This Privacy Policy explains how we collect, use, and protect personal data submitted through this site and during advisory engagements. It is drafted to align with the EU GDPR, the UK Data Protection Act 2018, and the UAE PDPL.
1. Data controller
Become Global Citizen Ltd. is the data controller of personal data collected through this site and our services.
2. Personal data we collect
Contact data: name, email, phone, country of residence, nationality. KYC and AML data: passport copies, proof of address, source-of-funds documentation, police clearances. Technical data: IP address, device type, browser, usage logs. Marketing data: communication preferences and consent records.
3. How we use your data
To deliver advisory services and process applications. To comply with KYC, AML, and sanctions-screening obligations. To communicate with you about your engagement. To improve our site and services. To send marketing communications where you have consented.
4. Legal bases (GDPR)
Performance of a contract or pre-contractual steps. Compliance with a legal obligation (KYC/AML). Legitimate interests (security, fraud prevention). Consent (marketing).
5. Sharing of data
We share personal data with: government authorities and licensed agents involved in processing your application; due-diligence service providers and financial institutions; IT service providers (hosting, CRM, email) bound by data-processing agreements.
6. International transfers
Where personal data is transferred outside the EEA or the UAE, we rely on Standard Contractual Clauses or equivalent safeguards.
7. Data retention
KYC and AML data is retained for the minimum period required by law (typically 5 to 10 years after the end of the engagement). Other data is retained for the duration of the relationship plus a reasonable archival period.
8. Your rights
Subject to applicable law, you have the right to access, rectify, erase, restrict, or port your personal data, and to object to processing. Privacy requests can be sent to our legal address.
9. Security
We use organisational and technical measures to protect personal data, including encryption in transit, restricted access, and audit logs.
10. Sub-processors and DPAs
A current list of sub-processors (hosting, transactional email, analytics, CRM) is available on written request. Corporate clients and EU-resident individuals who require a signed Article 28 Data Processing Agreement should ask before any data beyond the contact form is exchanged.
11. Updates to this policy
We may update this policy from time to time. The latest version is always available on this page.