Blog Details

European Union Privacy Statement

We reserve the right to modify this Privacy Statement at any time. When we do, we will post the changes on this page. We will give you notice of any materially adverse changes to this privacy policy and may give you notice of all other changes but reserve the right to make such modifications immediately if required. It is your responsibility to regularly check this page to determine if there have been changes to the Privacy Statement and to review such changes.

The most current version of this Privacy Statement can be viewed by visiting our website and clicking on “Privacy Statement” located at the bottom of the pages. Any changes will take effect immediately. The effective date of this Privacy Statement is stated below. Continued access or use of our services following the effective date of any changes shall indicate your acceptance of such changes. If you do not agree to the modified provisions of this Privacy Statement, you must discontinue your access and use of the services.

This Privacy Statement governs the collection and processing of personal data of Limestone Advisory Group affiliates seated in or operating in the European Union. When reference is made to “Limestone Advisory Group”, “we”, “our” or “us”, such reference is to be understood as referring to the affiliate acting as controller of the respective personal data.

Limestone Advisory Group collects your personal data for various purposes, as detailed in this Privacy Statement. When we collect or use your data, we being controller decide how and why your personal data is processed. This Privacy Statement sets out the different ways we collect personal data and how we use it. It also explains your rights in relation to your personal data and how to contact us.

UPDATED: JANUARY 2026

We publish the current version of this Privacy Statement on our website, and we may update this from time to time.

We will notify you of these updates where:

  1. we are making substantial changes; or
  2. we are doing something with your personal data, which you might not expect based on what we have told you in this Privacy Statement.

Please read our Privacy Statement to understand our approach to processing your personal data.

1. Contact Information and Controllership

If you have a question on this Privacy Statement or how we use your personal data, you can contact the data controller at any time. Depending on the service you obtain from us, the Limestone Advisory Group affiliate controlling the processing of your personal data may differ. For your convenience, we have set up a central point of contact which can be reached by way of email. The address is the following:

  1. dsb@limestoneadvisory.com

Alternatively, you can contact the Limestone Advisory Group affiliate controlling your respective personal data. The respective information is provided as part of the service you obtain from us. You may address your communication to the Data Protection Officer at the following addresses:

  1. Limestone Advisory Group, LLC, New York, USA
  2. Limestone Advisory Group GmbH, Berlin, Germany

2. How we collect your personal data

Your personal data is collected by Limestone Advisory Group in a few ways:

  1. Personal data you give directly;
  2. Personal data we collect from third parties;
  3. Personal data we collect from the monitoring of system use.

3. Personal data we collect

We may collect, hold and use the following personal data from or about you. Some of these are optional or depend on Limestone Advisory Group’s obligations to its customers, employees and job applicants:

  1. Contact details: this may include your email address, phone number, telephone number and home address;
  2. Identity details: this may include your first name, maiden name, last name, marital status, title, date of birth and gender;
  3. Health data: this may include your medical certificates, self-certification forms, records of sickness absence, medical reports and health assessments;
  4. Financial data: this may include your billing address, bank account and payment card details;
  5. Criminal offence data: this may include information relating to any criminal convictions or criminal charges secured or brought against you;
  6. Trade union membership data: this may include data about your trade union membership;
  7. Data about your use of Limestone Advisory Group’s websites: this may include your IP address, cookies, web beacons, browser type and version, time zone and language and notification preferences;
  8. Information about how you use our IT, communication, and other systems: this may include your user account, email activity and call details;
  9. Personal data provided when you apply for work with us: this may include personal data you provide in your curriculum vitae and covering letter, information provided as part of the interview process; and
  10. Other personal data about yourself that you provide voluntarily (for example, when you sign up to our services, subscribe to our communications, provide information to us and/ or access certain resources on our website): this may include your interests, social media profile links, job title, emergency contact details and absence records.

4. Personal data we do not collect: Children’s data

Limestone Advisory Group’s websites are intended for use by adults aged 18 years or over and we do not knowingly collect personal data from people under 16 years of age.

5. Who we share your personal data with

We use third party sub-processors and other third-party service providers to provide our service and communicate with you in connection with the purposes set out in the section How and why we use your personal data. We have certain safeguards in place to protect your personal data. For example, written agreements that only permit third party sub-processors to process your personal data for specified purposes and subject to certain security measures.

We routinely share personal data with:

  1. Cloud-based email and data storage providers;
  2. Business application software providers;
  3. Payroll agencies;
  4. Benefit (including pension) providers;
  5. Computer maintenance companies;
  6. Professional advisers;
  7. Other affiliates (Limestone Advisory Group, LLC and other holding and parent companies are all affiliates);
  8. Potential purchasers of the business.

Our carefully selected partners and service providers may process personal information about you on our behalf as described below:

Digital Marketing Service Providers:

We periodically appoint digital marketing agents to conduct marketing activity on our behalf, such activity may result in the compliant processing of personal information.

We may also share anonymous aggregate usage statistics or anonymous individual data for service evaluation and improvement purposes with consultants or research organisations that we work with from time to time. This anonymous data is not itself personal data, and we take care to ensure that individuals cannot be identified (or indeed re-identified) in the data.

