Privacy Policy

1. Introduction

Sesame Vault Inc ("Sesame Vault", "we", "us", or "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect personal data in connection with our platform, website, and related services (collectively, the "Services").

This Privacy Policy applies to:

• Clients and their authorised users who access the Sesame Vault platform
• Visitors to our website at sesamevault.com
• Prospective clients who request a demo or otherwise engage with us
• Any other individuals whose personal data we process in connection with our business

Sesame Vault Inc is the data controller for personal data processed under this Policy. We are registered in England and Wales. If you have questions about how we handle your data, please contact us at privacy@sesamevault.com.

2. Data We Collect

2.1 Information You Provide Directly

• Account and registration data: When you create an account or are onboarded as an authorised user, we collect your name, work email address, job title, employer name, and account credentials.
• Demo and contact requests: When you request a demo or contact us, we collect your name, email address, company name, job title, and the contents of your message.
• Communications: If you correspond with us by email, phone, or through the platform, we retain records of those communications.
• Identity verification data: Where required by applicable law or our compliance obligations, we may collect identity documentation, beneficial ownership information, or other know your customer (KYC) data.

2.2 Information We Collect Automatically

• Usage data: We collect information about how you interact with the platform, including pages viewed, features used, actions taken, timestamps, and session duration.
• Device and technical data: We collect your IP address, browser type and version, operating system, device identifiers, and referring URLs.
• Log data: Our servers automatically record certain information when you access the platform, including access times, error logs, and API call records.
• Cookies and similar technologies: We use cookies and similar tracking technologies as described in Section 8 of this Policy.

2.3 Information We Receive from Third Parties

• Identity and compliance verification: We may receive data from third-party identity verification providers, sanctions screening services, and credit reference agencies as part of our onboarding and compliance processes.
• Integration partners: If you connect third-party services or data feeds to the platform (such as custodian APIs or portfolio management systems), we may receive data through those integrations.
• Publicly available sources: We may supplement your data with information from publicly available sources, including company registries, regulatory filings, and professional networking platforms.

3. How We Use Your Data

We use your personal data for the following purposes, each supported by a lawful basis under applicable data protection law:

3.1 Providing and Managing the Platform
Lawful basis: Contract. We use your data to create and manage your account, authenticate your identity, provide access to the platform, process transactions, and deliver the services you have contracted for.

3.2 Client Communications and Support
Lawful basis: Contract / Legitimate Interests. We use your contact details to respond to support requests, send service notifications, provide product updates, and communicate about your account or subscription.

3.3 Onboarding and Compliance
Lawful basis: Legal Obligation / Legitimate Interests. We use identity and organisational data to conduct due diligence, comply with anti-money laundering (AML) and know-your-customer (KYC) obligations, screen against sanctions lists, and fulfil other regulatory requirements applicable to our business.

3.4 Security and Fraud Prevention
Lawful basis: Legitimate Interests / Legal Obligation. We use technical and usage data to monitor for unauthorised access, detect and prevent fraud, investigate security incidents, and protect the integrity of the platform and our clients' data.

3.5 Product Improvement and Analytics
Lawful basis: Contract / Legitimate Interests. We use aggregated and anonymised usage data to understand how the platform is used, identify areas for improvement, and develop new features and services.

3.6 Marketing and Business Development
Lawful basis: Consent / Legitimate Interests. Where you have opted in or where we have a legitimate interest, we may contact you with information about Sesame Vault products, services, research, and events that may be relevant to you. You may opt out of marketing communications at any time as described in Section 7.

3.7 Legal Compliance and Enforcement
Lawful basis: Legal Obligation / Legitimate Interests. We use and retain data as necessary to comply with applicable laws and regulations, respond to lawful requests from public authorities, enforce our Terms and Conditions, and protect our legal rights.

4. How We Share Your Data

We do not sell your personal data. We share personal data only in the following circumstances:

4.1 Service Providers. We share data with carefully selected third-party service providers who process data on our behalf to help us deliver the platform and operate our business. These include cloud infrastructure providers, data analytics platforms, customer relationship management tools, email delivery services, identity verification providers, and security monitoring services. All service providers are bound by data processing agreements and may only use your data as instructed by us.

4.2 Professional Advisors. We may share data with our legal, financial, and compliance advisors where necessary in connection with the conduct of our business, subject to professional obligations of confidentiality.

4.3 Regulatory and Law Enforcement Authorities. We may disclose personal data to regulators, law enforcement agencies, courts, or other public authorities where required to do so by law, regulation, or court order, or where we believe disclosure is necessary to protect the rights, property, or safety of Sesame Vault, our clients, or others.

