Data protection

Privacy Policy

Last updated: 1 January 2026 - GDPR (EU) 2016/679 compliant

1. Data controller

The controller of your personal data is B.A.I.F S.A., 1 Bank Street, Canary Wharf, London E14 5JP. The Data Protection Officer (DPO) can be contacted at dpo@baif.com.

2. Data collected

We collect the following categories of data:

Identity data: Last name, first name, date and place of birth, nationality, ID document.

Contact data: Postal address, email, phone number.

Financial data: Income, assets, banking transactions, investment history.

Connection data: IP address, login logs, device used, approximate location.

Behavioural data: Pages viewed, actions taken on our website and app, preferences.

Compliance data (KYC): Identity documents, proof of address and income, declaration of beneficial owners.

3. Purposes and legal bases

Purpose | Legal basis
Opening and managing a bank account | Performance of the contract
Anti-money laundering (AML-CFT) | Legal obligation
Sending statements and contractual communications | Performance of the contract
Risk analysis and scoring | Legitimate interest
Improving our services and products | Legitimate interest
Sending marketing communications | Consent
Setting analytics cookies | Consent

4. Data recipients

Your data may be shared with:

  • Authorised B.A.I.F staff (advisors, compliance teams, IT)
  • Technical providers under confidentiality agreement (host, software vendors)
  • Regulatory and supervisory authorities (FCA, HMRC, NCA) where legally required
  • Insurance and reinsurance partners for co-distributed products
  • Correspondent banks (SWIFT) for international transfers

We never sell your data to third parties for commercial purposes.

5. Retention periods

Active client data | Duration of the contractual relationship + 5 years
KYC / AML-CFT data | 5 years after the end of the relationship
Transaction data | 10 years (legal accounting obligation)
Connection data (logs) | 12 months
Analytics cookies | 13 months maximum

6. Your rights

In accordance with the GDPR and the UK Data Protection Act, you have the following rights:

  • Access to your data
  • Rectification
  • Erasure (right to be forgotten)
  • Restriction of processing
  • Portability
  • Objection
  • Withdrawal of consent
  • Complaint to the supervisory authority

To exercise your rights: dpo@baif.com or by post to our DPO, B.A.I.F S.A., 1 Bank Street, Canary Wharf, London E14 5JP.

7. Transfers outside the EU

Some of our providers may process your data outside the European Union. In such cases, we ensure that these transfers are governed by appropriate safeguards: standard contractual clauses approved by the European Commission or an adequacy decision.

8. Security

B.A.I.F implements appropriate technical and organisational measures to protect your data against unauthorised access, modification, disclosure or destruction. Our systems are ISO 27001 and PCI-DSS certified. All communications are encrypted with TLS 1.3.

9. Changes

This policy may be updated to reflect regulatory developments or changes to our practices. The update date is shown at the top of the document. Substantial changes will be notified to you by email.

10. DPO contact

Data Protection Officer (DPO)

B.A.I.F S.A. - DPO Service
1 Bank Street, Canary Wharf, London E14 5JP
Email: dpo@baif.com

You may also lodge a complaint with the supervisory authority ICO: ico.org.uk