
Privacy Policy

How Trading Integrity Bureau collects, processes, and protects personal data in accordance with applicable data-protection law.

Document: TIB-PRV-1.0
Effective: 16 April 2026
Version: 1.0

Purpose and scope

This Privacy Policy (the Policy) describes how Stratinova LTD, trading as Trading Integrity Bureau (TIB, we, us, or our), collects, uses, discloses, and safeguards personal data obtained through the TIB website, the public registry, forms submitted to us, correspondence, and related services (together, the Services).

The Policy is written to be compliant with the General Data Protection Regulation ((EU) 2016/679) (EU GDPR), the United Kingdom General Data Protection Regulation as incorporated by the Data Protection Act 2018 (UK GDPR), and the Cyprus Law 125(I)/2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data.

Data controller

The data controller in respect of personal data processed under this Policy is:

Controller: Stratinova LTD
Trading name: Trading Integrity Bureau
Registration: HE475207 · Republic of Cyprus
Registered office: Archiepiskopou Makariou III 228, Agios Pavlos Building, 3030 Limassol, Cyprus
Data protection contact: privacy@integritybureau.org

Stratinova LTD has not appointed a statutory data protection officer (DPO) under Article 37 GDPR, but the email address above is monitored by the individual with day-to-day responsibility for data protection compliance.

Definitions

In this Policy, terms defined in Article 4 of the UK and EU GDPR have the meanings given in those instruments, including personal data, processing, controller, processor, data subject, and consent.

Categories of personal data

We process the following categories of personal data, depending on your interaction with the Services:

| Category | Source | Examples |
| --- | --- | --- |
| Identity & contact | Provided directly by you | Name, business email address, job title, organisation, country of operation. |
| Engagement evidence | Submitted by a Firm during a verification | Operational records, policies, payout data, system-access logs. May incidentally include personal data of Firm personnel and participants. |
| Correspondence | Generated by your communications with us | Email content, meeting notes, enquiry form submissions. |
| Technical & usage | Collected automatically | IP address, device and browser type, referring URL, pages viewed, timestamps, session identifiers. |
| Cookie & analytics | Collected automatically with consent where required | First-party strictly-necessary cookies; aggregated analytics where enabled. |

Purposes and lawful bases

We process personal data for the following purposes and under the lawful bases stated:

| Purpose | Lawful basis | Categories |
| --- | --- | --- |
| Operating the website and securing it against abuse. | Legitimate interests — Art. 6(1)(f) GDPR — operating and protecting our service. | Technical & usage. |
| Responding to enquiries submitted via forms or email. | Legitimate interests — Art. 6(1)(f) GDPR — responding to requests made to us. Where pre-contractual, Art. 6(1)(b). | Identity & contact; Correspondence. |
| Performing verification engagements. | Performance of a contract — Art. 6(1)(b) — between TIB and the Firm. | Identity & contact; Engagement evidence; Correspondence. |
| Maintaining the public registry. | Legitimate interests — Art. 6(1)(f) — market integrity and transparency. Registry entries of Firms are not personal data where the Firm is a legal person. | Limited data in registry entries. |
| Compliance with legal obligations, including record-keeping and response to lawful requests. | Legal obligation — Art. 6(1)(c) GDPR. | As necessary. |
| Optional communications (e.g. newsletter). | Consent — Art. 6(1)(a) GDPR — withdrawable at any time. | Identity & contact. |

Where we rely on legitimate interests, we have conducted a balancing test considering the rights and freedoms of data subjects. A summary of the balancing test is available on request to privacy@integritybureau.org.

Cookies and similar technologies

Strictly necessary

We use first-party strictly-necessary cookies required for the Services to operate securely, including session management and protection against cross-site request forgery. These cookies do not require consent under Article 5(3) of the ePrivacy Directive.

Analytics

Where analytics cookies are set, they are set only after you have given consent through the cookie banner. Analytics data is aggregated and does not permit identification of individual data subjects.

Managing cookies

You can manage cookies through your browser settings. Blocking strictly-necessary cookies may impair the operation of the Services.

Disclosure to third parties

We do not sell personal data. We disclose personal data only to:

  • Processors engaged to provide services on our behalf, under written data-processing agreements meeting the requirements of Article 28 GDPR — including hosting providers, email-delivery providers, and secure-storage providers;
  • Professional advisers (lawyers, accountants, auditors) under contractual confidentiality, where necessary for the establishment, exercise, or defence of legal claims;
  • Authorities where disclosure is required under Applicable Law or in response to a lawful request;
  • A successor entity in the event of a merger, acquisition, reorganisation, or sale of assets, subject to equivalent data-protection commitments.

