Privacy Policy

This Privacy Policy (the "Policy") sets forth the principles, standards, and procedures by which Space Sovereign Office ("we," "our," or "us") collects, processes, stores, transfers, and disposes of Personal Data. This Policy has been designed to comply with applicable data protection laws and regulations, including but not limited to the GDPR, the UK Data Protection Act 2018, the CCPA/CPRA, and other relevant legislation.

1. Introduction and Scope

1.1 Scope of Application

This Policy applies to Personal Data relating to the following categories of individuals:

  • Family members and principals of the Family Office
  • Beneficiaries, trustees, settlors, and protectors of trusts and similar structures
  • Directors, officers, partners, and shareholders of entities within the family structure
  • Employees, consultants, contractors, and interns
  • External advisors, legal counsel, auditors, and financial service providers
  • Counterparties to investment transactions, co-investors, and joint venture partners
  • Household staff, personal assistants, security personnel, and estate managers
  • Donors, philanthropic beneficiaries, and foundation stakeholders
  • Any other individuals whose Personal Data is processed in the course of our operations

1.2 Definitions

Term | Definition
Personal Data | Any information relating to an identified or identifiable natural person
Special Category Data | Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, etc.
Processing | Any operation or set of operations performed on Personal Data
Controller | The natural or legal person which determines the purposes and means of Processing
Processor | A natural or legal person which processes Personal Data on behalf of the Controller
Data Subject | An identified or identifiable natural person to whom Personal Data relates
Consent | Any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes
Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of Personal Data

2. Data Protection Principles

All Processing of Personal Data shall be conducted in accordance with the following core principles:

  • Lawfulness, Fairness, and Transparency: Personal Data shall be processed lawfully, fairly, and in a transparent manner.
  • Purpose Limitation: Personal Data shall be collected for specified, explicit, and legitimate purposes.
  • Data Minimisation: Personal Data shall be adequate, relevant, and limited to what is necessary.
  • Accuracy: Personal Data shall be accurate and, where necessary, kept up to date.
  • Storage Limitation: Personal Data shall be kept for no longer than is necessary for the purposes for which it is processed.
  • Integrity and Confidentiality: Personal Data shall be processed in a manner that ensures appropriate security.
  • Accountability: We shall be responsible for, and able to demonstrate compliance with, all of the above principles.

3. Categories of Personal Data Collected

3.1 Identity and Contact Data

  • Full legal name, maiden name, aliases, and preferred name
  • Date of birth, place of birth, nationality, and citizenship status
  • Government-issued identification numbers
  • Residential address, mailing address, email address, and telephone numbers
  • Photographs and biometric identifiers (where legally permitted)

3.2 Financial and Tax Data

  • Bank account details, credit and debit card information
  • Investment portfolios, asset valuations, net worth assessments
  • Tax residency, tax filing history, tax identification numbers
  • Sources of wealth and funds documentation
  • Trust and estate structures, beneficial ownership records
  • Insurance policies, pension details, and retirement accounts

3.3 Professional and Employment Data

  • Employment history, curriculum vitae, professional qualifications
  • Compensation, benefits, and equity arrangements
  • Performance evaluations and disciplinary records (for staff)
  • Professional memberships and board positions

3.4 Sensitive / Special Category Data

  • Health data (where necessary for insurance, duty of care, or travel arrangements)
  • Biometric data (fingerprint, facial recognition for security systems)
  • Political affiliations or contributions (for compliance purposes)
  • Criminal records and background check results (subject to legal basis)

3.5 Technical and Behavioural Data

  • IP addresses, device identifiers, browser type, and operating system
  • Website and portal usage data, login records, and access logs
  • Communication metadata (email timestamps, call logs)
  • CCTV and physical security system recordings at premises

4. Legal Bases for Processing

We process Personal Data under one or more of the following legal bases:

Contractual Necessity

Processing necessary for the performance of a contract, including investment management agreements, employment contracts, trust deeds, and service agreements.

Legal Obligation

Processing necessary for compliance with legal obligations, including AML, KYC, tax reporting (CRS/FATCA), sanctions screening, and regulatory filings.

Legitimate Interests

Processing necessary for legitimate interests, including protection of family assets and wealth, risk management, and due diligence.

Consent

Where no other legal basis applies, Processing may be conducted on the basis of the Data Subject's freely given, specific, informed, and unambiguous consent. Consent may be withdrawn at any time.

Vital Interests

Processing necessary to protect the vital interests of the Data Subject, such as in medical emergencies or security incidents.

Public Interest / Official Authority

Processing carried out in the exercise of official authority, such as compliance with court orders or regulatory investigations.

