Privacy policy


Privacy Policy – AssetFlow Ltd

Effective date: 29 August 2025


This page explains how AssetFlow Ltd (“we”, “our”, “us”) collects, uses, stores, and protects personal data when you visit https://assetflow.ltd or interact with any of our services (investment planning, portfolio management, newsletters, webinars, etc.).


Why it matters for you: Understanding our privacy practices helps you feel confident that your personal and financial information is handled securely, lawfully, and transparently.


NOTE: This policy is written for general informational purposes only. For legal advice that applies to your specific situation, consult a qualified solicitor.


1. Who We Are

Detail | Information
Company name | AssetFlow Ltd (registered in England & Wales – company number 12345678)
Registered address | 10 Bishopsgate, London, EC2N 4AJ, United Kingdom
Contact e‑mail | privacy@assetflow.ltd
Data Protection Officer (DPO) | Jane Hart – dpo@assetflow.ltd

We are a fiduciary‑registered wealth‑management firm that offers cryptocurrency‑focused investment planning and portfolio services. Because we handle sensitive financial data, we adhere to the UK General Data Protection Regulation (UK‑GDPR), the Data Protection Act 2018, and any additional sector‑specific rules (e.g., FCA guidance).


2. What Personal Data We Collect

Category | Examples | How It Is Collected
Identity data | Full name, date of birth, national ID/passport number (only when required for KYC) | Account registration forms, KYC / AML questionnaires
Contact data | Email address, phone number, mailing address | Contact forms, newsletter sign‑ups, service‑request pages
Financial data | Bank account details, crypto‑wallet addresses, investment objectives, risk‑tolerance scores, source‑of‑wealth information | On‑boarding questionnaire, client portal uploads
Technical data | IP address, device type, operating system, browser, screen resolution, click‑stream data | Automatically via server logs, Google Analytics, cookies, beacons
Marketing data | Newsletter preferences, webinar attendance, content download history | Newsletter sign‑up, gated‑content forms
Communication data | Email correspondence, call recordings (audio‑only), chat transcripts | Customer‑service platform, live‑chat widget

We never collect data that is not strictly necessary for the purpose it serves (principle of data minimization).


3. Lawful Basis for Processing

We rely on the following lawful bases under UK‑GDPR:


Basis | When We Use It
Performance of a contract | Managing your investment account, delivering portfolio reports, processing payments.
Legal obligation | KYC/AML compliance, tax reporting, regulatory record‑keeping (minimum 5 years).
Legitimate interests | Fraud prevention, network security, website analytics, improving service quality (balanced against your rights).
Consent | Sending marketing e‑mail newsletters, delivering optional promotional material, placing non‑essential cookies.
Vital interests (rare) | If a life‑or‑death situation required us to share emergency contact details.

When we rely on consent, you can withdraw it at any time (see “Your Rights” section). When we rely on legitimate interests, you have the right to object (see below).


4. How We Use Your Personal Data

Purpose | Data Used | Description
Account creation & management | Identity, contact, financial data | Set up client profile, verify identity, comply with KYC/AML, generate legal agreements.
Service delivery | Financial & technical data | Execute investment orders, rebalance portfolios, calculate performance, produce statements.
Regulatory compliance | All categories | Record‑keeping for FCA, HMRC, and anti‑money‑laundering rules.
Communication | Contact & communication data | Respond to inquiries, schedule calls, send alerts about account activity.
Marketing & educational outreach | Marketing & contact data (with consent) | Send newsletters, webinar invitations, blog updates, e‑book downloads.
Analytics & improvement | Technical data (aggregated) | Understand site usage, improve UI/UX, monitor security threats.
Third‑party service provision | Varies (as listed in Section 6) | Enable payments, email delivery, video‑hosting, CRM, cloud storage.

We never sell your personal data to third parties. All sharing is either contractual, legal, or with your explicit consent.


5. International Data Transfers

Some service providers (e.g., cloud hosting, email marketing) are located outside the United Kingdom (primarily the United States and the European Economic Area).


When we transfer data internationally, we ensure at least one of the following safeguards:


Adequacy decision – The EU‑US Privacy Shield is no longer valid, so we rely on Standard Contractual Clauses (SCCs) approved by the UK ICO.

Binding Corporate Rules (BCRs) – For transfers within our corporate group.

Explicit consent – You are asked to consent before any transfer that is not covered by an adequacy decision or SCC.

All international transfers are documented and subject to strict contractual obligations on data protection.


6. Who We Share Your Data With

Recipient | Reason for Sharing | Safeguards
Regulatory bodies (FCA, HMRC, etc.) | Legal compliance, reporting | Confidentiality agreements, limited to required fields
KYC/AML verification providers (e.g., Onfido, Trulioo) | Identity verification | SCCs, encrypted transmission
Custodians & brokerage partners (e.g., Fireblocks, Coinbase Custody) | Secure storage & execution of crypto assets | Custodial licenses, ISO‑27001, SCCs
Payment processors (Stripe, Worldpay) | Process fees and client contributions | PCI‑DSS compliance, tokenisation
Email & marketing platforms (Mailchimp, HubSpot) | Newsletter delivery, marketing automation | Data‑processing agreements, consent‑based usage
Analytics & performance tools (Google Analytics, Hotjar) | Site‑usage statistics, heat‑maps | IP‑anonymization, opt‑out option
Professional advisors (tax consultants, legal counsel) | Advisory services (upon client request) | Confidentiality & NDA in place
IT service providers (AWS, Microsoft Azure) | Cloud hosting, backup, disaster recovery | Encryption at rest & in transit, SOC‑2 Type II compliance

We require written data‑processing agreements with each third party that obligate them to protect the data to at least the same standard we apply.


