Privacy Policy
22 Oct, 2025

PRIVACY POLICY
Galveston Group Limited
Registered Office: 6 Waterloo Place, Edinburgh, Scotland
Effective Date: 05/12/25
TABLE OF CONTENTS
- Purpose and Scope
- Data Controller and Contact Information
- Categories of Personal Data Collected
- Lawful Bases for Processing
- Purposes of Data Processing
- Data Recipients and Third-Party Disclosures
- International Data Transfers
- Data Security and Protection Measures
- Data Retention Periods
- Data Subject Rights
- Automated Decision-Making
- Cookies and Similar Technologies
- Changes to this Privacy Policy
- Complaints and Regulatory Authority
- Governing Law
1. PURPOSE AND SCOPE
1.1 Introduction
This Privacy Policy sets forth the manner in which Galveston Group Limited ("Galveston," "we," "us," or "our") collects, processes, stores, and protects personal data in accordance with applicable data protection legislation, including the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018").
1.2 Scope of Application
This Privacy Policy applies to all personal data processed by Galveston in connection with the provision of our geopolitical intelligence and risk analysis platform ("Platform") and associated professional services to institutional clients.
1.3 Data Controller
Galveston Group Limited acts as the data controller for personal data processed through our Platform and services. Our registered office is located at 6 Waterloo Place, Edinburgh, Scotland.
2. DATA CONTROLLER AND CONTACT INFORMATION
2.1 Contact Details
Galveston Group Limited
6 Waterloo Place
Edinburgh, Scotland
United Kingdom
Email: admin@galvestongroup.com
Data Protection Officer: dpo@galvestongroup.com
2.2 Regulatory Authority
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
United Kingdom
Telephone: 0303 123 1113
Website: ico.org.uk
3. CATEGORIES OF PERSONAL DATA COLLECTED
3.1 Account and Identification Data
We collect and process the following identification and account information:
- Full name and professional title
- Corporate email address
- Business telephone number
- Employer and organizational details
- Job function and seniority level
- Authentication credentials
3.2 Financial and Billing Information
For the purpose of service provision and billing administration:
- Billing address and contact details
- Payment instrument information (processed via PCI DSS compliant third-party payment processors)
- Purchase order references
- Transaction history and invoicing records
3.3 Platform Usage and Technical Data
We automatically collect technical and usage data, including:
- Internet Protocol (IP) addresses
- Browser type and version
- Device identifiers and operating system information
- Session data and timestamps
- Platform feature utilization metrics
- Search queries and report generation activity
- Alert configuration preferences
- Geographic location data (derived from IP address)
3.4 Portfolio and Investment Data
Subject to explicit instruction and consent, we may process:
- Portfolio holdings and investment positions
- Asset allocation data
- Securities identifiers and exposure metrics
- Risk parameter configurations
- Custom watchlists and proprietary screening criteria
Confidentiality Notice: All portfolio and investment data is processed under strict confidentiality obligations and is never shared with third parties, utilized for cross-client analysis, or employed to train machine learning models accessible to other clients.
3.5 Communications and Correspondence
Records of professional communications, including:
- Service inquiries and support tickets
- Correspondence with our Client Success team
- Feedback and survey responses
- Recorded telephone communications (where legally permissible and disclosed)
4. LAWFUL BASES FOR PROCESSING
4.1 Contractual Necessity (Article 6(1)(b) UK GDPR)
Processing is necessary for the performance of our contractual obligations to deliver Platform access and intelligence services pursuant to executed Master Services Agreements or Terms of Service.
4.2 Legitimate Interests (Article 6(1)(f) UK GDPR)
We process certain personal data based on legitimate interests, including:
- Maintaining Platform security and preventing fraudulent activity
- Improving service quality and developing new analytical capabilities
- Conducting business operations and internal administration
- Ensuring network and information security
- Direct marketing to existing clients regarding service enhancements
Such processing is conducted only where our legitimate interests are not overridden by your fundamental rights and freedoms.
4.3 Legal Obligation (Article 6(1)(c) UK GDPR)
Processing may be required to fulfill legal and regulatory obligations, including:
- Financial services regulatory compliance
- Anti-money laundering (AML) requirements
- Counter-terrorism financing obligations
- Tax reporting and record-keeping requirements
- Compliance with court orders and lawful requests from competent authorities
4.4 Consent (Article 6(1)(a) UK GDPR)
Where required by law, we obtain explicit consent for:
- Non-essential marketing communications
- Optional platform features requiring enhanced data processing
- Deployment of non-essential cookies and tracking technologies
You maintain the right to withdraw consent at any time without affecting the lawfulness of processing conducted prior to withdrawal.
