PRIVACY POLICY

Version 1.0

Effective Date: 1st April 2026

1. About This Privacy Policy

This Privacy Policy explains in clear, plain language how [CompassPoint Consulting - FZCO] ('we', 'us', 'our', 'the Company') collects, uses, stores, shares, and protects personal information about you. It applies whenever you interact with us, whether through our website, by email, telephone, in person, or through any other channel.

We are committed to handling your personal information with integrity, transparency, and respect. Privacy is a fundamental value that shapes how we design our services, our technology, and our client relationships.

This Policy has been drafted to comply fully with the requirements of the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, which apply to our UK operations and clients, and the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, 'UAE PDPL'), which applies to our UAE operations and clients. Where the two frameworks impose different standards, we apply the higher standard of protection.

1.1 Who This Policy Applies To

This Policy applies to all individuals about whom we process personal information, including:

  • Visitors to our website and any related web properties or mobile applications
  • Prospective clients who contact us, complete an enquiry form, or attend an event we host
  • Existing clients who have entered into a business relationship with us
  • Former clients whose data we are required to retain for regulatory or legal purposes
  • Third parties such as business referrers, introducers, or counterparties whose personal data we handle in the course of our business
  • Job applicants (a separate Recruitment Privacy Notice is available on request)

1.2 What This Policy Covers

This Policy covers all personal information we hold in digital and physical form, collected through any channel. It should be read alongside our Cookie Notice (Section 12), our Terms of Business, and any specific consent forms or supplementary privacy notices provided to you during onboarding or at specific points of data collection.

2. The Legal Frameworks That Govern Us

A dual-jurisdiction regulatory environment shapes our approach to privacy. We summarise each framework below and explain how they interact. We strongly encourage clients in both jurisdictions to familiarise themselves with the key rights and protections afforded to them.

2.1 United Kingdom - UK GDPR and Data Protection Act 2018

The UK General Data Protection Regulation (UK GDPR) is the primary data protection law in the United Kingdom. It is the EU GDPR as retained and adapted in UK law, and has applied since 1 January 2021, following the end of the Brexit transition period. The UK GDPR is supplemented by the Data Protection Act 2018 (DPA 2018), which tailors certain provisions to the UK context, and by the Privacy and Electronic Communications Regulations 2003 (PECR), which govern electronic marketing, cookies, and telecommunications specifically.

The UK GDPR establishes seven core principles (Article 5) that govern all personal data processing: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. These principles underpin all of our data practices.

The UK GDPR was further amended by the Data (Use and Access) Act 2025, which introduced targeted reforms to data sharing frameworks, the governance of the Information Commissioner's Office (ICO), and the treatment of certain categories of data. Our practices reflect these amendments.

Serious violations of the UK GDPR can attract fines of up to GBP 17.5 million or 4% of total worldwide annual turnover, whichever is greater. The ICO also has powers to issue warnings, reprimands, and enforcement notices requiring specific remedial action.

2.2 United Arab Emirates - UAE Personal Data Protection Law (PDPL)

The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, referred to as the 'UAE PDPL' or simply 'the PDPL') is the UAE's first comprehensive federal data protection legislation. It came into force on 2 January 2022 and applies to any establishment or natural person that processes the personal data of individuals residing in the UAE, regardless of where the processing organisation is located. This means that our UK operations are also subject to the UAE PDPL insofar as we process data of UAE residents.

The UAE PDPL closely mirrors international standards such as the EU GDPR in its core philosophy, requiring organisations to obtain explicit, specific, informed, and unambiguous consent before processing personal data (unless an exception under the PDPL applies), to uphold data subject rights, to implement appropriate security measures, and to report data breaches to the UAE Data Office. Unlike the UK GDPR, the UAE PDPL does not recognise 'legitimate interests' as a standalone lawful basis for processing in most circumstances.

Penalties for non-compliance with the UAE PDPL currently range from AED 50,000 to AED 5,000,000 depending on the nature and severity of the breach. The UAE Data Office, as the regulatory authority, has powers to conduct audits, issue guidance, and impose sanctions. Criminal penalties may also apply in cases of intentional breach.

2.3 DIFC and ADGM - Special Free Zone Frameworks

Dubai International Financial Centre (DIFC): If you are located in or transacting through the DIFC, the DIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020), administered by the DIFC Commissioner of Data Protection, also applies to your data. This framework is substantially aligned with the EU GDPR and affords strong rights to data subjects.

Abu Dhabi Global Market (ADGM): If you are located in or transacting through the ADGM, the ADGM Data Protection Regulations 2021, administered by the ADGM Registration Authority, apply. These regulations are also closely aligned with EU GDPR standards.

2.4 How We Apply Multiple Frameworks

Where a client or a transaction involves both UK and UAE jurisdiction (for example, a UK-resident client investing through a UAE structure), we apply both frameworks concurrently. In the event of any conflict between the two, we adopt the more protective standard. Our internal Cross-Jurisdictional Data Framework document governs how such situations are managed and is available to regulatory authorities upon request.

3. What Personal Information We Collect

We collect only the personal information that is genuinely necessary for a clearly identified purpose. The principle of data minimisation is central to how we operate: we do not collect data 'just in case', we do not build profiles beyond what our services require, and we do not retain information beyond defined retention periods.

