Privacy Policy

Effective Date: 29th June 2026
Last reviewed: 29th June 2026
Organisation: Cornerstone Resources HR Consultancy

1. Introduction

Cornerstone Resources HR Consultancy is committed to protecting the privacy and security of personal information. This policy explains how we collect, use, store, protect and share personal data when individuals visit our website, contact us, make enquiries, receive or use our services, attend training or events, apply for roles, work with us, or otherwise engage with our business.

This policy has been prepared to support transparency under UK data protection law, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and relevant updates introduced by the Data (Use and Access) Act 2025. It should be read alongside any separate privacy information, cookie information or service-specific notices we provide in relation to specific services, recruitment activity, employment matters or client work.

2. Who We Are

Cornerstone Resources Limited, trading as Cornerstone Resources HR Consultancy, is a private limited company registered in England and Wales under company number 10982868. Our registered office is Equitas House, 6 Station View, Stockport, SK7 5ER.

For the purposes of data protection law, Cornerstone Resources Limited is the data controller for personal data we collect and use for our own business purposes, including through our website at www.cornerstoneresources.co.uk. Where we provide HR consultancy support to clients and process personal data on their behalf, we may act as a data processor. In those circumstances, the client will usually be the data controller and responsible for providing privacy information to the individuals whose personal data is being processed. We will process that personal data only in accordance with the client’s documented instructions, our contractual obligations and applicable data protection law.

General enquiries can be sent to [email protected] or made by telephone on 0161 647 7990. Data protection enquiries should be sent to [email protected].

3. Personal Data We May Collect

We may collect and use different types of personal data depending on how you interact with us. This may include:

  • Contact details, such as name, job title, organisation, email address, telephone number and business address.
  • Enquiry information, such as details submitted through our website contact forms, emails, telephone calls or other communications.
  • Client and service information, such as information needed to provide HR consultancy, employee relations, investigation, training, salary and benefits advice, policy or advisory services.
  • Recruitment information, where individuals apply for roles or send us CVs, covering letters or related information.
  • Website and technical information, such as IP address, browser type, device information, pages visited and information collected through cookies or similar technologies.
  • Supplier and business contact information, where needed to manage commercial relationships.

In some circumstances, we may process more sensitive types of personal data where this is relevant, necessary, and lawful. This may include special category data, such as health information, disability or reasonable adjustment information, or information relating to employment matters. It may also include information relating to criminal allegations, convictions, offences, DBS checks, safeguarding concerns, disciplinary matters, investigations or related proceedings, particularly where we support clients with recruitment, safeguarding, regulated-sector or employment-related matters. We will only process this type of information where we have a lawful basis, where an additional legal condition applies where required, and where appropriate safeguards are in place.

4. Sources of Personal Data

We may collect personal data from different sources, depending on the nature of our relationship with you and the services we provide. This may include personal data collected:

  • Directly from you, for example when you contact us, complete a website form, subscribe to updates, attend training, apply for a role, provide information during a meeting, or communicate with us by email, telephone or other channels.
  • From your employer, organisation or representative, for example, where they ask us to provide HR consultancy, employee relations, investigation, training, policy or advisory support.
  • From our clients, where they provide information that is necessary for us to deliver services or support them with workplace matters.
  • From recruitment sources, such as CVs, application forms, referees, recruitment platforms, agencies or professional networking sites.
  • From business contacts, suppliers, professional advisers or third parties involved in providing services, managing contracts or dealing with legal or compliance matters.
  • From publicly available sources, such as professional websites, business directories, Companies House, LinkedIn or other professional networking platforms, where relevant and appropriate.
  • From our website and IT systems, including website forms, analytics tools, cookies, system logs, security records and other technical information generated when you use our website or communicate with us electronically.

Where we receive personal data from another source, we will use it only where we have a lawful basis to do so and where it is relevant, necessary, and proportionate for the purpose for which it is processed.

5. How We Use Personal Data

We may use personal data for the following purposes:

  • To respond to enquiries submitted through our website, email or telephone.
  • To provide HR consultancy and related professional services to clients.
  • To manage client relationships, contracts, billing and administration.
  • To deliver training, meetings, workshops and advisory support.
  • To manage recruitment, onboarding and employment-related processes.
  • To comply with legal, regulatory, tax, accounting and record-keeping obligations.
  • To protect our business, systems and confidential information.
  • To improve our website, services and communications.

