
Custodire AI Ltd, 45 Albemarle Street, Mayfair, London W1S 4JL. Company No. 16820849. Data protection enquiries: secure@custodire.ai
Who we are
Custodire AI Ltd is a company registered in England and Wales (Company No. 16820849), with its registered office at 45 Albemarle Street, Mayfair, London W1S 4JL. We are the data controller for personal data processed in connection with our services and this website. Founder and person responsible for data protection: Hendrik Hansen. Contact: secure@custodire.ai. For individuals located in the Republic of Korea, privacy enquiries may also be directed to this contact.
Scope
This notice explains how Custodire AI Ltd collects, uses, holds, and protects personal data in connection with the secure enquiry process and client engagements. It applies to prospective clients, current clients, and principals whose data is processed in the course of an engagement. It does not apply to data processed on behalf of clients as part of a forensic or monitoring engagement. That data is governed by the applicable retainer agreement. Where we process personal information on behalf of a client, we do so only on documented instructions from that client, subject to the applicable engagement terms and applicable law. A Korean-language version of this Privacy Notice will be made available for individuals located in the Republic of Korea. In the event of inconsistency, the Korean version will govern to the extent required by applicable Korean law.
Data we collect
We collect only personal data provided directly through the secure enquiry process or in the course of an engagement. We do not supplement it with data obtained from third-party sources, data brokers, or public databases. The categories of data we may hold are:
Contact and identity information — name, contact details, and identifying information provided at the point of enquiry or during an engagement.
Engagement information — information provided in the course of an engagement, including material relevant to the threat being assessed or addressed.
Biometric reference data — where collected as part of a principal protection engagement, voice baselines, facial reference material, or equivalent biometric identifiers. This data is treated as sensitive personal data under applicable law and is subject to enhanced handling controls throughout its lifecycle, as described in our Data Handling statement.
Communications — the content of communications conducted through our secure enquiry channel. We do not process communications metadata beyond what is technically necessary to receive and respond to a message.
We do not use analytics, tracking technologies, or cookies on this website. No personal data is collected through passive means.
Lawful basis
Contact and identity information, engagement information, and communications are processed on the basis of: performance of a contract, where processing is necessary to enter into or perform an engagement; legitimate interests, where processing is necessary for the security, integrity, and continuity of our operations and those interests are not overridden by the rights of the individual; and legal obligation, where retention or disclosure is required by applicable law. Biometric reference data is processed on the basis of explicit consent. Consent is obtained separately, in writing, before any biometric data is collected. Consent may be withdrawn at any time by writing to secure@custodire.ai. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. For individuals located in the People’s Republic of China, separate consent is obtained for each purpose for which biometric data is processed, in accordance with the Personal Information Protection Law 2021. For individuals located in Japan, the purpose of use of personal data is disclosed before or at the point of collection, in accordance with the Act on the Protection of Personal Information. For individuals located in the Republic of Korea, personal information is processed in accordance with the Personal Information Protection Act of Korea. Where processing is necessary to provide a requested service or to take steps at the request of the individual before entering into an engagement, we provide notice of that processing through this Privacy Notice. Where Korean law requires consent, including for the collection and use of sensitive personal information or biometric information, or for certain cross-border transfers, consent is obtained separately where required.
Special category and sensitive data
Biometric data constitutes special category or otherwise sensitive personal data under the UK GDPR, EU GDPR, the DIFC Data Protection Law 2020, the ADGM Data Protection Regulations 2021, the Personal Information Protection Law of the People’s Republic of China 2021, the Personal Information Protection Act of the Republic of Korea, and comparable frameworks. Where we collect biometric reference data, we do so only with explicit consent and under the enhanced handling controls described in our Data Handling statement. Biometric reference data is never shared with third parties, never processed by external AI systems or cloud platforms, and is held in physically isolated infrastructure with no external network connection. For individuals located in the Republic of Korea, biometric information and other sensitive personal information are handled in accordance with applicable Korean law, and separate consent is obtained where required before collection or use.
Security and handling
Personal data received into our secure environment is held in physically isolated infrastructure segregated from our commercial systems and external networks. This separation is enforced at the hardware level. Client data cannot be extracted from the secure environment through a network-based attack. All AI processing of client personal data and biometric reference material is performed exclusively on company-owned, physically isolated hardware. No client personal data or biometric reference material is processed by external AI services, cloud platforms, or software-as-a-service providers at any stage of the engagement lifecycle. Access is limited to personnel with a direct operational requirement within the engagement. Client identities are referenced internally by designator. Real identity is resolved only by authorised personnel under dual-authorisation controls where operationally necessary. Further detail is set out in our Data Handling statement.
