Privacy Policy

Last updated: 13th November, 2025

This Privacy Policy explains how Cornerstone Sovereign Wealth & Capital Ltd (“CSWC”, “we”, “us”, or “our”) collects and uses personal data when you visit our website, contact us, or engage with us in connection with potential or actual investment, advisory, or co-investment activities.

We are committed to processing personal data in accordance with:

  • the UK General Data Protection Regulation (UK GDPR),

  • the Data Protection Act 2018, and

  • the Privacy and Electronic Communications Regulations 2003 (PECR) (as amended).

If anything in this notice conflicts with mandatory UK data protection law, the law will prevail.

1. Who we are (data controller details)

Controller:
Cornerstone Sovereign Wealth & Capital Ltd
Registered in: England and Wales

Contact for privacy matters:
Email: privacy@cornerstonecapital.group

We are the “data controller” of the personal data described in this notice.

We are not currently required to appoint a statutory Data Protection Officer, but you can contact us using the details above with any questions about this notice or your rights.

2. Who this notice applies to

This notice applies to:

  • Visitors to our website at cornerstonecapital.group

  • Individuals who contact us by email, phone, or via any contact form

  • Prospective and current co-investors, counterparties, or professional advisers

  • Individuals associated with entities we may transact or partner with (e.g. directors, shareholders or key personnel of a fund, SPV, advisory firm, or family office)

  • Any other person whose personal data we process in the context of operating CSWC as the private sovereign fund of a single principal.

3. What personal data we collect

The personal data we collect will vary depending on your relationship with us, but may include:

3.1 Data you provide directly

  • Identification and contact data

    • Name, title, job title, employer

    • Email address, phone number, postal address

    • Country of residence / nationality where relevant

  • Professional and business information

    • Role, organisation, and professional background

    • Details of your relationship with us or with our counterparties

    • Information in pitch decks, proposals, term sheets, or similar documents you share with us

  • KYC/AML and compliance information (for transactions and co-investment)

    • Copies of passports, ID documents, proof of address

    • Information about beneficial ownership, source of wealth/funds

    • Sanctions / PEP screening results and other compliance-related data as required by law

  • Communication content

    • Emails, letters, notes of calls or meetings, and messages submitted via any contact form

    • Any information you voluntarily provide when you contact us or send us documents

  • Recruitment data (if you apply to work with us)

    • CV / résumé, references, qualifications, work history and related information.

3.2 Data we collect automatically (website)

When you visit our website, we may collect:

  • Technical data

    • IP address, browser type and version, device type, operating system

    • Date/time of access, pages viewed, time spent on pages, referral URLs

  • Cookies and similar technologies

    • Strictly-necessary cookies needed for security and basic functionality

    • Subject to your consent, analytics and/or performance cookies (for example, to understand how the site is used).

For more detail, see Section 11 – Cookies.

4. For what purposes we use personal data and our legal bases

Under the UK GDPR we must have a “lawful basis” for each use of personal data.

4.1 Operating our website and responding to enquiries

Purposes

  • Operating, securing and improving our website

  • Responding to contact requests, enquiries, and correspondence

  • Managing relationships with prospective co-investors, counterparties, and advisers

Legal bases

  • Legitimate interests – to operate our website, communicate with people who contact us, and manage business relationships, where these interests are not overridden by your rights and freedoms.

  • Contract – where we communicate with you in connection with entering into, or performing, a contract with you or your organisation.

4.2 Evaluating and managing potential transactions and co-investments

Purposes

  • Assessing and diligencing potential transactions, co-investments, and strategic relationships

  • Conducting background checks, KYC/AML checks, and other due diligence where required

  • Negotiating and documenting agreements, and managing ongoing relationships

Legal bases

  • Legitimate interests – to evaluate, structure, and manage transactions and co-investments involving our principal’s capital while managing risk appropriately.

  • Legal obligation – where we are required by law (for example, anti-money laundering, financial crime prevention, tax, or sanctions laws) to verify identity, conduct checks, or retain records.

4.3 Compliance, risk management and governance

Purposes

  • Complying with legal and regulatory obligations (e.g. record-keeping, reporting, sanctions screening)

  • Responding to requests from regulators, courts, law-enforcement or other authorities

  • Managing risk, investigating potential or actual disputes, and enforcing our contractual or legal rights

Legal bases

  • Legal obligation – to comply with applicable laws and regulatory requirements.

  • Legitimate interests – to protect our business, our principal, our co-investors, and our counterparties; to manage risk and respond to issues or claims.

4.4 Marketing and relationship management (very limited)

CSWC does not operate mass-market marketing lists or public campaigns.

We may, on a very limited and targeted basis:

  • send one-to-one communications to existing contacts about transactions or opportunities we believe may be relevant; or

  • keep a record of contact history to avoid inappropriate or unwanted contact.

Legal bases

  • Legitimate interests – to maintain and develop professional and investment relationships in a proportionate and targeted way.

  • Consent – where required under PECR for certain electronic marketing communications, we will ask for your consent and you may withdraw it at any time.

You can ask us not to contact you for these purposes at any time (see Section 10).

4.5 Recruitment and engagement of staff or consultants

Purposes

  • Assessing applications and suitability for roles or engagements

  • Keeping a record of candidates who may be suitable for future opportunities

  • Managing the recruitment process and related communications

Legal bases

  • Contract – where processing is necessary to take steps at your request prior to entering into a contract.

  • Legitimate interests – to identify and engage suitable people to work with us.

