The Privacy Policy.

The data controller responsible for personal data processed under this policy is Noble & Hours LLC, a New York limited liability company (NY DOS filing no. 5884721), with principal offices at 685 Fifth Avenue, 20th Floor, New York, NY 10022, USA.

For matters relating specifically to data protection — including any question about this policy, any request to exercise your rights under it, or any complaint — our designated point of contact is the Director of Privacy, reachable at privacy@nobleandhours.com.

For data processing connected with engagements that take place within the European Economic Area or the United Kingdom, our representative for the purposes of GDPR Article 27 is reachable at the same address.

We collect only what we need. The categories below are exhaustive — if a category is not listed here, we do not collect it.

• Identification data — full legal name, preferred name, date of birth, residential address, country of residence.
• Contact data — email, telephone, preferred secure messaging channel, emergency contact details.
• Engagement data — the occasion, dates, location, guests, and preferences relating to a booked or proposed engagement.
• Financial data — billing address and tax residence; we never store credit-card numbers ourselves (payment is handled by our PCI-DSS-compliant processor).
• Verification data (clients only) — the limited identity-verification information required by our vetting process: redacted government identification, professional reference, and a single source-of-funds attestation.
• Application data (companion applicants only) — full information submitted through the application form, including photographs, languages, professional history, and references.
• Sensitive personal data — only where directly relevant to an engagement (for example, a dietary restriction or medical condition you choose to disclose). We never collect sensitive data without your explicit consent.
• Technical data — IP address, browser type, and device type, captured automatically when you visit this website. See section XII.

Personal data reaches the House through one of three channels and no others:

• Directly from you — through the inquiry form on our website, the application form (for prospective companions), email, telephone, or in-person consultation with a client director.
• From your authorised representative — where a family-office principal, executive assistant, or legal counsel makes contact on your behalf, with your express authorisation.
• From third-party verification services — limited to the discrete checks required by our vetting protocol (sanctions screening, public-records checks, and identity verification through accredited providers).

We do not buy data lists. We do not scrape social media. We do not enrich the records you provide with third-party data brokers. The only personal data we hold about you is what you (or someone authorised by you) chose to share.

We use personal data only for the following purposes, and no others:

• To respond to your inquiry and assess whether the House is the right fit for what you're seeking.
• To conduct our pre-engagement vetting process, in service of the safety and dignity of our clients and our companions equally.
• To prepare for, deliver, and follow up on a confirmed engagement.
• To process payment and meet our tax, accounting, and anti-money-laundering obligations under applicable law.
• To respond to questions about a past engagement, including by reference to internal post-engagement notes.
• To improve our services through aggregated, de-identified analysis (no individual record is used for this purpose).
• To comply with legal, regulatory, or court-ordered requirements where they arise.

We do not use personal data for marketing without your separate, freely-given, opt-in consent. If you have not affirmatively asked to hear from us, you will not.

For residents of the EU, the United Kingdom, and other jurisdictions where lawful basis must be specified, we rely on the following grounds (in the language of GDPR Article 6):

• Contract (Art. 6(1)(b)) — for processing necessary to deliver an engagement we have agreed to undertake.
• Legitimate interests (Art. 6(1)(f)) — for our pre-engagement vetting, post-engagement record-keeping, and the protection of our clients, our companions, and the House. Our legitimate interests are balanced against your rights, and we will not rely on this basis where your rights would override.
• Legal obligation (Art. 6(1)(c)) — for tax, accounting, anti-money-laundering, and other regulatory record-keeping required by law.
• Consent (Art. 6(1)(a)) — for any processing of sensitive personal data (Art. 9), and for any optional or marketing-adjacent processing. Consent given may be withdrawn at any time.

For California residents under the CCPA / CPRA, we are a "business" within the meaning of those statutes; we do not "sell" or "share" personal information for cross-context behavioural advertising; we have not done so in the preceding twelve months; and we have no plans to do so.

Personal data leaves the House only in the following limited circumstances:

• Within the House — only to the named individuals (Founder, Director of Clients, Director of Vetting, the assigned Client Director, and the assigned Companion) whose roles directly require access. Access is logged.
• Service providers bound by written confidentiality and data-processing agreements: our payment processor, our calendar and booking system, our encrypted communications provider, and our accounting firm. Each is contractually limited to processing only what is necessary for the service it provides.
• Verification partners who conduct the limited identity, sanctions, and public-records checks required by our vetting protocol.
• Legal and tax advisors bound by professional duties of confidence.
• Authorities only where compelled by valid legal process — court order, subpoena, or binding regulatory demand — and only to the minimum extent so required. Where law permits, we will notify you before any such disclosure.

We do not share personal data with advertisers, data brokers, social media platforms, or any other third party for any commercial purpose.

The House operates worldwide; data necessarily moves between jurisdictions in the ordinary course of arranging international engagements. Where data is transferred from the EU/UK to the United States or another non-adequate country, we rely on the following safeguards:

• The European Commission's Standard Contractual Clauses (2021/914), or the UK Information Commissioner's International Data Transfer Agreement, in force with each of our service providers as applicable.
• Where available, the EU-US Data Privacy Framework certification of the receiving processor.
• Supplementary measures (encryption in transit and at rest; access controls; pseudonymisation where feasible) to address the risks identified in Schrems II and subsequent guidance.

