- Right of Access: Art. 15 GDPR
- Rectification: Art. 16 GDPR
- Erasure: Art. 17 GDPR
- Right to Object: Art. 21 GDPR
1. Data Controller Identity
1.1 — Controller
The data controller for the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the UK GDPR (as retained in UK law by the European Union (Withdrawal) Act 2018), and the California Consumer Privacy Act 2018 ("CCPA") is:
Stratos Dynamics
Global Trade Facilitation Services
Correspondence: compliance@stratosdynamics.org
Data Protection enquiries: privacy@stratosdynamics.org
1.2 — DPO
Where required by Article 37 of GDPR, Stratos appoints a Data Protection Officer (DPO). Enquiries regarding data protection matters may be directed to the DPO at the privacy contact above. The DPO operates independently of management in accordance with Article 38 of GDPR.
2. Personal Data We Collect
2.1 — Categories of Data
We collect and process the following categories of personal data, depending on your relationship with Stratos:
| Category | Examples | Source |
|---|---|---|
| Identity data | Full name, title, passport/national ID copy, date of birth | Provided by you (KYC) |
| Contact data | Business email, telephone, company address, postal address | Provided by you |
| Corporate data | Company name, registration number, jurisdiction, UBO details | Provided by you / public registers |
| Financial data | Bank account details, proof of funds, BCL, fee disbursement records | Provided by you |
| Transaction data | LOI content, SPA terms, commodity volumes, pricing, LOC details | Generated in course of business |
| Compliance data | Sanctions screening results, PEP status, adverse media records, SAR filings | Screening databases / public sources |
| Technical data | IP address, browser type/version, time zone, page visits, referral source | Automatically collected (website) |
| Communication data | Email correspondence, LOI submissions, contact form messages | Provided by you |
2.2 — Special Category Data
We do not intentionally collect special category personal data (as defined in Article 9 GDPR — health, biometric, political, religious, or trade union data). Where such data is inadvertently included in documentation you provide, it will be segregated and deleted unless legally required to be retained.
2.3 — Children's Data
Our services are directed exclusively at businesses and trade professionals. We do not knowingly collect personal data from individuals under the age of 18. Any such data received will be deleted promptly upon discovery.
3. Legal Basis for Processing
3.1 — Basis Overview
We rely on the following legal bases under Article 6 of GDPR for each category of processing activity:
| Processing Purpose | Legal Basis | GDPR Article |
|---|---|---|
| KYC/CDD verification | Legal obligation | Art. 6(1)(c) |
| Sanctions & PEP screening | Legal obligation / Legitimate interests | Art. 6(1)(c) / 6(1)(f) |
| Contract formation and execution (LOI, SPA) | Performance of a contract | Art. 6(1)(b) |
| Fee disbursement and IMFPA obligations | Performance of a contract | Art. 6(1)(b) |
| Trade finance documentation (L/C, SBLC) | Performance of a contract | Art. 6(1)(b) |
| AML record keeping (5-year retention) | Legal obligation | Art. 6(1)(c) |
| SAR filing with NCA/FinCEN | Legal obligation | Art. 6(1)(c) |
| Website analytics and security | Legitimate interests | Art. 6(1)(f) |
| LOI form submissions and trade enquiries | Pre-contractual steps at request of data subject | Art. 6(1)(b) |
| Direct marketing (where applicable) | Consent | Art. 6(1)(a) |
3.2 — Legitimate Interests
Where we rely on legitimate interests (Article 6(1)(f) GDPR), we have conducted a Legitimate Interests Assessment (LIA). Our legitimate interests include: securing our business against fraud and financial crime; protecting third parties from counterparty default; and maintaining the integrity of our trade networks. These interests do not override the fundamental rights and freedoms of the data subjects concerned.
4. How We Use Personal Data
4.1 — Trade Facilitation
Personal data provided through the LOI submission form, KYC documentation, or direct correspondence is used exclusively for the purposes of: verifying counterparty identity and eligibility; facilitating commodity transactions; issuing and managing trade finance instruments; and coordinating SGS/Bureau Veritas inspection and shipping documentation.
