Introduction
1. Important Information and Who We Are
1.1. Purpose of This Privacy Policy
Arda Capital Limited ("Arda" or "we") respects your privacy and is committed to protecting your Personal Data. This Privacy Policy applies to how we collect, process, and store your Personal Data through our online services, our Android and iOS Mobile apps, recipients of our emails, or when you otherwise interact with us. It describes the types of Personal Data we obtain, how we use it, and with whom we share it. We also describe your rights, how the law protects you, and how you can contact us about our privacy practices, including how to make a data protection complaint directly to us.
References to "Arda", "we", "us" and "our" collectively refer to Arda Capital Limited. References to the "Information Commission" refer to the body formerly known as the Information Commissioner's Office ("ICO"), as renamed by the DUAA 2025.
1.2 Identity and the Contact Details of the Controller
For the purposes of the UK General Data Protection Regulation ("UK GDPR") (as amended by the DUAA 2025), Arda Capital Limited is the data controller responsible for the Personal Data we collect or that you provide to us.
If you have any questions about this Privacy Policy, how we collect, use or disclose Personal Data, or wish to update information we hold about you, please contact us:
· By email: compliance@ardacap.com
· By post: 19 Berkeley Street, London, W1J 8ED
1.3 Data Protection Contact
We have not appointed a dedicated Data Protection Officer. However, the person responsible for Data Protection can be contacted directly at: compliance@ardacap.com
2 The Data We Collect About You and How We Use It
We will only use your Personal Data when the law allows us to. The lawful bases we rely on are:
2.1 Consent
When you give us your consent, for example, to access contacts on your phone or allow access to your location. You have the right to withdraw consent at any time via the Privacy Settings in our Android or iOS Mobile app or by contacting us at compliance@ardacap.com.
2.2 Contract
When we need to execute a contract you have entered into with us. Where we need to collect Personal Data under the terms of a contract and you fail to provide that data, we may not be able to perform the contract and may have to cancel a service, but we will notify you if this is the case.
2.3 Legal or Regulatory Obligation
When we are required to collect Personal Data by law or regulation. Failure to provide that data may result in us being unable to perform our services, and we will notify you at that time.
2.4 Legitimate Interests
Updated lawful basis - DUAA 2025
Legitimate Interest means the interest of Arda in processing your Personal Data, or the benefit Arda derives from that processing.
Where we rely on legitimate interests, we consider and balance any potential impact on you and your rights before we process your Personal Data. Under the DUAA 2025, certain processing activities are designated as 'recognised legitimate interests', meaning they are automatically treated as a legitimate basis for processing without a full Legitimate Interests Assessment (LIA) being required. These include certain fraud prevention, network security, and public safety-related activities. For all other legitimate interests processing, we continue to conduct a full LIA.
We may also process certain special categories of data such as criminal convictions and biometric data where we are lawfully permitted to do so, and only for limited purposes such as fraud or money laundering and terrorist financing prevention and detection. Apart from this, we do not collect Special Categories of Personal Data about you (including details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health information or genetic data).
We also collect, use and share Aggregated Data (statistical or demographic data) for any purpose. Aggregated Data is not considered Personal Data in law as it will not directly or indirectly reveal your identity. If we combine Aggregated Data with your Personal Data so that it can identify you, we treat the combined data as Personal Data subject to this Privacy Policy.
The table below sets out all the ways we plan to use your Personal Data and the legal basis we rely on to do so. Note that we may process your Personal Data for multiple legal reasons.
The following sets out each category of personal data we process, the purposes for which it is used, and the lawful basis on which we rely.
Submitted Information
Data types included:
· Full legal name
· Nationality/Citizenship
· Avatar
· Passport/ID photo
· Address
· Proof of Address
· Proof of Source of Funds
· Tax declaration
· Payslip
· Country of Residence/Citizenship
· Passport dates
· Email address
· Phone number
· Liveness Selfie
· Date of Birth
Purpose 1
To verify your identity and liveness, to comply with financial crime and AML/CTF laws, protect against fraud, and confirm your eligibility to use our services.
