Privacy Policy

1. Introduction & Scope

This Privacy Policy explains how Sartori & Partners (“Sartori & Partners”, “we”, “us”, or “our”) collects, uses, shares, retains and protects personal information when you visit our website at www.sartoriglobal.com (the “Site”) or engage with our legal recruitment and executive search services as a candidate, client or other contact.

Sartori & Partners is the data controller responsible for the personal information described in this notice. We are a United States–based entity. For all privacy and data-protection matters, the designated and authoritative channel is privacy@sartoriglobal.com — this is the front door for questions, for exercising your rights, and for raising any concern before escalation to a regulator. General commercial enquiries should instead go to our contact page (contact@sartoriglobal.com), and candidate enquiries to careers@sartoriglobal.com.

This document is an information notice provided under Article 13 of the EU and UK General Data Protection Regulation (“GDPR” and “UK GDPR”) and the analogous transparency requirements of other applicable laws. It explains our processing so that you can understand it; it is not itself a request for your agreement; however, by submitting a form you confirm you have read this notice and the information you provide is accurate. Where the law requires your consent — for example, for analytics cookies, for any marketing, for SMS messaging, or before we share your candidate profile with a client — that consent is obtained separately and can be withdrawn at any time. By submitting any form on the Site you acknowledge that our Terms & Conditions — including their limitation of liability, disclaimers, and the no-guarantee-of-placement provisions — govern your use of the Site and our services. This Privacy Policy should be read together with those Terms & Conditions and our Cookie Policy.

2. Personal Information We Collect

We collect the following categories of personal information.

a. Information you provide directly

We collect personal information through three forms on our Site. We do not operate user accounts, and you do not create or log in to one.

CV / application form (submit your CV): full name, email address, phone number, LinkedIn URL, current firm, current title, years of post-qualification experience (PQE), practice area, preferred locations, relocation preference, your cover note, and your CV file (PDF, DOC or DOCX, up to 8 MB). On submission, we also record your explicit consent and the consent timestamp as evidence of permission, together with the source of the submission.
Contact / enquiry form: name, email address, phone number, company, role, whether you are a client or a candidate, the enquiry type, your message, and your explicit consent with a timestamp.
Report registration (to download a gated report): name, email address, company, role, the report reference, your explicit consent with a timestamp, and a single-use download token valid for seven days. The token validates your download; it is not an account.

b. Information collected automatically

With each form submission we record a pseudonymized IP address — the IP address is irreversibly pseudonymized at the point of collection, so the raw IP address is never stored — together with your browser user-agent string. To protect the forms against abuse, we also apply a hidden honeypot field and a bot-protection challenge; suspected automated submissions are silently dropped.
Site usage metrics (such as pages visited, time on site, links clicked and referring URLs) are collected only through our consent-gated analytics, and only if you accept analytics cookies. See Section 7 and our Cookie Policy. If you decline, these metrics are not collected.

c. Information relating to recruitment opportunities

We do not purchase personal data from data brokers or build candidate profiles from public databases. The personal information we hold about candidates and contacts comes from the forms described above and from your direct dealings with us in the course of a search.

d. Special-category / sensitive information

We do not ask for, and do not require, special-category or sensitive personal information (for example racial or ethnic origin, political opinions, religious beliefs, health, or sexual orientation). We ask that you do not include special-category information in your CV, cover note or messages. We do not seek it and have no need to process it; where it is volunteered we will, so far as practicable, disregard or delete it, we will not use it to make decisions about you, and we do not rely on it as part of our assessment. Separately, where you take part in optional diversity monitoring, that is a genuine, specific opt-in and our processing of any special-category data you provide for it relies on your explicit consent under Article 9(2)(a) of the GDPR and UK GDPR. For California residents, the same position applies: we do not seek sensitive personal information, and any that is volunteered is used only for the permitted recruitment and legal purposes described here and is never used to infer characteristics about you (see Section 15).

3. How and Why We Use Your Information

We use personal information only for the purposes below.

Recruitment and search: assessing your suitability for current and future opportunities with our clients, communicating with you about applications, and managing the search process.
Sharing candidate profiles with clients: presenting information that identifies you to a prospective employer, which we do only with your explicit consent for that opportunity. We may discuss your profile with a client on a no-names, anonymized basis to gauge interest before seeking your consent to a named introduction (see Section 5).
Business development and responding to enquiries: handling enquiries from clients and candidates, operating our services, and promoting our recruitment and executive-search services.
Delivering requested reports and insights: providing the gated reports you register to download.
Operating and securing the Site: running the Site, preventing abuse and fraud (including the honeypot and bot-protection challenge), and maintaining security.
Analytics: understanding how the Site is used, only where you have accepted analytics cookies.
Legal compliance: meeting our legal obligations, enforcing our Terms, and protecting our rights, your safety, the safety of others, or our property where lawful to do so.

