Last revision date: 13 July 2025
1. Introduction
Aegis Griffin (“the Firm,” “we,” “our”) is committed to safeguarding the privacy and confidentiality of its clients, in alignment with our core principles of discretion and legal compliance. This Privacy Policy governs the collection, processing, and protection of personal data in accordance with the following frameworks:
- European Union General Data Protection Regulation (GDPR)
- United States California Consumer Privacy Act (CCPA) & State Laws
- China Personal Information Protection Law (PIPL) & Cybersecurity Law (CSL)
- Swiss Federal Act on Data Protection (FADP)
- Singapore – Personal Data Protection Act (PDPA)
- United Arab Emirates (UAE) – Dubai Data Law & ADGM Data Protection Regulations
- Hong Kong – Personal Data (Privacy) Ordinance (PDPO)
- India – Digital Personal Data Protection Act (DPDPA) 2023
- International Anti-Money Laundering (AML) Directives
Aegis Griffin adheres to the data protection laws of all jurisdictions in which we operate. This includes but is not limited to the EU, UK, US, China, Switzerland, Singapore, UAE, Canada, Australia, and Brazil. As part of our compliance framework, we adhere to guidelines from the Financial Action Task Force (FATF). Where local requirements impose stricter standards than those outlined herein, we will comply with the higher threshold. Engagement with our services constitutes acknowledgment of this Policy.
2. Scope & Definitions
Personal Data refers to any information relating to an identified or identifiable individual, including but not limited to:
- Full name, date of birth, and government-issued identification.
- Financial records, tax identifiers, and bank account details.
- Professional affiliations and politically exposed person (PEP) status, where applicable.
Sensitive Data includes special categories under GDPR (e.g., biometric data) or PIPL (e.g., financial accounts), processed only under explicit consent or legal mandate.
3. Data Collection & Lawful Basis
We collect personal data through the following means:
3.1 Direct Interactions
- Client Onboarding: Identity verification, source-of-wealth documentation, and contractual agreements.
- Service Delivery: Entity formation documents, transactional records, and residency applications.
- Communications: Electronic correspondence.
Lawful Basis:
- Performance of a Contract (GDPR Art. 6(1)(b)): To execute offshore structuring per client instructions.
- Legal Obligation (GDPR Art. 6(1)(c)): Compliance with Swiss AML laws or EU DAC6 reporting.
- Legitimate Interest (GDPR Art. 6(1)(f)): Fraud prevention or network security.
3.2 Automated Technologies
- Website Cookies: Essential session cookies (non-negotiable); analytics cookies (opt-out via banner).
- Metadata: IP addresses and device identifiers for security audits.
4. Data Utilization & Purpose Limitation
Personal data is strictly used for:
- Entity Formation: Establishing offshore corporations, trusts, or foundations.
- Regulatory Compliance: FATF-guided AML checks and tax transparency reporting (e.g., CRS).
- Client Support: Dispute resolution and asset protection advisory.
No secondary marketing use absent express opt-in consent.
5. Data Disclosure & Third-Party Transfers
5.1 Controlled Sharing
Data is disclosed only to:
- Licensed Financial Institutions: For bank account openings (limited to KYC requirements).
- Legal Advisors & Auditors: Bound by attorney-client privilege or confidentiality agreements.
- Government Authorities: Under subpoena or pursuant to tax treaties (e.g., IRS, HMRC).
5.2 Cross-Border Transfers
- EU/EEA Transfers: Rely on Swiss adequacy status or Standard Contractual Clauses (SCCs).
- China-Specific: PIPL-compliant security assessments for data exports.
- U.S. Safeguards: SCCs + CCPA contractual clauses (post-Privacy Shield invalidation).
6. Data Retention & Erasure
Retention periods adhere to:
- Swiss AML Law: 10-year retention for KYC records.
- Statute of Limitations: 7 years post-contract termination for transactional data.
- GDPR “Right to Be Forgotten”: Upon request, where no overriding legal basis exists.
7. Data Subject Rights
Clients may exercise the following rights, subject to jurisdictional applicability:
| Jurisdiction | Key Rights |
|---|---|
| GDPR (EU/EEA) | Access, rectification, erasure, portability, objection to profiling. |
| CCPA (California) | Opt-out of “sales” (not applicable), know/delete personal data. |
| PIPL (China) | Consent withdrawal, data portability, explanation of automated decisions. |
Requests must be submitted in writing to compliance@aegisgriffin.com, with verification protocols to prevent unauthorized access.
8. Security & Breach Protocols
8.1 Technical Measures
- Encryption: AES-256 for data at rest and in transit.
- Access Controls: Role-based permissions and multi-factor authentication (MFA).
8.2 Organizational Measures
- Staff Training: Annual GDPR/PIPL compliance training.
- Data Protection Officer (DPO): Oversees adherence to this Policy.
8.3 Breach Notification
- 72-Hour Reporting: To EU supervisory authorities (GDPR) or CAC (PIPL).
- Client Notice: For high-risk breaches affecting confidentiality.
9. Policy Amendments
Material changes will be:
- Published on our website with a revised effective date.
- Communicated via encrypted email to active clients 30 days prior.
10. Contact & Regulatory Designations
Data Protection Officer (DPO):
Aegis Griffin AG
Sihlstrasse 55,
8001 Zürich,
Switzerland
Email: compliance@aegisgriffin.com
EU Representative (Article 27 GDPR):
Lucie Byrne
The Anchorage,
Grand Canal Dock,
Dublin, Ireland