Effective Date:
18-06-2021 Version: 1
20-05-2021 Version: 2
Main change: The Cookie Policy and list of sub-processors separated from this policy.
11.11.2022 (Date of latest review) Version: 3
Added clauses with respect to the use and grounds for processing of personal data, data protection measures, data subject’s rights, types of processed personal data;
14.03.2023 Version: 4
Added PDPA (Singapore) related clauses.
21.07.2025 Version: 5
Amendments related to the adoption of the EU AI Regulation; refinements in the legal basis for processing of Personal data; added references to UK and Swiss personal data protection legislation; updated list with Trustmoore entities;
KEY PRINCIPLES
Privacy is a fundamental human right and persons engaging with Trustmoore must trust that their Personal data is handled with care. Therefore, protection of privacy and security of Personal Data is very important to Trustmoore. Personal data relating to an identified or identifiable natural person may only be processed in accordance with this Policy.
1. Definitions
GR&CB | The Global Risk & Compliance Board is Trustmoore’s highest decision-making and executive body deciding on all risk and compliance matters that impact Trustmoore. |
CF | Compliance Function |
Client | Natural person or company with which TM enters into a business relationship or for which a trust service is performed. |
Data Controller[1] | The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of Personal Data; |
Data Processor | Natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller. |
Consent | It is any freely given, specific, informed and unambiguous indication of the data subject by which he or she agrees with the processing of their Personal Data. |
Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, compromise, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by or on behalf of TMG, and which triggers regulatory obligations. |
Personal Data Incident | An event that involves or could involve Personal Data and which has the potential to become a Personal Data Breach. For the purpose of this Policy, Personal Data Incident may also refer to potential Personal Data Breach. |
Data Protection Laws | The legislation regarding data privacy which may be applicable, based on the location of the TM service provider and of the Data Subject, such as the EU General Data Protection Regulation 2016/679 ("GDPR"), UK GDPR, Personal Data Protection Act (PDPA) Singapore, or any other applicable data protection, privacy laws or privacy regulations. |
Data Subject | A natural person to whom Personal Data relates and who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, etc. |
DPO | Data Protection Officer |
Joint Controllers | Entities that jointly determine the “means and purposes” of the processing of Personal Data. |
KYC | Know-your-client |
Personal Data | Any information that relates to an identified or identifiable living individual (“Data Subject”). Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data. |
Processing of Personal Data | Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether by automated means, such as collecting, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
Recipient | Recipient is a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a Third Party or not. |
Sub Processor | The legal or natural person appointed by the processor to process Personal Data on behalf of the Controller. |
Third Party | An individual or a company (i.e. consultants, agents, intermediaries, representatives, subcontractors, suppliers) that performs work, provides a service or sells goods to TM. |
TMG Staff (Employee) | Natural person who works part time or full time under a contract of employment (employment agreement) with a TMG entity or a natural person providing managerial services to TMG based on an agreement between TM and the natural person directly or via a management company indirectly, as well as other persons who act on behalf of TMG within the scope of its business activities and who are therefore in a similar position to the TMG staff, but who are not employed by TMG (e. g. self-employed or temporary workers). |
UBO | Ultimate beneficial owner |
[1] Controller, Joint Controller and Processor, and DPO are terms based on the GDPR, which will be only used for jurisdictions outside the European Union in those cases where GDPR is applicable or the local legislation implements similar terms (such as the PDPA in Singapore or UK GDPR).
Terms that are capitalized, but not defined in this Policy have the same meaning as in the TMG Compliance Charter and the TMG Compliance Risk Control Framework.
2. Background, Scope & Purpose
In this policy, “Trustmoore” or “TM” for short, “our”, “we” or “us” refers to the global group of entities within the Trustmoore Group, each of which is a separate legal entity, or refers to one or more of those entities. The controllers of your Personal Data are one or more of the Trustmoore entities listed in Annex I hereto “List of TM Entities & Data protection authorities and legislation”, depending on the type of service and jurisdiction in which you engage with Trustmoore.
TM entities in countries outside the European Union (EU) have appointed Trustmoore Coöperatief U.A., company number 34324881, with seat and registered address at De Lairessestraat 145 B, 1075 HJ Amsterdam, the Netherlands, as representative in the EU.