6. When Providing Personal Data Is Required

In some circumstances, we need personal data because it is required by law, necessary to enter into or perform a contract, or needed so that we can provide services, respond to enquiries or manage our business relationship with you or your organisation.

For example, we may need contact and business information to respond to enquiries, manage client relationships, arrange training, or provide consultancy services. We may need contract, billing and payment information to administer agreements and comply with accounting, tax and record-keeping obligations. In recruitment or employment-related contexts, we may need information to assess applications, check eligibility to work, manage onboarding, support reasonable adjustments, or comply with employment law obligations.

If you do not provide information that is necessary for a legal, contractual or service-related purpose, we may not be able to respond to your enquiry, provide the requested service, enter into or perform a contract, process an application, meet legal obligations or continue a relevant business relationship.

Where information is optional, such as consent-based marketing preferences, optional feedback or non-essential cookies, you can choose not to provide it or withdraw your consent where applicable. Choosing not to provide optional information will not affect your ability to use our core website or services, although some optional features, communications or preferences may not be available.

7. Our Lawful Bases for Processing

We only use personal data where we have a lawful basis to do so. Depending on the circumstances, we may rely on one or more of the following lawful bases:

  • Contract: where processing is necessary to enter into or perform a contract with you or your organisation.
  • Legal obligation: where we need to comply with a legal or regulatory requirement.
  • Legitimate interests: where processing is necessary for our legitimate business interests, provided those interests are not overridden by individual rights and freedoms.
  • Consent: where we ask for clear consent for a specific purpose, such as certain marketing or optional communications.

Where we process special category data, we will only do so where an additional lawful condition applies, such as employment law obligations, legal claims, explicit consent, or another permitted condition under data protection law.

PurposePersonal data commonly usedLikely lawful basisAdditional notes
Responding to website, email, telephone or general business enquiriesName, contact details, organisation, role, enquiry details and communication recordsLegitimate interests or contract, where the enquiry relates to taking steps before entering into a contractOur legitimate interest is to respond to enquiries, provide information about our services and manage business communications.
Providing HR consultancy and related professional servicesClient contact details, employee relations information, employment records, case information, meeting notes, investigation material and service correspondenceContract, legitimate interests and legal obligation, depending on the nature of the serviceWhere we process personal data on behalf of a client, we may act as a processor. Where special category data is involved, an additional condition will be identified.
Managing client relationships, contracts, billing and administrationBusiness contact details, contract information, billing records, payment information and correspondenceContract, legal obligation and legitimate interestsOur legitimate interest is to manage our business operations, maintain records and administer client relationships.
Delivering training, meetings, workshops and advisory supportName, role, organisation, contact details, attendance information, training records, feedback and communicationsContract and legitimate interestsOur legitimate interest is to arrange and deliver services, maintain attendance records and improve the quality of our support.
Recruitment, onboarding and employment-related processesApplication details, CVs, references, interview notes, right to work information, employment records and onboarding documentationContract, legal obligation and legitimate interestsSpecial category data may be processed where necessary for employment law obligations, equality monitoring, reasonable adjustments, health information or legal claims.
Complying with legal, regulatory, tax, accounting and record-keeping obligationsIdentity information, contact details, financial records, contracts, correspondence, case records and compliance documentationLegal obligation and legitimate interestsWe may need to keep certain records to demonstrate compliance, respond to legal requests, manage disputes or establish, exercise or defend legal claims.
Protecting our business, systems, confidential information and legal rightsAccount access information, system logs, security records, correspondence, case records and relevant evidenceLegitimate interests and legal obligationOur legitimate interest is to maintain security, prevent misuse, protect confidential information and manage legal or operational risk.
Improving our website, services and communicationsWebsite usage data, analytics information, feedback, service interaction data and communication preferencesLegitimate interests or consent, depending on the technology or communication usedWhere consent is required, such as for certain cookies or marketing activity, we will seek consent and allow it to be withdrawn.
Sending marketing, service updates or event informationName, organisation, role, email address, communication preferences and engagement informationConsent or legitimate interests, depending on the type of communication and the relationship with the recipientIndividuals can opt out of marketing communications at any time. Electronic marketing will be managed in line with applicable privacy and electronic communications rules.