3.1 Categories of Personal Information

Depending on your relationship with us, we may collect and process the following categories of personal information:

Category of Data | Specific Examples | When Collected
Identity Information | Full legal name; date of birth; gender; nationality; passport number; Emirates ID; National Insurance number; driving licence details; photographs | Account opening; KYC process; in-person verification
Contact Information | Home and business addresses; email addresses; telephone numbers; social media handles used to contact us; preferred contact method and language | Onboarding; correspondence; website enquiry forms
Financial Information | Bank account details (including IBAN and sort code); income and salary details; net worth and asset declarations; investment portfolio holdings; pension information; credit history; tax identification numbers (UTR, TIN); VAT registration details | Service delivery; financial planning; KYC/AML compliance
Identity Verification Documents | Certified copies of passports; Emirates IDs; utility bills; bank statements; notarised documents; source of funds declarations; source of wealth statements | KYC/AML onboarding; periodic reviews
Risk and Suitability Data | Risk appetite questionnaire responses; investment objectives; financial circumstances; experience and knowledge of financial products; vulnerability assessments; time horizon and liquidity needs | Suitability assessments; regulated advice process
Regulatory Compliance Data | Politically Exposed Person (PEP) status; sanctions screening results; Anti-Money Laundering (AML) check results; fraud indicator flags; Suspicious Activity Report (SAR) flags (if applicable) | Ongoing compliance screening; regulatory obligations
Account and Transaction Data | Account reference numbers; product and service subscriptions; instruction and transaction history; portfolio valuations; performance reports; fees and charges records | Ongoing service delivery; record-keeping
Communication Records | Emails and letters exchanged; records of telephone conversations (including recordings where applicable); live chat transcripts; meeting notes and minutes; written instructions | All interactions with us
Technical and Device Data | IP address; browser type and version; operating system; device type and identifier; screen resolution; time zone; referral source (how you arrived at our site) | Automatically when you visit our website
Website Usage Data | Pages visited and order of navigation; links clicked; time spent on pages; search terms entered on our site; content downloaded or viewed; session duration | Automatically via analytics tools (with your consent)
Marketing and Preference Data | Communication preferences (opt-ins and opt-outs); product and topic interests; event attendance history; survey responses; unsubscribe history | At point of consent; ongoing preference management
Special Category Data | Health or disability information (only where relevant to financial planning and provided voluntarily); political status data (only where required for PEP screening under AML law) | With explicit consent or under legal obligation only

3.2 Information We Do Not Collect

Unless explicitly required by applicable law or with your express, specific consent, we do not collect:

  • Biometric data (such as fingerprints or facial recognition data) for the purpose of identifying you
  • Genetic data
  • Data concerning sexual orientation or gender identity
  • Data relating to criminal convictions and offences, beyond what is strictly required by AML/KYC obligations
  • Information about individuals under the age of 18

If we become aware that we have inadvertently collected personal data from a person under the age of 18 without appropriate parental or guardian consent, we will take immediate steps to securely delete that data from our systems. If you believe we may hold data relating to a minor, please contact our DPO immediately.

3.3 Consequences of Not Providing Information

Where we ask you for information in the context of providing regulated financial services, some of that information is mandatory (for example, identity documents required for KYC compliance under AML law). If you do not provide mandatory information, we may be unable to open an account for you, provide advice, or continue the business relationship. We will always make clear at the point of collection whether providing information is mandatory or optional, and what the consequences of not providing it are.

4. How We Collect Your Personal Information

We collect personal information through a variety of direct and indirect channels. In all cases, we aim to be transparent at the point of collection about what we are gathering and why.

4.1 Information You Provide to Us Directly

The majority of personal information we hold comes directly from you. We collect this when you:

  • Complete an enquiry, contact, or callback form on our website
  • Submit a client onboarding or account opening application
  • Provide identity and address documents during our Know Your Customer (KYC) process
  • Complete risk assessment and financial suitability questionnaires
  • Correspond with us by email, letter, or secure message
  • Speak with us by telephone
  • Attend a meeting, consultation, or event hosted by us
  • Submit a complaint, feedback, or subject access request
  • Register for a webinar, newsletter, or marketing event
  • Engage with us via social media platforms by direct message or public interaction

4.2 Information Collected Automatically

When you visit our website, certain technical and usage data is collected automatically without you needing to take any action. This data helps us understand how our site is used and to maintain its security and performance. It includes:

  • Your IP address and approximate geographic location (country/city level)
  • The type of browser and device you are using
  • The pages you visit and in what order, and how long you spend on each
  • The website or search engine that referred you to our site
  • Error logs and performance data

Where this automated collection relies on cookies or tracking technologies, we will only do so with your consent (except for strictly necessary cookies).

4.3 Telephone Call Recording

We may record some or all telephone calls to or from our offices. Call recording serves the following purposes: compliance with regulatory obligations under UK FCA rules (including the Markets in Financial Instruments Directive II, UK MiFID) and applicable UAE financial services regulations; maintaining accurate records of instructions, advice, and commitments made during calls; and staff training and quality assurance.

You will be informed at the start of any recorded call that the call is being recorded. If you do not wish to be recorded, please inform the member of staff at the beginning of the call and we will advise you on alternative ways to conduct your business with us. Call recordings are retained in accordance with the schedule set out in Section 6 and are accessible only by authorised personnel. You may request access to a recording of a call involving you by submitting a Subject Access Request.