AI text processing. We use a third-party AI service to summarize and anonymize the text of job openings — that is, the hiring firm’s own listing text. No candidate or visitor personal information is ever sent to any AI service, and personal information is never used to train AI models.

We do not carry out any automated decision-making that produces legal or similarly significant effects on you. Decisions about candidates are made by our people.

4. Lawful Bases for Processing (EU GDPR & UK GDPR)

If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on the following lawful bases, mapped to each purpose.

Holding and assessing your candidate data, including CV handling — Article 6(1)(b) (steps taken at your request prior to a possible engagement) and/or Article 6(1)(f) legitimate interests in operating our recruitment and executive-search service.
Sharing your profile with a specific client — your consent for that opportunity.
Any special-category data you volunteer or provide through optional diversity monitoring — Article 9(2)(a) explicit consent.
Client enquiries, business development, and promoting our services — our legitimate interests in operating and promoting our legal recruitment and executive-search business, and/or the performance of a contract.
Marketing to individuals in the EEA, UK or Switzerland — your consent.
Analytics cookies — your consent (in accordance with ePrivacy / PECR rules).
Legal-compliance purposes — compliance with a legal obligation.

Where we rely on legitimate interests, we balance them against your interests, rights and freedoms, and you may ask us about that assessment. You have the right to object (Article 21), and an absolute right to object to the use of your personal information for direct marketing at any time, in which case we will stop on request. Where we rely on consent, you may withdraw it at any time without affecting processing carried out before withdrawal.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We disclose personal information only as set out below.

Clients, with your explicit consent: we share information that identifies you with a prospective employer only where you have authorized us to do so for that opportunity. We may discuss your profile with a client on a no-names, anonymized basis to gauge interest before seeking your consent to a named introduction.
Service providers (by category only): we engage trusted providers who act on our behalf as processors. They are bound by written terms that restrict them to our business purposes, require appropriate security, and prohibit them from selling, sharing, or otherwise using the data for their own purposes. These categories are:
- Cloud hosting and edge infrastructure — website delivery, secure data storage, and protection of the Site against abuse.
- Communications and messaging providers — providers of our internal shared mailboxes, and the communications/collaboration platform through which we send transactional SMS to candidates and clients.
- Our internal candidate-management system — where candidate and enquiry records are maintained.
- Web analytics — consent-gated, as described in our Cookie Policy.
- A third-party AI text-processing service — used only on the hiring firm’s own job-opening text. No candidate or visitor personal information is ever sent to it, and personal information is never used to train AI.
Legal and safety: we may disclose personal information where we believe in good faith it is necessary to comply with a legal obligation or lawful request, to enforce our Terms, to protect our rights or property, to investigate possible wrongdoing, or to protect the safety of any person or the public.
Business transfers: if we are involved in a merger, acquisition, financing, or sale of all or part of our business, personal information may be transferred as part of that transaction, subject to this Privacy Policy. We will give notice where required.

SMS data. SMS opt-in and consent data is never sold, rented, or shared with any third party, affiliate, or partner for marketing or promotional purposes. It is used solely for direct communication between you and Sartori & Partners (see Section 10).

6. International Data Transfers

We aim to process your personal information primarily in your own region. However, some of our service providers (described above by category only) may process personal information elsewhere, including in the United States. We do not assert a single storage location, and we do not name our providers.

Where personal information is transferred out of the EEA, the United Kingdom, or Switzerland to a country that has not been recognised as providing an adequate level of protection, we put in place appropriate safeguards, which may include the European Commission’s Standard Contractual Clauses, and for UK transfers the UK International Data Transfer Agreement (IDTA) or the UK Addendum to those Clauses, together with any supplementary measures we assess to be required. You may ask us about the safeguards that apply to a particular transfer by contacting privacy@sartoriglobal.com.