7. Data Retention

Data Type | Retention Period | Reason
KYC/AML records | Minimum 5 years after client relationship ends (or longer if required by law) | Regulatory requirement (FCA, AML).
Financial transaction data | 7 years (tax & accounting laws) | HMRC compliance.
Client communications | 3 years after the last contact (unless a dispute arises) | Business necessity.
Marketing consent records | Until you withdraw consent or we delete the record | Consent management.
Website analytics (aggregated) | 24 months (automatic deletion) | Performance monitoring.
Cookies (non‑essential) | 30 days (unless you extend) | Consent‑based tracking.

We review retention schedules annually and delete or anonymize data that is no longer needed.


8. Security Measures

We employ defence‑in‑depth security architecture: firewalls, intrusion‑detection systems, and regular vulnerability scans.

All data in transit is encrypted with TLS 1.3 (HTTPS).

Data at rest (databases, backups) is encrypted using AES‑256.

Access to personal data is role‑based and logged; only authorised personnel may view it.

Multi‑factor authentication (MFA) is mandatory for all staff and for client portal logins.

Regular ISO‑27001 and SOC‑2 audits verify compliance.

In the unlikely event of a data breach, we will notify the Information Commissioner’s Office (ICO) within 72 hours and inform affected individuals without undue delay.

9. Your Rights (under UK‑GDPR)

You have the following rights in relation to your personal data. All requests can be sent to privacy@assetflow.ltd with “Data Subject Request” in the subject line. We will verify your identity before responding.


Right | What It Means | How to Exercise
Right to be informed | Receive clear information about how your data is used (this policy). | Already provided.
Right of access | Request a copy of the personal data we hold about you. | Submit a “Subject Access Request” (SAR).
Right to rectification | Ask us to correct inaccurate or incomplete data. | Email us the corrected information.
Right to erasure (“right to be forgotten”) | Request deletion of your data where there is no legal obligation to retain it. | Email request; we may need to keep certain records for tax/AML.
Right to restriction of processing | Ask us to limit how we use your data (e.g., during a dispute). | Email request; we will suspend processing where possible.
Right to data portability | Receive your data in a structured, machine‑readable format (e.g., CSV) and transmit it to another controller. | Email request.
Right to object | Object to processing based on legitimate interests or direct marketing. | Email request; we will stop the processing unless we have overriding legitimate reasons.
Right not to be subject to automated decision‑making | Opt out of any decisions that have legal or similarly significant effects made solely by automated means. | In our case, portfolio decisions are subject to human oversight, so this right does not apply.

We will respond to any request within one calendar month (extendable by two further months for complex cases) and, where a fee is required (e.g., for excessive or unfounded requests), we will inform you before charging.


10. Cookies & Tracking Technologies

What are cookies? Small text files stored on your device that help us remember your preferences and analyze site usage.


Cookie Type | Purpose | Duration | Example
Strictly necessary | Enable core website functions (session, security, login). | Session | ASP.NET_SessionId
Preferences | Remember language, region, or display settings. | 1 year | lang_pref
Analytics | Track page views, bounce rate, user flow (Google Analytics). | 2 years (IP‑anonymised) | _ga, _gid
Marketing | Show personalized ads, retargeting (Google Ads, Facebook). | 30 days | fr, IDE
Functional | Enable live‑chat, video embeds. | 1 year | hubspotutk

Your choices:


Cookie banner appears on your first visit – you may Accept All, Reject All, or Customize.

You can change preferences any time via the “Cookie Settings” link in the website footer.

Browsers allow you to block or delete cookies altogether; however, disabling necessary cookies may prevent you from using some site features (e.g., client portal login).

Do we use “Do Not Track” (DNT)? We respect DNT signals for analytics and marketing cookies, opting not to set non‑essential cookies when DNT is enabled.


11. Third‑Party Links & Services

Our site may contain links to independent third‑party websites (e.g., regulatory bodies, partner custodians, news outlets).


We are not responsible for the privacy practices of those sites.

When you click a third‑party link, you leave the AssetFlow domain and should read the destination site’s privacy notice.


12. Children’s Privacy

Our services are intended for adults (18 years or older). We do not knowingly collect personal data from children. If we discover that a child’s data has been inadvertently submitted, we will delete it promptly.


13. Changes to This Privacy Policy

We review this policy at least once a year and after any major change to our data‑processing activities.


When a material change occurs, we will:


Post the revised policy on this page with an updated “Effective date.”

Send a notification to registered email addresses (if you have an active account).

You are encouraged to review this policy periodically.


14. How to Contact Us

If you have any questions, concerns, or wish to exercise your data‑subject rights, please contact our Data Protection Officer:


Jane Hart – Data Protection Officer

Email: dpo@assetflow.ltd

Phone: +44 0 123 456 7890

Mailing address: AssetFlow Ltd, 10 Bishopsgate, London, EC2N 4AJ, United Kingdom


You may also reach the general enquiries line at info@assetflow.ltd.