TM recognizes the expectations of the Data subjects, and the inherent risk regarding the privacy, confidentiality and security of their Personal data when it resides within TM.
This Data Privacy Policy describes the privacy practice standards of TM for mitigating the risk regarding the processing of Personal Data: what type of Personal Data TM collects, why and how TM collects, uses and stores it; the legal basis for processing it; and TM’s rights and obligations in relation to such processing.
TM entities globally apply this Policy as a minimum standard for protecting Personal Data. Simultaneously, each TM entity will ensure the application of local Data protection laws, ensuring the highest standard of privacy, security and transparency.
In particular, TM entities will ensure that data privacy and protection is methodically embedded into relevant business processes and procedures and integrated into affected IT systems and applications (privacy by design and by default). TM entities consider the state of the art, cost of implementation and the nature, scope, context and purposes of processing, as well as the severity and likelihood of risks to the rights and freedoms of Data subjects posed by the processing. Thus, TM entities implement appropriate technical and organizational measures (e.g. pseudonymization and data minimization) in an effective manner and integrate the necessary safeguards into the processing of Personal data.
3. PURPOSES FOR WHICH TM PROCESSES PERSONAL DATA
TM processes Personal data for a variety of purposes. We collect this personal data directly from you, for example, if you work for TM, if you engage us to provide services to you as a Client, if you visit our website, if you submit your contact details to receive marketing communications from us, if you submit event-related data to attend TM events, if you provide services to TM, or if you submit a job application via the TM careers website.
Alternatively, we process your personal data in the context of providing professional services to an entity that you represent or of which you are a UBO.
Finally, we obtain your personal data via publicly available sources, such as LinkedIn, or through screening platforms in compliance with our KYC obligations. This privacy notice and related privacy statements (Website privacy statement and TMG Employee privacy notice) are intended to cover all of the above-mentioned scenarios.
The purposes, types of Personal Data that TM processes, legal grounds, and concerned Data subjects, depend on the type and scope of the activities engaged:
3.1. Services:
In providing our services (Corporate Expansion Services, Fund Services; Private Wealth Solutions; Capital Markets Services), TM entities will process information and documents that contain Personal data, such as personal identification documents, bank statements, company records and protocols, accounting and tax data, etc., of the Client, UBO and related parties.
More specifically, but not exhaustively, the Data subjects concerned in Personal data processing related to our services, can be the following:
- Clients;
- UBOs;
- investors (if physical persons);
- directors of Client companies and affiliate entities;
- Client’s shareholders;
- Client’s employees;
- business associates (contact persons, ambassadors, etc.);
- trustees;
- beneficiaries;
- Client’s service providers, e.g. managers, consultants, auditors, lawyers, etc.;
- other individuals with which the Client engages;
Examples of categories of processed Personal data in relation to our services are:
- Name (first name, middle name, family name);
- Address (personal and/or corporate);
- Telephone number (personal and/or corporate);
- Email address (personal and/or corporate);
- Nationality;
- Date of birth;
- Place of birth;
- Gender;
- Tax / Social / National identification number;
- Job title;
- Copy of identification document;
- Bank account details;
- Financial information (e.g. source of funds or source of wealth);
- Professional life data;
- Politically exposed person (PEP) status;
3.2. Human Resources and Payroll - (job candidates, employees, managers):
Trustmoore processes personal data of job candidates, employees and managers in compliance with the TMG Employee privacy notice.
3.3. Third-parties:
Trustmoore processes personal data about Third parties to manage the contractual relationship with the respective party and/or to perform the respective due diligence checks as required by law.
Generally, the personal data processed in this relation is limited to representative (directors or authorised individuals) and contact information, such as:
- Name;
- telephone number;
- email;
- financial information (payment-related information);
- other contact details as needed.
In some cases, we also may use Third parties’ personal data to check any potential conflicts of interest and perform due diligence (background) checks required by law (e.g. adverse media, bribery and corruption, crimes, etc.).
3.4. Special categories of Personal data:
In a few cases, as some of the Trustmoore entities are licensed and regulated under a strict set of rules, e.g. when applying enhanced due diligence measures as per the applicable AML&CTF legislation and performing background checks and screenings thereunder, TM may process special categories of Personal data such as Personal data relating to:
- Biometric data (facial recognition) for the purposes of identity verification as part of KYC procedures. This is processed on the basis of:
  - Your explicit consent (Article 9(2)(a)), or
  - Where necessary for reasons of substantial public interest (Article 9(2)(g)), as provided for under applicable AML&CFT laws.
