Privacy Policy & Data Protection

Citizen Sure is committed to protecting your privacy. This policy explains how we collect, use, and protect your personal data in accordance with UK GDPR and international data protection standards.

Who We Are

Citizen Sure ('Citizen Sure', 'we', 'us', 'our') is a company registered in England and Wales (Company No. 03456789), with registered offices at 1 Canada Square, Canary Wharf, London E14 5AB. We are registered with the Information Commissioner's Office (ICO) as a data controller. The Data Protection Officer is contactable at [email protected].

Definitions

"Personal data" means any information relating to an identified or identifiable living individual. "Processing" means any operation performed on personal data — collection, storage, retrieval, transmission, deletion. "Controller" determines purposes and means of processing; "Processor" processes on behalf of the controller. Citizen Sure acts as Controller in respect of website visitors and prospective clients, and as Controller (or jointly with co-counsel where applicable) for engaged clients.

Information We Collect

We collect information you provide directly: name, email, phone, nationality, country of residence, investment budget, programme interests, and any free-text notes. For engaged clients we collect additional information required by the issuing authority — passport scans, source-of-funds documentation, due-diligence questionnaires, and dependant information where applicable. Technical data (IP, browser, pages visited, referrer) is collected automatically via cookies and analytics — see our Cookie Policy for the full inventory.

How We Use Your Information

We process personal data to: respond to enquiries; prepare and submit applications under engagement; comply with due-diligence and anti-money-laundering obligations; send programme alerts and updates with your consent; improve the Website and its services; and meet our legal and regulatory obligations. We never sell your data. Sharing is limited to: (i) the relevant government authority for the programme you are applying to; (ii) vetted legal counsel, notaries, and translators bound by confidentiality; (iii) infrastructure and email service providers under written data-processing agreements; and (iv) where required by law or court order.

Sub-processors

Citizen Sure uses a small set of vetted sub-processors under written DPAs: (i) HubSpot for CRM and lead capture; (ii) Mailgun for transactional and alert email; (iii) MailerLite for editorial newsletters; (iv) Cloudflare for performance and DDoS protection; (v) Google reCAPTCHA for bot mitigation on public forms; (vi) Google Analytics 4 for anonymised usage measurement (with consent only). A current list with operator countries and applicable safeguards is available on request.

International Data Transfers

Citizen Sure operates globally and may transfer personal data outside the UK / EEA in connection with programme applications and engagement of regional counsel. International transfers are made under Standard Contractual Clauses, UK Addendum, adequacy decisions issued by the UK Government, or equivalent safeguards. A copy of the relevant transfer mechanism is available on request.

Data Retention

Enquiry data is retained for 2 years from last contact, then erased or anonymised. Client engagement data — including AML / KYC records — is retained for 7 years from end of engagement under MLR 2017 obligations. Marketing data is retained until you withdraw consent. Application files held by issuing authorities are governed by that authority's retention policy. Erasure requests are honoured subject to mandatory retention obligations.

Your Rights

Under UK GDPR you have the right to: access your personal data; rectify inaccurate data; erase data (subject to retention rules above); restrict processing; object to processing on legitimate-interests grounds; port your data to another controller; and withdraw consent at any time. Exercise these by emailing [email protected] — we respond within 30 days. You may also lodge a complaint with the Information Commissioner's Office at ico.org.uk.

Automated Decision-Making

We do not use automated decision-making with legal or similarly significant effects. Programme-eligibility and due-diligence outcomes are reviewed by named human advisors. Bot-mitigation systems on the Website (rate-limit, captcha) make low-stakes access decisions automatically — these decisions can be challenged by emailing the address above.

Children's Privacy

The Website and Services are intended for adults. We do not knowingly collect personal data from children under 16. Where applications include dependant minors, the personal data of those minors is processed under the contract with the parent or legal guardian and held under the same retention and security safeguards as adult application data.

Marketing Communications

Marketing communications (newsletter, programme alerts) are sent only with your prior opt-in consent. Each email includes a one-click unsubscribe link; preferences are also editable via the link in the footer of any marketing email. Withdrawing marketing consent does not affect transactional or engagement-related communications, which we send under contract performance.

Security

Citizen Sure operates a documented information-security management programme. Personal data is stored on encrypted infrastructure with role-based access control and multi-factor authentication for all data-access roles. Data in transit is protected by TLS 1.3. Backups are encrypted and rotated weekly. We commission annual independent penetration testing and run a continuous security-monitoring stack. All staff handling personal data complete data-protection training on hire and annually thereafter.

Personal Data Breach

In the event of a personal data breach likely to result in a risk to the rights and freedoms of data subjects, we will notify the ICO within 72 hours and, where the risk is high, communicate with affected data subjects without undue delay. We maintain an internal breach register and conduct post-incident reviews to harden controls.

Cookies & Tracking

Strictly necessary cookies are deployed without consent under the legitimate-interests basis. Analytics, preferences, and marketing cookies are deployed only after explicit opt-in via the consent banner. Manage preferences at any time via the consent settings link in the footer. Withdrawing non-essential cookies does not affect core Website functionality. See the Cookie Policy for the full inventory and lawful-basis breakdown.

Changes to this Policy

We may update this policy to reflect changes in law, technology, or our practices. The "Last updated" date reflects the most recent revision. Material changes will be flagged via the consent banner; non-material changes (clarifications, formatting) take effect on publication.

Contact Us About Privacy

For data-protection enquiries, contact [email protected] or write to: Data Protection Officer, Citizen Sure, 1 Canada Square, Canary Wharf, London E14 5AB, United Kingdom. We respond to all legitimate requests within 30 days.

Questions about this policy?

Our Data Protection Officer is available to answer any questions about how we handle your personal data.

Citizen Sure Data Protection — UK GDPR Compliance

Citizen Sure processes personal data in compliance with the UK GDPR, the Data Protection Act 2018, and applicable international data-protection legislation. We are registered with the Information Commissioner's Office and operate a documented information-security management programme covering encryption in transit and at rest, role-based access control, multi-factor authentication for all data-access roles, and annual independent penetration testing. For data-protection enquiries, contact [email protected].