Privacy Policy

Last updated: 10 April 2026

Bramston & Associates Ltd (“Bramston”, “we”, “us” or “our”) is committed to protecting personal data in a manner that is lawful, fair, secure and proportionate. This Privacy Policy explains how we collect, use, store, disclose and otherwise process personal data through our website, our communications, our business relationships and our professional activities.

This Policy is intended to reflect the requirements of the Mauritius Data Protection Act 2017 and, where applicable, the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

By using this website or otherwise engaging with Bramston, you acknowledge that your personal data may be processed in accordance with this Privacy Policy.

1. Who we are

Bramston & Associates Ltd
Carleton Tower, 19 Wall Street
Cybercity Ebene, 72201
Mauritius

Business Registration Number (BRN): C10044944
Telephone: +230 650 0690
Email: info@bramston.co
Website: www.bramston.associates

For data protection enquiries, requests relating to your personal data, or privacy-related concerns, you may contact us at:

Email: info@bramston.co
Subject line: Privacy / Data Protection Request

If Bramston has appointed a Data Protection Officer or nominated data protection contact, that officer may also be contacted through the details published on the relevant contact page or notice.

2. Scope of this Policy

This Privacy Policy applies to personal data processed by Bramston in connection with:

your use of our website;
contact forms, emails and other communications sent to us;
requests for information, meetings, proposals or professional engagement;
distribution of publications, insights, alerts or other communications;
business development and relationship management;
recruitment and career-related enquiries;
supplier, partner and service-provider interactions; and
any other situation in which Bramston collects or processes personal data in the ordinary course of its activities.

This Policy does not apply to third-party websites, platforms or services that may be linked from our website. Those services remain governed by their own privacy notices and terms.

3. The personal data we may collect

Depending on the nature of your interaction with us, we may collect and process the following categories of personal data:

3.1 Information you provide directly

This may include:

your name;
job title;
organisation name;
email address;
telephone number;
country or jurisdiction;
subject matter of your enquiry;
the contents of messages, correspondence or attachments you send to us;
information you provide when requesting a meeting, proposal, briefing or speaking engagement;
CVs, professional history and application materials if you apply for a role with us;
any other personal data you choose to provide.

3.2 Information collected automatically through website use

When you use our website, we may collect certain technical and usage information, including:

IP address;
browser type and version;
operating system;
referral source;
pages visited;
time spent on pages;
date and time of access;
device identifiers;
approximate geographic location derived from IP;
cookie identifiers and similar online identifiers.

3.3 Information received from third parties

We may receive personal data from:

your employer or organisation;
professional contacts or referral sources;
event organisers;
service providers supporting our website or communications;
publicly available sources such as corporate websites, professional profiles, publications or official registers.

We will process such data only where there is a lawful basis for doing so.

4. Special categories of personal data

Bramston does not ordinarily seek to collect special categories of personal data through its website.

Where special categories of personal data are provided to us, or where such data become relevant in the context of a professional engagement, recruitment process, legal obligation or other legitimate activity, we will process them only where there is a valid lawful basis and, where required, an additional condition permitting such processing, together with appropriate safeguards.

We ask that you do not send sensitive personal data to us through general website forms unless it is strictly necessary and appropriate to do so.

5. How and why we use personal data

We may process personal data for the following purposes:

to respond to your enquiries and requests;
to communicate with you;
to assess whether and how we may engage with a proposed matter or opportunity;
to provide briefings, publications, alerts, event invitations or other communications you have requested or for which there is another lawful basis;
to manage and maintain our relationships with clients, counterparties, partners, suppliers and other contacts;
to operate, secure, improve and administer our website and digital infrastructure;
to monitor website performance, user experience and content relevance;
to prevent abuse, fraud, malicious activity or other misuse of our systems;
to manage recruitment and careers processes;
to comply with legal, regulatory, governance and record-keeping obligations;
to establish, exercise or defend legal claims; and
for other legitimate and proportionate purposes consistent with the context in which the data were collected.

We do not use personal data for purposes that are incompatible with the original purpose of collection unless we are permitted or required to do so by law.