8. Who We Share Personal Data With

We may share personal data where it is necessary, lawful and proportionate to do so. This may include sharing information with clients, where we provide HR consultancy or related services; professional advisers, such as legal, insurance, finance or accounting advisers; IT, cloud, software, website hosting, secure document storage, email, communications, HR, payroll, accounting, case management or training platform providers; regulatory bodies, law enforcement agencies or public authorities where required by law; and other service providers or third parties where necessary to provide our services, protect our rights, manage our business operations or comply with legal obligations.

Where third parties process personal data on our behalf, we expect them to handle it securely, use it only for the agreed purpose and process it only in accordance with our instructions, contractual obligations and applicable data protection law.

9. How We Store and Protect Personal Data

We use appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration or disclosure. These measures may include access controls, secure systems, password protection, multi-factor authentication, confidentiality obligations and staff awareness measures.

We use business systems such as Microsoft 365, including SharePoint, OneDrive and Outlook, and other appropriate HR or business platforms to manage information securely.

Where clients ask us to support, administer or access their HR systems, we may process personal data within client-authorised HR platforms, employee management systems or related software. This may include systems used to store or manage employee records, absence information, employment documents, payroll-related information, performance records, training records, disciplinary or grievance information, recruitment information or other HR data.

In these circumstances, we usually act on the client’s documented instructions and the client remains responsible for deciding what personal data is held in those systems, why it is used, how long it is kept, and what privacy information is provided to its employees, workers, candidates or other relevant individuals. We will only access or use information in those systems where it is necessary to provide the agreed HR consultancy, administration or support services, and in line with our contractual obligations, confidentiality duties and applicable data protection law.

Although we take appropriate steps to protect personal data, no system, method of transmission or method of storage can be guaranteed to be completely secure. We therefore keep our security arrangements under review and take reasonable steps to reduce risks to personal data.

10. How Long We Keep Personal Data

We only keep personal data for as long as necessary for the purposes for which it was collected, including legal, regulatory, accounting, reporting, contractual or legitimate business purposes. Retention periods may vary depending on the type of information, the reason it is held and any legal, regulatory, contractual or client service requirements that apply.

Specific retention periods may be set out in our internal retention schedules, client contracts, service arrangements or other relevant policies. Where it is not possible to specify a fixed retention period, we will decide how long to keep personal data by considering the nature of the information, the purpose for which it is held, legal or regulatory requirements, limitation periods, contractual obligations and whether the information may be needed to establish, exercise or defend legal claims.

When personal data is no longer required, we will securely delete, destroy or anonymise it in line with our data retention and disposal arrangements.

11. International Transfers

Some of the systems or service providers we use may process personal data outside the UK. Where this happens, we will ensure appropriate safeguards are in place, such as an adequacy decision, standard contractual clauses, an international data transfer agreement, or another lawful transfer mechanism recognised under UK data protection law.

12. Cookies and Website Analytics

Our website may use cookies and similar technologies to make the website work, keep it secure, improve how it performs, understand how visitors use it and support a better user experience. Cookies may collect technical information such as device information, browser type, pages visited, time spent on pages and general usage patterns.

Some cookies are essential or strictly necessary for the website to operate securely and effectively. These may be used without consent where they are required to provide the website or a service requested by the user.

We may use analytics tools, such as Google Tag Manager, Google Analytics 4, Microsoft Clarity and HubSpot, to help us understand how visitors use our website and improve its performance. Analytics information may include pages visited, time spent on the website, how visitors arrived at the website, approximate location, device type, browser, operating system and interactions with website content.

Some cookies or similar technologies may be used without consent where an applicable legal exemption applies, for example where they are strictly necessary or used only for a permitted low-risk purpose. Where consent is required, including for advertising, personalised marketing, behavioural tracking, social media tracking or similar non-essential purposes, we will ask for consent before using those cookies.

When you first visit our website, you may be asked whether you accept or decline certain cookies. If you decline non-essential cookies, your information will not be tracked for analytics or similar non-essential purposes during your visit. A single cookie may be placed in your browser to remember your preference not to be tracked, so that we do not ask you to make the same choice repeatedly.

A separate cookie notice, cookie banner or cookie preference tool may be used on our website to explain the specific cookies in place, their purpose, duration, provider and how users can manage their choices. Where visitors are able to manage cookie preferences, withdrawing consent should be as easy as giving it.