7. Cookies and Consent

We use a small number of cookies and similar technologies. In summary:

Strictly-necessary / security cookies and a bot-protection challenge keep the Site secure and functioning. These are always active and do not require consent.
Analytics is denied by default. Under Consent Mode v2, our cookie banner offers Accept or Decline; analytics loads and analytics storage is granted only if you click Accept, and your choice is stored in your browser’s localStorage. IP anonymization is on. Conversion events (such as clicks on email, phone, or call-to-action links and successful form submissions) are sent to analytics only after consent. This banner applies to all visitors, not only those in the EEA or UK.
We use no advertising, targeting, or cross-context behavioral cookies. Aside from the strictly-necessary and security mechanisms described above (and a small browser-storage entry that simply remembers your cookie choice), we do not use functionality or personalization cookies.

Our Cookie Policy is the canonical, fuller description of the cookies we use, including how to withdraw or change your consent.

8. Data Retention

We keep personal information only for as long as we need it, using the following concrete model:

Transient submission data is purged on success. When you submit a form, the data and any uploaded file (CV or report) first land in transient edge storage. Once a submission has been successfully ingested into our internal recruitment system, that transient edge row and the uploaded file are deleted promptly as part of that process.
Report registrations are retained only until the single-use download token expires (seven days), which is the period needed to validate the download.
Candidate and enquiry records are retained within our internal system for as long as needed for legitimate recruitment purposes — the duration of an active search and a reasonable period thereafter so that we can consider you for suitable future opportunities — and are then deleted or anonymized. Where we cannot fix a single period in advance, we determine retention by reference to the nature and sensitivity of the data, the purpose, the relationship’s currency, and any legal requirement.

You can ask us to review or delete your record at any time by contacting privacy@sartoriglobal.com.

9. How We Protect Your Information

We maintain technical and organizational measures that we consider appropriate to the personal information we handle, which currently include, by function:

Encryption in transit (HTTPS/TLS) and encryption at rest.
Access controls and least-privilege access.
Pseudonymization of the IP address at the point of collection — the raw IP address is never stored.
Data minimization and prompt deletion of transient submission data after processing (purge-on-success).
A bot-protection challenge and a hidden honeypot on all forms.

No method of transmission over the internet or of electronic storage is completely secure, so while we work to protect your information we cannot guarantee absolute security. Please send us only the information relevant to your enquiry or application.

10. SMS / Text Messaging

We may send SMS or text messages to candidates and clients. Where you opt in to SMS, you consent to receive transactional and conversational messages from Sartori & Partners — such as interview confirmations and scheduling. We do not send marketing or promotional text messages. SMS opt-in is a separate, optional choice captured with a timestamp; it is never triggered merely by giving us a phone number, and it is never a condition of any service or of your candidacy.

You can reply STOP at any time to unsubscribe, or HELP for assistance. Message and data rates may apply. After you reply STOP, we will not text you again unless you provide a new opt-in; you can opt in again by replying START or by giving us a fresh opt-in, which we record with a timestamp. Messages are sent under an A2P 10DLC registration maintained to satisfy carrier-registration compliance. As stated in Section 5, SMS opt-in data is never sold or shared with third parties for marketing.

11. Your Data-Protection Rights

Depending on your location and the applicable law, you have rights over your personal information. Under the EU and UK GDPR, these include:

Access — to obtain a copy of the personal information we hold about you.
Rectification — to have inaccurate or incomplete information corrected.
Erasure — to have your information deleted, subject to legal limits.
Restriction — to limit how we process your information in certain circumstances.
Portability — to receive certain information in a machine-readable format and, where technically feasible, have it transmitted to another controller.
Objection — to object to processing based on legitimate interests, and an absolute right to object to direct marketing.
Withdraw consent — at any time, without affecting processing carried out before withdrawal.
Complain to a supervisory authority — as described below.

As a baseline, we extend the rights listed above to all individuals, wherever located, to the extent their local law provides for them. California residents have additional rights described in Section 15, and individuals elsewhere retain whatever rights their local data-protection law grants (see Section 12).

How to exercise your rights. Please contact privacy@sartoriglobal.com. This is our designated channel for all rights requests. We will respond in accordance with applicable law and may need to verify your identity before acting on a request.

Complaints and escalation. Please raise any concern with us first at privacy@sartoriglobal.com so we can try to resolve it. If you remain dissatisfied, you may complain to a regulator: in the UK, the Information Commissioner’s Office (ICO); in the EEA, your national data protection authority; in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC); and in California, the California Privacy Protection Agency (CPPA) or the California Attorney General.