Lawful Basis
Legal obligation and legitimate interest (prevention of fraud, misuse of services, money laundering).
Purpose 2
To notify you about changes to our service and this Privacy Policy.
Lawful Basis
Legitimate interest (efficiency in meeting regulatory obligations).
Purpose 3
To comply with automatic exchange of financial account information between tax authorities.
Lawful Basis
Legal obligation.
Purpose 4
To carry out contractual obligations arising from any transactions you conduct.
Lawful Basis
Fulfilling contracts.
Purpose 5
To provide you with information updates about our services.
Lawful Basis
Fulfilling contracts.
User Content
Data types included:
· Customer service and marketing communications.
· Ratings and other content you provide.
Purpose 1
To carry out contractual obligations arising from transactions and placement of orders.
Lawful Basis
Fulfilling contracts.
Purpose 2
To provide a consistent experience for users on the platform.
Lawful Basis
Legitimate interest (product improvement).
Purpose 3
To facilitate real-time social interactions through our app.
Lawful Basis
Your consent.
Purpose 4
To communicate with customers via SMS to notify them of critical actions required.
Lawful Basis
Legitimate interest (ensuring customers act on critical requests).
Transactional Data
Data types included:
· Transaction Amount
· Account Number
· Beneficiary Data
· User/Account ID
· Destination Institution
Purpose 1
To carry out contractual obligations arising from financial transactions.
Lawful Basis
Fulfilling contracts.
Purpose 2
To comply with financial crime and AML/CTF laws.
Lawful Basis
Legal obligation and legitimate interest (prevention of fraud and money laundering).
Purpose 3
To comply with automatic exchange of financial account information between tax authorities.
Lawful Basis
Legal obligation.
Device Information
Data types included:
· Browser type and version
· Timezone
· IP address
· Operating system
· Device type
· Unique device identifier
Purpose 1
To verify your identity, comply with financial crime and tax laws, protect against fraud, and confirm eligibility.
Lawful Basis
Legal obligation.
Purpose 2
To administer, improve and secure our site and app.
Lawful Basis
Legitimate interest (improving products and services).
Geolocation Information
Data types included:
· Location identified by longitude/latitude, GPS, Wi-Fi or similar
Purpose 1
To maintain your eligibility as an Arda user.
Lawful Basis
Fulfilling contracts.
Purpose 2
To verify your registered address during onboarding.
Lawful Basis
Legitimate interest (improving customer experience).
Purpose 3
To verify users' location while using our services to combat financial fraud.
Lawful Basis
Legitimate interest (prevention of fraud and misuse of services).
Purpose 4
To provide location-specific options, functionality, or content.
Lawful Basis
Your consent and legitimate interest.
Marketing Campaigns
Data types included:
· Email address
· Full legal name
· Country of Residence
Purpose 1
To provide you with information regarding Arda products and services.
Lawful Basis
Your consent.
Statistical / Usage Information
Data types included:
· Full URLs
· Page lengths of visits
· Click stream
· Page response times
· Downloads
· Page interaction data
Purpose 1
To administer, improve and secure our site and app, and to provide you with information about goods and services.
Lawful Basis
Legitimate interest (developing new products and services and keeping you updated).
2.5 Marketing
We are committed to providing you with choices regarding your Personal Data, particularly around marketing and advertising. We will get your consent before sending third-party direct marketing communications to you via email or text message. You have the right to withdraw consent to receive third-party marketing at any time by contacting us.
You can expect to receive marketing communications from us if you have requested information or purchased services from us and you have not opted out of receiving that marketing.
2.6 Change of purpose
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose. We will delete Personal Data after fulfilling the intended purpose or after expiration of the applicable storage periods. If we need to use your data for an unrelated purpose, we will notify you and explain the legal basis.
3 How Your Personal Data Is Collected
3.1 Information That You Provide to Us
Personal Data that you provide directly to us should be apparent from the context in which you provide it. For example, when you use our services, we collect your name, email address, and transaction information to complete your transactions. We will process Personal Data you choose to provide through our website and Mobile Apps, including your first and last name, physical address, email address, mobile device identifier, and transactional data.