6. How and why we use your personal data

Under the EU General Data Protection Regulation (EU) 2016/679 (the “EU GDPR) and the German Federal Data Protection Act (the “BDSG”), (together the “Data Protection Laws”), Limestone Advisory Group is allowed to use personal data only if we have a proper reason to do so. This is called our ‘lawful basis’ for processing. The four main ways that we are permitted to use your personal data are:

  1. When you consent to us using your personal data.
  2. When we fulfil our contractual commitments to you.
  3. When we need to meet our legal obligations.
  4. When it is in our legitimate interests.

Many of these uses are mandatory – in other words, where we need to use your personal data to meet our contractual obligations to you, or to meet our legal obligations. We have provided more detail below on what personal data we use, why and which of the above categories we are relying on for each purpose. We have determined, acting reasonably and considering the circumstances, that we are able to rely on legitimate interests as the lawful basis on which to process your personal data in certain circumstances (we have stated this below and set out our legitimate interests). We have reached this decision by carrying out a balancing exercise to make sure our legitimate interest does not override your privacy rights as an individual. We have provided more detail below on what personal data we process, why we process your personal data and which of the above categories we are relying on for each purpose. We may use your personal data for more than one purpose, depending on the circumstances. There may be situations where we rely on two lawful bases as a matter of course to achieve the same or similar purposes.

7. Links to other websites

You should also be aware that where you link to another website from Limestone Advisory Group , Limestone Advisory Group has no control over that website. Accordingly, Limestone Advisory Group cannot guarantee that the controller of that website will respect your privacy in the same manner as Limestone Advisory Group.

8. Data security and storage

In order to prevent unauthorised access or disclosure, we have put in place suitable policies and procedures to safeguard and secure the information we process.

All Limestone Advisory Group employees are contractually bound to respect the confidentiality of any personal data held by Limestone Advisory Group.

9. Retention of personal data

We shall retain personal data in accordance with our Information Security Policy. In summary:

  1. We use Microsoft 365 for email and file storage.
  2. We are not required to retain any client work product given the nature of our services. Our work output is immediately owned by the client upon delivery and payment. Client information is retained in accordance with a non-disclosure agreement (“NDA“) or engagement letter. We will dispose of client information if requested by a client if it is in accordance with the NDA, engagement letter and regulatory requirements.
  3. We have policies in place to ensure that documents that we do retain are disposed in accordance with applicable laws.

10. Sending data across regions and jurisdictions

The levels of data protection differ from region to region and jurisdiction to jurisdiction. This is due to regional and/or national regulatory differences. As we operate in various regions around the globe, we make sure when transferring personal data across regions and jurisdictions to meet the requirements of each region and/or jurisdiction in due course. This includes adhering to provisions relating to cross-border data transfer. In the following, we provide you with guidance how this is achieved.

11. Marketing

We wish to send you marketing communications for products and services that may be relevant to you. We may also need to send you communications that are not direct marketing communications (service communications by post, telephone or email/MMS/SMS) from time to time. Service communications relate to information that is necessary for us to convey when you are receiving products and services.

We will only contact you, or businesses associated with you, with marketing messages by email/MMS/SMS where we are permitted to do so in accordance with Data Protection Laws and other applicable laws (i.e. where we have collected the appropriate permissions).

Where we rely on your consent, we may seek, or re-seek, your marketing consent any time that there is a change in our marketing strategy or your relationship with us, including where there is a change in law or where there is a structural change in our organisation.

From time to time, we may send you marketing messages by email relating to our own products and services without your consent where you have not opted out of receiving marketing message. Under the Data Protection Laws, we are permitted to do this in relation to existing customers. We will give you the chance to opt out of receiving direct marketing messages by email when we first collect your personal data and, thereafter, in every marketing message that we send (via the “unsubscribe” link at the foot of the marketing message). Where you exercise this option, we will cease to send you marketing message by email. Additionally, you have a right to object to all marketing messages whether electronic marketing or by post or telephone. Please see Your rights below. You are free to change your preferences by contacting us – please see Contact information above.

12. Cookies

A cookie is a file with a small amount of data which is sent to a user’s browser from a web server and stored on a user’s computer, used to store and track information about the user. When you visit our site, we may use cookies containing information (such as unique user ID) to track your usage of our site.

12.1 We use the following types of cookies

  1. Strictly necessary cookies – We use this for the operation of our website. Under the EU GDPR, this is on the basis of Article 6(1)(f).
  2. Analytical or performance cookies – We use this to allow us to recognise and count the number of visitors and see how many visitors move around our website when they are using it. Under the EU GDPR, this is on the basis of your consent according to Article 6(1)(a).
  3. Targeting cookies – We use this to record your visit to our website, the pages you have visited and the links you have followed. Under the EU GDPR, this is on the basis of your consent according to Article 6(1)(a).

12.2 Your consent to the use of cookies and the associated personal data

Cookies and associated personal data used for non-necessary purposes

We will only store and read cookies for non-necessary purposes on your device and process the associated personal data (or allow third party providers and partners to do so) if you have given us your prior consent and have not withdrawn it. We request this using the cookie tool, which is displayed when you visit a page on the website for the first time.