A current list of principal processors is available on request to privacy@integritybureau.org.

International transfers

Where personal data is transferred outside the European Economic Area or the United Kingdom, we rely on one or more of the following safeguards:

  • Transfers to countries subject to an adequacy decision of the European Commission or the UK Secretary of State;
  • Standard Contractual Clauses approved by the European Commission (Decision (EU) 2021/914) or the UK International Data Transfer Agreement / UK Addendum;
  • Other safeguards expressly permitted under Article 46 GDPR, or derogations under Article 49 GDPR where strictly necessary.

A copy of the relevant safeguard can be obtained on request to privacy@integritybureau.org.

Retention periods

| Category | Retention period |
| --- | --- |
| Enquiry data (where no engagement follows) | 24 months from last contact. |
| Engagement evidence and verification records | Duration of the Firm's Registry listing plus 7 years. |
| Revoked Registry entries and associated evidence | Retained indefinitely in the Registry history, in accordance with the legitimate interest of market integrity; access is controlled. |
| Correspondence | Maximum 6 years (contractual limitation period) unless a longer period is required by law or to defend legal claims. |
| Technical logs | Maximum 90 days unless required for incident investigation. |
| Cookies | As set out in the cookie banner. Session cookies are deleted on browser close. |
| Marketing consent records | Until consent is withdrawn, plus the period necessary to evidence lawful processing. |

At the end of the applicable retention period, personal data is securely deleted or fully anonymised.

Security

We apply technical and organisational measures appropriate to the risk, including:

  • Encryption in transit (TLS 1.2+) across all public-facing services;
  • Encryption at rest for sensitive evidence repositories;
  • Role-based access controls on a least-privilege basis with multi-factor authentication for administrative access;
  • Segregation of commercial and review functions to limit access to engagement evidence;
  • Logging and monitoring of access to systems containing personal data;
  • Secure software-development practices and periodic review of our security posture.

In the event of a personal-data breach likely to result in a risk to the rights and freedoms of data subjects, we notify the competent supervisory authority without undue delay and where feasible within 72 hours, and we notify affected data subjects where required by Article 34 GDPR.

Your rights

Subject to the conditions and exceptions set out in the UK and EU GDPR, you have the following rights in respect of your personal data:

  • Right of access — to obtain confirmation of processing and a copy of your personal data (Art. 15);
  • Right to rectification — to correct inaccurate or incomplete personal data (Art. 16);
  • Right to erasure — in the circumstances set out in Article 17;
  • Right to restriction of processing — in the circumstances set out in Article 18;
  • Right to data portability — where processing is based on consent or contract and carried out by automated means (Art. 20);
  • Right to object — to processing based on legitimate interests, including profiling (Art. 21);
  • Right to withdraw consent — at any time where processing is based on consent (Art. 7(3));
  • Right to lodge a complaint — with a supervisory authority (see § 14).

To exercise any of these rights, contact privacy@integritybureau.org. We respond within one month of receipt, extendable by up to two further months where necessary. We may ask for identity verification. There is no fee unless your request is manifestly unfounded, excessive, or repetitive.

Automated decision-making

We do not carry out automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.

Children's data

The Services are directed at professional users and are not intended for children under the age of 16. We do not knowingly collect personal data of children. If you believe a child has provided personal data to us, contact privacy@integritybureau.org and we will take steps to delete the data.

Complaints

If you have a concern about our processing of your personal data, please contact us first at privacy@integritybureau.org and we will aim to resolve it. You also have the right to lodge a complaint with a supervisory authority, in particular:

  • The Office of the Commissioner for Personal Data Protection of the Republic of Cyprus (Γραφείο Επιτρόπου Προστασίας Δεδομένων Προσωπικού Χαρακτήρα) — dataprotection.gov.cy;
  • The supervisory authority of the EU Member State of your habitual residence, place of work, or place of the alleged infringement;
  • In the United Kingdom, the Information Commissioner's Office (ico.org.uk).

Updates to this Policy

We may update this Policy from time to time. Each version is labelled with an effective date and version number. Material changes will be notified by a prominent notice on the Services and, where appropriate, by email to affected data subjects.

Version history.
v1.0 — 16 April 2026 — Initial publication.

Contact the data protection lead

  • Email: privacy@integritybureau.org
  • Post: Stratinova LTD, Archiepiskopou Makariou III 228, Agios Pavlos Building, 3030 Limassol, Cyprus, marked FAO: Data Protection

When contacting us about a personal-data matter, please provide sufficient information to enable us to identify you and respond — typically your name, the email address used in your interactions with us, and the substance of your request.
