Privacy Policy · Finquest Capital Group

01

Introduction

Finquest Capital Limited (“Finquest”, “we”, “our” or “us”) is committed to protecting the personal data of every visitor to www.finquestcapitalgroup.com and every prospective or existing client of the Finquest Capital Group ecosystem. This Privacy Policy explains what personal data we collect, why we collect it, on what legal basis, with whom we share it, how long we retain it, and the rights you have under the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Irish Data Protection Act 2018.

This Policy applies to the corporate website of Finquest Capital Group and to commercial relationships entered into with Finquest Capital Limited as data controller. Separate, dedicated privacy notices apply to: (i) the Finquest Exchange operated by PowrAI Digital Exchange sp. z o.o. (Poland) under Polish law and the supervision of UODO and GIIF; and (ii) the tokenisation activities conducted through Finquest Tokenisation S.à r.l. (Luxembourg). Where you interact with those entities, please refer to the privacy notice published by the relevant entity.

02

Data Controller

The data controller for the processing described in this Policy is:

Legal entity — Finquest Capital Limited

Registered office — No. 12, Commerce House, 14 Washington Street West, Cork City, Cork, T12 K376, Ireland

Company number — Companies Registration Office (CRO) 726903 — EUID IECRO.726903

We have not appointed a statutory Data Protection Officer (DPO) as none of the criteria in Article 37 GDPR currently apply. Privacy queries are handled by an internal privacy lead under the direct responsibility of the Founder & CEO.

03

Categories of Personal Data We Process

Identification data — name, date of birth, nationality, government-issued identification documents (passport, ID card, residence permit), photographic identification.
Contact data — postal address, email address, telephone number, language preference.
Professional data — occupation, employer, position, professional qualifications, source of wealth and source of funds information.
Financial & investor classification data — investor categorisation (qualified / professional / non-eligible), bank account details, transaction information, portfolio holdings.
Compliance data — AML/CFT screening results, sanctions and PEP screening, adverse media screening, KYC documentation.
Technical data — IP address, browser type, device identifiers, operating system, referring URL, pages visited, session duration, and cookie identifiers (see Cookie Policy).
Communications data — the content and metadata of correspondence, calls, video meetings and chat messages exchanged with us.

04

Sources of Personal Data

We collect personal data directly from you (when you complete forms, schedule a call, contact us by email or telephone, or otherwise interact with our website or staff) and from third-party sources, including: regulated electronic identity verification providers; commercial AML / sanctions / PEP / adverse-media screening databases; corporate registries; public sources; and our group entities and partners (Woudlaw, Fireblocks).

05

Purposes of Processing and Legal Bases

We process your personal data for the following purposes, each on the legal basis indicated:

Pre-contractual and contractual processing — to assess your interest, perform suitability checks, onboard you as a client and execute our services. Legal basis: Article 6(1)(b) GDPR (performance of a contract or pre-contractual measures).
Anti-money-laundering, counter-terrorist-financing, sanctions and tax-transparency compliance — including KYC, ongoing monitoring, suspicious-activity reporting and record-keeping. Legal basis: Article 6(1)(c) GDPR (legal obligation), in particular under Directive (EU) 2015/849 as amended, the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 of Ireland, and equivalent legislation in the jurisdictions in which our group entities operate.
Provision and improvement of the website — including security monitoring, analytics, and prevention of fraud or abuse. Legal basis: Article 6(1)(f) GDPR (legitimate interests), or Article 6(1)(a) where consent is required (e.g. non-essential cookies).
Marketing and investor relations — including newsletters and product updates to existing and prospective qualified investors. Legal basis: Article 6(1)(a) GDPR (consent) or Article 6(1)(f) (legitimate interests within an existing business relationship). You may withdraw consent or object at any time.
Establishment, exercise and defence of legal claims — and compliance with court orders. Legal basis: Article 6(1)(f) GDPR (legitimate interests) and Article 6(1)(c) (legal obligation).

06

Recipients and Disclosures

We share personal data with the following categories of recipients, only to the extent necessary for the purposes stated in Section 5:

Other entities of the Finquest Capital Group ecosystem (including PowrAI Digital Exchange sp. z o.o. and Finquest Tokenisation S.à r.l.) on the basis of an intra-group data-sharing arrangement;
External legal counsel, including Woudlaw (Luxembourg);
External corporate-services, compliance and audit providers;
Technology and infrastructure providers, including Fireblocks (custody);
Banks, payment service providers and notaries acting in the context of transactions to which you are a party;
Competent supervisory, tax and law-enforcement authorities, where required by law.

We do not sell personal data and we do not share personal data with third parties for their own marketing purposes.

07

International Transfers

Finquest operates across Ireland, Spain, Poland, Luxembourg, Switzerland and Monaco. Where we transfer personal data outside the European Economic Area (EEA), we rely on one of the safeguards permitted by Chapter V GDPR — typically an adequacy decision (Switzerland) or Standard Contractual Clauses (SCCs) supplemented, where necessary, by additional technical and organisational measures. A copy of the relevant safeguards is available on request.

08

Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including to satisfy legal, regulatory, accounting or reporting obligations:

KYC / AML records — 5 years from the end of the business relationship, extendable to 10 years where required by competent authorities.
Accounting records — minimum 6 years (Irish Companies Act 2014, section 281).
Contractual records — for the duration of the contract and 6 years thereafter (Irish statute of limitations on contract claims).
Website analytics — as set out in our Cookie Policy.
Marketing data — until you withdraw consent or object, plus a short reference period to evidence the withdrawal.

09

Your Rights

Subject to the conditions of the GDPR you have the right to: (i) access your personal data (Article 15); (ii) request rectification (Article 16); (iii) request erasure (Article 17); (iv) request restriction of processing (Article 18); (v) data portability (Article 20); (vi) object to processing based on legitimate interests, including profiling (Article 21); and (vii) withdraw consent at any time (Article 7(3)) without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us using the details in Section 13. We may ask you to verify your identity. We will respond within one month of receipt; this period may be extended by a further two months where necessary, taking into account the complexity and number of the requests.

You also have the right to lodge a complaint with the Irish Data Protection Commission (DPC), 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland — www.dataprotection.ie — or with the supervisory authority of the EU Member State of your habitual residence.

10

Automated Decision-Making

We do not take decisions producing legal or similarly significant effects concerning you which are based solely on automated processing within the meaning of Article 22 GDPR. Initial AML/sanctions screening relies on automated tools, but every alert and every onboarding decision is reviewed by a human compliance officer.

11

Security

We apply technical and organisational measures appropriate to the risk, including transport-layer encryption, role-based access control, multi-factor authentication, encryption-at-rest for sensitive records, segregation of duties, vendor due diligence and a documented incident-response process. Personal-data breaches are handled in accordance with Articles 33 and 34 GDPR.

12

Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in law or in our practices. Material changes will be communicated by prominent notice on our website and, where appropriate, by direct notice to affected data subjects. The “Effective” date at the top of this document indicates the version in force.

13

Contact

General enquiries: info@finquestcapitalgroup.com
Postal address: Finquest Capital Limited, No. 12, Commerce House, 14 Washington Street West, Cork City, Cork, T12 K376, Ireland.