Boru Consulting Group
This Privacy Policy explains how the Boru Consulting Group ("we," "our," or "us") collects, uses, stores, shares, and protects personal data in connection with the services we provide and the operation of our website at www.boruconsulting.com (the "Website").
We are committed to protecting your personal data and processing it in accordance with the applicable data protection legislation in each jurisdiction in which we operate.
The Website is owned and operated by Boru Global (UK) Limited (Company No. 14435343), registered at 23-24 Berkeley Square, London W1J 6HE. Boru Global (UK) Limited is the data controller for all personal data collected through the Website, including contact form submissions, cookie and analytics data, and enquiry data.
Boru Global (UK) Limited is supervised by HMRC for anti-money laundering purposes (Reg. No. XCML00000187357), is registered with Companies House as an Authorised Corporate Service Provider (Agent No. AP000267) under the Economic Crime and Corporate Transparency Act 2023, and is registered with the Information Commissioner's Office (ICO) under reference ZB534745. Boru Global (UK) Limited t/a Boru Consulting.
Where personal data is processed in connection with the delivery of professional services, the data controller will be the group entity with which you have engaged:
Where both entities process your data in connection with a single engagement, they act as joint controllers and have arrangements in place to ensure your rights are protected. You may exercise your rights by contacting either entity.
This policy applies to all personal data processed by the group, including data collected through the Website, in the course of providing professional services, and through our anti-money laundering and client due diligence procedures. A separate Cookie Policy provides further detail on the cookies and tracking technologies used on the Website.
Client and Contact Information: Name, email address, telephone number, postal address, job title, company name, and other details you provide when you contact us or engage our services.
Identity Verification and Due Diligence Data: Identity documents (passport or national identity card copies), proof of address, date of birth, nationality, source of wealth and source of funds documentation, PEP and sanctions screening results, and ACSP identity verification records. See Section 5.
Business and Financial Information: Trade licence copies, corporate registration documents, financial statements, tax records, and other documents provided in connection with our services.
Technical and Website Data: IP address, browser type, device information, pages visited, and cookies. See our Cookie Policy.
Communications Data: Records of correspondence by email, telephone, or other means, including instructions, deliverables, and meeting notes.
UAE processing is carried out under the UAE Federal Decree-Law No. 45 of 2021 and Meydan Free Zone regulations.
Where we file a SAR or STR, we are prohibited by law from informing you. This applies under POCA 2002 and the Terrorism Act 2000 (UK), and equivalent provisions elsewhere.
AML/CDD records: 5 years from cessation. AML-only data deleted at 5 years unless documented exemption. ACSP IDV records: 7 years from date of checks. Overlapping records: 7 years (longer period applies). Internal suspicion reports and MLRO logs: at least 5 years, restricted access. SAR copies: 5 years from date made, restricted access.
Contact us for copies of transfer safeguards (see Section 12).
We retain personal data only as long as necessary or as required by law. The UK entity's Data Retention Policy and Schedule governs specific periods. Key retention periods:
| Category of Data | Retention Period | Legal Basis / Rationale |
|---|---|---|
| AML/CDD records | 5 years from cessation | MLR 2017 Reg. 40. AML-only data deleted at 5 years unless exemption. |
| AML policies, risk assessments, training, audits | 5 years from cessation | Best practice; MLR 2017 compliance. |
| Suspicion reports, MLRO logs | At least 5 years (restricted) | Best practice; tipping-off risk. |
| SAR copies, NCA correspondence | 5 years from date made (restricted) | Best practice; restricted access. |
| ACSP IDV records | 7 years from date of checks | Companies House; ECCTA 2023. |
| Overlapping AML/ACSP records | 7 years | Longer obligation; AML-only data at 5 years. |
| Engagement letters, contracts | 6 years from cessation | Limitation Act 1980. |
| Client correspondence, deliverables | 6 years from cessation | Best practice. |
| Accounting/financial records | 6 years from end of period | Companies Act 2006; HMRC. |
| Client tax working papers | 6 years from end of period | Best practice; HMRC queries. |
| Property deeds (if held) | Ownership + 12 years | Limitation periods. |
| HR records | 6 years after employment ends | Employment claims limitation. |
| Marketing consent records | Consent + 1 year | GDPR consent evidence. |
| Website analytics | 26 months | GA default; reviewed periodically. |
| Enquiry / contact form data | 2 years from last contact | Legitimate interest. |
Disposal is secure, irreversible, and logged. Legal holds override deletion where required.
The Website uses cookies. Full details are in our separate Cookie Policy. Categories: Necessary, Analytics, Marketing, and Preferences. Manage preferences via the cookie consent tool or browser settings.
Contact corporate@boru-consulting.com (UK) or corporate@boru-consulting.com (UAE). Response within one month; extension to three months for complex cases.
UK: Boru Global (UK) Limited, 23-24 Berkeley Square, London W1J 6HE. corporate@boru-consulting.com. +44 (0)20 341 121 48.
UAE: Boru Consulting L.L.C-FZ, Meydan Grandstand, 6th Floor, Meydan Road, Nad Al Sheba, Dubai. corporate@boru-consulting.com. +971 (0)50 435 4530.
Material changes notified by email or website notice at least 30 days before taking effect.