1) Who we are (Data Controller)

Controller: Tribes Capital Ltd (England & Wales).
Registered office: 20–22 Wenlock Road, London, N1 7GU, England.

Contact (privacy): dedicated privacy inbox (recommended) – compliance@tribes.capital

We are registered with the ICO (you state reference ZB414206).

2) What this policy covers

This policy applies to personal data processed via:

• our public website content and forms (e.g., newsletter, contact forms);

• our member portal (sign-in/sign-up flows) and member-only pages;

• our referral/affiliate pages (if used);

• communications (email, calls, messages) and events/webinars.

It does not cover third-party websites you may visit via links from our pages.

3) Personal data we collect

We collect personal data in four main ways:

A) Data you give us

• Identity & contact: name, email, phone, country/city, organisation, role.

• Account data: username/login, password (stored in hashed form by our platform providers), membership status.

• Preferences: newsletter preferences, communication choices, content interests.

• Communications: messages you send us, support requests, survey responses, feedback, testimonials/reviews you choose to provide.

• Event data: attendance, questions submitted, chat messages.

B) Data we collect automatically (cookies/usage)

• Device & usage: IP address, browser type, pages viewed, links clicked, timestamps, approximate location from IP, and cookie identifiers.

C) Verification / Eligibility data (where applicable)

If we restrict access to certain member-only investment-related materials, we may request additional information to verify eligibility and to meet compliance checks (e.g., KYC/AML screening). This may include date of birth, address, government ID details, and screening results provided by third-party verification providers (where used).

D) Partner / supplier / ecosystem participant data

If you register interest as a supplier, EPC/O&M, financier, or strategic partner, we may collect professional background, company details, and relevant capability information.

4) Why we use your data (purposes)

We use personal data to:

• run the portal and provide access to community content and member-only features;

• send newsletters, updates, webinar invitations, and community announcements;

• respond to enquiries and provide support;

• improve our site/portal performance, security, and user experience;

• prevent fraud, abuse, and security incidents;

• administer referrals/affiliate tracking via links (see Section 7);

• where applicable, conduct eligibility checks (including KYC/AML-type screening) before granting access to restricted materials.

5) Our lawful bases (UK GDPR)

We process personal data under one or more of these lawful bases:

• Contract: to provide portal access you requested and to deliver services/features.

• Legal obligation: where we must keep records or perform checks required by law (for example, where AML record-keeping applies in a given context).

• Legitimate interests: to operate and improve the community, secure our systems, measure engagement, and proportionately communicate with prospective members.

• Consent: for marketing emails where required, and for non-essential cookies/trackers.

6) Marketing communications (email, webinars, updates)

We may send:

• community education updates (articles, webinars, research notes);

• service updates (portal changes, policy updates);

• marketing messages (where you opted in or where “soft opt-in” legally applies).

We will always include an unsubscribe link in marketing emails and honour opt-outs promptly. We keep a suppression list to ensure we don’t message people who opted out.

7) Referrals and “share the portal” features

Be careful here: “tell-a-friend” email campaigns are high-risk under PECR because valid consent is hard to prove when someone else enters a friend’s contact details.

Our position:

• We encourage sharing via referral links (not by uploading friends’ emails/phone numbers).

• If we ever run an invitation feature, it will be limited, transparent, and designed to avoid sending marketing to people who haven’t consented.

8) Cookies and similar technologies

We use cookies and similar technologies to:

• keep the site functional (essential cookies);

• remember preferences;

• understand usage (analytics);

• measure campaign performance (where enabled).

Where required, we will request consent for non-essential cookies and provide cookie controls.

9) Who we share data with

We may share personal data with:

• platform/hosting providers used to run the website and member portal;

• email and communications providers (newsletter delivery, webinar hosting);

• analytics and security providers (to understand performance and prevent abuse);

• identity/verification providers (where eligibility/KYC-style checks are used);

• professional advisers (legal, audit, compliance) under confidentiality;

• regulators/law enforcement where legally required.

We do not sell personal data.

10) International transfers

Because our service providers and project ecosystem may involve processing outside the UK, your data may be transferred internationally.

Where we make restricted transfers, we use appropriate safeguards such as the UK IDTA or the UK Addendum to EU SCCs, and we perform transfer risk assessments where required.

11) How long we keep your data (retention)

We keep personal data only as long as necessary for the purpose it was collected.

Typical retention periods (guidance):

• Newsletter subscribers (no account): up to 24 months after last interaction, unless you unsubscribe sooner.

• Member accounts: for the life of the account, then typically up to 6 years after closure for audit/legal defence and record-keeping (where relevant).

• KYC/AML-type checks (where applicable): typically 5 years after the end of the relationship/transaction, unless a lawful exception applies.

• Support communications: typically 2–3 years (longer if needed for dispute handling).

• Security logs: typically 6–12 months (unless needed for investigation).

12) Security

We use administrative, technical, and organisational measures to protect personal data, including access controls and encryption in transit where supported by our providers. No internet transmission is risk-free; you should use strong passwords and keep them confidential.

13) Your rights

Depending on your location (and generally under UK GDPR), you may have the right to:

• access your data;

• correct it;

• delete it;

• restrict processing;

• object to processing (especially where we rely on legitimate interests);

• data portability;

• withdraw consent at any time (for consent-based processing).

To exercise rights, contact compliance@tribes.capital

14) Complaints

If you’re unhappy with our response, you can complain to the UK Information Commissioner’s Office (ICO).

15) Automated decision-making

If we use automated checks to help decide whether to grant access to restricted member areas (e.g., basic risk flags, duplicate detection, and eligibility screening), you can request human review and challenge the outcome by contacting us.

16) Children

Our portal is intended for adults and professional ecosystem participants. We do not knowingly collect data from children under 13. If you believe a child has provided data, contact us and we will delete it where appropriate.

17) Changes to this policy

We may update this policy from time to time. We’ll post the latest version on our site and may notify members of material changes by email or via the portal.

 

 

January 2026
Updated