Privacy Policy

This Privacy Policy explains how Cherry Blossom Consulting LTD (“FoundationState”, “we”, “us”, or “our”) collects, uses, stores, and protects personal data when representatives of investors, acquirers, boards, management teams, and businesses visit this website, submit an enquiry, or otherwise interact with us through our public marketing channels.

FoundationState is the trading name used by Cherry Blossom Consulting LTD trading as FoundationState for its independent advisory work focused on Technical Due Diligence, Product Due Diligence, and related technology and product risk assessment for investors, acquirers, and businesses.

For the purposes of UK data protection law, including the UK GDPR and the Data Protection Act 2018, FoundationState acts as the data controller for the personal data described in this policy.

You can contact us about privacy matters at contact@foundationstate.com.

We collect personal data that business and professional users choose to provide to us and limited technical data generated by the operation of the website.

When you use our contact form, we may collect:

• First name
• Last name
• Email address
• Company name
• Service interest selection
• Message content and any other information you include in your enquiry

We may also receive standard technical request data from our hosting or infrastructure providers, such as IP address, browser or device information, and server or request logs needed to deliver the site, maintain availability, and investigate faults, misuse, or security events affecting the website or our enquiry workflow.

Please do not submit special category data, criminal offence data, or highly confidential information through the public contact form unless we have specifically asked for it and a suitable confidentiality arrangement is already in place.

If this type of information is sent to us unintentionally, we may delete it where it is not needed or apply heightened access controls and retention restrictions where continued handling is required for legal, compliance, or engagement-related reasons.

We use personal data for the following business purposes:

• To receive, review, and respond to enquiries submitted through the website
• To understand your diligence or advisory requirements and assess service fit
• To understand the transaction, advisory, technology, or product context of your enquiry
• To communicate with you about a prospective engagement or related follow-up
• To maintain enquiry records and internal business administration
• To support basic website security, technical diagnostics, and service continuity

We do not use the contact form to profile you, make automated decisions about you, or run advertising audiences based on your enquiry data.

Under the UK GDPR, we must have a lawful basis for processing personal data. For the activities described in this policy, we rely primarily on the following lawful bases:

• Steps at your request before entering into a contract: where you ask us to discuss a possible due diligence or advisory engagement, prepare for a call, assess scope, or review whether our services are suitable.
• Legitimate interests: to manage business enquiries, maintain records, operate and secure the website, protect the integrity of our systems and public channels, and run a professional business-to-business enquiry process.

If we ever need to rely on consent for a specific activity, we will make that clear at the point of collection.

We do not sell personal data. We may share personal data with service providers who help us operate the website and process business enquiries, including:

• Supabase: Contact form database storage, supporting infrastructure, and serverless workflow processing.
• Email notification providers used by our contact workflow: Routing or sending contact-form notifications where the workflow is enabled.
• Website hosting and infrastructure providers: Delivering the site, maintaining availability, and supporting technical security and diagnostics.

We may also disclose personal data where necessary to comply with legal obligations, protect our rights, respond to lawful requests, or manage actual or threatened claims.

Some of the service providers we use may process personal data outside the UK. Where this happens, we take reasonable steps to ensure that any transfer is protected in accordance with UK data protection law.

Depending on the provider and destination, this may include relying on adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to standard contractual clauses, the UK-US Data Bridge where applicable, or other lawful transfer mechanisms recognised under the UK GDPR.

If you would like more information about the safeguards relevant to a particular transfer scenario, you can contact us using the details in this policy.

We keep enquiry data only for as long as it is reasonably necessary for the purposes set out in this policy. As a working standard, we retain enquiry records for up to 24 months after our last meaningful contact with you, unless we need to keep it for longer to establish, exercise, or defend legal claims, comply with legal obligations, or manage a live engagement process.

We may keep information for longer where this is necessary to comply with legal obligations, manage a live engagement or dispute, or protect our legal position.

Technical and security logs are generally kept for up to 12 months, unless a longer period is needed for security investigations, dispute management, legal claims, or compliance obligations.

Based on the current configuration of this website, we do not intentionally deploy non-essential analytics, advertising, or tracking cookies.

Our infrastructure providers may still process limited technical request data, caching information, or security-related logs as part of delivering the site and protecting it against misuse. Those technical processes are used for operational and security purposes, not behavioural advertising.

If we introduce non-essential cookies or analytics tools in future, we will update this Privacy Policy and, where required, implement an appropriate consent mechanism.

You may have the following rights, depending on the circumstances:

• The right to be informed about how your personal data is used
• The right of access to the personal data we hold about you
• The right to rectification if your personal data is inaccurate or incomplete
• The right to erasure in certain circumstances
• The right to restrict processing in certain circumstances
• The right to object to processing based on legitimate interests
• The right to data portability in certain circumstances
• Rights in relation to automated decision-making and profiling, although we do not currently use personal data for those purposes on this site

We will assess and respond to rights requests in accordance with UK data protection law.

To exercise your data protection rights, please contact us at contact@foundationstate.com and describe your request clearly. We may need to verify your identity, confirm the scope of your request, or ask for clarification before responding.

If you have a complaint about how we have handled personal data, please raise it with us first so that we can investigate it. We aim to acknowledge privacy complaints promptly, review them fairly, and respond within a reasonable period.

If you believe that we have not handled your personal data properly, you also have the right to complain to the Information Commissioner’s Office (ICO), the UK data protection regulator, via the ICO website or its published contact channels.

This website and our public content are intended for business and professional audiences seeking information about due diligence and technology or product advisory services.

We may update this Privacy Policy from time to time to reflect legal, operational, or service changes. The version published on this page is the current version.