Nabarro Consulting

Privacy policy

Last updated: 5 May 2026

About this policy

This policy describes how Nabarro Consulting collects, uses and protects personal data when you use nabarroconsulting.com. The data controller is David Nabarro, trading as Nabarro Consulting, an autónomo registered in Spain and based in Mallorca. For any questions about this policy or your data, email david@nabarroconsulting.com.

The principle: anonymous by default

The self-assessment is designed to be taken without giving up any personal information. No login. No name. No email required to read your recommendations on screen. An email address is only requested if you want the PDF version sent to your inbox, and even then it is the only piece of personal data captured by the assessment itself.

This is deliberate. The audience for this practice is family-office teams, where confidentiality is the operating norm. The architecture of the site reflects that.

What we collect, and what we don't

The self-assessment. The answers you submit (a small set of multiple-choice responses across four operational areas), and an email address only if you ask for the PDF emailed to you. We do not collect your name, your firm, your IP address, or any identifying information at the assessment stage.

The website itself. Standard server logs (IP address, browser type, page accessed, timestamp), used for security and abuse prevention. We use privacy-respecting analytics (Cloudflare Web Analytics) to count pageviews and measure performance; this does not set cookies, does not track individual visitors across pages or sites, and does not store personal data. We do not use advertising cookies or behavioural profiling.

Booking a call. When you book a call via our scheduling provider, you provide your name, email, and any questions you choose to share. Booking data is held by Cal.com and used to manage the booking.

The contact form on the about page. Name, email and message content, used only to respond to your enquiry.

Why we process this data

Under GDPR Article 6, we rely on:

  • Consent when you submit the self-assessment, request the PDF, book a call, or use the contact form
  • Legitimate interest for basic server logs (security and abuse prevention) and for responding to enquiries you initiate

Third parties who process data on our behalf

We use a small set of established service providers to run the site. Each is bound by their own data processing terms.

  • Anthropic (United States). Receives your assessment answers via their API to generate the recommendations. Per Anthropic's commercial terms, API data is not used to train their models. See trust.anthropic.com.
  • Convex (Ireland). Temporarily stores assessment data while it is being processed. Hosted within the European Economic Area.
  • Resend (United States). Sends the recommendation PDF to your inbox if you request it.
  • Cal.com (United States). Handles call bookings if you book one.
  • Cloudflare (United States). Receives anonymised request data via a small JavaScript beacon to count pageviews and measure performance. Cloudflare Web Analytics does not set cookies, does not track individual visitors, and does not store personal data.
  • Netlify (United States). Hosts the website and serves it to your browser.

International data transfers

Anthropic, Resend, Cal.com, Cloudflare and Netlify are based in the United States, so processing your data involves a transfer outside the European Economic Area. These transfers are made under standard contractual clauses or equivalent safeguards approved by the European Commission. Convex processing stays within the EEA.

How long we keep your data

  • Self-assessment answers and any optional email: up to 90 days, then deleted.
  • Booking data: retained per Cal.com's standard retention while the booking is active and for a short period after.
  • Contact form messages and email correspondence: kept while the conversation is active, and for a reasonable period after, unless you request earlier deletion.
  • Server logs: short retention, typically 30 days or less.

Your rights

Under GDPR and UK GDPR you can:

  • Request a copy of the personal data we hold about you
  • Ask us to correct anything inaccurate
  • Ask us to delete your data
  • Object to certain processing
  • Lodge a complaint with the Spanish data protection authority (AEPD, www.aepd.es) or your local supervisory authority

To exercise any of these rights, email david@nabarroconsulting.com. Because the assessment is anonymous, we may not always be able to identify your specific data unless you can provide enough context (such as the email address used or the approximate date of the submission).

Cookies

The site uses only essential cookies needed for the self-assessment to function. The Cloudflare Web Analytics beacon described above does not set any cookies and does not enable identification across sessions or sites. We do not use advertising cookies.

Changes to this policy

If we update this policy, we will change the Last updated date at the top. Material changes will be highlighted at the top of the page for a reasonable period.

Contact

For any questions about this policy, your data, or how Nabarro Consulting handles privacy, email david@nabarroconsulting.com.