Recipients and transfers
We do not share personal data with third-party processors, data brokers, advertising platforms, or analytics providers. We do not transfer personal data to external AI systems or cloud platforms. For individuals located in the Republic of Korea, where personal information is processed outside Korea or entrusted to a service provider outside Korea, we disclose in this Privacy Notice or otherwise in writing the destination country, the date and method of transfer, the categories of personal information transferred, the name and contact details of the recipient or entrusted processor, the purpose of use by that recipient or processor, and the retention and use period, as required by applicable Korean law. Where Korean law requires separate consent for an overseas transfer, we obtain it before transfer. Where no such consent is required because the transfer is necessary to perform a contract with the individual, we provide the disclosures required by law through this Privacy Notice or another written notice. We distinguish between third-party provision of personal information and entrustment of processing to a processor. Where personal data must move between operational systems within our secure environment, transfer is controlled by hardware-enforced unidirectional mechanisms. Where personal data of individuals located in the United Kingdom or European Economic Area is transferred outside those territories, the transfer is made under Standard Contractual Clauses adopted by the European Commission or another mechanism permitted under applicable UK GDPR or EU GDPR requirements. Where personal data of individuals located in the People’s Republic of China is transferred outside China, the transfer is made in accordance with the standard contracts for cross-border transfer issued by the Cyberspace Administration of China, or another mechanism permitted under the Personal Information Protection Law 2021. 
Where personal data of individuals located in the DIFC or ADGM is transferred internationally, the transfer is made to jurisdictions recognised as providing adequate protection or under contractual safeguards consistent with the applicable framework.
Retention and destruction
Enquiry data — where no engagement proceeds, enquiry data is deleted once it is clear that no engagement will proceed and any applicable follow-up period has concluded. We do not retain enquiry data beyond the point at which it serves a clear operational purpose.
Engagement data — retained for the duration of the engagement and for seven years thereafter, unless a shorter period is specified in the retainer agreement or a longer period is required by applicable law or legal hold.
Biometric reference data — deleted at the conclusion of the engagement, unless subject to legal hold or retained on the explicit written instruction of the principal or their authorised representative.
At the end of any applicable retention period, destruction is carried out in accordance with NIST SP 800-88 or an equivalent recognised standard. Certificates of destruction are available on request.
Destruction procedures and methods — At the end of the applicable retention period, personal data is deleted without undue delay unless retention is required by law or legal hold. Electronic records are destroyed using methods designed to prevent recovery, and any paper records are shredded or incinerated. Where a recognised technical destruction standard is used, destruction is carried out in accordance with that standard. For highly sensitive engagement material and biometric reference data, destruction is performed under controlled procedures within our isolated environment and logged internally. Certificates of destruction are available on request where appropriate.
Your rights
Depending on your jurisdiction of residence, you may have the following rights in relation to your personal data:
Right of access — to obtain confirmation of whether we hold personal data about you and, if so, a copy of that data.
Right of rectification — to have inaccurate personal data corrected.
Right to erasure — to request deletion of personal data where there is no lawful basis for continued retention.
Right to restriction — to request restriction of processing in certain circumstances.
Right to data portability — to receive personal data in a structured, commonly used format where processing is based on consent or contract.
Right to object — to object to processing based on legitimate interests.
Right not to be subject to automated decision-making — we do not make decisions about individuals solely by automated means.
Right to opt out of sale — we do not sell personal data. This is stated for completeness for individuals in California and other US states whose laws require it.
We respond to rights requests within the period required by the applicable framework, including one month under the UK GDPR and EU GDPR, 30 days under the DIFC Data Protection Law, 30 days under the Japan APPI, 15 working days under the China PIPL, and 45 days under applicable US state law. All rights requests are handled under NDA and through a controlled manual process consistent with our isolated infrastructure model.
For individuals located in the Republic of Korea, rights under applicable Korean law may include the right to request access to personal information, correction or deletion of personal information, and suspension of processing, subject to applicable legal limitations. Where a request is made through an authorised representative, we may require evidence of authority before acting on the request.
To exercise any right, write to: secure@custodire.ai
Cookies and tracking
This website does not use cookies, analytics, or tracking technologies of any kind. No cookie consent is required. No data is collected through passive browsing.
Complaints
If you have a concern about how we handle your personal data, you may raise it with us directly at secure@custodire.ai. We will respond within the timeframe applicable to your jurisdiction. You may also lodge a complaint with the relevant supervisory authority:
United Kingdom — Information Commissioner’s Office.
European Union — the supervisory authority in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.
UAE (DIFC) — Commissioner of Data Protection.
UAE (ADGM) — Registration Authority.
People’s Republic of China — Cyberspace Administration of China.
Japan — Personal Information Protection Commission.
Republic of Korea — Personal Information Protection Commission (PIPC). Individuals in Korea may also seek assistance from the Privacy Infringement Report Center operated by the Korea Internet & Security Agency, where applicable.
United States — the relevant state attorney general or consumer protection authority, where applicable state law provides that right.
Changes to this notice
We review this notice periodically and update it where required. Material changes will be communicated to active clients through the secure channel applicable to their engagement. The date of last review is stated in this notice.
This notice is intended to support compliance with the UK GDPR, EU GDPR, the DIFC Data Protection Law 2020, the ADGM Data Protection Regulations 2021, the Personal Information Protection Law of the People’s Republic of China 2021, the Act on the Protection of Personal Information of Japan, the Personal Information Protection Act of the Republic of Korea, and applicable US state privacy law. It does not constitute legal advice.
Domestic representative in the Republic of Korea
Where required by applicable Korean law, Custodire AI Ltd will designate a domestic representative in the Republic of Korea and publish the representative’s name, address, and contact details in this Privacy Notice.