Fair Handover

Version 1.4 · Effective 26 May 2026

Privacy Policy

This Privacy Policy explains how Mitigate IT Limited (Company No. 16874891), trading as Fair Handover (“we”, “us”, “our”) collects, uses, and protects your personal data in accordance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

Summary

  • We collect only the data necessary to operate a business marketplace.
  • We do not sell personal data or use third-party advertising trackers.
  • Seller contact details are only shared after NDA execution.
  • Broker directory listings are published with the broker’s consent and can be withdrawn at any time.
  • You have full rights under UK GDPR (access, deletion, etc.).

1 Who we are

Mitigate IT Limited (Company No. 16874891), trading as Fair Handover, is the data controller for personal data processed via the Platform.

  • Registered in England and Wales
  • Registered office: 41 Plassey Street, Penarth, CF64 1EL
  • Company number: 16874891
  • ICO registration number: ZC049130

Contact: privacy@fairhandover.co.uk

2 Personal data we collect

We apply data minimisation and only collect what is necessary.

2.1 Account data

  • Name
  • Email address
  • Phone number (optional)
  • Encrypted authentication credentials (managed via Supabase)
  • Account role (buyer/seller/broker)

2.2 Seller data

  • Listing content (business details, financials, descriptions)
  • NDA-gated data (business identity, contact details)
  • Payment records (processed by Stripe — we do not store card data)

2.3 Buyer data

  • Identity details (name, email, optional phone)
  • Signed NDA records (including timestamp, IP address, and document version)
  • Messages sent via the Platform

2.4 Activity and technical data

  • IP address
  • Device/browser information
  • Platform interactions (views, searches, enquiries)

3 Cookies and similar technologies

We use only strictly necessary storage required to operate the Platform:

  • Authentication session tokens
  • Locally stored draft listing data
  • Saved favourites

We do not use:

  • analytics cookies
  • advertising trackers
  • third-party marketing pixels

Under the Privacy and Electronic Communications Regulations (PECR), these are considered strictly necessary, and therefore no cookie consent banner is required.

You may clear storage via your browser settings at any time.

4 Lawful basis for processing

We rely on the following lawful bases:

4.1 Contract

To provide Platform functionality, including:

  • account management;
  • listing publication;
  • NDA execution;
  • transactional communications.

4.2 Legitimate interests

We process data where necessary for our legitimate interests, including:

  • operating and securing the Platform;
  • fraud prevention and misuse detection;
  • service improvement (using aggregated or de-identified data);
  • enforcing contractual rights, including:
    • verifying fees owed;
    • investigating suspected breaches;
    • conducting proportionate audits where justified.

We conduct a balancing test to ensure these interests do not override your rights.

4.3 Legal obligation

Including:

  • financial record-keeping (HMRC requirements);
  • legal dispute handling;
  • regulatory compliance.

4.4 Consent

Used only where required, including:

  • optional communications (e.g. marketing, if introduced).

You may withdraw consent at any time.

5 Data sharing

We do not sell personal data.

We share data only as necessary:

5.1 Between users

  • Buyer identity shared with seller after NDA
  • Seller contact details shared at same point

5.2 Service providers (processors)

We use the following processors under written agreements:

  • Supabase — database and authentication
  • Vercel — hosting
  • Resend — transactional email
  • Stripe — payments

Each acts as a data processor under Article 28 UK GDPR.

5.3 Legal disclosures

We may disclose data where required:

  • by law;
  • by court order;
  • to protect rights, safety, or prevent fraud.

5.4 Business transfers

If the business is sold or restructured, data may be transferred subject to equivalent safeguards.

5.5 Broker Directory

Where a broker firm opts into our public broker directory at fairhandover.co.uk/brokers/directory, the following firm details are published publicly on the Platform and may be indexed by third-party search engines:

  • firm name and brand identity;
  • logo (where uploaded);
  • postcode prefixes covered, or a nationwide coverage indication;
  • sectors handled;
  • public-facing firm bio;
  • public-facing contact email;
  • public-facing contact phone (optional).

Lawful basis: the processing is necessary for the performance of our agreement with the broker firm (Article 6(1)(b) UK GDPR), together with our legitimate interests in operating a searchable broker directory and enabling users of the Platform to identify relevant brokers (Article 6(1)(f) UK GDPR). The broker separately chooses whether to opt into public directory publication.

Withdrawal: brokers may withdraw from the Directory at any time by switching the opt-in off in their dashboard, or by contacting privacy@fairhandover.co.uk. Following withdrawal the Directory Profile will be removed from public display on the Platform within a reasonable period. Cached or archived copies held by third-party search engines or internet archiving services may continue to appear for a period outside our control.

Broker firms remain independently responsible for ensuring they have a lawful basis to provide and publish any personal data included within their Directory Profile, including individual contact details.

6 Data retention

We retain data only as long as necessary:

  • Account data: duration of account + limited post-closure period.
  • NDA records: 6 years (legal evidence).
  • Listing private data: deleted within 30 days of closure.
  • Verification codes: expire within minutes and are deleted shortly after.
  • Activity logs: retained up to 12 months, then anonymised or deleted.
  • Payment records: 6 years (HMRC compliance).

7 International data transfers

Data is primarily stored within the EEA.

Where data is transferred outside the UK/EEA (e.g. via Resend or Stripe), we ensure appropriate safeguards, including:

  • UK International Data Transfer Addendum (IDTA);
  • EU Standard Contractual Clauses (SCCs);
  • adequacy decisions where applicable.

8 Your rights

You have the right to:

  • Access your data
  • Correct inaccurate data
  • Request deletion
  • Restrict processing
  • Object to processing
  • Data portability
  • Withdraw consent

To exercise rights:

We respond within one calendar month.

You may complain to the ICO if dissatisfied.

9 Security

We implement appropriate technical and organisational measures, including:

  • encryption in transit (HTTPS);
  • encryption at rest;
  • hashed passwords;
  • role-based access control;
  • database-level access restrictions.

Personal data breaches

If a breach occurs:

  • we will notify the ICO without undue delay and within 72 hours where required (UK GDPR Article 33);
  • we will notify affected users where there is a high risk to their rights and freedoms (UK GDPR Article 34).

10 Children

The Platform is intended for adults (18+).

We do not knowingly collect data from children.

If such data is identified, it will be deleted promptly.

11 Changes to this policy

We may update this policy from time to time.

  • Material changes will be notified;
  • Updated version date will be displayed.

For privacy questions, requests, or complaints: privacy@fairhandover.co.uk