5. Purposes of Processing

Personal Data is processed for the following purposes:

  • Wealth management, investment advisory, portfolio management, and asset allocation
  • Trust administration, estate planning, and succession management
  • Tax planning, tax compliance, and multi-jurisdictional reporting
  • AML/KYC due diligence, sanctions screening, and PEP monitoring
  • Establishment and maintenance of corporate, trust, and foundation structures
  • Employment administration, payroll processing, and benefits management
  • Engagement and management of external advisors, vendors, and service providers
  • Physical security of family members, properties, and assets
  • IT services, cybersecurity, and system access management
  • Philanthropic activities, charitable donations, and foundation grant-making
  • Travel coordination, concierge services, and lifestyle management
  • Litigation management, dispute resolution, and legal proceedings
  • Internal auditing, compliance monitoring, and governance reporting
  • Insurance procurement, claims management, and risk mitigation
  • Communication management, including secure correspondence and document management

6. Data Sharing and Disclosure to Third Parties

6.1 Categories of Recipients

  • Legal counsel, tax advisors, auditors, and accountants
  • Banks, custodians, broker-dealers, and investment managers
  • Insurance companies, underwriters, and claims adjusters
  • Trust companies, fiduciaries, and corporate service providers
  • Regulatory authorities, tax authorities, and government bodies
  • Technology service providers (IT support, cloud hosting, cybersecurity)
  • Background check and due diligence providers
  • Physical security companies and private investigation firms
  • Travel agencies, aviation services, and concierge providers
  • Real estate agents, property managers, and construction firms
  • Co-investors, joint venture partners, and fund administrators (on a need-to-know basis)

6.2 Contractual Safeguards

All third-party recipients are required to enter into data processing agreements that include:

  • Obligation to process Personal Data only on documented instructions
  • Confidentiality obligations binding on all personnel
  • Implementation of appropriate technical and organisational security measures
  • Restrictions on sub-processing without prior written authorisation
  • Cooperation in responding to Data Subject rights requests
  • Obligation to notify of any Data Breach without undue delay
  • Deletion or return of all Personal Data upon termination
  • Submission to audits and inspections

6.3 No Sale of Personal Data

We do not sell, rent, lease, or trade Personal Data to any third party for commercial purposes. We do not engage in data brokerage or share Personal Data for targeted advertising.

7. International Data Transfers

Personal Data may be transferred to countries outside the Data Subject's country of residence. Where such transfers occur, we shall ensure appropriate safeguards are in place, including:

  • Transfers to countries recognised as providing an adequate level of data protection
  • Standard Contractual Clauses (SCCs), supplemented by Transfer Impact Assessments
  • Binding Corporate Rules (BCRs) approved by the relevant supervisory authority
  • Derogations for specific situations as permitted under Article 49 GDPR
  • Data transfer agreements compliant with the UK IDTA or Addendum
  • Adherence to the EU-U.S. Data Privacy Framework and equivalent frameworks

8. Data Retention

Personal Data shall be retained only for as long as necessary. The following retention periods apply unless a longer period is required by law:

Data Category | Retention Period | Basis
Investment records and portfolio data | Duration of relationship + 10 years | Regulatory obligations
AML/KYC documentation | 5–10 years post-termination | Anti-money laundering regulations
Tax records and filings | 7–15 years | Tax authority requirements
Trust and estate records | Lifetime of the trust + 21 years | Trust law; beneficiary rights
Employment records | Duration of employment + 7 years | Labour law; pension obligations
CCTV and security footage | 30–90 days | Proportionality; security needs
Communication logs | 7 years | Regulatory and litigation requirements
IT system access logs | 3 years | Cybersecurity; audit trail
Contracts and engagement letters | Duration of contract + 10 years | Limitation periods
Philanthropic and foundation records | Duration of entity + 10 years | Regulatory; audit requirements

Upon expiry of the applicable retention period, Personal Data shall be securely deleted or anonymised.

9. Data Subject Rights

Subject to applicable law, Data Subjects may exercise the following rights:

Right of Access

The right to obtain confirmation of whether Personal Data is being processed and to access a copy of such data.

Right to Rectification

The right to request correction of inaccurate Personal Data or completion of incomplete data.

Right to Erasure ("Right to Be Forgotten")

The right to request deletion of Personal Data where it is no longer necessary, consent has been withdrawn, or the data has been unlawfully processed.

Right to Restriction of Processing

The right to request the restriction of processing where accuracy is contested or processing is unlawful.

Right to Data Portability

The right to receive Personal Data in a structured, commonly used, and machine-readable format.

Right to Object

The right to object to processing based on legitimate interests or public interest, including profiling.

Right Not to Be Subject to Automated Decision-Making

The right not to be subject to a decision based solely on automated processing which produces legal effects.

Right to Withdraw Consent

Where processing is based on consent, the right to withdraw such consent at any time.

We shall respond to all valid requests within one (1) calendar month of receipt, extendable by a further two (2) months where necessary.

10. Data Security

10.1 Technical Measures

  • Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+)
  • Multi-factor authentication (MFA) for all systems containing Personal Data
  • Role-based access control (RBAC) with the principle of least privilege
  • Endpoint detection and response (EDR) on all devices
  • Network segmentation, IDS/IPS, and firewall protection
  • Regular vulnerability assessments and penetration testing
  • Secure backup and disaster recovery with encrypted offsite storage
  • Data loss prevention (DLP) tools

10.2 Organisational Measures

  • Mandatory data protection and cybersecurity training for all staff
  • Comprehensive information security policies and procedures
  • Background checks and security vetting for personnel
  • Non-disclosure agreements and confidentiality clauses
  • Clean desk and clear screen policies
  • Physical access controls at premises
  • Periodic audits and reviews of data protection compliance
  • Vendor security assessments prior to and during engagement

11. Data Breach Notification and Response

11.1 Notification to Supervisory Authorities

Where a Data Breach is likely to result in a risk to the rights and freedoms of natural persons, we shall notify the relevant supervisory authority within seventy-two (72) hours.