When and how to give your consent

When you visit the website for the first time, you will be asked to give your consent to the non-mandatory cookies and the personal data we collect as a result of their use. You can consent to all non-essential cookies by selecting “Accept all” or refuse consent for all non-essential cookies by selecting “Reject all”. Alternatively, you can consent to cookies according to their respective categories of use. If you do not consent to these cookies, we will not use them or process any personal data in connection with them. Consequently, your provision of personal data in connection with the cookie is voluntary and you can revoke your consent at any time for the future. Until you withdraw your consent, the use of cookies and the associated data processing is lawful.

The duration for which your consent is valid

If you give us your consent to process your personal data using cookies and other technologies, we will rely on this for a period of 6 months from the date on which you last gave us your consent using the cookie tool on this website. After this period, the cookie tool will automatically treat your consent as withdrawn and you will be asked to give your consent again on your first subsequent visit to this website.

How to withdraw your consent

Depending on the type of cookie, you can revoke the consent previously given for cookies in two ways:

  1. The cookie tool is available in the footer of the website. You can access the cookie tool at any time from any page of this website and revoke your consent by switching off the option for the relevant category of cookies using the slider.
  2. Customise the settings in your web browser. Most web browsers are set by default to accept all cookies. However, you have the option to configure your web browser settings so that cookie information is displayed before it is saved or you can reject them outright. You can find details of the different cookie settings available and the associated changes for the most popular web browsers by clicking on the relevant link:
    1. Google Chrome:
      https://support.google.com/accounts/answer/61416?hl=en
    2. Internet Explorer:
      https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies
    3. Microsoft Edge:
      https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy
    4. Mozilla Firefox:
      https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
    5. Opera:
      http://www.opera.com/help/tutorials/security/privacy/
    6. Safari:
      https://support.apple.com/kb/PH19214?locale=cs_CZ&viewlocale=en_US

Please note that any changes to your web browser settings only apply to the web browser for which you have adjusted your settings. If you use more than one web browser on a device, you must change the settings for each browser and each device separately. You may find additional information on cookies in the help function of the browser or operating system or in the operating instructions for your device.

Storage after you have withdrawn your consent

After you have withdrawn your consent to non-necessary cookies, this website will no longer access or read these cookies. Depending on the cookies, this means that files, scripts, codes and other cookie-related information may remain stored on your device. You can delete these cookies by deleting your cookies and browser cache using your web browser settings. For more information on this and how to proceed, please refer to the links for the common browsers mentioned above.

Consequences of refusing/withdrawing your consent

If you refuse or withdraw your consent to the use of non-necessary cookies or associated personal data, the relevant functions or features of this website may either not function properly or not function at all. Your use of the core functions and features of the website will remain unaffected.

How long will we process and store your personal data?

We do not process or store personal data in an identifiable format for longer than necessary. We process and store your personal data for the following periods:
In relation to necessary cookies, the processing of your personal data will end with your browsing session, after which your personal data will be deleted (except in relation to cookies used to store your consent preferences, which we will retain and process for [6] months from the date you granted consent).

All other personal data relating to cookies will be processed until the consent authorising such processing is withdrawn or expires (i.e. after [6] months in most cases). Ten they will be deleted.

13. Data deletion and storage duration

The personal data of the data subject will be deleted as soon as the purpose of storage ceases to apply. Data may also be stored if this is provided for by applicable regulations, laws or other provisions to which Limestone Advisory Group is subject. The data will also be deleted if a storage period prescribed by the aforementioned laws expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

14. Your rights

You have rights regarding your personal data. If you wish to exercise any of your rights outlined below, please contact us using one of the contact details mentioned in Contact information.

Right to access your personal data – You have the right to know if your personal data is being held, what categories of data are held, and to receive a copy of all data about you.

Right to change or remove your details – You have the right to correct any inaccurate data or remove data if it is not necessary for us to hold it where there is no compelling reason for its continued processing by us.

Right to restrict or object to processing – You can object to processing if it could affect your rights, freedoms or interests. For example, you have the right to object to direct marketing and automated decision-making (although we do not engage in the latter).

Right to withdraw consent – where the processing is based on your consent, you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Right to data portability – We will provide your data in a portable format.

Right to lodge a complaint – You also have the right to lodge a complaint with a supervisory authority, although we encourage you to contact us first. Please contact our Data Protection Manager at dsb@limestoneadvisory if you believe that your personal data is not being processed in line with this Privacy Statement. If you are not satisfied with the response, you might wish to lodge a complaint with the competent supervisory authority. You can make a complaint to the Irish Data Protection Commission at www.dataprotection.ie. You can find out on website of UK’s Information Commissioner’s Office how to report a concern at ico.org.uk/concerns/. A list of the German data protection supervisory authorities to which you can submit your complaint can be found at:: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/AufsBehoerdFuerDenNichtOeffBereich/AufsichtsbehoerdenNichtOeffBereich_liste.html.

Note that if you exercise your right to remove your details, to restrict processing or to object, this may adversely affect your ability to obtain our products and services from us, or to use our website.