Privacy Policy
finconduit.com and engagement-related processing

finconduit (“finconduit”, “we”, “us”, “our”) is a UK-registered regulatory-advisory firm. We work with virtual asset service providers (VASPs), crypto-asset service providers (CASPs), electronic money institutions (EMIs), and payment service providers (PSPs) on authorisation, banking access, AML programme design, and operational compliance across the UK and the European Economic Area. Our primary jurisdiction of establishment is the United Kingdom; most engagement counterparties are based in the EEA.

For all matters arising under this Privacy Policy, finconduit is the data controller. The registered office is 35 Folgate Street, Spitalfields, London, E1 6BX, United Kingdom. The privacy contact is info@finconduit.com.

This Privacy Policy applies to:

• finconduit.com and all its subdomains, including the blog, the EEA Regulated-Fintech Tracker, the glossary, RSS feeds, the AI markdown mirrors, and the practitioner tools and calculators.
• All forms hosted on the site, including the contact form and the regulatory-assessment form that produces a proposal.
• Email correspondence with prospective and active engagement counterparties.
• Marketing communications, where you have opted in.
• Any advisory engagement, to the extent the engagement letter and DPA cross-refer to this policy or are silent on a given processing activity.

This policy does not apply to third-party websites linked from finconduit.com, including the websites of national competent authorities, statutory texts, industry bodies, and vendor pages. Those websites are governed by their own privacy notices.

(a) Contact data submitted through forms

When you submit the contact form or the regulatory-assessment form, finconduit collects: full name, business email address, telephone number where you provide it, institution name and corporate role, and the substantive content you write into the free-text fields. The assessment form also captures structured fields covering target jurisdictions, regulated activity, current authorisation status, and the immediate operational question driving the enquiry.

(b) Engagement data shared during advisory work

During an active engagement, finconduit receives the documentation needed to deliver the work. The categories typically include: corporate documents (incorporation, registers, ownership and control structure charts), regulatory filings (authorisation applications, supervisory correspondence, MLRO reports), policy and procedure documentation, banking history (account opening packs, prior rejections, correspondent relationships), beneficial ownership and PEP information for KYC-on-the-firm purposes, and operational evidence such as transaction-monitoring outputs or sanctions-screening logs. This material is processed under the engagement letter and DPA.

(c) Technical data from your use of the site

finconduit.com records technical data automatically on each request: IP address, user-agent string, referring URL, requested URL, timestamp, response code, and (where consent has been given) the cookie identifiers described in our Cookies notice at /cookies. Server access logs are retained for 90 days for security and fraud-prevention purposes.

(d) Marketing-engagement data

finconduit does not run a CRM-driven marketing programme. Where you have explicitly subscribed to receive updates, we record the subscription itself and basic open/click telemetry on the messages sent. The dataset is small and limited to subscribers; it is deleted within 30 days of unsubscribe.

finconduit processes personal data on the bases set out in Article 6 of the UK GDPR and, in parallel, Article 6 of the EU GDPR for EEA-based individuals. Each processing activity is mapped to a single lawful basis. The bases applied are:

finconduit does not solicit special category data within the meaning of Article 9(1) UK GDPR / EU GDPR. Forms do not request information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, sex life, or sexual orientation. You should not submit special category data through the site forms.

Special category data may be incidentally disclosed during an advisory engagement — for example, in identification documents submitted as part of beneficial-ownership evidence, or in occupational-health information that surfaces in a fitness-and-propriety assessment. Where incidental disclosure occurs, processing is conducted strictly under Article 9(2)(g) (reasons of substantial public interest, where the engagement supports compliance with regulatory or AML obligations) or Article 9(2)(f) (establishment, exercise, or defence of legal claims). Such data is segregated within engagement-specific encrypted storage, access is limited to engagement personnel with a direct need to know, and retention follows the rule applicable to the underlying document category.

The purposes for which finconduit processes personal data, and the lawful basis applied to each purpose, are:

• Responding to enquiries. Triage of the contact form and assessment form, follow-up correspondence, and preparation of a proposal. Basis: pre-contractual steps under Art. 6(1)(b).
• Delivering the advisory engagement. Drafting, reviewing, and delivering work product, advising on authorisation strategy, AML programme design, and banking access. Basis: contract under Art. 6(1)(b), as scoped in the engagement letter and DPA.
• Complying with AML and counter-terrorist-financing obligations. Customer-due-diligence on engagement counterparties where finconduit is itself in scope of the Money Laundering Regulations 2017, recording of source-of-funds verification, retention of CDD records. Basis: legal obligation under Art. 6(1)(c).
• Operating and securing the site. Serving pages, throttling abuse, blocking malicious traffic, defending against denial-of-service. Basis: legitimate interests under Art. 6(1)(f).
• Measuring how visitors use the site, where you consent. GA4 aggregate analytics with IP anonymisation, Hotjar masked-input behaviour analytics. Basis: consent under Art. 6(1)(a) and PECR reg. 6.
• Sending marketing updates, where you have opted in. Periodic substantive updates to subscribers. Basis: consent under Art. 6(1)(a) and PECR reg. 22.
• Defending legal claims and meeting tax and statutory accounting obligations. Retention of engagement records and invoices. Basis: legitimate interests under Art. 6(1)(f) and legal obligation under Art. 6(1)(c).