3.2 Information That We Collect Automatically
We use cookies, action tags and third-party analytics tools to collect data about your visit and usage of our services. This may include your IP address, browser type and version, operating system, geographic location, device identifiers, and movements on our online services.
3.3 Cookies
Cookie rules updated - DUAA 2025/PECR amendments (in force from 5 February 2026)
We use cookies on our website. Under the DUAA 2025's amendments to the Privacy and Electronic Communications Regulations (PECR), which came into force on 5 February 2026, the following categories of cookies no longer require your prior consent to be set:
· Functionality cookies - used to adapt how the site or app looks or works based on your device or preferences;
· Security cookies - used for fraud prevention and device security;
· Software update cookies - used to deliver updates to our services.
For these exempt cookies, we do not need your active opt-in consent; however, we are still required to clearly inform you about their use (as we do in this Privacy Policy and our Cookie Policy) and to provide you with a simple, free mechanism to opt out at any time.
The following types of cookies still require your prior consent under PECR:
· Advertising and targeting cookies
· Most third-party tracking cookies
· Social media plug-in cookies
Please note that PECR penalty levels have been raised by the DUAA 2025 to align with the UK GDPR - up to £17.5 million or 4% of global annual turnover for breaches, making cookie compliance more important than ever.
For full details about the cookies we use and to manage your cookie preferences, please see our Cookie Policy. You can also adjust your browser settings to control cookies.
3.4 Action Tags
We may use action tags to identify pages you visit and how you use the content on those pages. Action tags collect and transmit data in a manner that identifies you if you have registered with our website and are logged into our Mobile apps. We may also use action tags in our emails to determine whether an email was opened or forwarded.
3.5 Do Not Track
Your browser settings may allow you to transmit a "Do Not Track" signal. Like many websites, we do not currently process or respond to "Do Not Track" signals. If we do so in the future, we will describe how in this Privacy Policy.
3.6 Information from Third Parties and Publicly Available Sources
Personal data may be received from the following categories of external providers:
Analytics providers, advertising networks, search information providers
Types of Data Received
Technical Information, Usage Data, Demographic Data, Device Identifiers
Country of Establishment
UK
Technical, payment and delivery service providers
Types of Data Received
Personal Identifiable Information, KYC/AML Data, Customer Account Data, Customer Communications
Country of Establishment
UK
Data brokers or aggregators
Types of Data Received
Consumer Demographic Data, Third-Party Risk or KYC Data
Country of Establishment
UK
Publicly available sources (e.g. Companies House, Electoral Register)
Types of Data Received
Company information, Individual names and addresses
Country of Establishment
UK
3.7 Third Party Links
Our website and Mobile apps may include links to third-party websites, plug-ins and applications. Clicking on those links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. We encourage you to read the Privacy Policy of every website or app you visit. We are not responsible for the security of data you transmit over the Internet or provide directly to a third party's website.
4 Anti Money Laundering and Combating Terrorist Financing
Money laundering is defined as the process where the sources of funds are disguised so as to give an impression of legitimate income. Criminals target financial services firms to launder criminal proceeds without the firms' knowledge or suspicion.
We process your Personal Data for AML/CTF purposes as described in the AML/KYC Privacy Notice below (section 10). The legal framework underpinning these obligations includes:
· The Money Laundering and Terrorist Financing (Amendment) (EU Exit) Regulations
· The Money Laundering and Terrorist Financing (Amendment) Regulations 2019
· The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
· The Criminal Finances Act 2017
· The Proceeds of Crime Act 2002
· The Terrorism Act 2000 (as amended)
· The Terrorist Asset-Freezing etc Act 2010
· Counter-terrorism Act 2008, Schedule 7
5 Information We Share; Data Transfers
We do not sell or otherwise disclose Personal Data that you provide to us or that we collect through our services, except as described in this section:
· Marketing materials from third parties if you have provided consent;
· Professional advisers such as lawyers, banks, auditors and insurers providing such services;
· Regulators and other authorities who require reporting of processing activities in certain circumstances;
· Where required by applicable laws or legal process;
· To protect the rights, property and safety of Arda, our users and the public - for example, in connection with court proceedings, to detect or prevent criminal activity or fraud;
· Gathering your rating of our app, which is processed through a third-party service provider.
