Privacy Notice

Chasquis Limited (trading as Chasq, “we”, “us”, “our” and “ours”) is a financial technology company providing a software platform that delivers financial analysis, data processing and strategic insights. We provide our platform both directly to business customers and through professional services firms (“partner firms”) who use the platform to deliver services to their own clients. We are registered in England and Wales as a limited company under number 17027569 and our registered office is at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.

This notice will tell you how we look after your personal data, about your privacy rights, and about our compliance with and your protections under Data Protection Legislation.

In this notice “Data Protection Legislation” means any applicable law relating to the processing, privacy, and use of Personal Data, including the Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020, and the Data (Use and Access) Act 2025.

Our role under the Data Protection Legislation depends on the context:

• Direct customers and visitors. Where you are a direct customer of Chasq, a prospective customer, a website visitor, or otherwise interact with us in a context where we determine the purposes and means of processing, we are the ‘data controller’ in respect of your personal data (see section 6 below).
• Customers using the platform. Where you are a direct customer of Chasq using the Chasq Platform to process data relating to your own clients, employees, suppliers or other contacts, you are the data controller in respect of that data and we are the data processor (see section 7 below).
• End-user clients of partner firms. Where a partner firm uses the Chasq Platform to deliver services to you as the partner firm’s client, the partner firm is the data controller in respect of your personal data and we are the data processor acting on the partner firm’s instructions (see section 7 below). In this scenario, you should refer to the partner firm’s own privacy notice for full details of how your personal data is handled.

We have appointed a Data Protection Officer. Our Data Protection Officer is our Data Protection Point of Contact. Should you wish to contact our Data Protection Point of Contact you can do so using the contact details noted at section 16 (Contact Us) below.

The information we hold about you may include the following:

• your personal details (such as your name, job title, and/or address);
• your account credentials and authentication information;
• details of contact we have had with you in relation to the provision, or the proposed provision, of our services;
• details of any services you have received from us, including platform usage data and activity logs;
• our correspondence and communications with you;
• information about any complaints, enquiries, and support requests you make to us;
• technical information such as IP addresses, browser type, device identifiers, and access timestamps; and
• information from research, surveys, and marketing activities.

Customer financial data. In the course of providing our platform services, we process financial data, accounting records, tax information and management information belonging to or provided by our customers and their end-user clients. Where we process such data on behalf of our customers, we act as a ‘data processor’ and process that data only in accordance with our customers’ instructions and the terms of our service agreements (see section 7 below).

We obtain your personal data directly from you when:

• you register for an account on our platform or request a demonstration;
• you request a proposal from us in respect of the services we provide;
• you engage us to provide our services and also during the provision of those services;
• you use our platform, including through automated data collection technologies such as cookies, server logs, and analytics tools; and
• you contact us by email, telephone, post, or social media.

We may also obtain your personal data indirectly:

• from our client or your employer when they engage us to provide services;
• from third-party integrations and connected financial systems where authorised by our clients; and
• from third parties and/or publicly available resources (for example, from Companies House or LinkedIn).

We may process your personal data for purposes necessary for the performance of our contract with you or your employer, our clients, and to comply with our legal obligations.

We may also process your personal data for the purposes of our own legitimate interests provided that those interests do not override any of your own interests, rights, and freedoms.

Situations in which we will use your personal data include to:

• provide, maintain, and improve our platform and services;
• carry out our obligations arising from any agreements entered into between you (or your employer) and us;
• carry out our obligations arising from any agreements entered into between our clients and us;
• provide technical support and respond to your enquiries;
• provide you with information related to our services, product updates, and our events;
• notify you about any changes to our services, terms, or policies;
• monitor platform usage, performance, and security; and
• analyse usage patterns and trends to improve our platform and develop new features.

Data retention

We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected. When assessing what retention period is appropriate, we take into consideration the requirements of our business and the services provided, any statutory or legal obligations, our contractual obligations to our clients, and the purposes for which we originally collected the personal data.

Where we process personal data on the Chasq Platform on behalf of our customers (for example, financial data uploaded by a customer or by a partner firm acting for its own clients), the following retention periods apply on termination of the customer’s service agreement with us:

• Operational handover (90 days). We retain personal data in identifiable form for at least 90 days following termination to enable our customer to download or export the data and arrange handover to a successor provider.
• Legal claims and regulatory retention (6 years). Following the operational handover period, we may retain personal data in identifiable form for a further period of up to six years (or such longer period as may be required by law) for the purposes of defending or pursuing legal claims, complying with our regulatory and statutory obligations (including the Limitation Act 1980, anti-money laundering regulations, and tax and accounting record-keeping obligations). Access during this period is restricted to those personnel with a legitimate need to access it for these purposes.
• Anonymised data (indefinite). We may retain and use data in anonymised form indefinitely for the purposes of platform improvement, statistical analysis, benchmarking and the development of new products or features (see section 5 below). Anonymised data is data from which all identifiers have been irreversibly removed such that the data subject cannot be identified, and is no longer personal data for the purposes of the Data Protection Legislation.