4.4 Information Received from Third Parties

We may also receive personal information about you from third parties. In all such cases, those third parties are required to confirm that they have a lawful basis for sharing your data with us. Sources include:

  • Credit reference agencies — to support creditworthiness assessments and identity verification
  • Fraud prevention databases and organisations — to detect and prevent financial crime
  • Sanctions screening services and politically exposed person (PEP) databases
  • Regulatory registers such as the FCA Register, Companies House, DIFC Entity Search, and ADGM Entity Search
  • Business introducers, financial advisers, and referral partners — subject to their own privacy policies and our agreement with them
  • Publicly available sources such as company websites, news publications, and professional networking platforms where relevant to our business relationship
  • Other financial institutions (for example, in the context of a client transfer or portfolio consolidation)

5. Why We Use Your Personal Information — Lawful Bases

Every time we process your personal information, we must have a valid legal reason to do so. These are called 'lawful bases' under UK GDPR and 'legal bases' under the UAE PDPL. We will never process your personal information without a lawful basis.

The table below explains the main purposes for which we process your data and the legal basis we rely upon.

Processing Purpose | Lawful Basis — UK GDPR | Lawful Basis — UAE PDPL
Verifying your identity and conducting KYC checks | Legal obligation (Art. 6(1)(c)) — required under UK AML Regulations | Legal obligation — required under UAE AML Law
Opening and managing your client account | Contract performance (Art. 6(1)(b)) | Contract performance
Providing financial services, advice, and investment management | Contract performance (Art. 6(1)(b)) | Contract performance
Executing and recording client transactions and instructions | Contract performance (Art. 6(1)(b)) + Legal obligation (FCA COBS) | Contract performance + Legal obligation
Conducting AML, CTF, and sanctions screening | Legal obligation (Art. 6(1)(c)) | Legal obligation
Filing Suspicious Activity Reports (SARs) with the NCA (UK) or FIU (UAE) | Legal obligation (Art. 6(1)(c)) | Legal obligation
Reporting to regulators (FCA, HMRC, UAE Central Bank, FTA) | Legal obligation (Art. 6(1)(c)) | Legal obligation
Recording telephone calls | Legal obligation (FCA SYSC 9 / UK MiFID) + Legitimate interests | Legal obligation + Consent
Sending marketing emails, newsletters, product updates | Consent (Art. 6(1)(a)) + PECR | Consent
Sending event invitations and webinar registrations | Consent (Art. 6(1)(a)) | Consent
Personalised product recommendations | Consent (Art. 6(1)(a)) | Consent
Website analytics — understanding site usage | Consent (Art. 6(1)(a)) — via analytics cookies | Consent
Using non-essential cookies and tracking technologies | Consent (Art. 6(1)(a)) — via cookie banner | Consent
Detecting and preventing fraud and financial crime | Legitimate interests (Art. 6(1)(f)) + Legal obligation | Legal obligation + Public interest
Internal risk management and credit risk assessment | Legitimate interests (Art. 6(1)(f)) + Contract | Contract performance
Improving our services and internal quality assurance | Legitimate interests (Art. 6(1)(f)) — using anonymised or pseudonymised data wherever possible | Not applicable — consent or contract used
Managing and resolving complaints | Legal obligation (Art. 6(1)(c)) + Legitimate interests | Legal obligation
Processing special category data (PEP status, health data) | Explicit consent (Art. 9(2)(a)) or Legal obligation (Art. 9(2)(b)/(g)) | Explicit consent or Legal obligation
Carrying out automated suitability profiling | Contract performance + Consent where required by Art. 22 | Contract performance + Consent

6. How Long We Keep Your Personal Information

We keep your personal information only for as long as is necessary to fulfil the purposes for which it was collected, to comply with our legal and regulatory obligations, and to resolve any disputes or enforce our agreements. We do not retain personal data indefinitely. The specific retention periods we apply are set out below, and are informed by:

  • Regulatory retention requirements under UK FCA rules, including COBS, SYSC, and DISP
  • Anti-Money Laundering legislation in both the UK (Proceeds of Crime Act 2002; Money Laundering Regulations 2017) and the UAE (Federal Decree-Law No. 20 of 2018)
  • Tax and accounting obligations (UK HMRC requirements; UAE Federal Tax Authority requirements)
  • Legal limitation periods — generally 6 years in England and Wales for contract-related claims; up to 15 years in some circumstances
  • ICO guidance on retention and the UAE Data Office's emerging guidance