5.1 International Data Transfers
Updated - DUAA 2025 'Data Protection Test' and UK-US Data Bridge
Arda is headquartered in the UK. We may transfer your data to countries outside the UK/EEA to the extent necessary to perform our services.
Under the DUAA 2025, a new 'data protection test' applies to international transfers. Before transferring personal data to a third country, we must assess whether the standard of data protection in the destination country is 'not materially lower' than the standard in the UK. This test applies both to formal adequacy assessments and to our own assessment before relying on standard contractual clauses or other appropriate safeguards.
Transfers to countries within the EEA are not restricted. For transfers to countries outside the UK/EEA, we rely on one or more of the following safeguards:
· An adequacy decision made by the UK Secretary of State confirming that the destination country provides an adequate level of data protection
· Standard contractual clauses (SCCs) approved by the UK Secretary of State or the Information Commission
· Binding corporate rules
· Compliance with an approved code of conduct or certification mechanism
Regarding transfers to the United States: the UK-US Data Bridge (a UK adequacy decision under the UK Extension to the EU-US Data Privacy Framework) came into force on 12 October 2023. UK companies may transfer personal data to US organisations certified under the Data Privacy Framework without additional safeguards. Where we rely on this mechanism, we will confirm it in our processing records. The EU-US Data Privacy Framework survived its first legal challenge before the EU General Court in September 2025, though further challenges remain possible; we monitor developments and maintain backup transfer mechanisms accordingly.
Please note: the previous reference in this Privacy Policy to "Privacy Shield" has been removed, as that framework was invalidated by the CJEU's Schrems II decision in July 2020 and has been superseded by the mechanisms described above.
Further details on our transfer safeguards can be obtained by contacting compliance@ardacap.com.
6 Security Measures
We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We limit access to your Personal Data to those employees, agents, contractors and other third parties strictly required under the provisions of a service agreement with them. They will only process your Personal Data on our instructions and are subject to duties of confidentiality and compliance with data protection procedures.
We have put in place procedures to deal with any suspected or actual Personal Data breach. We will notify you and any applicable authority of a breach where we are legally required to do so.
7 Protection of Minors
Arda does not knowingly collect or solicit Personal Data from anyone under the age of 18. If you are under 18, please do not attempt to register for our services or send any Personal Data about yourself to us.
In accordance with our obligations under the Children's Code (Age Appropriate Design Code) and the requirements of the DUAA 2025, which requires online service providers to explicitly consider children's interests when processing personal data, we have assessed our services and implemented appropriate safeguards.
8 Data Retention
We retain information about you for as long as your account is active, or as is reasonably needed to fulfil the purposes for which we collected it and to provide our services, and as required by applicable laws, including to comply with our legal, regulatory, tax, accounting or reporting obligations, to resolve disputes or complaints, and to enforce our agreements.
In some circumstances we will anonymise your Personal Data for research or statistical purposes, after which it ceases to be Personal Data, and we may use it without further notice to you. Please note that when interacting with the blockchain we may not be able to ensure that your Personal Data is deleted.
The following sets out our retention periods by data type, together with the justification for each.
Details of Third-Party Service Providers
Includes
Name, address, bank details
Retention Period
6 years from date of expiration/termination of the contract (or duration of renewal)
Justification
Contractual requirements.
Details of Suppliers
Includes
Email, name, address, bank details
Retention Period
6 years from date of expiration/termination of the contract (or duration of renewal)
Justification
Settling invoices, payment for services, and defending/establishing potential legal claims.
Suspicious Transaction / Activity Reports
Retention Period
Upon expiration of purpose or AML/CFT retention requirement of 5 years minimum under AML, or expiration of relationship plus 6-year limitation period
Justification
Compliance with AML/CFT and KYC obligations.
