Skip to main content

Privacy Policy

Bespoke Champions League Ltd · Company No. 16778449 · Last updated: June 2026

1. Introduction

Bespoke Champions League Ltd (trading as Bespea) is committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025 (DUAA 2025), and all other applicable data protection laws. This policy explains how we collect, use, store, share and protect your personal data when you use the Bespea platform or apply for our pilot programme.

2. Data controller

Bespoke Champions League Ltd is the data controller for your personal information. Registered office: 39 Paxford Road, Wembley, England, HA0 3RQ. Company No. 16778449. Contact: privacy@bespea.com or contact@bespea.com.

3. What data we collect

We collect the following types of personal data: (a) Identity data: name, username, profile photo, business name, company registration details. (b) Contact data: email address, phone number, postal address. (c) Financial data: payment card details (tokenised via Stripe), bank account information for payouts, transaction history. (d) Technical data: IP address, device type, browser type, operating system, cookies, usage logs. (e) Profile data: portfolio images, project descriptions, certifications, skills, ratings, reviews. (f) KYC/AML data: identity verification documents (passport, driving licence), proof of address, business verification documents. (g) Behavioural data: platform activity, project interactions, messaging history, certification assessments.

4. How we collect data

We collect data through: (a) Direct input: when you create an account, complete the pilot application form, update your profile, upload portfolio content or submit forms. (b) Automated collection: cookies, analytics tools, session tracking, error logs. (c) Third parties: payment processors (Stripe), identity verification providers, social login providers (if used). Pilot application data is collected via our public intake form and is not persisted to a production database until we manually review and approve it.

5. Legal basis for processing

We process your data under the following legal bases: (a) Contract: to provide platform services, manage projects, process payments, issue certifications. (b) Legal obligation: to comply with KYC/AML regulations, tax reporting, fraud prevention, and court orders. (c) Legitimate interests: to improve platform security, prevent fraud, analyse usage patterns, and develop new features. (d) Consent: for marketing emails (opt-in), non-essential cookies, and optional analytics fingerprinting. Under the Data (Use and Access) Act 2025, we may also rely on recognised legitimate interests categories where applicable to data sharing in the public interest.

6. How we use your data

We use your personal data to: (a) provide core platform services (profile creation, project matching, payments, escrow, messaging), (b) verify identity and comply with KYC/AML requirements, (c) process certifications and maintain governed credentials, (d) detect and prevent fraud, abuse and security threats, (e) analyse platform usage and improve features, (f) send transactional emails (account updates, project notifications), (g) send marketing communications (with consent), (h) respond to support requests and legal inquiries.

7. Data sharing and disclosure

We share your data only as necessary: (a) Service providers: payment processors (Stripe), cloud hosting, email services, analytics. (b) Other users: your public profile, portfolio, ratings and reviews are visible to platform users. Private messages are encrypted. (c) Legal authorities: we disclose data when required by law, court order, or regulatory investigation. (d) Business transfers: in case of merger, acquisition or sale, your data may be transferred to the new owner with notice. We do not sell personal data.

8. Data retention

We retain your data for as long as necessary: (a) Account data: kept while your account is active, plus 7 years after closure for legal/tax compliance. (b) Transaction records: 7 years minimum (UK financial record-keeping requirements). (c) KYC documents: 5–7 years after account closure (AML regulations). (d) Marketing data: until you unsubscribe or withdraw consent. (e) Pilot application data: retained for 12 months from submission if not converted to a full account, then deleted.

9. Your data protection rights

Under UK GDPR and the Data (Use and Access) Act 2025, you have the right to: (a) Access: request a copy of your personal data. (b) Rectification: correct inaccurate or incomplete data. (c) Erasure: request deletion of your data (subject to legal retention requirements). (d) Restriction: limit how we process your data. (e) Portability: receive your data in a structured, machine-readable format. (f) Object: object to processing based on legitimate interests or for marketing purposes. (g) Withdraw consent: for consent-based processing (marketing emails, optional cookies). To exercise your rights, contact privacy@bespea.com. We respond within 30 days.

10. Data security

We implement industry-standard security measures: (a) Encryption: data in transit (TLS 1.3) and at rest (AES-256). (b) Access controls: role-based permissions, multi-factor authentication for admin accounts. (c) Monitoring: audit logs, security testing, structured logging with no PII in log payloads. (d) Incident response: breach notification procedures, user notification within 72 hours if required by law.

11. Cookies and tracking

We use cookies in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR) and UK GDPR. PECR requires us to obtain your consent before setting any non-essential cookies. Cookie types: (a) Essential: authentication, session management, security (cannot be disabled under PECR). (b) Analytics: understanding usage patterns, feature adoption (requires consent). (c) Fingerprinting for abuse prevention (optional, requires explicit consent). You can manage cookie preferences via our cookie banner. See our Cookie Policy at /legal/cookies for full details.

12. International data transfers

Bespea operates primarily in the UK. However, some service providers (cloud hosting, analytics) may process data in the USA or other countries. Where transfers occur, we ensure adequate safeguards through: International Data Transfer Agreements (IDTAs) approved by the UK ICO (the UK post-Brexit mechanism replacing EU Standard Contractual Clauses); adequacy regulations for countries recognised by the UK as providing equivalent protection; and provider certifications (ISO 27001, SOC 2 where applicable).

13. The Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 (DUAA 2025) received Royal Assent on 19 June 2025 and supplements the UK GDPR framework. Where relevant, Bespea relies on DUAA 2025 provisions relating to recognised legitimate interests for fraud prevention, cyber security, and data sharing in the public interest. We will update this policy as ICO guidance on DUAA 2025 implementation develops.

14. Children's privacy

Bespea is not intended for users under 18. We do not knowingly collect data from children. If we discover data from a minor, we will delete it immediately. If you believe a child has provided data, contact us at privacy@bespea.com.

15. Marketing communications

We send marketing emails only with your consent. You can opt out at any time via: (a) Unsubscribe link in every email. (b) Account settings dashboard. (c) Email to privacy@bespea.com. Transactional emails (project updates, payment confirmations) cannot be disabled as they are essential to the service.

16. Automated decision-making

We may use automated systems for project matching and risk scoring. You have the right to request human review of automated decisions that significantly affect you. Contact privacy@bespea.com to exercise this right.

17. Changes to this policy

We may update this Privacy Policy to reflect legal, operational or feature changes. Updated policies are posted on this page with a new 'Last updated' date. Significant changes will be communicated via email or platform notification.

18. Complaints and supervision

If you have concerns about how we handle your data, contact us first at privacy@bespea.com. If unresolved, you can lodge a complaint with the UK Information Commissioner's Office (ICO): www.ico.org.uk, phone: 0303 123 1113.

19. Contact us

Bespoke Champions League Ltd · Company No. 16778449 · Registered office: 39 Paxford Road, Wembley, England, HA0 3RQ · Email: privacy@bespea.com or contact@bespea.com