5. PURPOSES OF DATA PROCESSING
5.1 Service Provision and Platform Operation
Personal data is processed to:
- Authenticate user identity and maintain secure account access
- Deliver personalized geopolitical intelligence and risk analytics
- Generate customized reports, briefings, and alert notifications
- Process and analyze uploaded portfolio data for risk assessment
- Provide technical support and respond to service inquiries
- Maintain Platform functionality, performance, and availability
5.2 Service Enhancement and Development
On an aggregated and anonymized basis, we analyze usage patterns to:
- Refine machine learning algorithms and predictive models
- Develop enhanced analytical features and capabilities
- Optimize user interface and experience
- Identify and remediate technical issues
5.3 Business Communications
We utilize contact information to:
- Deliver critical security and service notifications
- Provide mandatory regulatory communications
- Share Platform updates and new feature releases
- Distribute requested intelligence briefings
- Conduct client satisfaction surveys
- Send marketing communications regarding service enhancements (with consent)
5.4 Compliance and Risk Management
Processing is conducted to:
- Fulfill legal and regulatory obligations
- Prevent fraud, money laundering, and terrorist financing
- Maintain audit trails and compliance records
- Respond to lawful requests from regulatory authorities
- Enforce our Terms of Service and protect legal rights
- Manage litigation and regulatory proceedings
6. DATA RECIPIENTS AND THIRD-PARTY DISCLOSURES
6.1 Service Providers and Processors
We engage carefully selected third-party service providers who process personal data on our behalf pursuant to written data processing agreements incorporating UK GDPR Article 28 requirements:
Cloud Infrastructure Providers: Amazon Web Services (AWS), Microsoft Azure
Payment Processing: Stripe Payments Europe Limited
Customer Relationship Management: Salesforce UK Limited
Communications Infrastructure: SendGrid (Twilio Inc.)
Analytics and Monitoring: Mixpanel, Datadog
All processors are contractually bound to process data solely on our documented instructions and maintain appropriate technical and organizational security measures.
6.2 Professional Advisors
We may disclose personal data to professional advisors, including legal counsel, auditors, and compliance consultants, where necessary for the provision of professional services under duties of confidentiality.
6.3 Regulatory and Law Enforcement Authorities
Personal data may be disclosed to competent authorities where required by law or where necessary to:
- Comply with court orders or regulatory investigations
- Respond to lawful requests from law enforcement
- Protect against fraud or security threats
- Enforce legal rights or defend legal claims
- Comply with Financial Conduct Authority (FCA) requirements
6.4 Corporate Transactions
In the event of a merger, acquisition, corporate reorganization, or sale of assets, personal data may be transferred to successor entities. We will provide advance notice of any such transfer and inform you of choices available regarding your data.
6.5 Confidentiality of Client Investment Data
Critical Assurance: Your portfolio holdings, investment positions, trading strategies, and proprietary screening criteria are never disclosed to any third parties, including other clients, market participants, data vendors, or service providers, except where explicitly required by law or court order.
7. INTERNATIONAL DATA TRANSFERS
7.1 Data Storage and Processing Locations
Personal data is primarily stored and processed within the United Kingdom and European Economic Area (EEA). Our primary data centers are located in London (United Kingdom) and Dublin (Ireland).
7.2 Transfers to Third Countries
Where we engage service providers located outside the UK/EEA, we ensure adequate safeguards through:
- UK Adequacy Decisions: Transfers to jurisdictions recognized by the UK Government as providing adequate data protection
- International Data Transfer Agreement (IDTA): Implementation of the UK Information Commissioner's Office standard contract clauses
- Supplementary Measures: Additional technical and organizational safeguards as recommended by the European Data Protection Board
7.3 UK-US Data Transfers
For transfers to United States-based service providers, we rely on:
- Standard Contractual Clauses incorporating UK GDPR provisions
- Supplementary technical measures including encryption and pseudonymization
- Contractual restrictions on government data access
- Participation in recognized certification mechanisms
Details of our international data transfer safeguards are available upon request to our Data Protection Officer.