4.4 Business Transfers. In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our assets, your personal data may be transferred to the acquiring entity as part of that transaction. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

4.5 With Your Consent. We may share your data in other circumstances with your explicit prior consent.

5. International Data Transfers

Sesame Vault is based in the United Kingdom. Some of our service providers and partners are located outside the UK and the European Economic Area (EEA). Where we transfer personal data internationally, we ensure that appropriate safeguards are in place, including:

• Transfers to countries that the UK or EU has determined provide an adequate level of data protection
• Standard Contractual Clauses (SCCs) approved by the relevant supervisory authority
• Binding Corporate Rules where applicable
• Other lawful transfer mechanisms as permitted under applicable data protection law

You may request further information about our international transfer safeguards by contacting us at privacy@sesamevault.com.

6. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy, and as required by applicable law. Our general retention principles are as follows:

• Account and platform data: Retained for the duration of the client relationship and for seven (7) years following termination, in accordance with financial record-keeping requirements.
• KYC and compliance records: Retained for a minimum of five (5) years following the end of the business relationship, as required under applicable AML legislation.
• Marketing and communications data: Retained until you withdraw consent or opt out, plus a reasonable period thereafter to record your preference.
• Website and usage data: Retained for up to twenty-four (24) months from the date of collection.
• Correspondence and support records: Retained for three (3) years from the date of last communication.

When data is no longer required, we securely delete or anonymise it in accordance with our data retention and disposal procedures.

7. Your Rights

Depending on your location, you may have the following rights in relation to your personal data. To exercise any of these rights, please contact us at privacy@sesamevault.com. We will respond to all verified requests within one calendar month.

• Right of access: You have the right to request a copy of the personal data we hold about you and information about how we process it.
• Right to rectification: You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.
• Right to erasure: You have the right to request that we delete your personal data in certain circumstances, such as where it is no longer necessary for the purposes for which it was collected.
• Right to restriction: You have the right to request that we restrict our processing of your personal data in certain circumstances, for example while a dispute about accuracy is being resolved.
• Right to data portability: Where we process your data by automated means on the basis of your consent or a contract, you have the right to receive your data in a structured, commonly used, machine-readable format.
• Right to object: You have the right to object to our processing of your personal data where we rely on legitimate interests as our lawful basis, including for direct marketing purposes.
• Rights related to automated decision-making: You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.
• Right to withdraw consent: Where we rely on your consent to process your data, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Right to lodge a complaint: You have the right to lodge a complaint with your national data protection authority. In the United Kingdom, this is the Information Commissioner's Office (ICO) at ico.org.uk. In the European Union, you may contact the supervisory authority in your member state.

8. Cookies

Sesame Vault uses cookies and similar tracking technologies on our website and platform. Cookies are small text files placed on your device that help us provide and improve our services.

• Strictly necessary cookies: Essential for the platform to function. These cannot be disabled as they are required for authentication, security, and session management.
• Analytics cookies: Help us understand how visitors interact with our website and platform so we can improve performance and user experience. We use tools such as Google Analytics for this purpose.
• Functional cookies: Remember your preferences and settings to provide a more personalised experience.
• Marketing cookies: Used to deliver relevant advertising and track the effectiveness of our marketing campaigns. These are only set where you have provided your consent.

You can control and manage cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the platform. For more information about cookies and how to manage them, visit allaboutcookies.org.

9. Data Security

We implement and maintain appropriate technical and organisational security measures to protect your personal data against unauthorised access, accidental loss, destruction, or alteration. These measures include:

• Encryption of data in transit using TLS and at rest using AES-256 encryption
• Role-based access controls and principle of least privilege
• Multi-factor authentication for all platform access
• Regular penetration testing and vulnerability assessments
• Security incident response procedures and breach notification processes
• Staff training on data protection and information security

While we take the protection of your data seriously, no method of transmission over the internet or electronic storage is completely secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.

10. Children's Data

The Sesame Vault platform is intended solely for use by business professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us immediately at privacy@sesamevault.com and we will take steps to delete it promptly.

11. Third-Party Links

Our website and platform may contain links to third-party websites, products, or services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access through links on our platform, as we have no control over and accept no responsibility for their privacy practices.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, the Services, or applicable law. Where changes are material, we will provide at least thirty (30) days prior notice by email or by posting a prominent notice on our website. The date of the most recent update is always shown at the top of this page. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Policy.

13. Contact and Data Controller Details

If you have any questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact our Privacy team:

Sesame Vault Inc — Privacy & Data Protection Team privacy@sesamevault.com

If you are located in the United Kingdom or European Union and have an unresolved complaint, you have the right to contact your local data protection authority:

• United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
• European Union: Your national supervisory authority — edpb.europa.eu