11.2 Notification to Data Subjects

Where a Data Breach is likely to result in a high risk, we shall communicate the breach to affected Data Subjects without undue delay.

11.3 Internal Procedures

  • All staff are required to report suspected breaches immediately
  • A breach register shall be maintained documenting all incidents
  • Post-breach reviews shall be conducted to identify root causes
  • Where required, external forensic investigation firms shall be engaged

12. Cookies and Digital Platforms

  • A separate Cookie Policy shall detail the types of cookies used, their purposes, and how users may manage preferences
  • Consent for non-essential cookies shall be obtained via a compliant consent management platform
  • Client portal access shall be protected by MFA and session timeout controls
  • Analytics tools shall be configured to anonymise IP addresses where possible
  • Third-party tracking technologies shall not be deployed without prior assessment

13. Children's Data

We may process Personal Data relating to minor children in the context of trust administration, estate planning, education planning, healthcare, travel, and security. Such processing shall be subject to enhanced safeguards:

  • Processing shall be limited to what is strictly necessary
  • Consent shall be obtained from the holder of parental responsibility where required
  • Access shall be restricted to authorised personnel on a strict need-to-know basis
  • The best interests of the child shall be a primary consideration

14. Data Protection Impact Assessments

We shall conduct a Data Protection Impact Assessment ("DPIA") prior to any processing activity likely to result in a high risk, including:

  • Systematic and extensive evaluation of personal aspects (profiling)
  • Large-scale processing of Special Category Data
  • Systematic monitoring of publicly accessible areas (CCTV)
  • Implementation of new technologies that process Personal Data
  • Cross-border transfers involving sensitive personal or financial data

15. Governance and Accountability

15.1 Record of Processing Activities

We maintain a comprehensive Record of Processing Activities (ROPA) documenting all processing activities, their purposes, legal bases, data categories, recipients, retention periods, and applicable safeguards.

15.2 Training and Awareness

All personnel with access to Personal Data shall receive data protection training upon commencement and at least annually thereafter.

15.3 Policy Review

This Policy shall be reviewed at least annually, or more frequently as required by changes in applicable law or following a significant incident.

16. Jurisdiction-Specific Provisions

16.1 United States — CCPA/CPRA

For California residents:

  • Right to Know: You may request disclosure of the categories and specific pieces of Personal Data collected
  • Right to Delete: You may request deletion of your Personal Data
  • Right to Correct: You may request correction of inaccurate Personal Data
  • Right to Opt-Out: We do not sell or share Personal Data for cross-context behavioural advertising
  • Right to Limit Use: You may limit the use of sensitive personal information
  • Non-Discrimination: We will not discriminate against you for exercising any of these rights

16.2 European Economic Area and United Kingdom

For Data Subjects in the EEA or UK, we process Personal Data in accordance with the GDPR and UK GDPR respectively. The rights and procedures described in Sections 9 through 14 are directly applicable.

16.3 Switzerland

For Data Subjects in Switzerland, we comply with the revised Swiss Federal Act on Data Protection (revFADP). Swiss Data Subjects enjoy rights substantially equivalent to those described in Section 9.

16.4 Singapore

For Data Subjects in Singapore, we comply with the Personal Data Protection Act 2012 (PDPA), including obligations relating to consent, purpose limitation, notification, accuracy, protection, retention, transfer, access and correction.

16.5 United Arab Emirates (Dubai)

For Data Subjects in the United Arab Emirates, the Family Office processes Personal Data in compliance with the following applicable laws and regulations:

  • Federal Decree-Law No. 45 of 2021 (PDPL): The UAE's federal Personal Data Protection Law, which establishes requirements for consent, purpose limitation, data minimisation, accuracy, storage limitation, and cross-border transfers
  • DIFC Data Protection Law (DIFC Law No. 5 of 2020): For activities conducted within the Dubai International Financial Centre, we comply with the DIFC's comprehensive data protection framework, which is closely aligned with the GDPR
  • ADGM Data Protection Regulations 2021: For activities within the Abu Dhabi Global Market, we adhere to the ADGM's data protection standards

UAE-based Data Subjects have the right to access, rectify, and request erasure of their Personal Data, as well as the right to restrict or object to processing. Cross-border transfers are conducted in compliance with the adequacy and safeguard requirements under the applicable UAE data protection framework.

16.6 Other Jurisdictions

We are committed to complying with all applicable data protection laws in jurisdictions where we operate.

17. Complaints

If you believe that we have not handled your Personal Data in accordance with this Policy or applicable law, you have the right to:

  • Contact us internally to allow the opportunity to address your concerns
  • Lodge a complaint with the relevant supervisory authority in your jurisdiction

We encourage you to contact us first before escalating to a supervisory authority.