Client Identification Data
Includes
Full name, liveness selfies, national ID, address, date of birth, phone, email, bank info, security selfies, IP, OS, location, KYC/blockchain data
Retention Period
Upon expiration of relationship or regulatory requirement - minimum of 5 years post-termination
Justification
Compliance with AML/CFT and KYC obligations.
Account Creation / App and Platform Usage Data
Retention Period
Upon account termination, save for transaction data which may need to be retained for 6 years. Maximum of 5 years for KYC and AML/CFT ongoing monitoring.
Justification
Contractual requirements; legal obligation under the Income Tax Act; KYC/CDD obligations under AML/CFT legislation.
9 Your Rights and Choice
9.1 Right to Information and Access
You have the right to be informed about the processing of your Personal Data and to access your Personal Data held by us. To exercise this right, contact us at compliance@ardacap.com.
When handling Subject Access Requests (SARs), consistent with the DUAA 2025, our obligation is to provide data found following a reasonable and proportionate search of our systems and records. We may also pause the SAR response clock where we need to verify your identity or request clarification about the scope of your request; the clock restarts once that information is received. We will inform you promptly if we pause the clock and why.
9.2 Right to Rectification
You have the right to have inaccurate or incomplete Personal Data about you corrected. If you need to advise us of any changes to your Personal Data, please contact us using the details provided in this Privacy Policy.
9.3 Right to Erasure (‘Right to be Forgotten’)
You have the right to request the erasure of your Personal Data in the following circumstances:
· The Personal Data is no longer necessary for the purpose for which it was collected;
· You withdraw your consent and no other legal justification applies;
· We unlawfully processed your Personal Data;
· Erasure is required to comply with a legal obligation.
Please be aware that by requesting erasure, we will need to close your Arda account; this action is not reversible, and we will no longer be able to provide Arda's services to you. This does not affect the lawfulness of any processing carried out before your erasure request. Where we interact with blockchain, we may not be able to ensure deletion.
We may refuse an erasure request where continued retention is necessary to: comply with a legal obligation under applicable law; establish, exercise or defend legal claims.
9.4 Right to Restrict Processing
You have the right to restrict processing of your Personal Data where: you contest its accuracy; you believe processing is unlawful and prefer restriction over erasure; we no longer need the data, but you require it for legal claims or regulatory requirements. Restricting processing may require us to close your Arda account.
9.5 Right to Data Portability
Where the legal basis for processing your Personal Data is consent or contract, and processing is carried out by automated means, you have the right to receive your Personal Data in a structured, commonly used and machine-readable format.
9.6 Right to Object to Direct Marketing
You have the right to object to the processing of your Personal Data for direct marketing purposes. On each marketing communication, we will provide an option to exercise this right by clicking the 'unsubscribe' button or similar opt-out mechanism. Administrative or service-related communications generally do not offer an option to unsubscribe as they are necessary to provide the services you have requested.
9.7 Right to Object – Other Processes
You also have the right to object to processing based on legitimate interests or for scientific/historical research and statistics. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing is necessary for the exercise or defence of legal claims.
9.8 Right to Withdraw Consent
Where the legal basis for processing is your consent, you may withdraw that consent at any time by contacting compliance@ardacap.com or via the Privacy Settings in our Mobile app. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. Please be aware that withdrawal may require us to close your Arda account.
9.9 Rights Related to Automated Decision Making
Updated - DUAA 2025 liberalised ADM framework
We use semi-automated processes including screening of KYC and AML data to assess whether we are legally able to allow you to use our services. All automated screening matches are manually reviewed by Arda compliance analysts, who determine whether cases should be cleared or escalated to the MLRO.
Under the DUAA 2025, the framework governing automated decision-making (ADM) has been updated. Where Arda makes significant automated decisions about you (i.e. decisions made solely by automated means that produce legal or similarly significant effects), you have the following rights regardless of the lawful basis relied upon:
· To be clearly informed that your data is subject to automated decision-making and how that process works
· To contest an automated decision
· To request meaningful human review of the decision
Where automated decisions involve special category data (such as health or biometric data), stricter conditions continue to apply. Our compliance analysts provide the human review mechanism for all significant automated screening decisions.