13. Marketing and Newsletters

We may use personal data to send newsletters, service updates, event invitations, training information, HR or employment law updates, and information about services that may be relevant to clients, prospective clients or business contacts. This may include name, job title, organisation, business email address, communication preferences and engagement information, such as whether an email has been opened or links have been clicked.

Where required by law, we will only send electronic marketing where we have consent or where the soft opt-in applies. The soft opt-in may apply where we obtained contact details during a sale, negotiation or enquiry about our services, the marketing relates to similar services, and the recipient was given a clear opportunity to opt out when their details were collected and in each further message.

For business-to-business marketing, we may rely on legitimate interests where this is permitted and where the communication is proportionate, relevant and not unexpected. Our legitimate interest is to promote our services, share relevant HR and employment law updates, maintain business relationships and keep contacts informed about training, events and service developments.

You can opt out of marketing communications at any time by using the unsubscribe link or instructions in a marketing email, updating your communication preferences where a preference tool is available, or contacting us at [email protected]. You also have the right to object to direct marketing at any time. If you opt out or object, we will stop using your personal data for direct marketing and may keep limited details on a suppression or “do not contact” list to prevent further marketing being sent by mistake.

We will aim to action opt-out requests as soon as reasonably practicable. If a marketing message has already been prepared or sent before your opt-out is processed, you may still receive that message, but we will take steps to prevent further marketing being sent to you. Service messages that are necessary to administer an existing client relationship, contract, training booking or service arrangement may still be sent, provided those messages do not include promotional content.

14. Individual Rights

Individuals have rights under data protection law, subject to certain conditions and exemptions. These rights may include the right to:

  • Access personal data held about them.
  • Request correction of inaccurate or incomplete data.
  • Request deletion of personal data in certain circumstances.
  • Object to processing or request restriction of processing.
  • Request data portability where applicable.
  • Withdraw consent where processing is based on consent.

To exercise these rights, please contact us using the details in this policy. We may need to verify identity before responding to a request.

15. Automated Decision-Making

We do not currently use solely automated decision-making, including profiling, to make decisions about individuals that produce legal effects or similarly significant effects.

If this changes in the future, and we use automated decision-making in a way that has a legal or similarly significant effect on an individual, we will provide clear information about the decision-making process and the safeguards available. These safeguards may include the right to make representations, challenge the decision and request meaningful human intervention.

Where automated decision-making involves special category data, such as health information, we will only use it where permitted by law and where appropriate additional safeguards are in place.

16. Children’s Data

Our website and services are not generally aimed at children. However, we may process children’s personal data where this is relevant to the services we provide, for example where a client asks us to support an employment, HR, safeguarding, family-related employment matter, work experience arrangement or other workplace issue involving a child or young person. Where we process children’s personal data, we will take particular care to ensure that the information is relevant, necessary, proportionate and handled with appropriate safeguards.

17. Complaints

You have the right to complain to us about how we have collected, used, stored, shared or otherwise handled your personal data.

You can raise a data protection complaint by contacting [email protected]. Please include enough information for us to understand the nature of your concern and, where relevant, the personal data or processing activity your complaint relates to.

In line with the Data (Use and Access) Act 2025, we will acknowledge receipt of your complaint within 30 days. We will take appropriate steps to consider and respond to your complaint without undue delay. This may include making enquiries, reviewing relevant records, verifying identity where appropriate, and keeping you informed of progress.

Once we have considered your complaint, we will inform you of the outcome without undue delay.

You also have the right to complain to the Information Commissioner’s Office (ICO), the UK regulator for data protection matters. We encourage you to contact us first so we can try to resolve your concern, but you may contact the ICO at any time if you remain dissatisfied.

18. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our services, legal requirements or how we process personal data. The latest version will be made available on our website.

19. Contact Us

For questions about this privacy policy or how Cornerstone Resources Limited, trading as Cornerstone Resources HR Consultancy, handles personal data, please contact:

Cornerstone Resources Limited

Trading as Cornerstone Resources HR Consultancy

Company number: 10982868

Registered office: Equitas House, 6 Station View, Stockport, SK7 5ER

General enquiries: [email protected]

Telephone: 0161 647 7990

Data protection enquiries: [email protected]