Category of Personal Data | Retention Period | Legal/Regulatory Authority
KYC documents — identity and address verification | Minimum 5 years after the end of the business relationship; up to 10 years where required | UK: Regulation 40, Money Laundering Regulations 2017; UAE: Art. 14, Federal Decree-Law No. 20 of 2018
Source of funds and source of wealth declarations | 5–10 years after account closure depending on jurisdiction | UK AML Regulations; UAE AML Law
Client account records and transaction history | 6 years minimum from the date of the transaction (UK); up to 10 years (UAE) | FCA COBS 9.5; UAE Central Bank Regulations
Investment advice records and suitability reports | Duration of relationship plus 7 years | FCA COBS 9A.4.2R; UK MiFID requirements
Telephone call recordings | 5 years; 7 years for certain investment-related calls | FCA SYSC 9.1.6R; MiFID II Article 76
Client correspondence — emails, letters, meeting notes | Duration of relationship plus 6 years | FCA Principles; general limitation periods (Limitation Act 1980)
Risk assessment and suitability questionnaires | Duration of relationship plus 7 years | FCA COBS requirements; contract law limitation periods
Complaint records and regulatory correspondence | Duration of complaint resolution plus 6 years | FCA DISP 1.9.1R
AML / sanctions screening records | 5–10 years after account closure | UK Proceeds of Crime Act 2002; UAE AML Law
Marketing consent records | 3 years after consent is withdrawn or the relationship ends, whichever is later | ICO guidance on consent records; PECR; UAE PDPL
Website analytics data (with consent) | Up to 26 months from the date of collection | ICO Cookie Guidance; the retention setting configured in our analytics platform
Session recording data (with consent) | Up to 12 months from date of capture | Proportionality principle; ICO guidance
Data breach records (internal log) | Minimum 5 years from date of breach | UK GDPR Art. 33(5); UAE PDPL breach provisions
DPIA documentation | Duration of the related processing activity plus 10 years | ICO Accountability Framework
Fraud investigation records | Duration of investigation plus 6 years, or longer if subject to ongoing proceedings | FCA Financial Crime Guide; POCA 2002

At the end of any applicable retention period, personal data is securely and irreversibly deleted or anonymised in accordance with industry best practices (including NIST SP 800-88 guidelines for electronic media). We conduct periodic data audits to ensure compliance with these schedules. Where we are uncertain whether we still need data, we apply the principle of privacy by default and delete it. We do not archive personal data indefinitely as a contingency measure.

7. Who We Share Your Personal Information With

We do not sell, rent, lease, or otherwise trade your personal information to any third party, under any circumstances. We share your personal information externally only where necessary, only for defined purposes, and always under strict contractual controls. Every third party with whom we share your data is required to:

  • Process your data only on our documented, written instructions
  • Implement appropriate technical and organisational security measures to protect your data
  • Not sub-process your data without our prior written approval
  • Assist us in fulfilling our obligations to you as a data subject (for example, supporting subject access requests)
  • Return or securely delete all personal data at the end of the contractual relationship

7.1 Categories of Recipients

Recipient Category | Details of Sharing & Legal Basis
UK Regulatory Authorities | Financial Conduct Authority (FCA), HM Revenue & Customs (HMRC), National Crime Agency (NCA), Financial Ombudsman Service (FOS), Information Commissioner's Office (ICO). Shared under legal obligation to meet reporting and supervisory requirements.
UAE Regulatory Authorities | UAE Central Bank (CBUAE), UAE Federal Tax Authority (FTA), UAE Data Office, DIFC Commissioner of Data Protection, ADGM Registration Authority, UAE Financial Intelligence Unit (FIU). Shared under legal obligation.
Identity & KYC Verification Providers | Third-party digital identity verification services used to verify your identity during onboarding and at periodic review points. Shared under legal obligation and contract performance.
AML / Sanctions Screening Providers | Specialist compliance technology providers used to screen your details against international sanctions lists, PEP databases, and adverse media. Shared under legal obligation.
Credit Reference Agencies | Used where a creditworthiness assessment is relevant to the services we provide. Shared under legitimate interests (UK) and contract (UAE).
Fraud Prevention Services | Including CIFAS and equivalent UAE-based fraud prevention databases. Information may be held on fraud prevention registers and accessed by other organisations for fraud detection purposes. Shared under legal obligation and legitimate interests.
Custodians and Counterparties | Investment custodians, broker-dealers, banks, and market counterparties with whom we execute transactions on your behalf. Shared under contract performance.
Payment Processors and Banks | To process financial transactions, payments of fees, and disbursements. Shared under contract performance.
IT Systems and Cloud Infrastructure Providers | Companies that host our systems, data, and client portals on secure cloud infrastructure. All are bound by Data Processing Agreements and subject to regular security assessments.
Communication and Telephony Providers | Email hosting, telephony, and call recording platform providers. Bound by Data Processing Agreements.
Professional Advisers | Our external lawyers, auditors, tax advisers, and insurance brokers who require access to relevant data in the course of providing professional services. Bound by confidentiality obligations.
Marketing Platforms | Email marketing providers, CRM systems, and event management platforms — only where you have given explicit consent to marketing communications.
Analytics Providers | Website analytics platforms (e.g., Google Analytics 4) — only where you have consented to analytics cookies via our cookie banner.
Group Affiliated Entities | Other companies within our corporate group — only where necessary for the delivery of services, where you have consented, or where there is a legitimate business purpose and appropriate safeguards are in place.

We maintain a Register of Data Processing Agreements covering all third-party relationships involving personal data. This register is reviewed at least annually. We conduct security due diligence on all processors before engaging them, and carry out periodic reviews of existing processor relationships.

8. Transferring Your Information Internationally

As a firm with operations in both the United Kingdom and the United Arab Emirates, and with technology providers and business partners located in various countries around the world, it may be necessary to transfer your personal information outside the UK or the UAE. We take international data transfers extremely seriously and apply strict controls to ensure your information remains protected regardless of where it is processed.