9.10 How to Exercise Your Rights
You can exercise any of the above rights free of charge by contacting us at compliance@ardacap.com. Most rights are subject to limitations and exceptions. We will provide reasons if we are unable to comply with any request.
10. Data Protection Complaints
New mandatory complaints mechanism - DUAA 2025 (in force from 19 June 2026)
Under the Data (Use and Access) Act 2025, Arda is required to maintain a formal process for handling data protection complaints made directly to us. We encourage you to contact us first before escalating to the Information Commission, as we may be able to resolve your concern quickly and directly.
If you believe we have handled your Personal Data in a manner that infringes the UK GDPR or applicable data protection law, you have the right to make a complaint directly to Arda. Our complaints process works as follows:
· Submit your complaint: contact us at compliance@ardacap.com, in writing to 19 Berkeley Street, London, W1J 8ED;
· Acknowledgement: we will acknowledge receipt of your complaint within 30 days;
· Investigation: we will make reasonable enquiries and investigate your complaint without undue delay, keeping you informed of progress;
· Outcome: we aim to provide a substantive response and outcome within three months of receipt, unless exceptional circumstances apply. Outcomes will be communicated in plain, accessible language;
· Escalation: you will be informed of your right to escalate to the Information Commission if you are dissatisfied with our response.
All complaints received and their outcomes are logged and reviewed by our Data Protection contact as part of ongoing compliance monitoring.
11 Supervisory Authority - Right to Lodge a Complaint
If we have not responded to you within a reasonable time, or if you feel your complaint has not been resolved to your satisfaction, you have the right to lodge a complaint with the Information Commission (formerly the Information Commissioner's Office):
The Information Commission
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF
Telephone: 0303 1231113
Website: www.ico.org.uk
12 Updates to This Privacy Policy
We keep this Privacy Policy under regular review. Changes may become necessary as we develop our online services and Mobile apps, to implement new legal requirements (including further provisions of the DUAA 2025 as they are phased in through 2026), or to improve our services. If we change this Privacy Policy in the future, we will post the revised version on our website www.ardacap.com together with the version number and date of change. You should check this Privacy Policy from time to time when you visit our website.
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.
13 AML/KYC Privacy Notice
We will process your identifying data and profile data within operations such as identification (Know Your Customer, "KYC") and profiling (Customer Due Diligence, "CDD") for the purposes of our Anti-Money Laundering ("AML") and Counter-Terrorism Financing ("CTF") customer identification and verification obligations.
When Arda requests CDD, this refers to proof of address and proof of identification. Without KYC, we may unknowingly become involved with illicit activities and therefore face reputational, operational and legal risks. Failure to provide required KYC/CDD information may (in extreme cases) lead to the blocking of accounts or refusal of services.
13.1 AML Policies
Our AML policy is designed to prevent money laundering by meeting UK standards, including having adequate systems and controls in place to mitigate the risk of being used to facilitate financial crime.
Our AML policy sets out minimum standards, including:
· Appointing a Money Laundering Reporting Officer (MLRO) with sufficient seniority and independence;
· Establishing and maintaining a Risk-Based Approach (RBA) to assessing and managing money laundering and terrorist financing risks;
· Establishing risk-based Customer Due Diligence, KYC and verification procedures, including enhanced due diligence for higher-risk customers such as Politically Exposed Persons (PEPs);
· Establishing systems and procedures for monitoring ongoing customer activity;
· Establishing procedures for reporting suspicious activity internally and to relevant law enforcement authorities;
· Maintaining appropriate records for prescribed minimum periods;
· Providing training for and raising awareness among relevant employees.
13.2 Sanctions Policy
Arda is prohibited from transacting with individuals, companies and countries on prescribed sanctions lists. We screen against United Nations, European Union, UK Treasury and US OFAC sanctions lists in all jurisdictions in which we operate.
