This policy outlines the basis on which any personal data we collect from you, or that you provide to us, will be processed by SG Analysis Limited via the Shadow Governance Intel website. Please read this policy carefully to understand how we will treat your personal information when you use our site.

SG Analysis Limited (also trading as ‘Shadow Governance Intel’, collectively referred to as “SG”), is committed to complying with internationally recognised standards of privacy protection, and with various privacy laws including the Data Protection Act 1988 (the Act) and the EU General Data Protection Regulation (GDPR).

The data controller is SG Analysis Limited of Chestney House, 149 Market Street, St. Andrews KY16 9PF, U.K.

SG collects the following categories of personal data:

Contact Data: We may collect information about data subjects such as name and contact details (email, phone number, etc.) in order to communicate and facilitate the provision of our services with our clients or potential clients. For example, information that you provide by filling in forms on (e.g. membership, newsletter sign-up), that may include, but is not limited to your name, address, and job details); information provided to us when you report a problem on our site; if you contact us we may keep a record of that correspondence; details of any transactions that you may carry out through our site and of the fulfilment of orders.

Services Data: Personal data may be provided to us by clients to the extent required to perform the services. SG may also acquire personal data from a third party at the direction of our client as required to perform services. 

Marketing Information: We may collect information to respond to inquiries regarding our products and services or to provide you with information, reports, or updates.

Website Visitor Information: when you visit our website, we may collect information about your visit such as your IP address and the pages you visited and when you use our services we may collect information on how you use those services. This is statistical data about our users’ browsing actions, and does not identify an individual.

Clients and other Third parties who provide personal information to SG must do so in compliance with applicable data privacy regulations. 

We collect personal data to offer and administer our services and products. These include political risk, stakeholder profiling, relationship mapping, and other related research and analysis services. As part of providing these services, our clients may require us to collection information on individuals to fulfil our client’s compliance obligations or legitimate business purposes. When we process information on individuals in the context of an investigation, SG is the data controller for European data protection law purposes.

The data you provide to us will be processed in accordance with the purposes specified in this notice, namely:

  • To provide the products or perform the services requested by clients and individuals pursuant to a letter of engagement, statement of work, or similar (where the processing is necessary for our legitimate business interests in conducting and managing our business)
  • To provide the products or perform the services requested by clients and individuals using our website or web applications (where the processing is necessary for our legitimate business interests in conducting and managing our business)
  • For complying with obligations provided by laws and current regulations (where processing is based on a legal obligation)
  • For legitimate business purposes to advise you through e-mail, phone call, or post, in the framework of our ordinary commercial relationship, about other products or services similar to the products or services we have provided to you and that we think will be of interest to you (where the processing is necessary for our legitimate business interests)
  • For marketing purposes. For example, we may use your information to further discuss your interest in the Services and to send you information regarding SG and its group companies such as information about promotions, events, products or services. 
    • If you are located in the EU, we will only send you marketing communications and updates about our products, services and events with your prior consent. You can withdraw your consent at any time. 
    • If you are not located in the EU, you may opt-out of receiving marketing communications and updates at any time.  
    • You can manage your receipt of marketing and non-transactional communications by clicking on the «unsubscribe» link located on the bottom of SG’s marketing emails. Additionally, you may send a request to
    • For operating and improving SG’s website and your customer experience. For example, we may collect and analyse data on your use of our website and process it for the purpose of improving our online experience. Please see our Cookies Policy for additional information.
    •  For security purposes. For example, we may use your data to protect SG and its third parties against security breaches and to prevent fraud and violation of SG’s applicable agreements (where the processing is necessary for our legitimate business interests).

Whenever we process your personal data for our legitimate interests, we make sure to consider and balance any potential impact on you and your rights under data protection laws. Our legitimate business interests do not automatically override your interests - we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You have the right to object to this processing if you wish.

How Data is Processed
Personal data is processed both manually and electronically in accordance with the above-mentioned purposes and in compliance with current regulations. We permit only authorised SG employees and Third-Party processors to have access to your information. Such employees and Third-Party processors are appropriately designated and trained to process data only according to the instructions we provide them.

Where appropriate, we anonymise personal information collected, and we carry out regular checks to ensure that we are not collecting or holding more personal information than is necessary.

SG will retain personal data for a reasonable period, taking into account legitimate business needs to capture and retain such information. Information will also be retained for a period necessary to comply with country specific regulations and requirements, and in accordance with SG’s Document Retention Schedule.