8. DATA SECURITY AND PROTECTION MEASURES
8.1 Technical Security Controls
Galveston implements enterprise-grade technical safeguards, including:
Encryption:
- Data in transit: TLS 1.3 with perfect forward secrecy
- Data at rest: AES-256 encryption
- Database-level encryption with key rotation
- End-to-end encryption for sensitive communications
Access Controls:
- Multi-factor authentication (MFA) mandatory for all user accounts
- Role-based access control (RBAC) with principle of least privilege
- Privileged access management (PAM) for administrative functions
- Regular access reviews and certification
Network Security:
- Next-generation firewalls and intrusion detection systems (IDS)
- Distributed denial-of-service (DDoS) protection
- Web application firewall (WAF) with OWASP Top 10 protection
- Network segmentation and microsegmentation
- Virtual private network (VPN) for remote access
Application Security:
- Secure development lifecycle (SDLC) practices
- Regular penetration testing by independent third parties
- Vulnerability scanning and patch management
- Code review and static/dynamic analysis
- Security by design principles
8.2 Organizational Security Measures
Personnel Security:
- Background verification for employees with data access
- Confidentiality and non-disclosure agreements
- Mandatory information security awareness training
- Role-specific security training for technical staff
- Clear desk and clear screen policies
Operational Security:
- Security Operations Center (SOC) monitoring 24/7/365
- Automated security event logging and analysis
- Incident response and breach notification procedures
- Business continuity and disaster recovery plans
- Regular backup with geographically distributed storage
8.3 Compliance Certifications
Galveston maintains the following security certifications and attestations:
- SOC 2 Type II: Annual attestation by independent auditor
- ISO 27001: Information Security Management System certification (in progress)
- Cyber Essentials Plus: UK Government scheme certification
Independent audit reports are available to enterprise clients upon execution of non-disclosure agreements.
8.4 Client Data Segregation
Portfolio and investment data is maintained in logically segregated environments with:
- Client-specific encryption keys
- Database-level isolation
- Separate processing environments for machine learning inference
- Contractual and technical prohibitions on cross-client data access
9. DATA RETENTION PERIODS
9.1 Retention Principles
Personal data is retained only for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by applicable law. Retention periods are determined based on:
- Contractual requirements
- Regulatory obligations
- Legitimate business needs
- Legal limitation periods
9.2 Specific Retention Periods
Active Client Accounts:
- Account and profile data: Duration of contract plus 90 days
- Usage and technical logs: 24 months
- Communications records: 36 months
- Portfolio data: Duration of contract plus 90 days (unless earlier deletion requested)
Closed Accounts:
- Account data: 90 days following account closure (unless legal obligation requires retention)
- Financial and billing records: 7 years (UK tax and accounting requirements)
- Compliance records: 7 years (FCA and regulatory requirements)
Anonymized Data:
- Aggregated analytics: Indefinite (genuinely anonymized data is not personal data)
Legal Proceedings:
- Data subject to litigation hold: Retained until final resolution of proceedings
9.3 Secure Disposal
Upon expiry of retention periods, personal data is securely destroyed using:
- Cryptographic erasure for encrypted data
- Secure deletion protocols for unencrypted data
- Certificate of destruction for physical media
- Verification and audit logging of disposal activities
10. DATA SUBJECT RIGHTS
10.1 Rights Overview
Under the UK GDPR and DPA 2018, you are entitled to exercise the following rights:
Right of Access (Article 15)
Request confirmation of whether we process your personal data and obtain a copy of such data along with supplementary information regarding processing activities.
Right to Rectification (Article 16)
Request correction of inaccurate personal data and completion of incomplete data.
Right to Erasure (Article 17)
Request deletion of personal data where:
- Data is no longer necessary for the purposes collected
- You withdraw consent (where consent is the lawful basis)
- You object to processing and no overriding legitimate grounds exist
- Data has been unlawfully processed
- Erasure is required for compliance with legal obligations
Right to Restriction of Processing (Article 18)
Request limitation of processing where:
- You contest the accuracy of data
- Processing is unlawful but you oppose erasure
- We no longer need the data but you require it for legal claims
- You have objected to processing pending verification of legitimate grounds
Right to Data Portability (Article 20)
Receive personal data concerning you in a structured, commonly used, machine-readable format and transmit such data to another controller where:
- Processing is based on consent or contract
- Processing is carried out by automated means
Right to Object (Article 21)
Object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds overriding your interests, rights, and freedoms.
Right to Withdraw Consent (Article 7(3))
Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
Right Not to Be Subject to Automated Decision-Making (Article 22)
Not be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect you.
10.2 Exercising Your Rights
To exercise any of the above rights, submit a written request to:
Data Protection Officer
Galveston Group Limited
6 Waterloo Place
Edinburgh, Scotland
United Kingdom
Email: dpo@galvestongroup.com
10.3 Response Timeframe
We will respond to your request within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of requests, in which case we will inform you of such extension and the reasons for delay.
10.4 Identity Verification
To protect your personal data from unauthorized disclosure, we will require verification of your identity before processing requests. We may request additional information necessary to confirm your identity.
