Confidentiality & Data Protection
1. Purpose
Capital Contracts works with information that may be commercially sensitive, legally privileged, confidential, personal, project-critical or dispute-sensitive. This policy sets out how Capital Contracts expects such information to be protected.
This policy should be read together with the Capital Contracts Privacy Policy, Cookie Policy, Code of Conduct and any project-specific confidentiality or data processing obligations agreed with clients.
2. Scope
This policy applies to:
- client information;
- project records;
- contracts and commercial documents;
- claim and dispute materials;
- correspondence and meeting records;
- schedules, cost reports, dashboards and registers;
- personal data submitted through the website, contact forms, recruitment processes or project communications;
- confidential information received from clients, suppliers, partners, counterparties or public sources under restriction.
3. Confidential Information
Confidential information includes any non-public information that a reasonable person would understand to be confidential, whether marked confidential or not. Examples include:
- contract documents and amendments;
- tender and procurement information;
- claim strategy and negotiation positions;
- cost, schedule and project controls data;
- client internal reports and board materials;
- project correspondence and meeting minutes;
- legal, expert or dispute-related materials;
- personal data and CVs;
- passwords, access credentials and system information.
4. Data Protection Principles
Capital Contracts aims to handle personal data in line with internationally recognised privacy principles, including transparency, lawful and fair use, purpose limitation, data minimisation, accuracy, appropriate retention, security and respect for individual rights.
Where the EU GDPR, UK GDPR, Turkish data protection law, Hong Kong privacy law, UAE data protection law, US privacy laws or other local requirements apply, Capital Contracts will seek to comply with applicable obligations according to the nature of the processing and the relevant jurisdiction.
5. Need-to-Know Access
Confidential information should be accessed only by people who need it for a legitimate business or project purpose. Capital Contracts may apply access controls, folder permissions, role-based access, password protection, secure transfer methods or other restrictions depending on the sensitivity of the information.
6. Handling Client Project Records
Client project records should be handled with particular care because they may later become evidence in claims, audits, negotiations, adjudications, arbitrations or court proceedings. Capital Contracts personnel should:
- preserve document integrity;
- avoid unauthorised alteration;
- maintain version control;
- respect agreed document naming and filing structures;
- keep records within approved systems where required;
- avoid using personal accounts or uncontrolled storage for project material.
7. Personal Data
Personal data may include names, email addresses, telephone numbers, job titles, company details, CVs, employment history, project roles, signatures, photographs, identification information, correspondence and website usage data.
Capital Contracts will seek to collect only personal data that is reasonably necessary for legitimate purposes such as responding to inquiries, managing client relationships, reviewing job applications, delivering consulting services, maintaining business records and complying with legal obligations.
8. Information Security
Capital Contracts expects reasonable technical and organisational measures to be applied to protect information, including:
- password protection and secure authentication;
- restricted access to sensitive folders;
- secure file transfer where appropriate;
- device security;
- anti-malware and system updates;
- care when using public networks;
- verification before sending sensitive information externally;
- prompt reporting of suspected loss, unauthorised access or disclosure.
9. Third Parties
Capital Contracts may need to share confidential information with approved advisers, consultants, technology providers, cloud hosting providers, legal counsel, auditors or client-approved parties. Where appropriate, third parties should be subject to confidentiality obligations and reasonable data protection expectations.
10. International Transfers
Because Capital Contracts operates internationally, information may be accessed or processed from more than one country. Where personal data is transferred internationally, Capital Contracts will seek to use appropriate safeguards where required by applicable law.
11. Retention and Deletion
Confidential information and personal data should not be kept longer than necessary for the purpose for which they were collected, unless retention is required for legal, contractual, audit, accounting, dispute, insurance or legitimate business reasons.
Project records may need to be retained for longer periods because claims, limitation periods, audits and close-out obligations can continue after project completion.
12. Breach Reporting
Any suspected loss, unauthorised access, mistaken disclosure, cyber incident or confidentiality breach should be reported promptly. Capital Contracts will assess the incident, take appropriate containment steps and consider whether client notification, regulatory notification or other action is required.
13. Review
This policy may be reviewed periodically to reflect operational, technological and legal developments.