Privacy Notice
UK GDPR and Data Protection Act 2018
Capitalio Ltd (“Capitalio”, “we”, “our”, “us”) is a private company limited by shares, incorporated in England & Wales (company number 16311642), with its registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom.
UK Information Commissioner’s Office (ICO) registration: CAPITALIO LTD, reference ZB978715 (see ico.org.uk/register).
1. Overview
This Privacy Notice explains how Capitalio collects, uses and shares personal data when you visit our website, contact us, or engage us in connection with Italian real-estate opportunities and related advisory or coordination services.
If you do not wish to provide certain information, you may still browse parts of the website; however, we may be unable to respond fully to enquiries or provide services where that information is necessary.
2. Data controller and contact details
Capitalio Ltd (“Capitalio”, “we”, “our”, “us”) is a private company limited by shares, incorporated in England & Wales (company number 16311642), with its registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom.
UK Information Commissioner’s Office (ICO) registration: CAPITALIO LTD, reference ZB978715 (see ico.org.uk/register).
Email: legal@capitalio.co.uk.
3. The personal data we collect
Depending on how you interact with us, we may collect the following categories of personal data:
• Identification and contact data (e.g., name, address, email address, telephone number).
• Professional data (e.g., employer, role, introducer details) where relevant.
• Transaction and service data (e.g., property search criteria, budgets, preferences, viewing notes, communications).
• Compliance data for anti-money laundering and counter-terrorist financing (AML/CTF) purposes, including KYC documents (e.g., passport/ID, proof of address, proof of funds, source-of-funds/source-of-wealth information) and screening results.
• Technical and usage data (e.g., IP address, browser type/version, device identifiers, referring pages, time zone, and information about how you use the website).
• Marketing and communications preferences.
• Special category data: we do not intentionally collect special category data. If you provide it voluntarily (for example within correspondence), we will handle it in accordance with applicable law and minimise its use.
4. Where we get personal data from
We may collect personal data:
• Directly from you (forms, email, telephone, messaging, video calls, events, or correspondence).
• From professional advisers and counterparties (e.g., Italian estate agents, brokers, lawyers, notaries, accountants, mortgage providers) where you ask us to coordinate with them.
• From verification and screening providers (e.g., AML/KYC screening databases) and from public sources where lawful.
• From cookies and similar technologies when you use our website (see section 9).
5. How we use your personal data and our legal bases
We process personal data only where we have a lawful basis under Article 6 UK GDPR. The main purposes and legal bases are set out below.
• Operate, maintain and secure the website; prevent fraud and misuse
Legal basis: Legitimate interests
• Respond to enquiries and communicate with you
Legal basis: Steps prior to entering a contract and/or contract
• Provide our services and manage the relationship (including administration and record-keeping)
Legal basis: Contract and legitimate interests
• Conduct AML/KYC, sanctions and fraud screening where required. Where we are required to carry out AML/KYC checks, failure to provide the requested information may mean we cannot onboard you or progress your matter.
Legal basis: Legal obligation and legitimate interests
• Manage introducer/referral relationships and prevent circumvention or misconduct
Legal basis: Legitimate interests and/or contract
• Send marketing communications (including newsletters and event invitations). You can opt out at any time.
Legal basis: Consent and/or legitimate interests (as applicable)
• Analytics to improve the website and services
Legal basis: Legitimate interests (and consent where required for non-essential cookies)
• Comply with legal requests, enforce rights, and handle disputes
Legal basis: Legal obligation and legitimate interests
• Liaise with and provide necessary information to counterparties (real estate agencies, notaries, lawyers and other professionals) to prepare and progress your transaction.
Where we rely on legitimate interests, we consider and balance our interests against your rights and expectations. You may object to processing based on legitimate interests in certain circumstances (see section 11).
6. Sharing and disclosure
We may share personal data with:
• Italian estate agents, sellers’ representatives and brokers for the purpose of sourcing opportunities and arranging viewings.
• Professional advisers (e.g., solicitors, notaries, accountants, surveyors, architects) where you ask us to coordinate. This may include sharing necessary documentation (including identification and, where required, AML/KYC, proof of funds, and source-of-funds/source-of-wealth information) to prepare and progress transaction documents and appointments (for example, preliminary agreements and completion/Deed appointments).
• Service providers and processors (e.g., IT and cloud hosting, CRM, email, analytics, document management, payment providers).
• Compliance providers (e.g., AML/KYC screening, fraud prevention, identity verification).
• Regulators, law enforcement, courts and public authorities where we are legally required or where necessary to protect rights.
• Potential purchasers/investors of our business and their advisers (in which case we will take steps to protect confidentiality).
We do not sell personal data. We require processors to act only on our instructions and to implement appropriate security measures.
7. International transfers
We may transfer personal data to Italy and to other countries where our suppliers or counterparties operate. Where transfers are made outside the UK, we rely on recognised safeguards such as UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), and/or other measures appropriate to the transfer.
8. Security
We use organisational and technical measures designed to protect personal data, including access controls, multi-factor authentication, encryption where appropriate, and staff confidentiality obligations. No method of transmission or storage is completely secure; however, we take reasonable steps to reduce risk and respond to incidents.
9. Cookies and similar technologies
Our website may use cookies and similar technologies to enable core functionality, to measure audience and performance, and to improve user experience. Where required by law, we will seek your consent for non-essential cookies. You can control cookies through your browser settings and, where available, through on-site cookie controls.
10. Retention
We retain personal data for as long as necessary for the purposes described in this Notice. As a general rule, we retain client and transaction records for six (6) years after the end of our relationship, or longer where required by law (including AML/CTF obligations), to establish, exercise or defend legal claims, or for other legitimate and documented reasons.