10.5 Right to Lodge a Complaint
You have the right to lodge a complaint with the UK Information Commissioner's Office if you believe your data protection rights have been violated:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
11. AUTOMATED DECISION-MAKING
11.1 Use of Automated Processing
Galveston employs automated processing, including artificial intelligence and machine learning algorithms, to deliver intelligence analytics, risk assessments, and predictive scenarios. However, we do not make solely automated decisions that produce legal effects or similarly significantly affect you.
11.2 Human Oversight
All automated risk assessments and intelligence outputs are intended as decision-support tools. Final investment decisions, portfolio adjustments, and strategic actions remain under the sole control and judgment of our clients and their authorized personnel.
11.3 Profiling
We do not engage in profiling activities that would produce legal effects or significantly affect individuals. Platform usage analytics and feature recommendations are based on aggregated behavioral patterns and do not result in differential treatment of individual users.
12. COOKIES AND SIMILAR TECHNOLOGIES
12.1 Cookie Usage
Galveston utilizes cookies and similar tracking technologies to enhance Platform functionality, analyze usage patterns, and improve user experience. Detailed information regarding our use of cookies is set forth in our Cookie Policy, accessible at [URL].
12.2 Cookie Categories
Strictly Necessary Cookies
Essential for Platform operation, including authentication, session management, and security functions. These cannot be disabled without severely affecting Platform functionality.
Performance and Analytics Cookies
Collect information about Platform usage to help us understand user behavior and improve service delivery. These cookies may be disabled through cookie preference settings.
Functional Cookies
Remember user preferences and settings to enhance user experience. These cookies may be disabled, though this may affect certain Platform features.
12.3 Cookie Management
You may control cookie preferences through:
- Browser settings and privacy controls
- Platform cookie preference center (accessible in Account Settings)
- Third-party opt-out mechanisms for analytics providers
Please note that disabling certain cookies may impair Platform functionality and service delivery.
13. CHANGES TO THIS PRIVACY POLICY
13.1 Policy Updates
Galveston reserves the right to modify this Privacy Policy to reflect changes in:
- Legal and regulatory requirements
- Industry best practices and standards
- Our data processing activities and Platform features
- Corporate structure or business operations
13.2 Notification of Material Changes
In the event of material changes to this Privacy Policy that would adversely affect your rights, we will:
- Provide advance written notice via email to your registered account address
- Display prominent notice on the Platform login page
- Provide a minimum of 30 days' notice prior to changes taking effect
13.3 Continued Use
Continued use of the Platform following the effective date of an updated Privacy Policy constitutes acceptance of the revised terms. If you do not agree to the updated Privacy Policy, you must discontinue use of the Platform and may request account closure.
13.4 Version Control
Each version of this Privacy Policy will display an "Effective Date" and "Last Revised" date. Historical versions are maintained and available upon request.
14. COMPLAINTS AND REGULATORY AUTHORITY
14.1 Internal Complaints Process
If you have concerns regarding our processing of your personal data, we encourage you to contact our Data Protection Officer in the first instance:
Email: dpo@galvestongroup.com
We are committed to investigating and resolving complaints promptly and will provide a substantive response within 30 days of receipt.
14.2 Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the UK Information Commissioner's Office:
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Telephone: 0303 123 1113
Website: ico.org.uk
Email: casework@ico.org.uk
14.3 Cross-Border Complaints
For EEA residents, you may also lodge a complaint with the supervisory authority in your EU Member State of residence or place of work.
15. GOVERNING LAW
15.1 Applicable Law
This Privacy Policy and all matters relating to your access to and use of the Platform shall be governed by and construed in accordance with the laws of Scotland and the United Kingdom, without regard to conflict of law principles.
15.2 Jurisdiction
You irrevocably agree that the courts of Scotland shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Privacy Policy or its subject matter or formation (including non-contractual disputes or claims).
15.3 Primacy of Data Protection Law
Notwithstanding the above, nothing in this Privacy Policy shall be construed to limit or exclude your rights under the UK GDPR, DPA 2018, or other applicable data protection legislation. In the event of conflict between this Privacy Policy and applicable data protection law, the provisions of such law shall prevail.
ACKNOWLEDGMENT
By accessing or using the Galveston Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree to these terms, you must not access or use the Platform.
For inquiries regarding this Privacy Policy, please contact:
Galveston Group Limited
6 Waterloo Place
Edinburgh, Scotland
United Kingdom
General Inquiries: admin@galvestongroup.com
Data Protection Officer: dpo@galvestongroup.com