Important: This is a financial promotion. Capital at risk. For Professional Clients and Eligible Counterparties only. Not investment advice.

Website Privacy Policy

www.penwarne.com | Penwarne Digital Assets Ltd | Effective: February 2026 | Version 2.0

1. INTRODUCTION

1.1 This Privacy Policy (the “Policy”) explains how Penwarne Digital Assets Ltd (“Penwarne”, “we”, “us”, or “our”), a company incorporated in England and Wales under company number 16919154, with its registered office at the address filed at Companies House, collects, uses, stores, discloses, and protects your personal data when you access or use www.penwarne.com (the “Website”).

1.2 This Policy is issued in compliance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”), the Privacy and Electronic Communications Regulations 2003 (“PECR”), and the Data (Use and Access) Act 2025 (“DUAA”) where applicable.

1.3 By accessing the Website, you acknowledge that you have read and understood this Policy. This Policy should be read in conjunction with our Website Terms and Conditions and Cookie Policy.

2. DATA CONTROLLER IDENTITY AND CONTACT

2.1 The data controller is: Penwarne Digital Assets Ltd, Company No. 16919154, England and Wales. Email: investments@penwarne.com (FAO: Data Protection).

2.2 We have not appointed a DPO. Data protection queries are handled by the director responsible for compliance.

2.3 You may lodge a complaint with the ICO: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Tel: 0303 123 1113. www.ico.org.uk.

3. CATEGORIES OF PERSONAL DATA WE COLLECT

(a) Data You Provide Directly (Article 13 UK GDPR)

  • Investor Qualification Data: Name, email, professional title, firm name, investor classification, self-certification declarations, date/time of certification, country of residence.
  • Correspondence Data: Name, email, telephone number, and content of any communications.
  • Subscription/Registration Data: Name, email, professional capacity, entity details.
  • Due Diligence Data: Identity verification documents, proof of address, source of funds/wealth, PEP status, sanctions screening data, and other AML/KYC information.

(b) Data Collected Automatically (Article 13 UK GDPR)

  • Technical Data: IP address, browser type/version, OS, device type, screen resolution, time zone, referring URL, unique device identifiers.
  • Usage Data: Pages visited, access times, time on page, scroll depth, click patterns, document download history, navigation paths.
  • Cookie Data: Information collected through cookies and similar technologies (see Section 10).

(c) Data Obtained from Third Parties (Article 14 UK GDPR)

  • Referral Data: Name, contact details, professional capacity, and investor classification received from intermediaries, financial advisers, family offices, or placement agents.
  • Screening Data: Results from sanctions, PEP, and adverse media screening via third-party databases (e.g., Refinitiv World-Check, Dow Jones Risk & Compliance).
  • Publicly Available Data: Information from Companies House, FCA Register, FINMA Register, and other public sources.

3.2 Where we obtain your personal data from a source other than you, we will provide you with the information in this Policy within a reasonable period of obtaining the data and no later than one calendar month, in accordance with Article 14(3)(a) UK GDPR.

3.3 We do not intentionally collect special category data (Article 9 UK GDPR) unless strictly required for AML/KYC (e.g., biometric data from ID verification). Where processed, the lawful basis is substantial public interest (Schedule 1, Part 2, DPA 2018).

4. PURPOSES OF PROCESSING AND LAWFUL BASES

4.1 We process your personal data for the following purposes:

Purpose Description Lawful Basis
Website Access & Qualification Operating the Qualification Gate, verifying investor status, granting restricted access Art.6(1)(b) Contract / Art.6(1)(f) Legit. Interest
AML / KYC Compliance Identity verification, sanctions screening, source of funds checks, ongoing monitoring Art.6(1)(c) Legal Obligation (MLR 2017)
Investor Communications Product updates, NAV reports, performance data, material changes to the AMC Art.6(1)(f) Legit. Interest / Art.6(1)(a) Consent
Regulatory Record-Keeping Records of investor classification, financial promotions compliance, qualification records Art.6(1)(c) Legal Obligation (FSMA/FPO)
Website Analytics Understanding visitor behaviour to improve content and user experience (via cookie banner) Art.6(1)(a) Consent
Service Provider Coordination Coordinating with Profin, GenTwo, InCore Art.6(1)(f) Legit. Interest
Legal Claims Establishing, exercising, defending claims Art.6(1)(f) Legit. Interest

4.2 Where we rely on legitimate interests (Art.6(1)(f)), we have conducted a Legitimate Interests Assessment and concluded that our interests do not override your rights, taking into account the professional nature of our audience and reasonable expectations of institutional investors.

4.3 Provision of Investor Qualification Data and Due Diligence Data is a contractual requirement for access to the restricted areas of the Website and a statutory requirement under the Money Laundering Regulations 2017. If you do not provide this data, we will be unable to grant you access to restricted content or process any investment subscription.