You have the right to opt out of the anonymisation use case at any time. The route depends on who acts as data controller for your personal data:

• Where Chasq processes your personal data as data processor on behalf of one of our customers (whether a direct customer or a partner firm), you should notify the customer, who is your data controller and who will pass the opt-out to us.
• Where Chasq processes your personal data as data controller (for example, you are a direct customer’s account holder, a website visitor or another contact of ours), you may opt out by contacting us directly at info@chasq.com.

On receipt of a valid opt-out, we will not anonymise data relating to you for these purposes and will delete any anonymised data already derived from your data from our anonymised dataset to the extent technically feasible.

Change of purpose

Where we need to use your personal data for a reason other than the purpose for which we originally collected it, we will only use your personal data where that reason is compatible with the original purpose.

Platform Outputs and AI

The Chasq Platform automatically generates reports, analyses, insights and other outputs (“Platform Outputs”) based on data uploaded to it by our customers and their end-user clients. The Chasq Platform uses artificial intelligence (“AI”) and machine learning capabilities as part of its analytical functions.

Where Platform Outputs are generated from personal data, that processing is carried out in accordance with our data processing agreements with our customers and the Data Protection Legislation. We do not use personal data processed on behalf of our customers for any purpose other than the provision of our platform services and the generation of Platform Outputs in accordance with our customers’ instructions, save in respect of the anonymisation use case set out below.

Anonymised data and benchmarking

Subject to the opt-out described in section 4 (Data retention) above, we anonymise personal data processed on the Chasq Platform and retain the resulting anonymised data indefinitely for the purposes of:

• improving the Chasq Platform and its analytical functions;
• performing statistical analysis;
• developing benchmarks for use by professional services firms;
• developing new products and features; and
• training and improving our AI and machine learning systems.

Our legal basis for the anonymisation processing itself (which involves the processing of personal data to produce anonymised data) is legitimate interests. We have considered our interests in platform improvement and benchmark development against the interests, rights and freedoms of data subjects, and we are satisfied that the processing is justified. The factors we have taken into account include: (a) anonymisation removes the privacy risk to data subjects by ensuring they cannot be identified; (b) the resulting anonymised dataset has clear value for our customers and the wider professional services sector; (c) data subjects can opt out at any time; and (d) we have implemented technical and organisational measures to ensure the anonymisation is robust.

Our anonymisation methodology is documented and subject to regular review. The methodology is designed to comply with current ICO guidance on anonymisation and ensures that re-identification is not reasonably likely, taking into account all means likely to be used. We do not combine the anonymised data with any other dataset in a manner that would or might enable re-identification, and we do not disclose the anonymised data to any third party in a form that could enable re-identification.

Once data has been irreversibly anonymised, it is no longer personal data and falls outside the scope of the Data Protection Legislation. Our use of the anonymised data is therefore not subject to the same restrictions as our processing of personal data.

Where we determine the purposes and means of processing personal data, we act as data controller. Examples of when we act as data controller include:

• we hold personal data about our direct customers and their personnel for the purposes of providing the Chasq Platform and managing the customer relationship;
• we hold personal data about prospective customers and contacts who interact with us in a sales or marketing context;
• we hold personal data about visitors to our website (for example, through cookies and analytics); and
• we hold personal data about our own personnel, suppliers and advisers.

Where we act as data controller, the categories of personal data we hold are set out in section 2, our purposes and legal bases for processing are set out in section 4, our data retention periods are set out in section 4 (Data retention), and your rights as a data subject are set out in section 12 (Rights of Access, Correction, Erasure, and Restriction) and section 13 (Right to Withdraw Consent). Where we transfer personal data outside the United Kingdom, we comply with the safeguards described in section 10.

Where a customer (whether a direct customer or a partner firm) uses the Chasq Platform to process personal data, the customer is the data controller in respect of that data and we act as the data processor.

Examples of when we act as a data processor include:

• a direct customer uploads its own employees’, customers’ or suppliers’ personal data to the platform for analysis or reporting purposes;
• a direct customer uses the platform to generate reports or insights based on personal data it has uploaded;
• a partner firm uploads personal data relating to the partner firm’s own clients in the course of delivering services to those clients.

As data processor, we:

• process personal data only in accordance with our customer’s written instructions and only for the duration of the service agreement;
• do not process personal data for any purpose other than providing the Chasq Platform and related services, save where our customer has authorised the anonymisation use case described in section 5;
• maintain appropriate technical and organisational measures to protect personal data;
• notify our customer without undue delay (and in any event within 24 hours) of any actual or suspected security breach affecting personal data;
• do not transfer personal data outside the United Kingdom or the European Economic Area without our customer’s prior written consent;
• only engage sub-processors with our customer’s prior written consent and ensure equivalent data protection obligations are imposed on any sub-processor;
• apply the retention periods set out in section 4 (Data retention) above; and
• provide our customer with all information and assistance necessary to demonstrate compliance with the Data Protection Legislation, including permitting audits.