We only share your personal data with your consent or in accordance with this policy. We will not otherwise share, sell or distribute any of the information you provide to us except as described in this Privacy Notice.

  • We share personal data with SG’s parent company for the purposes set out in this notice.
  • SG may share your information with external third parties, such as vendors, consultants and other service providers who are performing certain services on behalf of SG. Such third parties have access to personal data solely for the purposes of performing the services specified in the applicable service contract, and not for any other purpose. SG requires these third parties to undertake security measures consistent with the protections specified in this notice.
  • SG may be required to disclose personal data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.
  • If SG’s business enters into a joint venture with or is merged with another business entity, your information may be disclosed to our new business partners.

If we and the other data controllers listed above are processing your data jointly for the same purposes, SG and the other data controllers may be "joint data controllers" which mean we are all collectively responsible to you for your data. Where each of the parties listed above are processing your data for their own independent purposes then each of us will be independently responsible to you and if you have any questions, wish to exercise any of your rights (see section below) or wish to raise a complaint, you should do so directly to the relevant data controller.

Cross – Border Transfers of Personal Data
SG may transfer personal information collected in Europe to our clients located outside the European Economic Area, but we take steps to ensure that this information is adequately protected..

You have the following rights concerning your data processed by SG:

  • Access: You have the right to access personal information that SG holds about you. Once we have received your request, we will respond within 30 days. There are no fees or charges for the first request, but additional requests for the same personal data or requests which are manifestly unfounded or excessive may be subject to an administrative fee.
  • Rectification: You have the right to ask us to rectify information SG holds about you if it is inaccurate or not complete.
  • Erasure: You can request that SG erase your personal data. We will keep basic data to identify you and retain it solely for preventing further unwanted processing.
  • Restrict Processing: You have the right to ask SG to restrict how we process your data. This means we are permitted to store the data but not further process it. We keep just enough data to make sure we respect your request in the future.
  • Object to Processing: Where processing is based on legitimate interests, you have the right to object to SG processing your data. SG will discontinue processing your data, unless we can demonstrate compelling legitimate grounds for the processing.  We will keep basic data to identify you and retain it solely for preventing further unwanted processing.
  • Portability: Where processing is based on consent or performance of a contract, you have the right to data portability. SG must allow you to obtain and reuse your personal data for your own purposes in a safe and secure way without this effecting the usability of your data. This right only applies to personal data that you have provided to SG as the Data Controller. Once we have received your request, we will respond within 30 days.

Please contact to request access, rectification, or erasure, or to restrict processing, to object to processing, to request data portability.

When exercising any of the rights listed below, in order to process your request, we may need to verify your identity for your security. In such cases we will need you to respond with proof of your identity before you can exercise these rights.

Automated decisions are defined as decisions about individuals that are based solely on the automated processing of data and that produce legal effects that significantly affect the individuals involved.

SG does not make automated decisions using personal data. If automated decisions are to be made, affected persons will be given an opportunity to express their views on the automated decision in question and object to it.

If you choose not to provide certain personal information, it may be an impediment to the exchange of information necessary for the execution of the contract or provision of services, and we may not be able to provide you with some services and you may not be able to participate in some of the activities on our website(s). 

SG retains personal data, as necessary, for the duration of the relevant business relationship. We may also retain personal data for longer than the duration of the business relationship should we need to retain it to protect ourselves against legal claims, use it for analysis or historical record-keeping, or comply with our information management policies and schedules. If you request that we delete your personal data, SG will make reasonable attempts to delete all instances of the information in their entirety. For requests for access, corrections, or deletion, please refer to the "Your Rights" section of this Privacy Policy. 

We are not responsible for the privacy practices of any non- SG operated websites, mobile apps or other digital services, including those that may be linked through SG websites or services, and we encourage you to review the privacy policies or notices published thereon.

SG reserves the right to make changes to this policy without notice, visitors are advised to revisit this policy on a regular basis to see our latest terms and conditions.

Cookies are small amounts of information that are sent from a web server to your browser. Stored on the hard drive of your computer, cookies contain information about the internet sites that you have visited. We may use cookies to store and/or track information about you so that we can deliver a better and more personalised service.

Most web browsers automatically accept cookies, but you can usually change your browser to prevent this. Please note that some of the cookies that we use are essential for the site to operate.

Please contact us at SG with questions, concerns, or complaints:

SG Analysis Limited
Chestney House
149 Market Street
St Andrews
Fife, KY16 9PF