Privacy Policy

This Privacy Policy explains how Tsadik ("we", "us", "Private Office") — a company incorporated in the Republic of Mauritius under registration number I25000256 — collects, uses, stores and protects your personal data when you visit privateoffice.io, request access to our services, or interact with our private office orchestration platform.

We act as the data controller for the personal data described below. We aim to align our practices with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and the Mauritius Data Protection Act 2017, whichever affords you the strongest protection.

1. Data we collect

Depending on how you interact with us, we may collect:

• Identification & contact data — full name, email address, phone number, nationality, country of residence.
• Profile & mandate data — objectives, net worth band, tax residence, jurisdictions of interest, source of wealth declarations, and other information you provide when requesting a plan or onboarding.
• KYC / AML data — passport, proof of address, source-of-funds documentation and any identity verification data processed by our regulated partners (including Sumsub) for anti-money-laundering compliance.
• Usage data — pages visited, requests made, approximate location derived from IP, device and browser metadata, captured through privacy-respecting analytics.
• Communications — emails, messages and call notes when you contact us.

2. How we use your data

We process personal data to:

• Generate, deliver and refine your personalised wealth-structuring plan;
• Onboard you and any related parties, including identity verification (KYC) and anti-money-laundering checks (AML / KYB);
• Coordinate with the regulated partners (banks, trustees, law firms, tax advisors) that execute the recommended services on your behalf;
• Operate, secure and improve the website and platform;
• Comply with our legal, regulatory and tax obligations;
• Send you operational messages and, only with your consent, occasional editorial content.

3. Lawful bases

We rely on the following lawful bases under the GDPR:

• Contract — to take steps at your request and provide our services;
• Legal obligation — to meet AML/CFT, sanctions screening and record-keeping requirements;
• Legitimate interests — to operate and secure the platform, prevent fraud, and develop our offering;
• Consent — for non-essential cookies and marketing communications, which you can withdraw at any time.

4. Sharing & international transfers

We share personal data only with parties that have a clear role in delivering your mandate, including:

• Identity verification providers (e.g. Sumsub) for KYC/KYB;
• Regulated execution partners (banks, fiduciaries, law firms, tax advisors) you instruct us to engage;
• Infrastructure providers (cloud hosting, email, analytics) bound by data-processing agreements;
• Authorities and regulators where required by law.

Where personal data is transferred outside the EEA, the UK or Mauritius, we rely on Standard Contractual Clauses, adequacy decisions, or equivalent safeguards. We never sell your personal data.

5. Retention

We keep personal data only as long as necessary for the purposes for which it was collected, plus any period required by law. KYC and transaction records are typically retained for seven (7) years after the end of the relationship, in line with AML legislation. Inactive prospect data is deleted or anonymised after 24 months.

6. Security

We apply technical and organisational measures appropriate to the sensitivity of the data, including encryption in transit and at rest, least-privilege access controls, audit logging, and regular security reviews. Sensitive documents are stored in jurisdictions and systems explicitly chosen for client confidentiality.

7. Your rights

Subject to applicable law, you have the right to access, rectify, erase, restrict or object to the processing of your personal data, the right to data portability, and the right to withdraw any consent. To exercise these rights, write to privacy@privateoffice.io. You also have the right to lodge a complaint with your local data-protection authority, or with the Mauritius Data Protection Office.

8. Cookies

We use a minimal set of strictly necessary cookies to operate the site, and — only with your consent — privacy-respecting analytics to understand which content is useful. We do not run third-party advertising trackers.

9. Children

Our services are not directed at, and we do not knowingly collect data from, individuals under 18.

10. Changes to this policy

We may update this policy to reflect changes in our practices or the law. Material changes will be communicated by email to onboarded clients and signalled by an updated "Last updated" date at the top of this page.

11. Contact

Tsadik — registered in the Republic of Mauritius under company number I25000256, trading as Private Office. Privacy enquiries: privacy@privateoffice.io. General enquiries: contact@privateoffice.io.