Privacy Policy &
GDPR Compliance Notice

finconduit (“finconduit”, “we”, “us”, or “our”) is committed to protecting the personal data of our clients, prospective clients, website visitors, and other individuals whose data we process in connection with our regulatory advisory services.

This Privacy Policy describes how we collect, use, disclose, retain, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), and where applicable, the EU GDPR.

Scope of this policy

This policy applies to all personal data processed by finconduit, including data obtained from: direct client engagements; our website at finconduit.com; marketing and communications activities; and in the course of providing regulatory, compliance, and banking access advisory services.

Where we process personal data on behalf of our clients as a data processor (for example, processing employee data during a compliance programme implementation), our obligations are governed by the relevant data processing agreement rather than this policy.

Client and institutional data

In the course of providing advisory services to regulated institutions, we collect personal data relating to the individuals who represent those institutions. This typically includes:

• Contact details: name, email address, telephone number, job title, and business address
• Identity verification data: passport or national ID details for KYC purposes where required
• Professional background: qualifications, regulatory history, and fitness and propriety information
• Communications: email correspondence, meeting notes, and engagement records
• Financial information: invoicing details and payment records

Website visitors

When you visit our website, we may collect technical data including your IP address, browser type and version, operating system, referral source, length of visit, and page views. This data is collected via cookies and analytics tools (see Section 09).

• Enquiry data submitted via contact or assessment request forms
• Marketing preferences and communication consent records
• Interaction data: pages visited, content downloaded, and webinar attendance

The nature of finconduit's advisory services means we routinely handle documentation that is commercially sensitive, legally privileged, or operationally confidential. While such institutional documentation may not always contain personal data per se, where it does we apply heightened processing standards consistent with the sensitivity of the information.

The table below classifies the principal categories of regulatory data we handle, the legal basis for processing, and applicable retention periods:

Handling of legal privilege

Where documentation handled in the course of an engagement attracts legal professional privilege (for example, legal opinions prepared in conjunction with our legal panel), that privilege is maintained and such documentation is subject to enhanced access controls within our document management infrastructure.

finconduit processes personal data only where a valid legal basis exists under Article 6 of the GDPR. For each category of processing activity, the applicable legal basis is documented in our Record of Processing Activities (RoPA), maintained by our Data Protection Officer.

Third parties with whom we share data

We do not sell, rent, or trade personal data. We share personal data only in the following circumstances and with the following categories of recipient:

• Banking partners and correspondent institutions: where you have engaged us to make banking introductions, we share the documentation package with pre-identified banking partners on your authorisation
• Legal panel members: solicitors and barristers engaged to prepare or review legal opinions as part of your engagement
• Regulatory authorities: where required by applicable law, supervisory body, or court order
• IT and infrastructure providers: cloud storage, document management, and communications platforms operating under appropriate DPAs
• Professional advisors: accountants, auditors, and insurers, subject to confidentiality obligations

International transfers

Where personal data is transferred outside the UK or EEA, finconduit ensures that appropriate safeguards are in place, including:

• UK adequacy regulations or EU adequacy decisions (where the recipient country has been granted adequacy status)
• Standard Contractual Clauses (SCCs) as approved by the European Commission or the ICO under the International Data Transfer Agreement (IDTA)
• Binding Corporate Rules (BCRs), where applicable
• Derogations under Article 49 GDPR for specific transfers in limited circumstances

finconduit retains personal data only for as long as is necessary for the purpose for which it was collected, or as required by applicable legal and regulatory obligations. Our Data Retention Schedule (available on request from dpo@finconduit.com) specifies the retention period applicable to each category of data.

Principal retention periods

• Active client engagement data: retained for the duration of the engagement plus 5 years
• AML/KYC documentation: minimum 5 years from end of business relationship (MLR 2017 obligation)
• Regulatory correspondence and licensed documentation: 7–10 years post-engagement
• Website enquiry and contact data: 24 months from last interaction
• Marketing consent records: 3 years from consent date, or until withdrawn
• Contractual documentation: 7 years from contract end (Limitation Act 1980)
• Invoice and payment records: 7 years (HMRC requirement)

Upon expiry of the relevant retention period, personal data is securely deleted or anonymised in accordance with our Data Disposal Procedure. For cloud-hosted data, we use certified deletion processes that meet ISO 27001 standards.

Under the UK GDPR and EU GDPR, data subjects have clearly defined rights in respect of their personal data. The rights below apply to personal data relating to natural persons within your institution. Institutional clients should note that commercially confidential compliance documentation is not necessarily subject to these rights in full — please contact our DPO for guidance specific to your engagement.

If you are dissatisfied with our handling of your personal data or a rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk, or with your local supervisory authority if you are based in the EU.

finconduit implements technical and organisational security measures appropriate to the risk profile of the data we process. Given the commercially and regulatory sensitive nature of our work, our security framework is designed to institutional standards.

Technical measures

• AES-256 encryption at rest for all stored client documentation
• TLS 1.3 in transit for all data transfers and communications
• Multi-factor authentication (MFA) required for all staff access to client data systems
• Zero-trust network architecture with role-based access controls (RBAC)
• Regular penetration testing and vulnerability assessments (minimum annual)
• ISO 27001-aligned information security management system

Organisational measures

• All staff complete mandatory GDPR and data protection training on engagement and annually thereafter
• Data protection impact assessments (DPIAs) conducted for all high-risk processing activities
• Confidentiality agreements in place with all staff, contractors, and third-party processors
• Incident response plan with defined notification procedures and escalation paths
• Regular internal audits of data processing activities against this policy and our RoPA

Our website uses cookies and similar technologies to ensure core functionality, remember your preferences, and gather aggregate analytics to improve our service. We do not use third-party advertising or tracking cookies.

You may withdraw consent for non-essential cookies at any time by adjusting your browser settings or by using our cookie preference centre. Disabling essential cookies may affect core website functionality.

For any queries relating to this Privacy Policy, to exercise your GDPR rights, or to raise a concern about how we handle your personal data, please contact our Data Protection Officer using the details below.

If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the ICO at any time. We encourage you to contact us first so we can address your concern directly.