Legal

Privacy Policy

Last updated: May 4, 2026

BW International Ltd ("BW Horizons," "we," "us," or "our") is committed to protecting the privacy of our members and platform users. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

BW Horizons acts as the data controller for personal data processed through the Platform.

1. Data We Collect

We collect the following categories of data:

  • Account and Identity Data: Name, email address, job title, company name, company registration number, and any KYC/AML documentation submitted during verification.
  • Professional and Financial Data: Investment mandates, deal history, offer and request submissions, transaction communications, and document vault contents.
  • Payment Data: Billing details processed by Stripe. We do not store full card numbers; payment data is held by Stripe under their own PCI-DSS certification.
  • Usage Data: IP addresses, browser type, device identifiers, pages visited, features used, and interaction timestamps collected via server logs and analytics.
  • Communications Data: Messages, support tickets, and correspondence with our team.

2. Legal Basis for Processing

We process personal data on the following legal bases:

  • Contract performance — to provide and maintain your subscription;
  • Legal obligation — to comply with AML, sanctions screening, and UK regulatory requirements;
  • Legitimate interests — to improve the Platform, prevent fraud, and ensure security;
  • Consent — for optional communications where you have opted in.

3. How We Use Your Data

Your data is used to:

  • Provision and operate your account and subscription;
  • Conduct KYC/AML and sanctions screening as required by law;
  • Process payments and manage billing;
  • Deliver platform notifications, deal alerts, and product updates;
  • Detect and prevent fraud, abuse, and security threats;
  • Analyse usage to improve Platform performance and features;
  • Comply with legal and regulatory obligations.

4. Data Sharing

We do not sell your personal data. We share data only in the following circumstances:

  • Service providers: Trusted processors including Supabase (cloud database), Stripe (payments), Resend (transactional email), and Vercel (hosting), each operating under data processing agreements.
  • KYC/AML partners: Identity verification and screening services where required for regulatory compliance.
  • Legal requirements: Where required by law, court order, or a regulatory authority with jurisdiction.
  • Business transfers: In connection with a merger, acquisition, or sale of assets, subject to continued data protection obligations.

Counterparty identities and deal communications are never disclosed to other members without explicit consent.

5. International Transfers

Some of our service providers operate outside the UK. Where data is transferred internationally, we ensure appropriate safeguards are in place, including UK International Data Transfer Agreements (IDTAs) or adequacy decisions. Supabase and Vercel infrastructure is primarily hosted within the EU/EEA under standard contractual clauses.

6. Data Retention

We retain personal data for as long as necessary to provide the service and fulfil legal obligations:

  • Active account data: retained for the duration of your subscription plus 7 years for financial records;
  • KYC/AML records: retained for a minimum of 5 years post-relationship as required by UK AML regulations;
  • Usage and log data: retained for up to 12 months;
  • Deleted accounts: personal data anonymised or deleted within 30 days of account closure, subject to legal holds.

7. Your Rights

Under UK GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you;
  • Rectification — request correction of inaccurate or incomplete data;
  • Erasure — request deletion where data is no longer necessary or consent is withdrawn;
  • Restriction — request limited processing in certain circumstances;
  • Portability — receive your data in a structured, machine-readable format;
  • Objection — object to processing based on legitimate interests;
  • Withdraw consent — where processing is consent-based, withdraw at any time.

To exercise any right, contact us at privacy@bwhorizons.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Security

We employ industry-standard technical and organisational measures to protect your data, including encryption at rest and in transit (TLS 1.2+), role-based access controls, regular security assessments, and isolated database environments. We are working towards SOC 2 Type II certification.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay.

9. Cookies and Tracking

The Platform uses strictly necessary cookies for session authentication and security. We do not use third-party advertising cookies. Analytics are performed using privacy-preserving server-side logging without persistent client tracking.

10. Children's Privacy

The Platform is intended exclusively for business users. We do not knowingly collect personal data from individuals under the age of 18. If we become aware of such data, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. We will notify you of material changes via email or in-platform notice at least 14 days before they take effect.

12. Contact

Data Controller: BW International Ltd, United Kingdom
Privacy enquiries: privacy@bwhorizons.com
General support: support@bwhorizons.com

Privacy Policy — BW Horizons