Privacy Policy
Last updated: April 2026
This Privacy Policy applies to personal data controlled by Lydiam Group Ltd (United Kingdom) in connection with the lydiamgroup.co.uk website and its UK advisory and consultancy services. Other members of the Lydiam group (including entities incorporated in Poland, the United Arab Emirates, and Canada) operate under their own privacy notices, which will be provided where they act as controllers of your personal data. This policy is intended to be compliant with UK GDPR but remains subject to review by qualified legal counsel prior to reliance.
1. Who we are
The data controller for personal data collected via this website and in the course of our UK advisory services is:
Lydiam Group Ltd
Registered in England and Wales, Company No. 14454132
Trading address: 17 Hanover Square, London, W1S 1BN
Contact: info@lydiamgroup.co.uk
References in this policy to "Lydiam UK," "we," "us," or "our" are to Lydiam Group Ltd.
2. Scope
This policy applies to personal data Lydiam UK collects and processes as a data controller. Lydiam UK is a UK-incorporated advisory and consultancy firm. We do not conduct regulated financial services, hold client money, or execute financial transactions. Where regulated services are delivered by other members of the Lydiam group (for example, Lydiam Group Sp. z o.o. in Poland or Lydiam Pay Corp in Canada) or by third-party regulated providers, those parties act as separate data controllers and will provide their own privacy notices at the point of engagement.
3. Personal data we collect
We may collect and process the following categories of personal data:
- Identity and contact data: name, role, employer, business address, email address, and telephone number — provided when you contact us, submit an enquiry, or engage our services.
- Due diligence and onboarding data: information necessary for client acceptance, anti-money-laundering (AML) and know-your-customer (KYC) checks, beneficial ownership verification, source-of-funds and source-of-wealth evidence, sanctions screening, and politically exposed persons (PEP) checks.
- Engagement data: correspondence, documents, and information you provide or we generate in the course of an advisory engagement.
- Website and technical data: IP address, browser type and version, device information, pages visited, and the date and time of access, collected through cookies and similar technologies.
We do not knowingly collect special category personal data through this website. Any special category data provided in the course of an engagement will be processed only where we have an appropriate lawful basis and condition under Article 9 of the UK GDPR.
4. How we use your data and our lawful bases
We process personal data for the following purposes, relying on the lawful bases set out below:
- To respond to enquiries and provide information — on the basis of our legitimate interests in operating our business and responding to prospective clients.
- To perform client onboarding, due diligence, and AML/KYC checks — on the basis of compliance with our legal obligations (including the Money Laundering Regulations 2017 and the Proceeds of Crime Act 2002) and our legitimate interests in managing risk.
- To deliver advisory and consultancy services under an engagement letter — on the basis of performance of a contract to which you are a party, or steps taken at your request prior to entering into a contract.
- To maintain records, manage our business, and exercise or defend legal claims — on the basis of our legitimate interests and compliance with legal obligations.
- To operate and improve this website — on the basis of our legitimate interests and, where required, your consent (for non-essential cookies).
5. Sharing within the Lydiam group
We may share personal data with other members of the Lydiam group where necessary for the purposes described in this policy — for example, where a client requires a regulated service provided by a group entity in another jurisdiction and asks us to coordinate the introduction or handover.
Group members with which data may be shared include:
- Lydiam Group Sp. z o.o. (Poland) — VASP registered under RDWW-1486, for cryptoasset-related services where relevant;
- Lydiam Pay Corp (Canada) — for payments-related services where relevant;
- Lydiam Group L.L.C-FZ (United Arab Emirates) — for advisory coordination where relevant.
Each group entity acts as a separate controller of the personal data it receives. Where we share personal data with a group entity, we do so on the basis of your consent (where appropriate), performance of your contract, or our legitimate interests in operating as an integrated advisory group, and we put in place appropriate safeguards.
6. International transfers
Some of our group entities and third-party providers are located outside the United Kingdom, including in the European Economic Area (Poland), Canada, and the United Arab Emirates. Where we transfer personal data outside the UK, we rely on one or more of the following transfer mechanisms:
- transfers to countries recognised by the UK as providing an adequate level of protection (for example, the European Economic Area and Canada, in respect of commercial organisations subject to PIPEDA);
- the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses, combined with any supplementary measures identified by a transfer risk assessment;
- another lawful transfer mechanism permitted under Chapter V of the UK GDPR.
Further information about the safeguards applied to a specific transfer is available on request.
7. Third-party service providers
We engage third-party service providers who process personal data on our behalf — for example, IT and hosting providers, email service providers, professional advisers, identity verification and sanctions screening providers, and document storage platforms. These providers act as processors under our instructions and are bound by appropriate contractual commitments under Article 28 of the UK GDPR.
Where a regulated service (such as payments or foreign exchange) is required by a client, we may introduce the client to an authorised third-party provider (including, in the UK, FCA-authorised payment institutions). Those providers contract with the client directly and act as independent data controllers of any personal data the client shares with them.
8. Disclosures required by law
We may disclose personal data where required or permitted by law, including to regulators, law enforcement, courts, tax authorities, or other public bodies, or where necessary to investigate or prevent fraud, financial crime, or breaches of our terms or applicable law.
9. Retention
We retain personal data for as long as is necessary to fulfil the purposes for which it was collected, including to comply with legal, regulatory, tax, accounting, or reporting requirements. Records collected for AML/KYC purposes are generally retained for five years following the end of the business relationship, consistent with the Money Laundering Regulations 2017. Engagement records are retained for the period set out in our records retention schedule, which reflects limitation periods for professional liability claims and other applicable obligations.
10. Your rights
Under the UK GDPR you have, in specified circumstances, the right to:
- be informed about how your personal data is processed;
- request access to a copy of your personal data;
- request the rectification of inaccurate or incomplete data;
- request erasure of your personal data;
- restrict or object to processing of your personal data;
- request data portability where processing is based on consent or contract and carried out by automated means;
- withdraw consent at any time where we rely on it as our lawful basis (without affecting the lawfulness of processing before withdrawal).
You may exercise these rights by contacting us at info@lydiamgroup.co.uk. We will respond within one month, subject to any extension permitted by the UK GDPR.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) — see ico.org.uk — if you believe our processing of your personal data infringes UK data protection law.
11. Security
We maintain appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. No system is wholly secure; where a notifiable personal data breach occurs, we will act consistently with our obligations under the UK GDPR and the Data Protection Act 2018.
12. Cookies
This website uses strictly necessary cookies required for it to function. We do not use non-essential analytics, advertising, or profiling cookies without your consent. You can configure your browser to refuse cookies; disabling strictly necessary cookies may affect the functionality of this website.
13. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of this page reflects the date of the most recent version. Material changes will be notified where required.
14. Contact us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us at: