Privacy Policy (UK & EU)

Effective date: 29 September 2025
Version: 1

This Privacy Policy explains how Severus Capital (“Severus Capital”, “we”, “us”, “our”) collects, uses, shares, and protects personal data. It applies to individuals in the United Kingdom and the European Economic Area (EEA).

  • For the UK, we comply with the UK GDPR and the Data Protection Act 2018.
  • For visitors, clients, and other individuals in the EEA (“EU traffic”), we comply with the EU GDPR (Regulation (EU) 2016/679).

1) Who we are (Data Controller)

Severus Capital
Cannon Green, 27 Bush Lane, London, EC4R 0AA, United Kingdom

Contact:
Email: info@severuscapital.com

2) Scope of this policy

This policy covers personal data we process when:

  • providing investment, advisory, and related professional services to clients and prospective clients;
  • carrying out legal and regulatory checks (e.g., AML/KYC);
  • operating our websites, portals, and digital services (see Cookies below);
  • managing relationships with suppliers and business partners; and
  • conducting marketing and business development activities.

Jurisdictional note: References to “data protection law” mean the UK GDPR & DPA 2018 for UK individuals and the EU GDPR for EEA individuals. Where this policy refers to rights, bases, or transfer mechanisms, these should be read to include the relevant UK or EU variants, as applicable.

3) Personal data we collect

We may collect and process:

  • Identity & Contact Data: name, title, date of birth, nationality, identification documents, addresses, email, telephone.
  • KYC/AML & Due Diligence Data: source of funds/wealth, beneficial ownership, PEP/sanctions results, adverse media.
  • Financial & Transaction Data: bank details, payment instructions, transactions relating to our services, fees/billing.
  • Professional & Relationship Data: employer, role, investment preferences, correspondence/meeting notes, engagement history.
  • Technical & Usage Data: IP address, device identifiers, login data, browser type/version, time zone, OS, interactions with our sites/portals.
  • Marketing & Communications Data: preferences for receiving marketing and your communication settings.

We do not intentionally collect special category data unless necessary and lawful (e.g., for legal claims or where you provide it and the law permits processing).

4) How we collect data

  • Directly from you (forms, onboarding, calls/meetings, correspondence).
  • From third parties (KYC providers, screening and fraud‑prevention agencies, intermediaries, banks, professional advisers).
  • From public sources (e.g., Companies House, sanctions lists, media).
  • Automatically via our websites/portals (see Cookies).

5) Our legal bases (UK GDPR & EU GDPR)

We process personal data only when permitted by law under the UK GDPR/DPA 2018 and, for EEA individuals, the EU GDPR. Our principal purposes and lawful bases include:

  • Providing and administering our services (onboarding, executing instructions, account management): Performance of a contract; Legitimate interests (to deliver and improve services).
  • Identity verification and regulatory compliance (AML/KYC, sanctions/PEP screening, record‑keeping, regulatory reporting): Legal obligation; Public interest.
  • Business and relationship management (billing, client service, supplier management, risk management): Legitimate interests.
  • Security and fraud prevention (access controls, incident response): Legitimate interests; Legal obligation.
  • Marketing and communications (updates, insights, events): Consent where required; otherwise Legitimate interests. You can opt out at any time.
  • Legal claims (establishing, exercising, or defending claims): Legitimate interests; Legal obligation.

Where we rely on consent, you may withdraw it at any time (this will not affect processing already carried out).

6) Sharing your data

We may share data with:

  • Service providers and professional advisers (IT/cloud hosting, KYC/AML screening, communications, auditors, legal counsel) acting on our instructions;
  • Financial institutions and intermediaries involved in transactions/custody arrangements at your request;
  • Regulators and authorities (e.g., FCA, HMRC, law enforcement) when required;
  • Credit reference and fraud‑prevention agencies, sanctions/PEP screening providers; and
  • Other parties where you instruct us or where law permits/mandates it.

Where third parties act as processors, they must only process personal data on our instructions and with appropriate safeguards.

7) International data transfers

Some recipients may be outside the UK or EEA. We use appropriate safeguards to protect your data when transferring internationally, such as:

  • UK transfers: UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs; transfers to countries with a UK adequacy regulation; and, where applicable, the UK–U.S. Data Bridge for certified U.S. organisations.
  • EEA transfers: EU Standard Contractual Clauses (SCCs); transfers to countries with an EU adequacy decision; and, where applicable, the EU–U.S. Data Privacy Framework for certified U.S. organisations.

Contact us for details of the specific safeguards in place for your data.

8) Data retention

We retain personal data only for as long as necessary for the purposes set out in this policy and to satisfy legal, accounting, or reporting requirements. Indicative periods:

  • Client/matter files: typically 6 years after the relationship/mandate ends (longer if needed for legal claims).
  • AML/KYC records: typically 5 years after the end of the business relationship or last transaction (or longer where law permits/requires).
  • Marketing data: until you unsubscribe or your data becomes inactive for a reasonable period.

9) Security

We implement appropriate technical and organisational measures (access controls, encryption, network security, staff training, supplier due diligence) to protect personal data. No system is completely secure, but we work to prevent unauthorised access, use, alteration, or loss.

10) Your rights (UK & EEA)

Your rights under the UK GDPR/EU GDPR include the right to: access, rectify, erase, restrict processing, object to processing, data portability, and to withdraw consent where relied upon.

To exercise your rights, contact us using the details in Section 1. We may need to verify your identity and may charge a reasonable fee where permitted (e.g., if a request is manifestly unfounded or excessive).

Right to complain:

  • UK: Information Commissioner’s Office (ICO) — ico.org.uk | Tel: 0303 123 1113 | Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK.
  • EEA: You can lodge a complaint with your local supervisory authority (typically in your Member State of residence, place of work, or alleged infringement). A list of EU supervisory authorities is available from the European Data Protection Board.

11) Automated decision‑making and profiling

We do not make decisions about you based solely on automated processing that have legal or similarly significant effects. We may use automated tools for AML/KYC screening and fraud prevention as part of our legal obligations and risk management. You can request human review and contest a decision where required by law.

12) Marketing

We may send updates about our services and events if you are an existing client or if you have asked us to. You can opt out at any time via the unsubscribe link or by contacting us. We may still send service or legally required communications.

13) Cookies and similar technologies

Our websites/portals use cookies and similar technologies. For details about the types we use and how to manage your preferences (including consent for non‑essential cookies under PECR/EU ePrivacy rules), see our Cookie Policy.

14) Third‑party links

Our websites may include links to third‑party sites, plug‑ins, or applications. Clicking those links may allow third parties to collect or share data about you. We do not control those sites and are not responsible for their privacy statements.

15) Children

Our services are not directed to individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps.

16) Changes to this policy

We may update this policy to reflect changes in law, regulation, or our practices. We will post the updated version with a new effective date.

17) How to contact us

Email: info@severuscapital.com
Post: Data Protection Lead, Severus Capital, Cannon Green, 27 Bush Lane, London, EC4R 0AA, United Kingdom