Privacy Policy
How Xyra Group Holdings Limited collects, processes, shares and protects personal data.
1. Who We Are and What This Policy Covers
Xyra Group Holdings Limited, a private limited company incorporated in England and Wales under company number 16105093, with its registered office at 42–44 Bishopsgate, London EC2N 4AH (referred to herein as "Xyra Group", "we", "us" or "our"), is the data controller in respect of personal data collected through this website (xyragroup.com), through correspondence with our offices, and through the course of our investor, acquisition, advisory and recruitment activities.
This Privacy Policy describes the categories of personal data we collect, the purposes for which we process it, the lawful bases on which we rely, the parties with whom we share it, the international transfers we make, the periods for which we retain it, and the rights you may exercise in respect of it.
2. Data We Collect, Why, and the Lawful Basis
We collect identification and contact data (name, title, employer, postal and electronic addresses, telephone numbers); professional and investor-status data (occupation, regulatory categorisation, source of wealth and source of funds where required for anti-money laundering purposes, accreditation declarations and supporting evidence); commercial and counterparty data (the substance of correspondence, deal information, and records of communications relating to actual or prospective transactions); technical data (internet protocol address, browser type and version, device identifiers, time-zone setting, and pages visited); and recruitment data where you submit a curriculum vitae or speculative application.
We process such data: (i) where necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract; (ii) where necessary for compliance with a legal obligation, including obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, the Bribery Act 2010, applicable sanctions regimes, and the financial-promotions regime of the Financial Services and Markets Act 2000; (iii) where necessary for the purposes of our legitimate interests in evaluating, executing and managing investment opportunities, communicating with counterparties, securing and improving this website, and recruiting personnel, save where such interests are overridden by your fundamental rights; and (iv) where you have given clear and specific consent, including in respect of marketing communications and non-essential cookies, which consent you may withdraw at any time without affecting the lawfulness of processing carried out before withdrawal.
3. Sharing, International Transfers and Retention
We share personal data, on a need-to-know basis and under appropriate written safeguards, with: our directors, officers, employees and affiliated entities; our professional advisers (including legal, accounting, audit, tax, regulatory, banking and risk advisers, such as our regulatory and risk counsel and counterparties of comparable standing); our information-technology, hosting, email, customer-relationship management and document-management providers acting as data processors; competent regulatory, tax, law-enforcement and governmental authorities where lawfully required; and prospective or actual counterparties to a transaction where disclosure is necessary, proportionate and subject to confidentiality.
Where personal data is transferred outside the United Kingdom or the European Economic Area, we rely upon an adequacy decision of the Secretary of State or, as applicable, of the European Commission, or, in the absence of adequacy, upon the United Kingdom International Data Transfer Agreement, the European Commission's 2021 Standard Contractual Clauses, or the United Kingdom Addendum thereto, in each case supported by such supplementary technical and organisational measures as a transfer risk assessment requires. We retain personal data only for so long as is necessary for the purposes for which it was collected, including the satisfaction of legal, accounting, regulatory and reporting obligations: ordinarily, contact and counterparty data is retained for the duration of the relationship and for seven years thereafter; investor due-diligence and anti-money-laundering records are retained for at least five years following the end of the business relationship; recruitment data not resulting in engagement is retained for twelve months unless you consent to a longer period; and unsuccessful website enquiries are retained for twenty-four months.
4. Your Rights and How to Exercise Them
Subject to the conditions and exceptions set out in applicable law, you have the right to be informed of the processing of your personal data; the right of access to a copy of the personal data we hold concerning you; the right to rectification of inaccurate or incomplete data; the right to erasure ("the right to be forgotten") in defined circumstances; the right to restriction of processing; the right to data portability in respect of data you have provided to us and which is processed by automated means on the basis of consent or contract; the right to object to processing carried out on the basis of our legitimate interests or for direct-marketing purposes; and the right not to be subject to a decision based solely on automated processing which produces legal or similarly significant effects, of which we currently undertake none in connection with this website.
You may exercise any of these rights, withdraw consent previously given, or raise any concern, by writing to the Office of the Chief Legal Officer at the address above or by electronic mail to info@xyragroup.com; we shall respond within one calendar month, save where the request is complex or numerous, in which case we may extend that period by up to two further months and shall inform you accordingly. Should you remain dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ico.org.uk; 0303 123 1113), or with the supervisory authority of the Member State of your habitual residence, place of work or place of the alleged infringement.