4.2 — Compliance Obligations
We are legally required to process certain personal data to comply with AML regulations, sanctions screening obligations, and SAR filing requirements. This processing cannot be avoided on the basis of objection or consent withdrawal — it is a mandatory legal obligation.
4.3 — No Automated Decision-Making
Stratos does not use solely automated decision-making — including profiling — that produces legal or similarly significant effects on individuals, as defined in Article 22 of GDPR. Human review is applied to all counterparty risk assessments and transaction approvals.
4.4 — No Sale of Personal Data
Stratos does not sell personal data to third parties. This applies equally under the CCPA, which grants California residents the right to opt out of the sale of their personal information (Cal. Civ. Code §1798.120). We confirm: we do not sell personal data.
5. Third-Party Disclosure
5.1 — Permitted Disclosures
We disclose personal data only to the following categories of recipient, and only to the extent necessary for the stated purpose:
Financial Institutions
Issuing and confirming banks in L/C transactions; correspondent banks verifying SWIFT MT700 or MT760 instruments. Disclosure is limited to information necessary for instrument issuance and document examination under UCP 600.
Regulatory Authorities & FIUs
National Crime Agency (NCA/UKFIU), FinCEN, FCA, HMRC, OFAC, and equivalent competent authorities where disclosure is required by law or by a lawful request. We may not be able to notify you of such disclosures.
Inspection & Certification Bodies
SGS S.A., Bureau Veritas, and equivalent inspection agencies who require counterparty and cargo information to issue COQ, COW, and loading reports. Disclosure is transaction-specific.
Legal Advisors & Arbitrators
Solicitors, barristers, and ICC arbitration panels where disclosure is necessary to pursue or defend legal proceedings, or to enforce or protect contractual rights under English law or ICC Rules 2021.
Technology & Infrastructure Providers
Cloud hosting, email delivery, and CRM service providers acting as data processors under Article 28 GDPR data processing agreements. All processors are bound by contractual obligations not to use personal data for their own purposes.
5.2 — International Transfers
Where personal data is transferred outside the European Economic Area (EEA) or the UK, Stratos ensures that an appropriate safeguard is in place, as required by Chapter V of GDPR. Appropriate safeguards include: adequacy decisions by the European Commission; Standard Contractual Clauses (SCCs, 2021 version); or the UK International Data Transfer Agreement (IDTA, 2022). Details of applicable transfer mechanisms are available on request from our DPO.
6. Data Retention
6.1 — Retention Schedule
Personal data is retained for the periods set out below, after which it is securely deleted or anonymised:
| Data Category | Retention Period | Basis |
|---|---|---|
| KYC/CDD documentation | 5 years from end of relationship | MLR 2017 / EU 4AMLD Art. 40 |
| Transaction records (LOI, SPA, L/C) | 5 years from transaction date | MLR 2017 / Statutory limitation |
| Sanctions screening records | 5 years from screening date | OFAC / Legal obligation |
| NCNDA / IMFPA correspondence | Protected Period + 2 years | Contractual necessity |
| LOI submission form data | 2 years from submission | Legitimate interests |
| Website technical data (server logs) | 90 days | Security / Legitimate interests |
| Email correspondence (general) | 3 years | Legitimate interests |
6.2 — Extended Retention
Where personal data is subject to a legal hold — for example, in connection with ongoing litigation, regulatory investigation, or an open SAR — the retention period is extended for the duration of such proceedings plus one year.
7. Your Rights as a Data Subject
7.1 — GDPR Rights
If you are located in the EEA or the UK, you have the following rights under GDPR (Articles 15–22) in respect of personal data we hold about you:
Art. 15 — Right of Access
Obtain confirmation that we process your data and receive a copy of that data, along with information about the purposes, categories, recipients, and retention periods.
Art. 16 — Right to Rectification
Request correction of inaccurate personal data or completion of incomplete data, without undue delay.