The types of personal data we may process as data processor include: names and contact details of the customer’s personnel, clients, employees, suppliers and other contacts; trading and activity history; financial information; and commercial information.

Our data processing obligations are documented in our Terms of Service, which applies to both direct customers and partner firms. Where a customer relationship is governed by separately negotiated terms, our data processing obligations are documented in that Master Services Agreement or a separate data processing agreement.

Our platform and website use cookies and similar technologies. We use:

• Strictly necessary cookies: Required for the operation of our platform.
• Analytical/performance cookies: Allow us to recognise and count visitors and see how they move around our platform.
• Functionality cookies: Used to recognise you when you return to our platform.

You can set your browser to refuse all or some cookies.

We will share your personal data with third parties where we are required by law or where we have a legitimate interest in doing so.

Third-party service providers include: cloud hosting and infrastructure services, IT and security services, professional advisory services, analytics services, marketing services, payment processing services, and banking services.

Sub-processors

Where we act as a data processor on behalf of our customers, we may engage sub-processors to assist in providing our platform services. We will only engage sub-processors with the prior written consent of the relevant customer and will ensure that equivalent data protection obligations are imposed on any sub-processor. We remain responsible for the acts and omissions of our sub-processors.

Our platform servers are located in Frankfurt, Germany, within the European Economic Area. Germany is a member state of the European Union, and the UK has adequacy regulations in place for the EU, which means that the EU is recognised as providing an adequate level of protection for personal data under the Data Protection Act 2018. Personal data transferred to our servers in Germany is therefore treated as offering equivalent safeguards to UK data protection standards.

Where data is transferred to a country that does not benefit from an adequacy decision, we will ensure that appropriate safeguards are implemented, such as standard contractual clauses approved by the ICO, to ensure your personal data is protected.

Further details about adequacy regulations can be found on the ICO’s website at ico.org.uk.

We have put in place commercially reasonable and appropriate security measures to protect personal data, including:

• encryption of data in transit and at rest;
• access controls to limit access to personal data to those with a business need to know;
• regular vulnerability assessments and penetration testing;
• monitoring and logging of access to personal data; and
• a documented information security policy.

All personnel authorised to process personal data are subject to a duty of confidentiality.

Where we process personal data on behalf of our customers, we have committed under our service agreements to maintaining appropriate technical and organisational measures and to notifying our customers without undue delay (and in any event within 24 hours) of any actual or suspected security breach affecting personal data.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Your duty to inform us of changes

It is important that the personal data we hold about you is accurate and current. Should your personal information change, please notify us of any changes by contacting us using the contact details below.

Your rights in connection with personal data

Under certain circumstances, by law you have the right to:

• Request access to your personal data.
• Request correction of the personal data that we hold about you.
• Request erasure of your personal data.
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party). You also have the right to object where we are processing your personal information for direct marketing purposes, or for the anonymisation use case described in section 5.
• Request the restriction of processing of your personal data.
• Request the transfer of your personal data to you or another data controller if the processing is based on consent, carried out by automated means and this is technically feasible.

If you want to exercise any of the above rights, please contact the Data Protection Point of Contact at info@chasq.com.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee for the administrative costs of complying with the request if your request is manifestly unfounded or excessive.

Routing of data subject rights requests. Where you are a data subject in respect of personal data we process as data processor on behalf of one of our customers, you should contact our customer directly to exercise your rights, as our customer is the data controller. This applies whether our customer is a direct customer of Chasq or a partner firm. We will cooperate with our customers in responding to data subject requests. Where you are a direct data subject of Chasq (for example, an account holder or website visitor), you may contact us directly using the details below.

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent at any time by emailing info@chasq.com.

Once we have received notification that you have withdrawn your consent, we will no longer process your personal data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

In the interests of transparency, we disclose the following connected party relationship.

Ben Leadbetter, the founder and sole director of Chasquis Limited, is also the founder and sole director of The Lumen Collective Limited (“TLC”), a finance consultancy and advisory firm regulated by the Institute of Chartered Accountants in England and Wales (ICAEW). TLC is registered in England and Wales under company number 16682576 and its registered office is at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.

TLC is one of our partner firms and uses the Chasq Platform to deliver professional services to its clients. In that context, TLC is the data controller in respect of personal data uploaded to the platform by TLC and Chasq acts as TLC’s data processor (see section 7 above). TLC’s own privacy notice, which provides further information on how TLC processes personal data including through the Chasq Platform, is available at thelumencollective.co/privacy.

This connected party relationship does not affect our obligations under the Data Protection Legislation or our commitments in this privacy notice. It does not affect our direct customer relationships, in respect of which we contract independently and process personal data on the same terms as we would for any other direct customer. We document this relationship and review it periodically.

Any changes we may make to our privacy notice in the future will be provided via an updated privacy policy on our website.

This privacy notice was last updated on 31 May 2026.

If you have any questions regarding this notice or if you would like to speak to us about the manner in which we process your personal data, please email our Data Protection Point of Contact at info@chasq.com.

You also have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, at any time.

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk/concerns