11. Your rights
You have rights under the UK GDPR, subject to conditions and exemptions, including the right to:
• Request access to your personal data.
• Request rectification of inaccurate or incomplete data.
• Request erasure (in certain circumstances).
• Request restriction of processing (in certain circumstances).
• Object to processing based on legitimate interests (and to direct marketing at any time).
• Request data portability where processing is based on consent or contract and carried out by automated means.
• Withdraw consent at any time where we rely on consent (without affecting the lawfulness of processing before withdrawal).
To exercise your rights, contact legal@capitalio.co.uk. We may need to verify your identity and may request additional information to locate the relevant data. We may refuse or charge a reasonable fee for manifestly unfounded or excessive requests as permitted by law.
Complaints: you can complain to the UK Information Commissioner’s Office (ICO).
Please note that some rights may be limited where we are required by law to retain information (for example, AML/CTF record-keeping obligations).
12. Automated decision-making
We may use automated screening tools for AML/KYC, sanctions and fraud prevention. Where we make decisions that have legal or similarly significant effects, we will do so in accordance with the UK GDPR, including providing human review where required.
13. Changes to this Notice
We may update this Notice from time to time. The latest version will be published on our website. Where appropriate, we will notify you of material changes.
Data Protection & Information Security Policy
Capitalio Ltd (“Capitalio”, “we”, “our”, “us”) is a private company limited by shares, incorporated in England & Wales (company number 16311642), with its registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom.
UK Information Commissioner’s Office (ICO) registration: CAPITALIO LTD, reference ZB978715 (see ico.org.uk/register).
Status: This document is a high-level summary of Capitalio’s internal controls. It is published for transparency and does not form part of any contract with visitors to our website or clients, except to the extent required by applicable law.
1. Purpose
This Policy sets out the organisational and technical measures Capitalio uses to protect personal data and confidential information. It is designed to support compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and to reduce risks arising from unauthorised access, loss, misuse, alteration or disclosure of information.
2. Scope
This Policy applies to all Capitalio directors, officers, employees, agency staff and contractors (together, Personnel), and to all information processed by or on behalf of Capitalio, including personal data, client documentation, commercial information, and credentials for Capitalio systems.
Personnel must comply with this Policy as a condition of access to Capitalio systems and information. Capitalio may suspend or revoke access, and may take disciplinary or contractual action, where this Policy is breached.
3. Core data-protection principles
Capitalio processes personal data in accordance with the seven UK GDPR principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
4. Governance and accountability
Capitalio maintains a governance framework for privacy and security, including:
• Board-level accountability for data protection and information security.
• A designated Data Protection Lead responsible for oversight, advice and incident coordination.
• Documented records of processing activities where required, and periodic reviews of high-risk processing.
• Supplier and processor due diligence and contractual controls appropriate to risk.
5. Key security controls
Capitalio applies a risk-based approach and maintains measures including:
5.1 Access control
• Role-based access controls and least-privilege permissions.
• Mandatory multi-factor authentication for cloud services and administrative accounts.
• Secure onboarding/offboarding procedures and prompt removal of access on role changes or termination.
• Sensitive client documents (ID, proof/source of funds) are stored in restricted-access locations and are accessible only to authorised senior staff on a need-to-know basis.
5.2 Encryption and secure communications
• Encryption in transit using modern TLS (1.2 or higher) where supported.
• Encryption at rest for laptops, portable devices and supported cloud storage.
5.3 Monitoring, vulnerability management and testing
• Security logging and monitoring proportionate to the systems in use.
• Regular patching and vulnerability remediation based on severity and exploitability.
• Periodic vulnerability scans and periodic penetration testing for internet-facing systems, where appropriate.
5.4 Resilience and backups
• Backups and disaster-recovery measures for critical business systems, tested periodically.
• Business continuity measures designed to maintain essential operations during disruption.
5.5 Training and confidentiality
• Mandatory confidentiality obligations for Personnel and need-to-know handling of client information.
• Periodic security and data-protection training, and targeted training for higher-risk roles.
6. Data lifecycle controls
6.1 Collection and use
Personal data is collected and used only for defined purposes, and only to the extent necessary for those purposes. Where required, Capitalio provides privacy information and obtains consent for specific activities (for example, certain marketing).
6.2 Retention and deletion
Capitalio retains personal data in accordance with documented retention periods, considering legal, regulatory and operational requirements. Data is securely deleted or anonymised when no longer required.
6.3 International transfers
Where personal data is transferred outside the United Kingdom, Capitalio uses recognised safeguards such as adequacy regulations, the International Data Transfer Agreement (IDTA) and/or contractual and technical measures appropriate to the transfer risk.
7. Incident and breach management
Capitalio maintains procedures for identifying, containing, investigating and remediating security incidents and personal-data breaches.
• Personnel must report suspected incidents immediately to the Data Protection Lead.
• Capitalio assesses risk and, where required, notifies the ICO without undue delay and, where feasible, within 72 hours of awareness.
• Where required, Capitalio notifies affected individuals and relevant partners in a timely manner.
• Capitalio maintains incident records and implements corrective actions to prevent recurrence.
8. Contractor and supplier requirements
Contractors and suppliers that access Capitalio information must, as applicable:
• Use only Capitalio-approved systems and follow documented security requirements.
• Keep all information confidential and restrict access to authorised personnel only.
• Notify Capitalio promptly of any suspected incident affecting Capitalio data.
• Return or securely delete Capitalio data on termination or on request.
• Submit to reasonable audits or compliance checks proportionate to the services provided.
9. Review and changes
This Policy is reviewed at least annually and whenever there is a material change in Capitalio’s processing activities, systems or risk profile. Capitalio may update this Policy from time to time; the latest version will be published on our website.
10. Contact
Questions about this Policy may be directed to: legal@capitalio.co.uk.