(a) Sub-processors

finconduit relies on a defined set of sub-processors to run the website and the associated operational infrastructure. Each sub-processor is engaged under a written contract that imposes confidentiality obligations and, where transfers leave the UK or EEA, the relevant transfer mechanism. The current sub-processor list is:

Transfer-risk assessments under the ICO's Transfer Risk Assessment guidance have been completed for each sub-processor whose processing involves a restricted transfer. Where a sub-processor is replaced or added, this policy is updated with the same prominence as a material change.

(b) Professional advisers

finconduit may disclose personal data to professional advisers — solicitors, accountants, auditors, and insurers — where disclosure is necessary to obtain professional advice or to manage a specific risk. Advisers are subject to professional duties of confidentiality and to a written instruction limited to the specific purpose.

(c) Regulators and law enforcement

finconduit discloses personal data to regulators or law enforcement only on receipt of a lawful request — a statutory information notice, court order, or other binding instrument. Where the law does not prohibit notification, finconduit notifies the affected data subject. finconduit does not provide personal data to commercial third parties for marketing, profiling, or sale.

Several sub-processors operate from outside the United Kingdom and the European Economic Area. Restricted transfers from the UK are made under the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. Restricted transfers from the EEA are made under the European Commission's 2021 Standard Contractual Clauses (Module 2 controller-to-processor or Module 3 processor-to-processor, as relevant).

For transfers to the United States, finconduit relies primarily on the UK Extension to the EU–US Data Privacy Framework where the recipient is self-certified, with the IDTA or SCCs as a contractual backstop. For all restricted transfers, finconduit has completed a transfer risk assessment that considers the destination jurisdiction's legal environment, the technical and organisational measures applied by the recipient, and the practical likelihood of access by public authorities. The assessments are reviewed annually.

finconduit retains personal data only for as long as is necessary for the purpose for which it was collected, or as required by applicable law. The retention schedule is:

On expiry of the retention period, personal data is either securely deleted or anonymised. Backups are subject to the same retention rule on a delayed basis: a record removed from primary storage is removed from incremental backups at the next backup cycle and from full backups within 90 days.

Under UK GDPR Articles 15 to 22, you have a clear set of rights in respect of your personal data. Equivalent rights apply under the EEA GDPR if you are based in the EEA. The right of complaint runs to the ICO in the UK, or to the national supervisory authority of your habitual residence, place of work, or place of the alleged infringement, in the EEA.

finconduit.com uses a small number of strictly necessary cookies for core site function. Non-essential cookies — analytics and behaviour analytics — load only after explicit consent through the cookie banner, as required by PECR regulation 6 and UK GDPR Article 7. Consent is recorded server-side and is withdrawable at any time using the banner controls.

The full Cookies notice — including the categories, names, durations, and purposes of each cookie, and instructions for changing your preferences — is published at /cookies. To avoid duplication, the operational detail is not repeated here.

finconduit applies technical and organisational measures appropriate to the risk of the processing, consistent with UK GDPR Article 32. The principal measures are:

• TLS 1.3 in transit for all connections to finconduit.com, with HSTS enforced and only modern cipher suites enabled.
• Encryption at rest for all stored client documentation in engagement-specific folders, with keys held under the principle of least privilege.
• Multi-factor authentication required for all administrative access to the website, the CMS, the hosting platform, the email infrastructure, and any system where engagement data is stored.
• Role-based access control. Engagement data is segregated by client; access is granted on a need-to-know basis and audited.
• Periodic sub-processor security reviews, including a review of each sub-processor's SOC 2 / ISO 27001 reports or equivalent attestations.
• A documented incident response procedure, with personal-data-breach assessment under UK GDPR Art. 33 and notification to the ICO within 72 hours where the breach is likely to result in a risk to the rights and freedoms of natural persons.
• No engagement data is stored outside engagement-specific encrypted folders. Email is not used as long-term storage.

No security control eliminates risk. finconduit reviews controls at least annually and updates them as the threat environment, regulatory expectations, or the firm’s own processing change.

finconduit’s services are directed at regulated financial institutions and their advisers. The site is not directed at children, and finconduit does not knowingly collect personal data from anyone under 18. If you believe a child has submitted personal data through the site, contact info@finconduit.com and we will delete it.

finconduit reviews this Privacy Policy at least annually, and on the occurrence of any material change in processing — for example, the addition or removal of a sub-processor, a change of lawful basis, or a change in retention periods. Material changes are surfaced via the cookie banner and reflected in the "Last updated" date at the top of this page.

The current version of this policy supersedes all earlier versions. Earlier versions are available on request to info@finconduit.com.

Direct any question, request, or complaint about how finconduit handles personal data to info@finconduit.com. If you are not satisfied with the response, you have the right to lodge a complaint with the ICO or with your national EEA supervisory authority.