Click the Buttons Below to view our
Policies
PRIVACY NOTICE Sombra Ltd Company Number: 16561039 Registered Office: Floor 3, 86–90 Paul Street, London, EC2A 4NE Effective Date: 01/03/2026 Sombra Ltd is registered with the Information Commissioner’s Office (ICO) as a Data Controller. 1. Who We Are Sombra Ltd (“Sombra”, “we”, “us”, “our”) is a United Kingdom registered company providing private investigations, surveillance, intelligence, protective security, and related advisory services. We act as a Data Controller in relation to personal data processed through our website and in connection with our professional services. Contact Details Email: contact@sombraglobal.com Telephone: +44 2038052410 Registered Office: Floor 3, 86–90 Paul Street, London, EC2A 4NE Data protection queries should be directed to: contact@sombraglobal.com 2. Our Legal Framework We process personal data in accordance with: UK General Data Protection Regulation (UK GDPR) Data Protection Act 2018 Privacy and Electronic Communications Regulations (PECR), where applicable In accordance with Article 5 UK GDPR, personal data is: Processed lawfully, fairly, and transparently Collected for specified, explicit and legitimate purposes Adequate, relevant and limited to what is necessary Accurate and kept up to date Retained only as long as necessary Processed securely using appropriate technical and organisational measures All operational activities are guided by principles of legality, necessity, proportionality, and accountability. 3. Categories of Personal Data We Process A. Website and Enquiry Data When individuals visit our website or contact us via website forms, email, or telephone, we may process: Name Email address Telephone number IP address Device and browser information Website usage data Information voluntarily provided in enquiry forms Where analytics cookies are enabled, website usage data may include unique online identifiers and IP address information. Analytics processing is conducted only where valid consent has been actively provided and is governed by our Cookie Policy. Non-essential cookies are technically blocked until consent is obtained. B. Client and Business Contact Data Where individuals or organisations engage our services, we may process: Identification and contact details Billing and contractual information Correspondence records Assignment instructions Due diligence and verification documentation where appropriate C. Investigative and Operational Data In the course of providing investigative, surveillance, intelligence, or protective security services, we may process personal data necessary and proportionate to fulfil the lawful objective of an assignment. This may include: Identifying information Contact details Vehicle registration numbers Time-stamped observations Photographic or video evidence Location-related observations Incident records Employment or credential verification information Where processing involves special category data (Article 9 UK GDPR) or criminal offence data, processing is conducted strictly in accordance with Article 9 UK GDPR and applicable Schedule 1 conditions under the Data Protection Act 2018. Surveillance and operational activities are: Objective-led Time-bound Limited to what is necessary Conducted in accordance with lawful authority We do not engage in unlawful interception of communications, unauthorised tracking, or unlawful intrusion into private premises. D. Recruitment and Engagement Data We may process personal data relating to employment or subcontractor opportunities received via: Website forms Direct email correspondence Third-party recruitment platforms Professional networking platforms This may include: CVs and employment history Qualifications and certifications Professional memberships References Identity documentation Right-to-work documentation Third-party recruitment platforms act as independent Data Controllers for their own services. Once Sombra Ltd accesses or stores applicant data, we act as Data Controller for that processing. Access to applicant data is restricted to authorised personnel on a need-to-know basis. 4. Lawful Basis for Processing We process personal data under one or more of the following lawful bases: Article 6(1)(b) – Performance of a contract or steps prior to entering into a contract Article 6(1)(f) – Legitimate interests (including investigative necessity, protective security operations, risk management, and business governance) Article 6(1)(c) – Compliance with legal obligations Article 6(1)(a) – Consent (including website analytics and certain optional communications) Our legitimate interests include the provision of lawful investigative and protective security services, prevention of fraud and misconduct, protection of client assets, safeguarding of individuals, and maintenance of business security and governance. Website analytics processing is conducted on the basis of Article 6(1)(a) – Consent, and is not undertaken unless consent has been actively provided. Where reliance is placed on Article 6(1)(f) (legitimate interests), Sombra Ltd conducts and documents a Legitimate Interests Assessment (LIA) where appropriate. Where special category or criminal offence data is processed, relevant Article 9 and Schedule 1 conditions are identified and documented. 5. Data Protection Impact Assessments (DPIAs) Where processing is likely to result in high risk to individuals’ rights and freedoms, including certain surveillance or security operations, a Data Protection Impact Assessment (DPIA) is conducted in accordance with Article 35 UK GDPR. 6. Data Sharing We may share personal data strictly on a lawful and need-to-know basis with: Instructing solicitors and legal representatives Professional advisers Approved subcontractors under contractual confidentiality and data protection obligations Service providers operating under Data Processing Agreements Law enforcement or regulatory authorities where required by law We do not sell, rent, trade, or commercially exploit personal data. 7. International Transfers Where personal data is transferred outside the United Kingdom, appropriate safeguards are implemented, including: UK adequacy regulations International Data Transfer Agreements (IDTA) Standard Contractual Clauses (where applicable) 8. Data Retention Personal data is retained only for as long as necessary and proportionate for the purpose for which it was collected. Typical retention periods include: Website enquiries (where no engagement results): up to 12 months Client records and contractual documentation: up to 6 years Recruitment data (unsuccessful applicants): up to 6 months Raw surveillance material not forming part of final evidential output: deleted following conclusion of the assignment unless required for ongoing legal proceedings Retention may be extended where litigation, insurance claims, or regulatory review is anticipated. Data exceeding retention periods is securely deleted or destroyed. 9. Data Security In accordance with Article 32 UK GDPR, we implement appropriate technical and organisational measures including: Full disk encryption on company devices Role-based access controls Strong authentication standards Multi-factor authentication where appropriate Encrypted storage media Structured case management systems Secure deletion procedures Controlled physical document storage In the event of a personal data breach presenting risk to individuals’ rights and freedoms, we will notify the ICO within 72 hours where required and inform affected individuals where high risk exists. 10. Automated Decision-Making Sombra Ltd does not conduct automated decision-making or profiling that produces legal or similarly significant effects. 11. Your Rights Under UK GDPR, individuals have the right to: Access their personal data Rectify inaccurate data Request erasure (where lawful) Restrict processing Object to processing Withdraw consent where applicable Lodge a complaint with the ICO Requests will be responded to within one calendar month, subject to identity verification and applicable lawful exemptions. Exemptions under Schedule 2 and Schedule 3 of the Data Protection Act 2018 may apply where disclosure would prejudice crime prevention, legal proceedings, or regulatory functions. To exercise your rights, contact: contact@sombraglobal.com 12. Complaints If you are dissatisfied with how we process personal data, you may contact: Information Commissioner’s Office (ICO) www.ico.org.uk 13. Updates This Privacy Notice may be updated periodically to reflect legal, regulatory, operational, or technological changes. The most current version will always be available on our website.