12. Governing Law and Your Local Rights

Our services are governed by our Terms & Conditions, which provide that they are governed by the laws of the State of Wyoming, USA, and which specify the forum for disputes. That choice of law and forum does not deprive you of the mandatory, non-waivable rights, protections, and remedies available under your local law. If you are in the EEA, the United Kingdom, Switzerland, or California, those local rights — including the GDPR and UK GDPR right to complain to a supervisory authority, and California CCPA/CPRA rights — continue to apply notwithstanding the choice of Wyoming law. If you are an individual elsewhere in the world, you retain whatever rights are granted to you by the data-protection law of your jurisdiction.

13. Children

Our Site and services are intended for legal professionals and business contacts and are not directed to children. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, please contact privacy@sartoriglobal.com and we will take appropriate steps to delete it.

14. Personal-Data Breaches

In the event of a personal-data breach that is likely to affect your rights, we will assess and contain the incident and, where required by applicable law, notify the relevant supervisory authority and affected individuals without undue delay.

15. California Privacy Notice (CCPA / CPRA)

This section supplements the rest of this Privacy Policy and applies to California residents (“consumers” or “you”). It is provided under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, “CCPA/CPRA”).

Notice at collection. Through each of our forms we collect personal information for the purposes described in Section 3, retain it for the periods in Section 8, and do not sell or share it. This notice is provided at or near the point of collection by linking to this policy.

Categories of personal information collected (preceding 12 months):

Identifiers — such as name, email address, phone number, and LinkedIn URL.
Professional or employment-related information — such as current firm, current title, PQE, practice area, preferred locations, cover note, and CV.
Internet or other electronic network activity — the user-agent string and a pseudonymized IP address (the raw IP is never stored), plus consent-gated analytics metrics if you accept analytics cookies.
Sensitive personal information — we do not request it; any that you volunteer is used only for the permitted recruitment and legal purposes above and not to infer characteristics about you.

Sources: directly from you through our forms, and automatically with each submission as described in Section 2. We do not acquire personal information from data brokers.

Business or commercial purposes: as described in Section 3.

Recipients: our clients (only with your explicit authorization, for recruitment), the service-provider categories listed in Section 5 (engaged as service providers or contractors under written terms that restrict them to our business purposes and prohibit selling or sharing), and government authorities or other parties where required by law.

No sale; no sharing. We do not sell personal information as that term is defined under the CCPA/CPRA, and we do not share personal information for cross-context behavioral advertising. We have not done so in the preceding 12 months. Because there is no sale or sharing, no “Do Not Sell or Share My Personal Information” link is required. Our analytics runs only after your affirmative consent and can be declined or withdrawn through the cookie banner, which functions as the control.

Your California rights: to know / access, to delete, to correct, to opt out of sale or sharing (not applicable, as we do neither), to limit the use of sensitive personal information (not applicable, as we do not use it for purposes that trigger this right), and to be free from discrimination for exercising any right.

Exercising your rights. Contact privacy@sartoriglobal.com. We verify your request by matching you to the information we already hold — for example the name, email, or phone number you submitted through the relevant application, enquiry, or report-registration form — and we may request additional information only as needed to meet the level of certainty the law requires for the type of request. You may use an authorized agent, who should submit the request via privacy@sartoriglobal.com with proof of authorization; we may still verify you directly. Per-category retention is described in Section 8.

16. Do Not Track and Global Privacy Control

We do not sell or share personal information for cross-context behavioral advertising, so there is no sale or share to opt out of. Analytics is denied by default and runs only with your affirmative consent; where your browser sends a recognised opt-out preference signal such as Global Privacy Control (GPC), we treat it consistently with that choice and do not grant analytics consent. We do not respond to legacy “Do Not Track” (DNT) browser signals, as there is no common industry standard for them.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will post the revised version on this page and update the “Last Updated” date above. For material changes that affect how we process personal information you have already provided, we will take reasonable steps to notify you (for example by email to the address you supplied or a prominent notice on the Site) before the change takes effect, and where the law requires your consent we will obtain it. We encourage you to review this page periodically.

18. Contact Us

For any question about this Privacy Policy or our data practices, or to exercise your rights, contact us at privacy@sartoriglobal.com. This is the designated channel for privacy and data-protection matters. For other enquiries — whether you are a firm looking to hire legal talent or a lawyer ready to explore a move — please see our contact page. This policy should be read alongside our Terms & Conditions and Cookie Policy.