13.3 Automated Decision Making in AML/KYC
We use semi-automated processes, including screening KYC and AML data, to assess whether we are legally able to allow you to use our services. All automated screening matches are manually reviewed by Arda compliance analysts, who determine whether cases should be cleared or escalated to the MLRO. This human review process forms the mandatory safeguard required under the DUAA 2025 for significant automated decisions.
13.4 Third Parties AML/KYC Processors
Where processing of personal data is carried out on behalf of Arda by a third-party provider, we conclude a separate contract with that processor to ensure compliance with UK data protection regulations and to define appropriate technical and organisational safeguards for the protection of your rights.
14 Categories of Providers
The following provider categories are engaged in the delivery of our services:
Infrastructure
Service Description
Cloud computing
Jurisdiction
UK
Legal
Service Description
Consulting (lawyers, auditors); public bodies in connection with court proceedings, detecting or preventing criminal activity, fraud, or establishing legal rights
Jurisdiction
UK
Finance
Service Description
Accountancy, insurers, banking institutions and payment services
Jurisdiction
UK
Human Resources
Service Description
Human resources software as a service
Jurisdiction
UK
Product
Service Description
Document sharing
Jurisdiction
UK
Compliance
Service Description
Client/institutional onboarding and enhanced due diligence services; KYC providers; identity verification software; database querying services; regulators and other authorities requiring reporting
Jurisdiction
UK
Marketing
Service Description
Marketing campaigns
Jurisdiction
UK
Job Postings
Service Description
Job applicant data
Jurisdiction
UK
Customer Care
Service Description
CRM, FAQ and content provision
Jurisdiction
UK
Appendix A - Summary of DUAA 2025 Changes
The following table summarises the key changes made to this Privacy Policy as a result of the Data (Use and Access) Act 2025:
Section 2.4 - Legitimate Interests
Topic
Legitimate Interests
Previous Position
Standard Legitimate Interests Assessment (LIA) required for all legitimate interests processing.
Updated Position
Recognised legitimate interests introduced. No LIA required for certain activities (fraud prevention, network security, public safety). Full LIA still required for all other legitimate interests processing.
Section 3.3 - Cookies
Topic
Cookies
Previous Position
Consent required for analytics, functionality and security cookies.
Updated Position
Four cookie categories now exempt from prior consent (in force 5 February 2026): analytics, functionality, security, and software update cookies. Clear notice and an easy opt-out mechanism are still required. PECR fines raised to £17.5m or 4% of global annual turnover.
Section 5.1 - International Transfers
Topic
International Transfers
Previous Position
Reference to Privacy Shield (now invalid); adequacy decision framework in place.
Updated Position
Privacy Shield reference removed. New 'data protection test' under DUAA applies. UK-US Data Bridge (October 2023) enables transfers to US organisations certified under the Data Privacy Framework. EU-US DPF survived legal challenge in September 2025.
Section 9.1 - Subject Access Requests
Topic
Subject Access Requests
Previous Position
No explicit scope standard; no statutory clock-stop provision.
Updated Position
Obligation is to conduct a reasonable and proportionate search. DUAA codifies clock-stop for identity verification and scope clarification requests.
Section 9.9 - Automated Decision Making
Topic
Automated Decision Making
Previous Position
Semi-automated processes with manual review described.
Updated Position
ADM framework updated under DUAA: full range of lawful bases now permitted; mandatory safeguards confirmed (notice, right to contest, human review). Special category data restrictions remain in place.
Section 10 (NEW) - Mandatory Complaints Mechanism
Topic
Mandatory Complaints Mechanism
Previous Position
No formal complaints mechanism required by law.
Updated Position
DUAA s.164A (in force 19 June 2026) requires a formal complaints process: accessible submission method, 30-day acknowledgement, investigation without undue delay, substantive response within 3 months, communication in plain language, and notification of escalation rights to the Information Commission.
Section Throughout - ICO / Information Commission
Topic
ICO / Information Commission
Previous Position
References to 'Information Commissioner's Office (ICO)' throughout.
Updated Position
Renamed 'Information Commission' throughout. Enhanced enforcement powers; PECR fines aligned to UK GDPR levels.