8.1 Transfers Outside the United Kingdom

UK GDPR restricts the transfer of personal data to countries outside the UK unless those countries are subject to an adequacy regulation, or appropriate safeguards are in place. We rely on the following mechanisms when transferring data outside the UK:

  • Adequacy Regulations: The UK government has formally recognised certain countries as providing an adequate level of data protection — including the EEA countries. Transfers to these countries can proceed without additional safeguards.
  • International Data Transfer Agreements (IDTAs): Contractual clauses approved by the ICO that bind overseas recipients to standards equivalent to UK GDPR. We use IDTAs for transfers to countries without adequacy status.
  • UK Addendum to EU Standard Contractual Clauses: Where EU SCCs are in place between parties, we apply the UK Addendum to extend protections to UK data subjects.
  • Binding Corporate Rules (BCRs): For intra-group transfers, where BCRs have been approved by the ICO.
  • Transfer Impact Assessments (TIAs): For all significant transfers, we assess the laws and practices of the destination country and implement supplementary measures where the destination country's legal environment poses risks to the effectiveness of our transfer safeguards.

8.2 Transfers Outside the United Arab Emirates

The UAE PDPL restricts transfers of personal data outside the UAE. Transfers are permitted in the following circumstances:

  • The destination country has been assessed by the UAE Data Office as providing an adequate level of protection
  • Appropriate contractual safeguards are in place between us and the recipient, such as standard contractual clauses or equivalent mechanisms approved by the UAE Data Office
  • You have given your explicit, informed consent to the transfer, having been made aware of the potential risks arising from the absence of an adequacy decision
  • The transfer is strictly necessary for the performance of a contract to which you are party, or for the implementation of pre-contractual measures taken at your request
  • The transfer is necessary for the establishment, exercise, or defence of legal claims

8.3 UK–UAE Bilateral Data Flows

Data flows between our UK and UAE operations are a normal part of delivering services to clients with interests in both jurisdictions. We have assessed these bilateral flows and put in place appropriate transfer mechanisms in both directions. A summary of our international transfer mechanisms is available from our DPO upon request.

8.4 Your Right to Information About Transfers

You have the right to request details of any international transfers of your personal data, including the countries involved, the transfer mechanism relied upon, and the safeguards implemented.

9. How We Protect Your Information

We take data security seriously and have implemented a comprehensive, layered programme of technical and organisational measures designed to protect your personal information against unauthorised access, accidental loss, destruction, alteration, or disclosure. Our security programme is informed by the ISO/IEC 27001 information security standard and is reviewed by our DPO and senior management at least annually.

9.1 Technical Security Measures

Security Control | Description
Encryption in Transit | All data transmitted between your device and our systems is encrypted using Transport Layer Security (TLS) version 1.2 or higher. We enforce HTTPS across all our web properties.
Encryption at Rest | All personal data stored on our servers, databases, and cloud infrastructure is encrypted at rest using AES-256 encryption, an industry-standard algorithm.
Multi-Factor Authentication (MFA) | MFA is mandatory for all staff access to systems and applications containing personal data. This significantly reduces the risk of unauthorised access from compromised credentials.
Role-Based Access Controls (RBAC) | Staff can only access personal data that is relevant to their specific job role. Access rights are reviewed quarterly and revoked immediately upon a change in role or departure from the organisation.
Firewalls and Intrusion Detection | Our network infrastructure is protected by enterprise-grade firewalls, web application firewalls (WAFs), and continuous intrusion detection and prevention systems (IDS/IPS).
Vulnerability Management | We conduct regular penetration testing (at least annually and after any material system change), automated vulnerability scanning, and timely patch management across all systems.
Data Loss Prevention (DLP) | Specialist software monitors and prevents the unauthorised exfiltration of personal data from our network and systems.
Secure Development Practices | All software and systems development follows a Secure Development Lifecycle (SDLC) aligned with OWASP guidelines. Security is incorporated at the design stage, not added retrospectively.
Endpoint Security | All staff devices are protected by centralised endpoint detection and response (EDR) software, enforced device encryption, and remote wipe capability.
Backup and Recovery | Regular encrypted backups are maintained in geographically separate locations to ensure business continuity and data recovery in the event of an incident.

9.2 Organisational Security Measures

  • All employees, contractors, and temporary staff undergo data protection and information security training upon joining the organisation and at least annually thereafter
  • All staff and contractors with access to personal data are bound by written confidentiality obligations
  • Appropriate background screening is conducted for staff in roles with elevated access to sensitive personal data
  • Our clean desk and clear screen policies ensure personal data is not left unattended in physical or digital form
  • Physical access to our offices is controlled by access card systems; visitor registers are maintained
  • A formal Incident Response Plan is maintained and tested annually through simulation exercises
  • All third-party processors are subject to security due diligence assessments before engagement and periodic re-assessments thereafter
  • We maintain a formal Privacy by Design policy requiring privacy considerations to be embedded into all new products, systems, and processes from inception

9.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay. Under the UK GDPR (Article 33), we will report qualifying breaches to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. Under the UAE PDPL, we will notify the UAE Data Office within the timeframe prescribed by applicable regulations.

Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, providing clear information about the nature of the breach, its likely consequences, and the measures we have taken or propose to take in response. Notification to you may not be required where we have implemented appropriate technical protection measures (such as encryption) that render the data unintelligible to any person not authorised to access it, where we have taken subsequent measures that ensure the high risk is no longer likely to materialise, or where individual notification would involve disproportionate effort (in which case we will issue a public communication).

All data breaches, whether or not they meet the threshold for regulatory notification, are logged in our internal Data Breach Register and are subject to root cause analysis and remedial action.