COOKIE POLICY Sombra Ltd Company Number: 16561039 Registered Office: Floor 3, 86–90 Paul Street, London, EC2A 4NE Website: www.sombraglobal.com Effective Date: 01/03/2026 Sombra Ltd is registered with the Information Commissioner’s Office (ICO) as a Data Controller. This Cookie Policy explains how we use cookies and similar technologies in accordance with: Privacy and Electronic Communications Regulations (PECR) UK General Data Protection Regulation (UK GDPR) Data Protection Act 2018 1. What Are Cookies? Cookies are small text files placed on your device when you visit a website. They enable website functionality, enhance security, and, where consent is provided, allow limited analytics measurement. Certain cookies may collect information such as IP address, browser type, device information, and usage data. Where such information can identify an individual, it is treated as personal data under UK GDPR and processed in accordance with our Privacy Notice. Cookies may be: Session cookies – deleted when you close your browser Persistent cookies – stored for a defined period or until manually deleted Cookies do not provide access to files or information beyond what is described in this policy. 2. Categories of Cookies We Use A. Strictly Necessary Cookies These cookies are essential for the secure and functional operation of our website. They support: Secure page loading Network management Session integrity Load balancing Fraud prevention Protection against malicious activity Under Regulation 6 of PECR, strictly necessary cookies do not require user consent. These cookies are deployed automatically when you access the website. B. Analytics Cookies (Consent-Based) Where enabled, we use analytics tools to understand general website usage patterns and improve performance. Analytics cookies: Are not deployed unless valid consent is obtained May assign a unique identifier to your browser Collect aggregated usage data Are not used for behavioural advertising Are not used for cross-site tracking Non-essential cookies are technically blocked until valid consent is provided via our consent management platform. If consent is declined, analytics cookies will not be set. C. Functional Cookies (Where Applicable) Certain functional cookies may be used to: Store user preferences Manage consent settings Support optional website features Where such cookies are not strictly necessary, they are deployed only after consent. D. We Do Not Use Advertising or Profiling Cookies Sombra Ltd does not use: Behavioural advertising cookies Retargeting technologies Third-party marketing pixels Data resale mechanisms We do not monetise visitor data. 3. Legal Basis for Cookie Use Strictly necessary cookies are deployed under Regulation 6 PECR. Non-essential cookies (including analytics and certain functional cookies) are deployed only where: Consent is provided under Regulation 6 PECR Lawful basis under Article 6(1)(a) UK GDPR applies Consent is: Freely given Specific Informed Unambiguous Users may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. 4. Consent Mechanism When you first visit our website, a cookie banner allows you to: Accept all cookies Reject non-essential cookies Customise preferences Non-essential cookies are not deployed unless you actively provide consent. Consent choices are retained for 14 days, after which users are prompted to reconfirm their preferences. Records of consent (including timestamp and technical identifiers necessary to demonstrate lawful consent) are retained for up to 90 days for accountability and regulatory compliance purposes. Users may update or withdraw consent at any time via the cookie settings link available on the website. 5. Third-Party Hosting Our website is hosted by Wix.com Ltd. Wix may place strictly necessary platform and security cookies to ensure website functionality and integrity. Wix acts as a Data Processor in relation to hosting services and processes data in accordance with contractual data protection obligations. 6. Cookie Inventory A current inventory of active cookies, including: Cookie name Provider Purpose Category Duration is available through the website’s cookie settings panel. The cookie inventory is dynamically generated based on current deployment and is periodically reviewed to ensure alignment between technical implementation and published policy. 7. International Data Transfers Certain hosting or analytics services may involve processing outside the United Kingdom. Where personal data is transferred internationally, appropriate safeguards are implemented in accordance with UK data protection law, including: UK adequacy regulations International Data Transfer Agreements (IDTA) Approved transfer mechanisms 8. Relationship to Our Privacy Notice For detailed information about: Categories of personal data Lawful bases for processing Retention periods Individual rights Please refer to our Privacy Notice. 9. Contact If you have questions regarding this Cookie Policy or our use of cookies, please contact: Email: contact@sombraglobal.com Registered Office: Floor 3, 86–90 Paul Street, London, EC2A 4NE