A copy of the relevant transfer instruments is available on request to the Director of Privacy.

Personal data is stored on encrypted, access-controlled systems hosted in jurisdictions with strong data-protection regimes. Specifically:

• Encryption — at rest (AES-256) and in transit (TLS 1.3 minimum).
• Access — by named individual under written confidentiality agreement; multi-factor authentication required for every login; access is logged and reviewed.
• Network segregation — client identification data is held on a separate, more restricted system than engagement-coordination data.
• Backup — encrypted, geographically separated, retained only as long as the operational record requires.
• Breach notification — in the event of a personal data breach affecting you, we will notify you within 72 hours of becoming aware (per GDPR Article 34) and notify the relevant supervisory authority where required, regardless of jurisdiction.

We hold personal data only for as long as we have a clear, lawful reason to. The retention schedule below applies in every case, with no exceptions other than those required by law:

• Inquiries that do not progress to engagement — deleted automatically within 90 days of the last contact, unless you have asked us to keep your record open.
• Companion applications declined — deleted automatically within 90 days of the decision, with the limited exception of the applicant's name and date of decision, retained on a separate list to honour the applicant's wishes if they should reapply.
• Companion applications accepted — held for the duration of the working relationship and seven years thereafter, in line with our tax, employment, and contractual record-keeping obligations.
• Active client records — held for the duration of the relationship.
• Closed client records — retained for seven years following the last engagement (in line with US, UK, and EU statute-of-limitations and tax record-keeping requirements), then permanently destroyed.
• Financial records — retained for the period required by tax law in each relevant jurisdiction (typically seven years), then destroyed.
• Photographs and Client-facing visual materials — destroyed within 30 days of engagement completion, save those you have explicitly authorised us to retain.

"Deletion" means permanent destruction across all live systems and backups. We do not retain "soft-deleted" or anonymised residual records of personal data beyond the periods above.

Depending on your jurisdiction, you have some or all of the following rights in respect of personal data we hold about you. We honour all of them in every jurisdiction in which we operate, regardless of whether they are technically required.

• Right of access — to receive a copy of the personal data we hold about you, free of charge, within 30 days.
• Right of rectification — to have inaccurate or incomplete data corrected.
• Right of erasure ("right to be forgotten") — to have your personal data deleted, subject only to legal obligations preventing deletion.
• Right of restriction — to limit our processing of your data while a query is being resolved.
• Right of portability — to receive your data in a structured, commonly-used, machine-readable format.
• Right to object — to processing based on legitimate interests, or for marketing.
• Right to withdraw consent — at any time, where processing is based on your consent.
• Right to non-discrimination (CCPA / CPRA) — we will not discriminate against you for exercising any privacy right.
• Right to lodge a complaint — with the data-protection authority in your jurisdiction.

To exercise any right above, contact privacy@nobleandhours.com. We will respond, by a named human, within seven days, with a substantive answer within thirty.

The House does not use automated decision-making or profiling (within the meaning of GDPR Article 22) in any aspect of its work. Every vetting decision, every engagement match, every accept-or-decline determination is made by a named human, with the time and attention the matter deserves.

This website uses only the cookies and tracking technologies strictly necessary for it to function. Specifically:

• Strictly necessary cookies — for session continuity and form-submission integrity. Cannot be declined; the site will not function without them.
• Aggregate analytics — privacy-respecting, IP-anonymised, no third-party tracking. We use this only to understand whether the site is working, not to identify any visitor.

We do not use advertising cookies. We do not use social media tracking pixels. We do not embed any third-party script that profiles visitors. If you have arrived here from a paid advertisement, the only data passed to us is the originating campaign — never your identity.

The services of the House are offered exclusively to adults. We do not knowingly collect personal data from any person under the age of 18 (or the age of majority in their jurisdiction, whichever is higher). If you become aware that personal data of a minor has been provided to us, please contact privacy@nobleandhours.com and we will delete it immediately upon verification.

We review this policy every six months and update it whenever the law, our practice, or our service materially changes. The version number and effective date at the top of this page indicates the current iteration; a full history of past versions, and a summary of changes between them, is available on request.

Where a change is material — meaning it expands what we collect, what we do with it, or who it goes to — we will notify active clients directly, by their preferred channel, and ask for renewed consent where the new processing requires it.

For any question about this policy, or any exercise of your rights under it (access, correction, deletion, portability), please contact our director of operations:

• By email: privacy@nobleandhours.com — answered by a named human within 24 hours.
• By post: Noble & Hours LLC, Director of Privacy, 685 Fifth Avenue, 20th Floor, New York, NY 10022, USA.
• By telephone: +1 (212) 555 · 0199, 24 hours.

For regulatory complaints unresolved by the above, the relevant supervisory authority in your jurisdiction (for EU residents, your national data-protection authority) may be contacted directly. We do not ask that you come to us first — only that you give us the chance to make it right.