10. Your Privacy Rights

Both the UK GDPR and the UAE PDPL give you meaningful rights over your personal information. We are fully committed to honouring these rights promptly, transparently, and without unnecessary barriers. The rights set out below apply to all individuals whose data we process — we do not restrict these rights based on your nationality or jurisdiction, though the precise legal basis for each right may vary slightly between frameworks.

10.1 The Right to Be Informed

You have the right to receive clear and comprehensive information about how your personal data is collected, used, and shared — before or at the point of collection. This Privacy Policy, together with our Cookie Notice and any supplementary privacy notices provided to you during onboarding, fulfils this obligation. If there is anything in this Policy that is unclear, or if you have questions about specific data uses not addressed here, please contact our DPO.

10.2 The Right of Access (Subject Access Request - 'SAR')

You have the right to obtain confirmation of whether we process personal data about you, and if so, to receive a copy of that data along with information about:

  • The purposes for which we process it
  • The categories of data concerned
  • The recipients or categories of recipients to whom it has been or will be disclosed
  • The anticipated retention period, or the criteria used to determine that period
  • Your other rights in relation to the data (rectification, erasure, restriction, objection)
  • The existence of any automated decision-making, including profiling, and meaningful information about the logic involved
  • Where data was not collected directly from you, information about its source

We will respond to your SAR within 30 calendar days of receipt. Where your request is complex or numerous, we may extend this by up to two further months; we will notify you within the first 30 days if an extension is needed and explain why. Responses will be provided in writing (by email or post) in a clear and intelligible format. There is no charge for a SAR unless it is manifestly unfounded, repetitive, or excessive, in which case we may charge a reasonable fee or decline to respond, explaining why.

10.3 The Right to Rectification

If any personal data we hold about you is inaccurate, misleading, or incomplete, you have the right to ask us to correct it without undue delay. We will action rectification requests within 30 calendar days. In some cases, we may ask you to provide supporting documentation (for example, a copy of a new address document or updated identification). Where we have shared inaccurate data with third parties, we will inform them of the correction where this is possible and not disproportionate.

10.4 The Right to Erasure ('Right to be Forgotten')

You have the right to request the deletion of your personal data. We will act on this right where one of the following grounds applies:

  • Your data is no longer necessary for the purpose for which it was originally collected
  • You withdraw the consent on which processing was based and there is no other lawful basis
  • You object to processing under legitimate interests (UK GDPR) and we have no overriding legitimate grounds
  • Your data has been unlawfully processed
  • Your data must be erased to comply with a legal obligation

However, this right is not absolute. We may lawfully decline to erase your data, and will always explain why, where retention is necessary to:

  • Comply with a legal obligation (for example, AML record-keeping requirements impose mandatory minimum retention periods that we cannot override)
  • Establish, exercise, or defend legal claims
  • Carry out a task in the public interest

Where we are unable to erase your data due to a legal retention obligation, we will restrict processing to the minimum extent required by that obligation and will erase the data as soon as the mandatory retention period expires.

10.5 The Right to Restrict Processing

You may request that we temporarily suspend processing of your personal data — without deleting it — in the following circumstances:

  • You contest the accuracy of your data and we need time to verify it
  • Processing is unlawful but you prefer restriction over erasure
  • We no longer need the data but you require it to be retained for the establishment, exercise, or defence of legal claims
  • You have objected to processing on legitimate interests grounds and we are in the process of assessing whether our grounds override yours

During a restriction period, we will only process your data with your consent, for the establishment, exercise, or defence of legal claims, for the protection of the rights of another person, or for reasons of important public interest. We will inform you before lifting any restriction.

10.6 The Right to Data Portability

Under UK GDPR, where processing is based on consent or contract performance and is carried out by automated means, you have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format (such as JSON, CSV, or XML). You also have the right to request that we transmit this data directly to another organisation where this is technically feasible.

This right is not currently provided as an explicit standalone right under the UAE PDPL, though the practical effect of the right of access is similar. We extend the right of portability to all our clients regardless of jurisdiction, as a matter of best practice.

10.7 The Right to Object

Direct Marketing: You have an absolute right to object to the processing of your personal data for direct marketing purposes at any time. Upon receiving your objection, we will stop all marketing processing without delay — there are no grounds on which we can override this right. We will action marketing opt-out requests within 5 business days and send you a written confirmation.

Legitimate Interests: Where we process your data on the basis of legitimate interests (UK GDPR), you have the right to object on grounds relating to your particular situation. We will then cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless processing is necessary for the establishment, exercise, or defence of legal claims.

10.8 Rights in Relation to Automated Decision-Making

You have the right not to be subject to a decision that: (a) is based solely on automated processing (including profiling); and (b) produces significant legal or similarly significant effects on you. Where such automated processing occurs, you have the right to:

  • Be informed that an automated decision is being made and request human review of that decision
  • Express your own perspective and contest the decision
  • Receive a meaningful explanation of the logic involved in the automated processing and the likely consequences of such processing for you

We do not make significant automated decisions about individuals without a human reviewer being involved. Where automated tools assist in decision-making, a qualified professional retains final authority. See Section 5 (Lawful Bases) for further details on our use of automated processing in relation to suitability profiling.