- Data relating to criminal convictions and offences, where required for background checks, fraud prevention, or compliance with our legal obligations under anti-money laundering (AML) regulations and only in case the respective background information cannot be verified by other means. This processing is carried out in accordance with:
  - Article 10 GDPR (or local equivalents), and
  - The provisions of applicable anti-money laundering and applicable AML&CFT laws.
- Health and health status, which will be processed only where strictly necessary for employment-related purposes, and in accordance with Article 9(2)(b) of the GDPR (processing necessary for the purposes of carrying out obligations and exercising specific rights in the field of employment and social security law), provision of additional benefits to employees (such as health insurance) and handling of HR activities (sick leaves). TM will only process such Personal data of the Data subjects after having informed them about the reasons for collecting such Personal data.
Trustmoore will implement appropriate technical and organizational safeguards to protect such data, including restricted access, data minimisation, and the use of Data Protection Impact Assessments (DPIAs) where applicable.
In principle, Trustmoore does not process Personal data of minors (below the age of 16). There can be cases where a minor, through their parents or guardians, uses Trustmoore’s services as a way to benefit their economic status. In such cases, Trustmoore processes Personal data of minors only with the parents’/guardians’ explicit consent.
Trustmoore does not knowingly collect data related to religious or philosophical beliefs, sex life, sexual orientation, political views, or genetic information. If such data is accidentally received, it will be deleted from TM’s systems.
4. LEGAL GROUNDS FOR THE PROCESSING OF PERSONAL DATA:
4.1 KYC and background checks:
Trustmoore is obligated under the respective AML&CTF laws, outsourcing regulations and other applicable legal obligations to perform KYC and background checks on individuals with which Trustmoore engages. Such checks can be performed on any individual as mentioned in the previous section 3 using the data listed there. The legal grounds for such processing are Trustmoore’s legal obligations under the AML&CTF legal acts and other applicable legislation in force, as well as Trustmoore’s internal KYC procedures.
4.2. Services:
When a Client engages Trustmoore with the provision of professional services, Trustmoore will collect and use Personal data when Trustmoore has a valid business reason to do so, in connection with those services. In the context of providing professional services to Clients, Trustmoore processes Personal data of individuals who are not directly Trustmoore’s Clients (for example: Client’s employees, customers or suppliers, Ultimate Beneficial Owners, Client’s directors or shareholders, business associates, others as the case may require). The legal grounds for processing such Personal data are:
- Performance of the contract between the Client and TM;
- Legitimate interest in providing the Client with seamless, consistent, high-quality services with respect to data of individuals related to the Client;
4.3. Human resources (HR):
TM processes data of its employees and job applicants for HR and payroll purposes. The legal basis and purposes are described in detail in Trustmoore’s Employee privacy notice.
4.4. Third parties:
TM processes personal data about Third parties in order to manage TM’s relationship and contract with them, and to receive services from the respective suppliers. The legal ground for processing personal data of Third parties is the legitimate interest in managing receipt of the services, payments, fees and charges; understanding any conflict of interest; conducting or defending legal proceedings; and safeguarding against dealing with the proceeds of criminal activities or assisting in any other unlawful or fraudulent activities.
TM shall not store, transfer, modify, amend or alter, disclose or permit the disclosure, or process the Personal data in any other way other than as appointed above. In cases where processing is required, but not explicitly envisaged in this Policy, then the affected Data subject will be notified accordingly and without undue delay.
5. RETENTION OF PERSONAL DATA BY TRUSTMOORE
Personal data will be kept for the duration of the relationship with Trustmoore and the years after for as long as the latter is needed for complying with all legal, regulatory, and internal policy purposes as defined in Trustmoore’s Data Retention policy and Retention schedules thereto, where in general cases Personal data will not be retained for longer than 10 years after termination of the respective relationship with the Data subject, unless there is a reason for keeping the data for a longer period (e.g. legal proceedings, etc.). After expiration of respective retention period, the corresponding data are routinely deleted and any hard copies of them are destroyed. For more information regarding specific retention periods, contact TMG DPO at privacy@trustmoore.com.
