Skip to main content

Privacy Policy

Last updated: February 2026

1. Introduction & Data Controller

This Privacy Policy explains how Mitton Ridge Partners Ltd, trading as Deal Exchange ("we", "us", "our", or the "Platform"), collects, uses, discloses, and protects your personal data when you use our platform at dealexchange.com and related services.

Data Controller: Mitton Ridge Partners Ltd, a company registered in England and Wales (Company No. 16690549), registered address: Brookmans Park Teleport, Great North Road, Brookmans Park, Hatfield, England, AL9 6NE.

We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

2. Information We Collect

We collect the following categories of personal data:

  • Identity Data: Full name, date of birth, and Companies House registration number (for sellers)
  • Contact Data: Email address, telephone number, and business address
  • Business & Financial Data: Business descriptions, revenue figures, EBITDA, asset values, and other financial information provided in listing forms
  • Account Data: Login credentials (email and authentication tokens), account preferences, investor self-declaration category, and account status
  • Document Data: Documents uploaded to listing data rooms, signed NDAs, and signed agreements
  • Technical Data: IP address, browser type and version, device information, time zone, and operating system
  • Usage Data: Pages visited, features used, listing interactions, access request history, and platform navigation patterns

3. How We Collect Your Data

We collect personal data through the following means:

  • Directly from you: When you create an account, submit a listing, complete forms, upload documents, sign agreements, or contact us
  • Automatically: When you use the Platform, through cookies, server logs, and analytics tools
  • From third parties: Public registry data from Companies House (publicly available information only, retrieved as a convenience feature and not constituting verification by the Platform), authentication providers (Supabase), and payment processors (Stripe)

4. Lawful Basis for Processing

Under UK GDPR Article 6, we process your personal data on the following lawful bases:

Purpose Lawful Basis
Providing platform servicesPerformance of contract (Art 6(1)(b))
Managing user accountsPerformance of contract (Art 6(1)(b))
Processing paymentsPerformance of contract (Art 6(1)(b))
Sending transactional emailsPerformance of contract (Art 6(1)(b))
Platform improvement and analyticsLegitimate interest (Art 6(1)(f))
Fraud prevention and securityLegitimate interest (Art 6(1)(f))
Tax and accounting recordsLegal obligation (Art 6(1)(c))
Marketing communicationsConsent (Art 6(1)(a))

5. Special Category Data

We do not intentionally collect special category data (as defined in UK GDPR Article 9), such as data concerning racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation. If you include such data in documents uploaded to the Platform, you do so at your own risk and consent to its processing as part of the Platform services.

6. How We Use Your Information

We use your personal data to:

  • Operate, maintain, and improve the Platform
  • Provide technology tools that enable connections between buyers and sellers
  • Manage user accounts, registration, and authentication
  • Process payments and fees through our payment processor (Stripe)
  • Generate anonymised listing descriptions from seller-provided data
  • Facilitate the NDA signing process and access request workflow
  • Send transactional communications about your account and listings
  • Detect and prevent fraud, abuse, or unauthorised access
  • Comply with applicable laws and legal obligations

7. Information Sharing

We do not sell your personal data. We share your information only in the following circumstances:

  • Between users: Listing details are shared with buyers only after the seller has granted access and the buyer has signed an NDA. Buyer contact details are shared with sellers only as part of an approved access request.
  • Service providers (data processors): We use third-party processors who act on our instructions, including Supabase (authentication and database hosting), Stripe (payment processing), and email service providers (transactional emails). All processors are bound by data processing agreements.
  • Public registry: We query Companies House (a UK public registry) to retrieve publicly available company data. This is a lookup of existing public records, not a disclosure of your data.
  • Legal requirements: We may disclose personal data if required by law, regulation, legal process, or governmental request.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your personal data may be transferred as part of the transaction, subject to equivalent privacy protections.

8. Data Controller vs Data Processor

We are the Data Controller for personal data collected through your use of the Platform (account information, usage data, technical data).

Sellers are Data Controllers of the business and financial information they provide in their listings and data rooms. The Platform processes this data on behalf of the seller as a Data Processor for the purpose of displaying the listing and facilitating access. The Platform does not verify, audit, or take responsibility for seller-provided data.

9. International Transfers

Some of our third-party service providers are located outside the UK. Where personal data is transferred outside the UK, we ensure that adequate safeguards are in place, including:

  • Transfers to countries that the UK has determined provide an adequate level of data protection
  • Standard contractual clauses (SCCs) approved by the Information Commissioner's Office (ICO)
  • Other appropriate safeguards as required by UK GDPR Chapter V

10. Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected:

  • Active accounts: Data is retained for the duration of your account
  • Inactive accounts: Account data is deleted after 24 months of inactivity
  • Transaction records: Retained for 7 years to comply with HMRC requirements
  • Signed agreements (NDAs, Introducer Agreements): Retained for 7 years from the date of signing
  • Data room documents: Deleted within 90 days of a listing being removed or closed
  • Technical and usage logs: Retained for 12 months
  • Marketing consent records: Retained for the duration of consent plus 12 months

11. Your Rights Under UK GDPR

Under the UK GDPR and the Data Protection Act 2018, you have the following rights:

  • Right of access (Article 15) — Request a copy of the personal data we hold about you
  • Right to rectification (Article 16) — Request correction of inaccurate or incomplete data
  • Right to erasure (Article 17) — Request deletion of your personal data (subject to legal retention requirements)
  • Right to restrict processing (Article 18) — Request limitation of how we use your data
  • Right to data portability (Article 20) — Receive your data in a structured, machine-readable format
  • Right to object (Article 21) — Object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at contact@dealexchange.com. We will respond within one month of receipt of your request, as required by UK GDPR.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

12. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit (TLS/SSL) and at rest (AES-256)
  • Access controls and authentication mechanisms
  • Regular security reviews of our systems
  • Document watermarking for data room files
  • Row-level security policies on database tables

While we take reasonable steps to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

13. Cookies

We use cookies and similar technologies to operate the Platform and analyse usage. For full details on the cookies we use and how to manage your preferences, please see our Cookie Policy.

14. Children's Privacy

The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us and we will take steps to delete such information.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the Platform or sending you an email. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Platform after changes are posted constitutes acceptance of the updated policy.

16. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at:

Mitton Ridge Partners Ltd

Company No. 16690549

Registered in England and Wales

Registered Address: Brookmans Park Teleport, Great North Road, Brookmans Park, Hatfield, England, AL9 6NE

Email: contact@dealexchange.com