10.9 The Right to Withdraw Consent

Where we rely on your consent to process your personal information, you may withdraw that consent at any time and without giving a reason. Withdrawal of consent does not affect the lawfulness of any processing we carried out prior to withdrawal, nor does it affect processing we carry out on a different lawful basis. You can withdraw your consent through any of the following channels:

  • Clicking the 'Unsubscribe' link at the bottom of any marketing email we send you
  • Logging into your client portal and navigating to 'Privacy & Preferences'
  • Sending a written request to our registered address

We will process all consent withdrawal requests within 5 business days and will send you written confirmation of the withdrawal and its effect.

11. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies. Cookies are small text files placed on your device by a website. They are widely used to make websites work more efficiently, to remember your preferences, and to provide information to the owners of the site. They cannot run programmes, install malware, or transmit viruses.

11.1 The Legal Position on Cookies

Under the UK Privacy and Electronic Communications Regulations 2003 (PECR), we are required to obtain your consent before placing any cookies on your device that are not strictly necessary for the functioning of the website. Under UAE PDPL principles, similar consent standards apply to the collection of technical data through tracking technologies. We use a cookie consent management platform to capture and record your cookie preferences.

11.2 Categories of Cookies We Use

Cookie Category | Description and Legal Basis
Strictly Necessary Cookies | These cookies are essential for our website to function correctly. They enable core features such as security, session management, and load balancing. They do not track your activity for marketing purposes. These cookies do not require your consent and cannot be disabled through our cookie banner. Legal basis: Contractual necessity / Legitimate interests.
Functional Cookies | These cookies remember your preferences and personalise your experience — for example, your preferred language, region, or font settings. They are not essential but improve usability. Legal basis: Your consent, obtained via our cookie banner.
Analytics / Performance Cookies | These cookies help us understand how visitors interact with our website by collecting information about pages visited, time spent, navigation paths, and error messages. This information is used in aggregate to improve our site. Providers include Google Analytics 4 and [INSERT SPECIFIC TOOLS, e.g., Hotjar, Meta Pixel, LinkedIn Insight Tag]. Legal basis: Your consent.
Marketing / Targeting Cookies | These cookies track your browsing behaviour across our site and potentially across other websites, to enable us to show you relevant advertising on third-party platforms such as LinkedIn, Google Ads, and social media. Legal basis: Your explicit consent — these cookies are only activated if you specifically accept marketing cookies.
Session Recording Cookies | Where used, these cookies record your mouse movements and interactions with our site to help us identify usability issues and improve user experience. No personally identifiable information is captured in these recordings unless you have entered it into a form. Legal basis: Your explicit consent.

11.3 Managing Your Cookie Preferences

When you first visit our website, a cookie consent banner will be displayed. You can choose to:

  • Accept All Cookies — enable all categories of cookies including analytics and marketing
  • Reject Non-Essential Cookies — only strictly necessary cookies will be used; your visit remains fully functional
  • Manage My Preferences — select exactly which categories of cookies you wish to enable

You can update your preferences at any time by clicking the 'Cookie Settings' link in the footer of any page on our website. You may also control cookies through your web browser settings; most browsers allow you to view, delete, and block cookies. Please note that blocking all cookies may affect the functionality of some parts of our website.

11.4 Third-Party Cookies

Some cookies placed on our website originate from third-party providers such as analytics platforms, social media plugins, and advertising networks. These third parties may process your data under their own privacy policies, which we encourage you to review.

11.5 Cookie Retention Periods

Cookie Category | Typical Retention Period
Strictly Necessary | Session (deleted when you close your browser) to up to 12 months for security-related persistent cookies
Functional | Up to 12 months from date of placement
Analytics / Performance | Up to 26 months from date of placement (standard Google Analytics 4 retention)
Marketing / Targeting | Up to 13 months from date of placement
Session Recording | Up to 12 months from date of capture

12. Links to Other Websites

Our website may contain hyperlinks to websites operated by third parties, including affiliated firms, industry bodies, regulatory authorities, and other organisations. We include these links for your convenience and information.

We have no control over third-party websites and are not responsible for their content, privacy practices, or security. Clicking a link to a third-party website means you are leaving our website and entering a site governed by that organisation's own privacy policy and terms of use. We strongly encourage you to read the privacy policy of any third-party website you visit before providing any personal information to that site.

The presence of a link on our website to a third-party site does not constitute an endorsement or recommendation of that site, its contents, or its privacy practices.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes may be required to reflect developments in data protection law (including new legislation, regulatory guidance, or ICO and UAE Data Office decisions), changes in our business practices, new products or services, or updated security practices. We review this Policy at a minimum on an annual basis.

When we make changes to this Policy, we will:

  • Update the 'Version' number and 'Effective Date' shown at the top of this document
  • Publish the updated Policy on our website with immediate effect
  • Where changes are material — meaning they significantly affect how we use your data or your rights — notify you directly by email with at least 30 days' notice before the changes take effect
  • Display a prominent notification banner on our website for at least 30 days following any material change
  • Where the change affects processing for which we relied on consent, seek fresh, specific consent from you before implementing the change

We encourage you to review this Policy periodically to stay informed about how we protect your information. If you disagree with any change to this Policy and wish to withdraw from our services, please contact us and we will discuss your options.

Glossary — Key Terms Explained

The following definitions apply throughout this Privacy Policy. Where a term is used but not defined here, it carries the meaning given to it under the UK GDPR, the UAE PDPL, or other applicable legislation.