Art. 17 — Right to Erasure
Request deletion of your personal data where the processing is no longer necessary, consent is withdrawn, or data has been unlawfully processed. This right is subject to legal retention obligations (e.g., AML/MLR 2017).
Art. 18 — Right to Restriction
Request restriction of processing while accuracy is contested, processing is unlawful, or you have objected and we are assessing your objection.
Art. 20 — Right to Portability
Receive your personal data in a structured, commonly used, machine-readable format where processing is based on consent or contract and carried out by automated means.
Art. 21 — Right to Object
Object to processing based on legitimate interests (Art. 6(1)(f)) or for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds which override your interests.
Art. 7(3) — Withdraw Consent
Withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing before withdrawal.
Art. 77 — Lodge a Complaint
Lodge a complaint with your local supervisory authority. In the UK: the Information Commissioner's Office (ICO). In the EU: your national DPA.
7.2 — Exercising Your Rights
To exercise any of the rights listed above, submit a written request to privacy@stratosdynamics.org. We will respond within one calendar month (extendable by two further months where the request is complex or numerous, with notice). We do not charge a fee for reasonable requests. Where requests are manifestly unfounded or excessive, we may charge a reasonable administrative fee or refuse the request, with reasons provided.
7.3 — Identity Verification
We may require proof of identity before processing a data subject rights request to prevent unauthorised disclosure of personal data to third parties.
7.4 — CCPA Rights (California Residents)
California residents have the following rights under the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.): the right to know what personal information is collected; the right to know whether personal information is sold or disclosed and to whom; the right to opt out of the sale of personal information (we do not sell — see Section 4.4); the right to deletion; and the right to non-discrimination in service or price for exercising CCPA rights. Requests may be submitted to privacy@stratosdynamics.org.
8. Cookies & Website Tracking
8.1 — Types of Cookies
Our website uses the following categories of cookies:
- Strictly Necessary: Essential for the website to function. Cannot be disabled. Examples: session state, security tokens.
- Performance / Analytics: Used to understand how visitors interact with the website (page views, referral sources, session duration). Data is aggregated and anonymous. Requires consent under ePrivacy Directive / UK PECR.
- Functional: Remember preferences (language, layout). Requires consent.
We do not use advertising, targeting, or third-party retargeting cookies.
8.2 — Cookie Consent
On first visit, users are presented with a cookie consent notice. Strictly necessary cookies are set without consent. Performance and functional cookies are set only upon affirmative consent. Consent can be withdrawn at any time by clearing browser cookies and revisiting the site.
8.3 — Third-Party Scripts
Our website uses Google Fonts (served via Google's CDN) and Tailwind CSS (served via CDN). Google Fonts may collect IP address data; see Google's privacy policy for details. We do not use Google Analytics, Facebook Pixel, or other behavioural tracking tools.
9. Security
9.1 — Technical Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or alteration, in accordance with Article 32 of GDPR. Measures include: TLS encryption for data in transit; access controls with role-based permissions; audit logging; and secure document destruction procedures.
9.2 — Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of GDPR. Where the breach is likely to result in a high risk, affected individuals will also be notified directly under Article 34.
10. Changes to This Policy
10.1 — Updates
We review this Privacy Policy at least annually and update it to reflect changes in applicable law, regulatory guidance, and our processing activities. The "Effective" date at the top of this page indicates when the current version came into force. Where changes are material, we will provide notice via the website and, where we hold your contact details, by direct communication.
10.2 — Governing Version
The English language version of this Policy is the governing version. In the event of any conflict between translated versions (if provided) and the English version, the English version prevails.
11. Contact
For all privacy and data protection enquiries — including data subject rights requests, complaints, or DPO correspondence — please contact us at:
Data Protection Officer — Stratos Dynamics
Email: privacy@stratosdynamics.org
Subject line: "Data Subject Request — [your name]" or "Privacy Enquiry"
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (UK): ico.org.uk, or with the supervisory authority in your EU member state of residence.