Privacy notice

Draft, pending qualified legal review. This notice is structurally complete and technically accurate, but the wording has not yet been reviewed by a UK/EU data-protection solicitor. The final, counsel-approved version will replace this one before any first-customer go-live with real personal data.

AEGIS by Hu (“AEGIS”, “we”, “us”) processes personal data in two capacities: as a Processor on behalf of our regulated-firm customers (the bulk of our processing), and as a Controller for our own marketing-site visitors and contract counterparties.

1. Who we are

AEGIS by Hu is operated by <company legal name and number TBC>, registered office <address TBC>. Our security contact is security@aegiscompliant.com; for privacy and data-protection enquiries, contact our DPO at dpo@aegiscompliant.com.

2. When we are a Processor

When you use AEGIS through your firm’s account, we process the personal data your firm uploads (including your end-customers’ KYC data, screening outcomes, transaction metadata) on your firm’s instructions. Your firm is the Controller and is responsible for the lawful basis. The terms of that processing are set out in the Data Processing Agreement we sign with your firm — the template is published in our source repository at docs/templates/DPA.md.

For data-subject requests against this processing, please contact your firm first — they are the Controller. If we receive a request directly we will forward it to your firm without undue delay.

3. When we are a Controller

We are the Controller for the following processing:

3.1 Marketing-site visitors

| Data | Lawful basis | Retention |
|---|---|---|
| IP address (for DDoS protection via Cloudflare) | Legitimate interests (security) | Per Cloudflare default — typically < 30 days |
| Page-view metrics (anonymous, no IPs stored) | Legitimate interests (product improvement) | Per analytics provider — see Subprocessors page |
| Cookie preferences (where applicable) | Consent | 13 months from last interaction |

3.2 Sales / contract counterparties

| Data | Lawful basis | Retention |
|---|---|---|
| Names, work emails, work phones of contacts at prospect / customer firms | Legitimate interests (pre-contractual / contractual) | Active relationship + 7 years (UK Limitation Act for contract claims) |
| Correspondence (email, support tickets) | Legitimate interests / contract performance | Active relationship + 7 years |

3.3 Platform users (when your firm is signed up)

Names, work emails, role assignments, and audit trails of platform actions taken by users of your firm. The lawful basis is performance of our contract with your firm and legal obligation (record-keeping under FCA SYSC, DFSA AML Module, MAS Notices, PRA Rulebook). The default retention is 7 years after the relationship ends; this is configurable per tenant under the DPA.

4. Subprocessors and recipients

Where we engage third parties to deliver the platform, the full list (with region, certifications, and DPA links) is published at /legal/subprocessors. We give 30 days’ advance notice of any change.

5. International transfers

Customer personal data is pinned to the region your firm elected at signup (UK / EU_WEST / DIFC / SG / HK / US_EAST). Where a subprocessor processes data outside that region, we rely on the appropriate transfer mechanism: Standard Contractual Clauses (EEA), the UK Addendum (UK), or DIFC/PDPA/PCPD-compliant equivalents. Transfer Impact Assessments are performed for each non-adequate recipient and provided on reasonable request.

6. Your rights

You have the right to:

  • Access the personal data we hold about you (UK GDPR Art 15).
  • Have it rectified if inaccurate (Art 16).
  • Have it erased where we have no overriding lawful basis (Art 17).
  • Restrict processing (Art 18).
  • Receive a portable copy (Art 20) where applicable.
  • Object to processing based on legitimate interests (Art 21).
  • Withdraw consent (where consent is the basis), at any time.
  • Lodge a complaint with the UK Information Commissioner (ico.org.uk) or your local Supervisory Authority.

For data we hold as Processor: contact your firm first. For data we hold as Controller: email dpo@aegiscompliant.com. We respond within 30 days, free of charge except where the request is manifestly unfounded or excessive.

7. Automated decision-making

AEGIS uses AI / LLM features to support compliance decisions (e.g. drafting Suspicious Activity Reports, summarising regulatory change). These are decision support, not decisions — every state-changing action requires human sign-off, audit-logged. We do not make solely-automated decisions with legal effect on data subjects within the meaning of UK GDPR Article 22.

8. Security

See /legal/security for the platform’s security posture: tenant isolation, encryption, audit logging, incident response, and disclosure.

9. Changes to this notice

We update this notice when our processing changes. The version in force is the one currently published at this URL. Material changes will be notified to active customers and contract counterparties at least 30 days in advance.

Last reviewed: 2026-06-25. This notice is in draft pending qualified legal review.