requested by the user. They include session/navigation cookies, functionality cookies (which remember preferences such as language), and analytical cookies used solely for statistical purposes in aggregate form with anonymised IP addresses, managed by the Controller.

2.2 Profiling and marketing cookies (consent required)

These are used to build profiles of the user and to deliver advertising messages in line with preferences expressed during browsing. These cookies are only installed following the user's express consent given via the cookie banner.

3. List of Tools Used

ToolProviderCategoryPurposeDurationPrivacy Policy

CloudflareCloudflare Inc. (USA)TechnicalSecurity, CDN, anti-DDoSSessionhttps://www.cloudflare.com/privacypolicy/

Google Tag ManagerGoogle Ireland Ltd. (IE)Technical (tag manager)Technical management of other tagsSessionhttps://policies.google.com/privacy

Google FontsGoogle Ireland Ltd. (IE)TechnicalFont loadingSessionhttps://policies.google.com/privacy

Font AwesomeFonticons Inc. (USA)TechnicalIcon loadingSessionhttps://fontawesome.com/privacy

HubSpot CRM & Lead ManagementHubSpot Inc. (USA)Profiling / MarketingLead management, CRM, conversion trackingUp to 13 monthshttps://legal.hubspot.com/privacy-policy

Google Ads – Conversion TrackingGoogle Ireland Ltd. (IE)Profiling / MarketingConversion monitoring, retargetingUp to 13 monthshttps://policies.google.com/privacy

Meta Pixel (Facebook)Meta Platforms Ireland Ltd. (IE)Profiling / MarketingRetargeting on Facebook/InstagramUp to 13 monthshttps://www.facebook.com/privacy/policy/

VimeoVimeo Inc. (USA)Profiling / MarketingEmbedded video playbackUp to 24 monthshttps://vimeo.com/privacy

Tawk.toTawk.to Inc. (USA)FunctionalSupport chatSession / persistenthttps://www.tawk.to/privacy-policy/

4. Managing Consent

On first access to the Website, users are shown a banner that allows them to:

• Accept all cookies;

• Reject all non-technical cookies;

• Select individual categories via "View preferences".

Users may change their preferences at any time by clicking the "Manage consent" link at the bottom of every page of the Website.

5. Browser-Level Controls

Alternatively, users may manage or disable cookies through their browser settings:

• Google Chrome: https://support.google.com/chrome/answer/95647

• Mozilla Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer

• Apple Safari: https://support.apple.com/guide/safari/manage-cookies-sfri11471/mac

• Microsoft Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09

• Opera: https://help.opera.com/en/latest/web-preferences/#cookies

Disabling all cookies may result in reduced functionality or unavailability of certain areas of the Website.

6. Social Network Plugins

The Website may embed social network plugins (Facebook, Instagram, YouTube, LinkedIn, WhatsApp). These plugins are configured so as not to install cookies when the page is accessed: cookies are only installed as a result of the user's voluntary interaction with the plugin. For the respective policies, please refer to:

• Meta (Facebook/Instagram): https://www.facebook.com/privacy/policy/

• YouTube (Google): https://policies.google.com/privacy

• LinkedIn: https://www.linkedin.com/legal/privacy-policy

• WhatsApp: https://www.whatsapp.com/legal/privacy-policy-eea

For any clarification or to exercise the rights recognised under the GDPR, please write to info@martingalerisk.com or by certified email to martingalerisk@legalmail.it.