6. SUB-PROCESSING AND DATA RECIPIENTS:
TM may be required to appoint certain sub-processors to provide part of the services to its Clients or Employees, or assist with provision of the services, or render technical support, to which Personal data may be disclosed. Also, TM may share Personal data with authorized Recipients for the due performance of its activities. Such sub-processors or recipients can be: entities within the Trustmoore Group; I.T. service providers; banks and financial institutions; accountancy and legal firms; auditors or other suppliers as required by law or contract.
Each TM entity maintains an extensive third-party register and outsourcing register. In case a query with respect to these registers is made, the DPO at privacy@trustmoore.com can provide the relevant information.
Sub-processors are in each case subject to the terms and conditions laid down by Trustmoore, which are no less protective than those set out in this Policy. A respective data processing agreement regulating the rights and obligations under the Data protection laws will be concluded with each Sub-processor.
7. ARTIFICIAL INTELLIGENCE:
Trustmoore utilises Artificial Intelligence (AI) tools to enhance its services, including the use of the following tools:
- Vartion Pascal AI for adverse media background checks: https://pascal.vartion.com/;
- FIS for investors onboarding and KYC: https://www.fisglobal.com/;
- MS CoPilot: https://www.fisglobal.com/;
- Tessian by Proofpoint for mailbox protection: https://www.proofpoint.com/us/tessian-is-now-proofpoint;
- Others that will enhance Trustmoore’s service provision or organization security;
Trustmoore leverages Artificial Intelligence (AI) to support specific business processes, improve operational efficiency, enhance security, and ensure regulatory compliance — particularly in areas such as:
- Client onboarding and identity verification, including automated screening against sanctions and watchlists where screening results are always reviewed by TM’s compliance team;
- Risk assessments related to anti-money laundering (AML) and counter-terrorist financing (CTF) measures where the risk assessments are always reviewed by TM’s compliance team;
- Internal security measures where the measures and reports thereof are reviewed by TM’s IT team;
Legal Basis and Safeguards
Any use of AI systems that involves automated processing of personal data is conducted based on a valid legal basis under Article 6 GDPR, such as:
- Compliance with legal obligations under the AML&CTF laws; or
- Legitimate interests of Trustmoore to enhance its internal security measures and internal processes, provided such interests are not overridden by the data subject’s rights and freedoms;
Trustmoore does not make solely automated decisions that would have a legal or similarly significant effect on individuals without appropriate human oversight.
Trustmoore ensures that all AI-based processing is subject to:
- Regular testing and validation to detect and mitigate bias, errors, or unintended discrimination;
- Data Protection Impact Assessments (DPIAs) if required by law;
- Human-in-the-loop controls;
- Transparency mechanisms in accordance with data subject rights under Articles 13–15 GDPR;
8. RIGHTS OF DATA SUBJECTS
Trustmoore takes appropriate measures to comply with Data Protection Laws in order to ensure Data Subjects’ rights. In case Data Subjects have any questions, requests or complaints regarding their rights, they are encouraged to contact Trustmoore via privacy@trustmoore.com. Any written question, request or complaint should have a clear subject related to the rights of the Data Subjects.
Subject to the applicable local legislation, all Data Subjects will have at least the following rights with respect to their Personal data:
- The right to withdrawal or revocation of any consent given to TM: Data subjects have the right to withdraw or revoke any consent given to TM.
- The right to be informed: Data Subjects have the right to be informed about the collection and use of their personal data. Data Subjects have also the right to be informed of the recipients or classes of recipients to whom their Personal data has been or may be disclosed.
- The right of access: Data subjects will have a right to access their Personal Data. TM can refuse the request if it is manifestly unfounded or excessive. Trustmoore will provide its response within a month as of receipt of the request, though this can be extended by two months if the request is too complex.
- The right to rectification: Data Subjects have the right to request from TM the rectification of inaccurate personal data concerning them.
- The right to erasure (right to be forgotten): Data Subjects can ask that their data is deleted in certain circumstances unless there is a legal obligation or other legal grounds for Trustmoore to retain the Personal data.
- The right to restrict processing: Data subjects have the right to request the restriction or suppression of their Personal data in certain circumstances.