6. Lawful bases for processing

We process personal data only where we have a lawful basis to do so. Depending on the circumstances, the lawful basis may include:

consent, where you have clearly agreed to a specific use of your personal data;
performance of a contract, or steps taken at your request before entering into a contract;
compliance with a legal obligation to which Bramston is subject;
legitimate interests, where processing is necessary for the legitimate interests pursued by Bramston or a relevant third party and those interests are not overridden by your rights and freedoms;
vital interests, where necessary to protect someone’s life or essential interests;
public interest or lawful authority, where applicable.

Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before that withdrawal.

Where we rely on legitimate interests, those interests may include the orderly operation of our website, information security, fraud prevention, institutional communications, relationship management, and the careful development of Bramston’s professional activities in a measured and proportionate manner.

7. Cookies and similar technologies

Our website may use cookies and similar technologies to support core functionality, improve user experience, understand website traffic, maintain security and analyse site performance. The public site already presents a cookie notice indicating that cookies may be used for traffic analysis and website optimisation. (Bramston & Associates)

Some cookies may be strictly necessary for the operation of the site. Others may be used for analytics, performance measurement, embedded content or preferences, subject to applicable law and any required consent mechanisms.

Further detail should be set out in Bramston’s separate Cookies Policy, which should identify, with specificity, the categories of cookies used, their purpose, their duration, and how users can manage or withdraw preferences.

8. If you do not provide personal data

You are generally free not to provide personal data. However, if you do not provide certain information, Bramston may be unable to:

respond to your enquiry;
process a request;
consider a proposal or meeting request;
send requested materials;
progress a recruitment application; or
provide or manage certain website functions.

Where the provision of data is mandatory by law or necessary for a contract or engagement, we will say so where appropriate.

9. How we share personal data

We do not sell personal data.

We may disclose personal data only where reasonably necessary and lawful, including to:

employees, officers or authorised personnel of Bramston who need access for legitimate business purposes;
IT, hosting, security, website management, analytics, communications or administrative service providers acting on our behalf;
professional advisers, including legal, compliance, audit or risk advisers;
regulators, public authorities, courts, law enforcement bodies or supervisory authorities where required by law or lawful process;
counterparties, clients, project participants or relevant stakeholders where required in connection with a legitimate and properly scoped professional matter; and
a purchaser, successor or reorganised entity in connection with a merger, restructuring, transfer or disposal of business assets, subject to appropriate confidentiality and legal safeguards.

Where third parties process personal data on our behalf, we require them to act only on documented instructions, maintain appropriate security and confidentiality, and comply with applicable legal requirements.

10. International transfers

Given the international nature of Bramston’s activities, personal data may be processed in, accessed from, or transferred to jurisdictions outside Mauritius and, where applicable, outside the European Economic Area.

Where personal data are transferred outside Mauritius, Bramston will do so only in accordance with the conditions permitted by the Mauritius Data Protection Act 2017, including where appropriate safeguards are in place, where explicit consent has been obtained after appropriate information has been provided, or where another lawful condition for transfer applies. Mauritius’ section 36 is expressly concerned with transfers to another country and the use of appropriate safeguards. (Data Protection Mauritius)

Where GDPR applies and personal data are transferred outside the EEA to a country not recognised as providing an adequate level of protection, Bramston will seek to use an appropriate transfer mechanism, such as European Commission Standard Contractual Clauses, together with supplementary safeguards where necessary. (European Commission)

11. Data retention

Bramston retains personal data only for as long as reasonably necessary for the purpose for which it was collected, or as required by law, regulation, professional obligations, record-keeping requirements, dispute management or the protection of legal rights.

Retention periods may therefore vary depending on the category of data and the context in which it was collected.

When personal data are no longer required for the relevant purpose, we will securely delete, anonymise or otherwise dispose of them in accordance with applicable law and appropriate retention controls. The Mauritius framework expressly provides that where the purpose for keeping personal data has lapsed, controllers should destroy the data as soon as reasonably practicable. (Data Protection Mauritius)

12. Security of processing

Bramston implements appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

These measures may include, where appropriate:

access controls and least-privilege principles;
authentication controls;
secure hosting and system administration;
encryption and secure transmission where appropriate;
confidentiality obligations;
logging, monitoring and security review;
backup and resilience measures;
vendor and processor due diligence; and
internal procedures for incident handling and escalation.

No website, network, storage environment or transmission method can ever be guaranteed to be completely secure. However, Bramston seeks to apply proportionate and appropriate safeguards in light of the nature of the data and the risks involved.