Term | Definition
Adequacy Decision / Adequacy Regulation | A formal recognition by the UK government (or the European Commission for EU purposes) that a third country or international organisation ensures an equivalent level of protection for personal data. Transfers to adequacy-recognised countries may proceed without additional safeguards.
AML | Anti-Money Laundering. The body of laws, regulations, and procedures designed to prevent and detect the concealment of the proceeds of crime as legitimate income.
Anonymisation | The irreversible process of modifying personal data in such a way that the individual cannot be identified by any means reasonably likely to be used — directly or indirectly. Anonymised data is no longer personal data and falls outside the scope of data protection law.
BCR (Binding Corporate Rules) | Internal rules approved by a supervisory authority that allow multinational organisations to transfer personal data between group entities across international borders in compliance with data protection law.
Consent | A freely given, specific, informed, and unambiguous indication by the data subject of their agreement to the processing of their personal data. Consent must be given by a clear affirmative action. Pre-ticked boxes, silence, and inactivity do not constitute consent.
Cookie | A small text file stored on a user's device by a website. Cookies are used to enable website functionality, remember preferences, and collect usage information.
CTF | Counter-Terrorism Financing. Laws and procedures preventing the use of financial systems to fund terrorist organisations or activities.
Data Breach | A security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
Data Controller | The natural or legal person, authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
Data Minimisation | The principle that personal data collected and processed should be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
Data Portability | The right of a data subject to receive personal data concerning them in a structured, commonly used, machine-readable format, and to transmit that data to another controller.
Data Processor | A natural or legal person, authority, agency, or other body which processes personal data on behalf of and under the instructions of a controller.
Data Protection Impact Assessment (DPIA) | A structured risk assessment process required before commencing processing activities that are likely to result in a high risk to individuals' rights and freedoms.
Data Protection Officer (DPO) | A designated individual within an organisation responsible for overseeing data protection compliance, advising on data protection obligations, and acting as the primary contact point for supervisory authorities and data subjects.
Data Subject | The identified or identifiable living natural person to whom personal data relates.
DIFC | Dubai International Financial Centre. A financial free zone in Dubai with its own independent legal system and data protection regime (DIFC Data Protection Law 2020), separate from the UAE mainland PDPL.
ADGM | Abu Dhabi Global Market. A financial free zone in Abu Dhabi with its own legal and regulatory framework, including the ADGM Data Protection Regulations 2021.
DPA (Data Processing Agreement) | A legally binding contract between a data controller and a data processor that governs the processing of personal data on behalf of the controller.
FCA | Financial Conduct Authority. The UK regulatory body that oversees financial services markets and firms, including investment management, banking, insurance, and financial advice.
GDPR / UK GDPR | General Data Protection Regulation. The EU GDPR was adopted into UK law following Brexit and is now known as the UK GDPR, supplemented by the Data Protection Act 2018.
ICO | Information Commissioner's Office. The UK's independent supervisory authority for data protection and freedom of information.
IDTA (International Data Transfer Agreement) | A contract approved by the ICO for use when transferring personal data from the UK to third countries without an adequacy decision.
KYC | Know Your Customer. The process by which financial services firms verify the identity, address, and background of clients in order to comply with AML and regulatory requirements.
Lawful Basis | One of the six conditions in Article 6 of the UK GDPR (or equivalent UAE PDPL provision) that must be satisfied before personal data can be lawfully processed.
Legitimate Interests | A lawful basis under UK GDPR (Art. 6(1)(f)) permitting processing where the controller has a genuine and proportionate interest that is not overridden by the data subject's rights and freedoms. This basis is not available under the UAE PDPL for most types of processing.
PECR | Privacy and Electronic Communications Regulations 2003. UK regulations governing electronic marketing (email, SMS, calls), cookies, and the security of communications services.
PEP | Politically Exposed Person. An individual who holds or has held a prominent public function (such as a head of state, senior politician, or senior executive of a state-owned enterprise), or a close associate or family member of such a person. PEPs are subject to enhanced due diligence under AML law.
Personal Data | Any information relating to an identified or identifiable natural person ('data subject'). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to their identity.
PDPL | UAE Personal Data Protection Law — Federal Decree-Law No. 45 of 2021. The UAE's first comprehensive federal data protection legislation, effective 2 January 2022.
Processing | Any operation or set of operations performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, dissemination, restriction, erasure, or destruction.
Profiling | Any form of automated processing of personal data used to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning their financial situation, behaviour, location, preferences, or interests.
Pseudonymisation | The processing of personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, which is kept separately and subject to technical and organisational measures.
SAR (Subject Access Request) | A formal request by a data subject to receive a copy of the personal data held about them by a controller, along with supplementary information about how that data is processed.
Special Category Data | Categories of personal data that require a higher level of protection due to their sensitive nature. Under UK GDPR (Art. 9), these include data revealing racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data (used for unique identification); health data; and data concerning sex life or sexual orientation.
TIA (Transfer Impact Assessment) | An assessment carried out by a data controller to evaluate whether the laws and practices of a destination country allow the data importer to comply with the obligations under the applicable transfer mechanism (e.g., an IDTA or SCC).
UAE Data Office | The UAE's federal supervisory authority responsible for enforcing the UAE PDPL, issuing guidance, conducting audits, and handling complaints from data subjects.