- The right to data portability: Data subjects will also have a right to data portability where the condition for processing Personal data is consent or the performance of a contract. It entitles Data subjects to obtain any personal data they have “provided” to Trustmoore in a machine-readable format. Data Subjects can also ask for the data to be transferred directly from one controller to another.
- Right to object: A Data Subject can object to their Personal Data being processed for direct marketing purposes at any time. This includes the processing of their Personal data for profiling purposes.
- Rights in relation to automated decision making and profiling: TM does not use automated decision making and profiling.
9. RIGHTS OF DATA SUBJECTS
Personal Data Incidents and Personal Data Breaches are handled according to the Data Protection Laws and in accordance with TMG Data Breach Procedure whereunder Trustmoore entities (Data Controllers) and Data Processors have implemented and maintain effective processes to ensure timely notification to the DPO and respective Data protection authorities.
10. Safeguarding Measures
10.1. Confidentiality and Security:
TM keeps the Personal data confidential and will ensure its employees, managers and Sub-processors are bound by the same confidentiality obligation.
10.2. Training and Awareness:
Trustmoore ensures a proper level of awareness of this Policy and Trustmoore’s obligations under the Data protection laws by means of providing training and awareness sessions to Employees and Sub-processors. Each Trustmoore Employee must adhere to and comply with this Policy.
10.3. Technical safeguarding measures:
Trustmoore has adopted and implemented technical measures including, but not limited to, the following:
- Data encryption tools;
- Desktop and laptop firewalls;
- Antivirus and anti-malware software;
- Multifactor authentication;
- Automated patching and security vulnerability assessments;
- Strong physical, environmental, network and perimeter controls;
- Intrusion detection and prevention technologies;
- Monitoring and detection systems;
- SOC;
- Inbound mailbox protection;
11. INTERNATIONAL TRANSFERS OF PERSONAL DATA
Trustmoore entities operate in more than one jurisdiction. Certain aspects of Trustmoore infrastructure are centralized, including information technology services provided to Trustmoore entities. In addition, where engagements with TM Clients span more than one jurisdiction, certain information will need to be accessed by all those within TM who are working on the matter on a need-to-know basis. Therefore, Personal Data may be made available or transferred to and stored outside the country in which Data subjects are located. This may also include countries outside the European Economic Area (EEA).
TM ensures appropriate security and legal precautions to protect the safety and integrity of Personal data that is transferred within the Trustmoore Group by entering into respective standard data protection clauses (SCCs) as adopted by the European Commission with all third-parties outside the EEA.
Any other data transfer will be performed under the most suitable safeguarding measure e.g. adequacy decisions or SCCs, ensuring at least the same level of security as stated in this Policy.
12. Other Disclosures
TM discloses your personal data:
- Where this is appropriate for the purposes described in Section 4 “Use of Personal data, Purposes and Legal grounds”, including within the TM group itself;
- If required, by applicable law;
- In order to comply with a judicial proceeding, court order or other legal obligation, or a regulatory or government inquiry;
- With Data subject’s consent;
- TM has a legal obligation to report suspicious transactions and other activity to relevant regulatory authorities under AML&CTF acts or related legislation. TM also reports suspected criminal activity to the police and other law enforcement bodies;
- Third-party recipients such as: banks and financial institutions, professional advisors, law firms, tax advisors or auditors, insurers, public registries of company directors and shareholdings, regulatory bodies, providers of background checks services, service providers, support providers.
TM does not share any Personal Data for advertising or direct marketing purposes without the Data subject’s explicit consent.
13. Complaints
Data Subjects have the right to lodge a complaint with the respective data protection authority in their country. A list of data protection authorities in the jurisdictions within which TM operates is indicated in Annex I “List of TM Entities & Data protection authorities and legislation”. Complaints may also be submitted to privacy@trustmoore.com.
14. DPO
The Group DPO is Katya Mihaylova, available at privacy@trustmoore.com. The DPO advises on all topics related to Data privacy and protection laws, regulations, regulatory guidance, as well as compliance therewith and must support and liaise with other functions on related topics. The DPO liaises with authorities, regulators, associations and other stakeholders on matters related to Data privacy and protection, monitors TM entities’ implementation and adherence to this Policy in conjunction with other relevant functions at TM or through independent reviews, maintains and updates the Data Privacy Policy and notifies TM entities of any such changes without undue delay.