13. Personal data breaches

If Bramston becomes aware of a personal data breach, it will assess the incident promptly and take such steps as are appropriate in the circumstances, including containment, remediation, internal escalation, record-keeping and notification where required by law.

Under the Mauritius framework, personal data breach notification to the Data Protection Office is expected without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach; where the breach is likely to result in a high risk to the rights and freedoms of individuals, affected individuals should also be informed without undue delay. Similar timing and risk logic exists under GDPR. (Data Protection Mauritius)

14. Your rights

Subject to applicable law and any lawful limitations or exemptions, you may have the right to:

be informed about how your personal data are processed;
request access to your personal data;
request correction of inaccurate or incomplete personal data;
request erasure of personal data in appropriate circumstances;
request restriction of processing in appropriate circumstances;
object to processing, including processing for direct marketing;
withdraw consent where processing is based on consent;
request portability of certain data, where GDPR applies and the legal conditions are met;
object to, or seek review of, certain automated decisions or profiling.

Mauritius’ Data Protection Office materials expressly refer to rights of access, rectification/erasure/restriction, objection, and protections around automated individual decision-making, while GDPR includes those rights plus portability and other transparency rights. (Data Protection Mauritius)

To exercise your rights, please contact us at info@bramston.co with enough detail to allow us to understand and verify your request.

We may need to verify your identity before acting on a request. We will respond within the period required by applicable law. Mauritius’ Data Protection Office guidance states that access should be provided free of charge and within one month following a written request. (Data Protection Mauritius)

15. Complaints

If you have a concern about how Bramston processes your personal data, we encourage you to contact us first so that we may try to address the matter promptly and fairly.

You also have the right, where applicable, to lodge a complaint with a competent supervisory authority.

In Mauritius, complaints may be made to the Data Protection Office / Data Protection Commissioner, which publishes complaint procedures and contact details, including the complaint email dpo@govmu.org and its office in Ebene. (Data Protection Mauritius)

Where GDPR applies, you may also have the right to complain to a competent supervisory authority in the EU/EEA member state of your habitual residence, place of work, or the place of the alleged infringement.

16. Marketing communications

Where lawful, Bramston may send you publications, alerts, invitations, insights or other communications that we consider relevant to your professional interests or that you have requested.

Where consent is required, we will seek it. Where lawful under applicable rules, we may also rely on legitimate interests for measured professional communications of an institutional nature.

You may opt out of non-essential communications at any time by following the unsubscribe mechanism in the message, where available, or by contacting us directly.

We will not use your personal data for aggressive, indiscriminate or incompatible marketing practices.

17. Recruitment and careers data

If you apply for a role with Bramston or otherwise submit career-related information, we may process your personal data for recruitment, candidate assessment, communication, interview administration, verification, record-keeping and, where lawful, future opportunities reasonably related to your profile.

This may include contact details, CV data, employment history, qualifications, references, correspondence and interview notes.

If special categories of personal data become relevant in the recruitment process, they will be handled only where necessary and lawful, and with appropriate safeguards.

18. Children’s data

Bramston’s website and services are not directed to children.

We do not knowingly collect personal data from children through our general website in circumstances where parental or guardian authorisation would be required by law. Under the Mauritius Data Protection Office guidance, where online services are provided to a child and consent is relied upon as the lawful basis, consent must be given or authorised by a person with parental responsibility for children under 16. (Data Protection Mauritius)

If you believe that a child has provided personal data to us inappropriately, please contact us so that we may review and, where appropriate, delete the information.

19. Automated decision-making and profiling

Bramston does not ordinarily make decisions producing legal or similarly significant effects based solely on automated processing through this website.

If that position changes in any material respect, Bramston will provide additional notice where required by law and implement appropriate safeguards.

20. Third-party links and embedded content

Our website may contain links to third-party websites, social media pages, embedded content or external publications. We are not responsible for the privacy, security or data handling practices of those third parties.

You should review the privacy notices of those third parties before submitting personal data to them or interacting with their services.

21. Changes to this Policy

We may amend this Privacy Policy from time to time to reflect legal, operational, technological or organisational developments.

The most current version published on our website will apply from the date of publication. Where changes are material, we may also take additional steps to bring them to attention where appropriate.

22. Contact us

For privacy-related questions, requests, objections, complaints or other data protection matters, please contact: