This Privacy Policy (“Policy”) explains how Novakastro Partners Ltd (“Novakastro,” “we,” “us,” or “our”) processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), Cyprus Law 125(I)/2018, and relevant regulatory requirements, including those set by the Cyprus Securities and Exchange Commission (CySEC).

By accessing our services, using our website (www.novakastro.cy), communicating with us, or otherwise interacting with Novakastro, you acknowledge that you have read and understood this Policy and consent to the processing of your personal data as described herein.

1. About Novakastro

Novakastro Partners Ltd is a Cypriot-based and CySEC-regulated Administrative Service Provider (ASP) offering fiduciary, corporate, fund administration, accounting, and related professional services to both local and international clientele.

• Incorporation Date: 13 October 2023

• CySEC License Number: 230/196

• License Effective From: 8 November 2024

• Business Address:
  66 Makarios Avenue III, Cronos Court, Office 54
  1077 Nicosia, Cyprus

• Email: info@novakastro.cy

• Website: www.novakastro.cy

2. Scope of This Privacy Policy

This Policy applies to all personal data processed by Novakastro in the context of:

• Existing and prospective clients (natural persons and legal entities)

• Client representatives, directors, shareholders, and beneficial owners

• Employees, job applicants, and interns

• Business partners, suppliers, and consultants

• Visitors to our premises and website

This Policy covers all processing activities whether conducted electronically, manually, or via third parties acting on our behalf.

3. Categories of Personal Data Collected

The types of personal data we collect vary depending on your relationship with us and may include:

A. Client and Corporate Data

• Full name, title, address, email, phone number

• Identification documents (passport, ID card, driver’s license)

• Tax Identification Number (TIN), VAT numbers, and national insurance numbers

• Company formation documents, certificates, and registers

• Ultimate Beneficial Owner (UBO) and shareholder data

• Bank account information

• Source of funds and wealth documentation

• Contracts, legal documents, and correspondence

B. Digital Interaction and Website Data

• IP address, browser type, operating system, device type

• Date/time of access, visited URLs, session logs

• Submitted online forms, contact requests

• Marketing preferences and consent records

C. Employment and HR Data

• CVs, academic and professional qualifications

• References, criminal background checks (if applicable)

• Social insurance, payroll, and benefits information

• Employment contracts and emergency contact details

D. Special Categories of Data (Sensitive Data)

We process special categories of personal data only when necessary and lawful, such as:

• Criminal record checks (for regulatory or employment screening)

• Health data (e.g., medical certificates, where legally required)

Processing of such data is based on explicit consent or as mandated by applicable laws.

4. Legal Basis for Data Processing

We rely on the following legal grounds under Article 6 and, where applicable, Article 9 of the GDPR:

• Performance of a Contract – To provide our services to you

• Legal and Regulatory Obligations – Compliance with AML/CFT, tax, corporate, and CySEC obligations

• Legitimate Interests – To manage and grow our business, secure our systems, and prevent fraud

• Consent – For marketing, optional cookies, or non-essential data processing

• Public Interest or Regulatory Requirement – As mandated by CySEC or other competent bodies

Where consent is relied upon, you may withdraw your consent at any time without affecting the lawfulness of prior processing.

5. Purposes of Processing

We collect and use personal data for the following purposes:

• Client onboarding, due diligence, and Know Your Customer (KYC)/Anti-Money Laundering (AML) checks

• Delivering fiduciary, administrative, accounting, and fund-related services

• Invoicing, payment processing, and reporting

• Legal, tax, and regulatory compliance (e.g., FATCA, CRS, CySEC directives)

• Employment management and human resources administration

• Service improvement, system analytics, and website functionality

• Direct marketing and client communication (where consented)

6. Data Sharing and Disclosures

We may share your personal data with:

A. Regulators and Government Authorities

• CySEC, Tax Department, MOKAS, Police, Court Orders, or other statutory bodies

• As required by law or regulatory frameworks

B. Professional and Technical Service Providers

• Legal, tax, or audit advisors

• Cloud, hosting, and IT infrastructure providers

• Banks and payment processors

• Background and compliance screening tools

All third parties are bound by strict confidentiality and Data Processing Agreements (DPAs), ensuring compliance with GDPR principles.

C. Cross-Border Data Transfers

When data is transferred outside the European Economic Area (EEA), we ensure:

• Adequacy decisions by the European Commission

• Standard Contractual Clauses (SCCs) adopted by the EU

• Binding Corporate Rules (BCRs), where applicable

• Explicit consent from the data subject (as last resort)

7. Data Retention Periods

We retain personal data only for the period necessary to fulfill the processing purposes and comply with legal obligations. Typical periods include:

• Client Data: Minimum 7 years post-termination (per AML Law)

• Accounting & Tax Records: 10 years (as per Tax Law)

• Employment and Payroll Records: As required by employment law

• Marketing Data: Until consent is withdrawn

Upon expiration of the retention period, data is either securely erased or anonymized.

8. Your Data Protection Rights

You have the following rights under Articles 12–23 of the GDPR:

• Right of Access – Obtain a copy of your personal data

• Right to Rectification – Correct any inaccurate or incomplete information

• Right to Erasure (“Right to be Forgotten”) – In certain circumstances

• Right to Restrict Processing – Temporarily limit use of your data

• Right to Object – To processing based on legitimate interests or direct marketing

• Right to Data Portability – Receive your data in a structured format or transfer to another controller

• Right to Withdraw Consent – At any time, for processing based on consent

• Right to Lodge a Complaint – With the Office of the Commissioner for Personal Data Protection in Cyprus

To exercise your rights, please contact:
Email: admin@novakastro.cy

9. Data Security Measures

We implement robust technical and organizational security controls to safeguard personal data, including:

• Secure encrypted servers (SSL/TLS) and HTTPS encryption

• Role-based access controls and multi-factor authentication

• Regular system audits, penetration testing, and vulnerability scans

• Enforced data minimization and least privilege principles

• Staff training and strict confidentiality agreements

Despite our efforts, no security system is infallible. You are encouraged to use strong passwords and report suspicious activities.

10. Confidentiality Obligations

All information shared with us is treated as strictly confidential. We are legally and contractually bound to uphold professional secrecy, and we disclose personal data only where permitted or required by law or with your authorization.

11. Cookies and Tracking Technologies

Our website uses cookies and similar technologies for the following purposes:

• Ensuring core functionality and session security

• Understanding website usage through analytics tools

• Remembering user preferences (e.g., language settings)

You may manage or disable cookies via your browser settings. Please consult our Cookies Policy for detailed information.

12. Children’s Privacy

Our services are intended strictly for individuals aged 18 and above. We do not knowingly collect or process personal data from minors. If such data is inadvertently collected, it will be promptly deleted.

13. Third-Party Links

Our website may contain links to external websites. We are not responsible for their content or privacy practices. Users are encouraged to review the respective privacy policies of any third-party sites they visit.

14. Policy Updates and Notifications

We may update this Privacy Policy periodically to reflect legal, operational, or technological changes. Updates will be posted on our website with the new Effective Date. Where legally required, significant changes will be communicated directly.

15. Contact Information

For any inquiries, requests, or concerns regarding this Policy or our data practices, please contact:

Novakastro Partners Ltd
66 Makarios Avenue III, Cronos Court, Office 54
1077 Nicosia, Cyprus
Email: info@novakastro.cy
Website: www.novakastro.cy