4.4 Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

5. DATA SHARING AND RECIPIENTS

5.1 We may share your personal data with:

  • AMC Service Providers: Profin Partners Ltd (FCA FRN 595504); GenTwo Pro AG (FINMA); InCore Bank AG (FINMA); Interactive Brokers (SEC/FINRA); SIX SIS AG (FINMA).
  • Legal Advisers: Edwin Coe LLP.
  • Placement Agents: Where you were introduced by an intermediary, we may share limited enquiry status information, subject to consent or legitimate interest.
  • Compliance Providers: Third-party AML/KYC verification and sanctions screening databases.
  • Technology Providers: Website hosting, email, CRM, analytics (subject to Art.28 data processing agreements).
  • Regulatory Authorities: FCA, HMRC, NCA, FINMA, and any other authority where required by law.

5.2 We will never sell, rent, or trade your personal data. All third-party processors operate under Art.28-compliant data processing agreements.

6. INTERNATIONAL DATA TRANSFERS

6.1 Your personal data may be transferred to Switzerland and the United States. Safeguards include:

  • Switzerland: UK adequacy decision (The Data Protection (Adequacy) (Switzerland) Regulations).
  • United States: UK Extension to the EU-US Data Privacy Framework for DPF-participating organisations; UK IDTA or UK Addendum to EU SCCs for non-DPF transfers.

6.2 You may request a copy of the safeguards at investments@penwarne.com.

7. DATA RETENTION

Data Category Retention Period Legal Basis
Investor Qualification Data Relationship + 6 years Limitation Act 1980; FCA fin. promo. compliance
AML / KYC Data 5 years post-relationship MLR 2017 Reg.40
Correspondence 3 years from last contact Legitimate interest
Marketing Consent Records Consent + 2 years Accountability (Art.5(2))
Website Analytics / Cookies Maximum 13 months ICO analytics guidance
Technical / Server Logs 90 days Security; fraud prevention
Due Diligence / Screening 5 years from screening MLR 2017; POCA 2002

7.1 At end of retention, data is securely deleted or irreversibly anonymised. Longer retention may apply where required for ongoing legal proceedings or regulatory investigations.

8. YOUR RIGHTS UNDER UK GDPR

  • Right of Access (Art.15): Confirmation of processing and copy of your data.
  • Right to Rectification (Art.16): Correction of inaccurate or incomplete data.
  • Right to Erasure (Art.17): Deletion in certain circumstances (subject to AML retention obligations).
  • Right to Restriction (Art.18): Restriction of processing where you contest accuracy.
  • Right to Data Portability (Art.20): Receive data in structured, machine-readable format.
  • Right to Object (Art.21): Object to legitimate-interest processing; we will cease unless compelling grounds exist.
  • Right to Withdraw Consent (Art.7(3)): Withdraw at any time without affecting prior processing.
  • Automated Decision-Making (Art.22): We do not carry out automated decision-making or profiling with legal or similarly significant effects.

8.1 To exercise any right, email investments@penwarne.com (subject: “Data Protection Request”). We will respond within one month (extendable by two months for complex requests per Art.12(3)). Identity verification may be required. No fee applies unless manifestly unfounded or excessive (Art.12(5)).

9. DATA SECURITY

9.1 We implement appropriate technical and organisational measures under Art.32 UK GDPR: TLS 1.2+ encryption in transit; AES-256 at rest; multi-factor authentication; need-to-know access controls; ISO 27001-equivalent hosting; periodic security testing.

9.2 In the event of a personal data breach: (a) we will notify the ICO within 72 hours of becoming aware (Art.33); (b) we will notify affected data subjects without undue delay where the breach is likely to result in a high risk to rights and freedoms (Art.34); (c) our notification will include the nature of the breach, likely consequences, and measures taken or proposed.

9.3 We conduct Data Protection Impact Assessments (DPIAs) under Art.35 UK GDPR where processing is likely to result in high risk. A DPIA has been considered for the Qualification Gate processing; given the limited scale and professional audience, it is not mandatory but has been completed as good practice.

10. COOKIES AND SIMILAR TECHNOLOGIES

10.1 We use: (a) Strictly Necessary Cookies — session management, Qualification Gate authentication, CSRF protection (no consent required); (b) Analytical Cookies — privacy-focused analytics, aggregated data only (consent required); (c) Functionality Cookies — preference storage (consent required).

10.2 We do NOT use advertising cookies, tracking pixels, social media plugins, or behavioural profiling technologies.

10.3 Non-essential cookies are blocked until affirmative opt-in consent is given. Withdrawal is available via the cookie settings link in the Website footer, which is as easy to access as the consent mechanism. Cookie consent records are retained for audit purposes.

11. DIRECT MARKETING

11.1 We send marketing only with explicit consent or under the PECR Reg.22 soft opt-in. Every communication includes a clear unsubscribe mechanism. We maintain a suppression list.

12. CHILDREN’S DATA

12.1 The Website is not directed at persons under 18. If we become aware of data from a minor, it will be immediately deleted.

13. GOVERNING LAW

13.1 This Policy is governed by English law. Disputes are subject to the exclusive jurisdiction of the English courts, without prejudice to your right to complain to the ICO.

14. CONTACT

14.1 Penwarne Digital Assets Ltd, Co. 16919154, England & Wales. Email: investments@penwarne.com (FAO: Data Protection). Website: www.penwarne.com.

Issued by Penwarne Digital Assets Ltd. Compliant with UK GDPR, DPA 2018, PECR, DUAA, and ICO guidance. Version 2.0, February 2026.