5. Special categories of data and criminal records

We do not intentionally seek to collect “special category” data (such as health data, political opinions, religious beliefs, or information about your sex life or sexual orientation), nor criminal convictions data, except where:

  • such information appears incidentally in KYC/AML documents or screening results; or

  • we are required to process limited information of this kind to comply with legal or regulatory obligations.

Where we do so, we will only process such data:

  • where permitted by UK data protection law (for example, for the establishment, exercise or defence of legal claims, or where necessary for reasons of substantial public interest under UK law); and

  • with appropriate safeguards in place.

6. Who we share personal data with

We may share personal data, on a strictly need-to-know basis, with:

  • Professional advisers and consultants (law firms, auditors, tax advisers, corporate finance advisers, and similar)

  • Service providers (IT, cloud hosting, email, secure data-room providers, website hosting, analytics providers acting as our processors)

  • Counterparties and their advisers, where necessary for due diligence, transaction execution or ongoing management

  • Regulators, courts, law-enforcement or government authorities, where required or permitted by law

  • Any person to whom we transfer or may transfer all or part of our business or assets (for example, as part of a reorganisation or restructuring).

We require service providers who act as “processors” to process personal data only on our documented instructions and to implement appropriate security measures, consistent with UK GDPR requirements.

We do not sell personal data to third parties.

7. International transfers

Because CSWC operates in international investment and financial markets, it is possible that personal data will be transferred to, and processed in, countries outside the UK (for example where counterparties, advisers or service providers are located abroad).

Where we transfer personal data internationally, we will:

  • transfer only where necessary for the purposes described in this notice; and

  • ensure an appropriate safeguard is in place as required by UK GDPR, such as:

    • an adequacy regulation for the destination country; or

    • standard contractual clauses / international data transfer agreement approved under UK law, together with additional protections where appropriate.

You can contact us for more information about international transfer safeguards (see Section 1).

8. How long we keep personal data

We retain personal data only for as long as necessary for the purposes described in this notice, including:

  • for as long as we have an ongoing relationship with you or your organisation;

  • for as long as required to comply with legal, regulatory, tax, AML or accounting obligations (which may require retention for several years after our relationship ends); and

  • for the period during which we may need the data in connection with actual or potential legal claims.

Typically, this will mean that:

  • basic contact and relationship data is kept for up to seven (7) years after the end of the relevant relationship, and

  • AML/KYC records may be kept for at least the minimum period required by law (for example, five (5) years after the end of the business relationship or transaction, subject to any applicable extensions).

We may retain data for longer where required by law or where necessary for the establishment, exercise or defence of legal claims.

9. How we protect personal data

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. These may include:

  • access controls and need-to-know restrictions

  • secure storage, encryption and/or pseudonymisation where appropriate

  • contractual protections and due diligence for service providers and counterparties

  • internal policies and training on confidentiality and data protection.

However, no transmission of information via the internet is completely secure. We cannot guarantee the security of information transmitted to us electronically, and any such transmission is at your own risk.

10. Your rights under UK data protection law

Under the UK GDPR, you have a number of rights in relation to your personal data, subject to certain conditions and exemptions.

These include:

  • Right of access – to obtain confirmation whether we process your personal data and to receive a copy.

  • Right to rectification – to have inaccurate or incomplete personal data corrected.

  • Right to erasure – to request deletion of your personal data in certain circumstances.

  • Right to restriction of processing – to request that we restrict processing in certain circumstances.

  • Right to data portability – to receive personal data you have provided to us in a structured, commonly used and machine-readable format and have it transmitted to another controller, where applicable.

  • Right to object – to object to our processing of your personal data where we are relying on legitimate interests, including profiling based on those interests.

  • Right to withdraw consent – where we rely on consent (for example, certain electronic marketing or non-essential cookies), you can withdraw that consent at any time.

If you wish to exercise any of these rights, please contact us using the details in Section 1. We may need to verify your identity before responding.

10.1 Your right to complain to the ICO

You also have the right to lodge a complaint with the UK data protection regulator:

Information Commissioner’s Office (ICO)
Website: ico.org.uk
Telephone: +44 (0)303 123 1113

We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us first.

11. Cookies and similar technologies

Our website may use cookies and similar technologies.

  • Strictly necessary cookies – required for basic site functionality and security; these are set without consent under PECR’s “strictly necessary” exception.

  • Analytics or performance cookies – used, if at all, only with your consent to understand how visitors use our website (for example, page views, time on page, and technical diagnostics).

When you first visit our site, you will be presented with a cookie banner providing clear information and options to:

  • accept all non-essential cookies;

  • reject all non-essential cookies; or

  • manage your preferences in more detail.

We will not set non-essential cookies (such as analytics or advertising cookies) unless and until you have provided your consent, which you may withdraw at any time via our cookie settings.

You can also control cookies through your browser settings. Note that blocking some cookies may affect how the website functions.

Further detail on the cookies we use (name, purpose, and duration) is available in our Cookie Notice [LINK TO COOKIE NOTICE].

12. Children

Our website and services are not intended for use by children, and we do not knowingly collect personal data relating to anyone under the age of 18.

If you believe that a child has provided us with personal data, please contact us so that we can take appropriate steps.

13. Third-party links

Our website may contain links to third-party websites, services or content that are not controlled by CSWC. We are not responsible for the privacy practices of those third parties.

We encourage you to read the privacy notices of any third-party sites you visit.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes in:

  • our processing activities; or

  • applicable law or regulatory guidance (including updates or new guidance from the ICO and changes to UK data protection law).

We will post the updated version on our website and update the “Last updated” date at the top of this page. We encourage you to review this notice periodically.

15. Contact us

If you have any questions about this Privacy Policy or how we handle personal data, please contact: