Data Protection Policy

Data Protection Information

Document Information

Last Updated: March 25, 2026

1.1 INTRODUCTION AND COMMITMENT

Global Wealth (“the Firm,” “we,” “us,” or “our”) recognizes that data protection and information security are fundamental to maintaining the trust and confidence of our distinguished clientele, which includes high-net-worth individuals (HNWIs), ultra-high-net-worth individuals (UHNWIs), family offices, corporate entities, institutional investors, and strategic partners across the globe. As a premier funding intermediary operating at the intersection of high-value projects and institutional capital, we handle highly sensitive financial, strategic, and personal information that demands the highest standards of protection.

 

This Data Protection Policy (“Policy”) establishes the comprehensive framework through which Global Wealth protects personal data and confidential information entrusted to us by clients, partners, and stakeholders. This Policy reflects our institutional commitment to data integrity, confidentiality, security, and compliance with applicable data protection laws across all jurisdictions where we operate.

 

This Policy applies universally across all Global Wealth operations, including our Global Headquarters in Manila (Philippines), our regional hubs in Dubai (UAE), Singapore, and Port Louis (Mauritius), and extends to all employees, officers, directors, contractors, consultants, and third-party service providers who process data on behalf of Global Wealth.

 

This Data Protection Policy should be read in conjunction with our Privacy Policy, which provides specific details about our data collection and processing practices, and our Terms and Conditions, which govern the legal relationship between Global Wealth and users of our services.

1.2 THE GLOBAL WEALTH STANDARD

Data protection at Global Wealth is not merely a compliance obligation—it is a core institutional value and competitive differentiator that forms the foundation of our client relationships. The Global Wealth Standard for data protection encompasses several fundamental principles:

 

Institutional Pedigree: We maintain data protection practices that reflect the institutional expectations of the world’s most sophisticated capital providers, family offices, and financial institutions. Our standards meet or exceed those typically found in premier investment banks, private equity firms, and elite wealth management institutions.

 

Zero-Tolerance for Breaches: We operate under a zero-tolerance approach to data breaches and security incidents. Every potential risk is treated with utmost seriousness, and comprehensive preventive measures are implemented at every layer of our operations.

 

Privacy by Design: Data protection is embedded into the architecture of our systems, processes, and business practices from the earliest design stages, rather than being added as an afterthought. Every new initiative, platform, or process undergoes rigorous privacy impact assessment before implementation.

 

Confidentiality Culture: We cultivate a corporate culture where confidentiality is understood, valued, and practiced by every team member. Regular training, clear accountability structures, and ethical leadership ensure that data protection remains a daily priority.

 

Continuous Improvement: We continuously monitor emerging threats, evolving best practices, regulatory developments, and technological innovations to ensure that our data protection measures remain at the forefront of industry standards.

 

Transparency and Accountability: We maintain clear, documented policies and procedures, assign specific responsibilities for data protection, conduct regular audits, and hold ourselves accountable to the highest ethical and legal standards.

1.3 REGULATORY COMPLIANCE FRAMEWORK

Global Wealth operates in a complex, multi-jurisdictional regulatory environment. We have designed our data protection framework to comply with applicable laws in all regions where we operate, maintain offices, or serve clients. Our compliance framework encompasses:

 

1.3.1 Philippines Data Privacy Act of 2012 (RA 10173)

 

As our Global Headquarters is located in the Philippines, we operate under the jurisdiction of the Philippine National Privacy Commission (NPC) and fully comply with the Data Privacy Act of 2012 and its implementing rules and regulations. Our compliance includes:

 

  • Registration with the National Privacy Commission as a data controller and processor
  • Appointment of a qualified Data Protection Officer (DPO) with direct reporting to senior management
  • Implementation of organizational, physical, and technical security measures as required by NPC regulations
  • Maintenance of comprehensive data processing records and documentation
  • Compliance with breach notification requirements within seventy-two (72) hours of breach discovery
  • Regular submission of compliance reports and cooperation with NPC inquiries
  • Adherence to requirements for processing sensitive personal information and privileged information
  • Implementation of appropriate safeguards for cross-border data transfers

 

1.3.2 Singapore Personal Data Protection Act (PDPA)

 

Our Singapore hub operates under the authority of the Personal Data Protection Commission (PDPC) and complies fully with the PDPA, including:

 

  • Adherence to data protection obligations for consent, collection, use, disclosure, accuracy, protection, retention, and transfer
  • Implementation of Do Not Call (DNC) Registry compliance for marketing communications
  • Appointment of a local Data Protection Officer for Singapore operations
  • Notification of data breaches to PDPC where required
  • Compliance with accountability requirements including policies, procedures, and training
  • Proper handling of requests for access and correction of personal data
  • Implementation of appropriate safeguards for overseas data transfers

 

1.3.3 European Union General Data Protection Regulation (GDPR)

 

Although Global Wealth does not maintain a physical presence within the European Union, we may process personal data of EU residents and therefore comply with GDPR requirements where applicable, including:

 

  • Lawful bases for processing (consent, contract, legal obligation, legitimate interests, etc.)
  • Enhanced transparency requirements and detailed privacy notices
  • Expanded individual rights (access, rectification, erasure, restriction, portability, objection)
  • Data protection by design and by default
  • Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Strict requirements for international data transfers (Standard Contractual Clauses, adequacy decisions)
  • Mandatory breach notification to supervisory authorities within seventy-two (72) hours
  • Designation of EU representative where required
  • Record-keeping obligations for processing activities

 

1.3.4 United Kingdom GDPR and Data Protection Act 2018

 

Following the UK’s departure from the European Union, we maintain compliance with UK GDPR and relevant UK data protection legislation, which closely mirrors EU GDPR with certain modifications specific to UK law.

 

1.3.5 UAE and DIFC Data Protection Laws

 

Our Dubai office, operating within the Dubai International Financial Centre (DIFC), complies with:

 

  • DIFC Data Protection Law (DIFC Law No. 5 of 2020), which closely aligns with GDPR standards
  • UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data
  • Regulations of the Office of the Data Protection Commissioner (DIFC)
  • Sector-specific regulations applicable to financial services within DIFC

 

1.3.6 Mauritius Data Protection Act 2017

 

Our Mauritius operations comply with the Data Protection Act 2017 and regulations of the Data Protection Office, including requirements for registration, data subject rights, security measures, and international transfers.

 

1.3.7 Other Jurisdictions

 

We also maintain awareness of and, where applicable, comply with data protection regulations in other jurisdictions where we have clients or process data, including but not limited to:

 

  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) for California residents
  • Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Australian Privacy Act 1988 and Privacy Principles
  • Hong Kong Personal Data (Privacy) Ordinance
  • Other relevant national and regional data protection laws

1.4 TECHNICAL SAFEGUARDS AND SECURITY MEASURES

Global Wealth implements comprehensive technical security measures designed to protect personal data and confidential information against unauthorized access, alteration, disclosure, or destruction:

 

1.4.1 Encryption and Cryptographic Controls

 

Data in Transit: All data transmitted between users and our platforms is protected using Transport Layer Security (TLS) 1.2 or higher encryption with strong cipher suites. This includes all website communications, Project Submission Portal interactions, email communications, and API connections.

 

Data at Rest: Sensitive personal data, financial information, and confidential project documentation stored on our servers and databases are encrypted using industry-standard encryption algorithms (AES-256 or equivalent). Encryption keys are managed through secure key management systems with appropriate access controls and rotation policies.

 

End-to-End Encryption: For particularly sensitive communications and document transfers, we implement end-to-end encryption to ensure that data remains encrypted throughout its entire journey and can only be decrypted by intended recipients.

 

Database Encryption: Our databases containing personal data are protected through transparent data encryption (TDE), encrypted backups, and encrypted database connections.

 

1.4.2 Access Controls and Authentication

 

Role-Based Access Control (RBAC): Access to personal data and confidential information is strictly controlled based on role, responsibility, and business need. Users are granted minimum necessary access privileges required to perform their specific job functions.

 

Multi-Factor Authentication (MFA): All access to systems containing personal data requires multi-factor authentication, combining something the user knows (password), something the user has (authentication token or mobile device), and in some cases, something the user is (biometric authentication).

 

Strong Password Requirements: We enforce strong password policies including minimum length, complexity requirements, regular password changes, and prohibitions against password reuse.

 

Privileged Access Management: Administrative and privileged access to critical systems is tightly controlled, monitored, and subject to additional authentication and approval requirements.

 

Session Management: User sessions are subject to timeout policies, with automatic logout after periods of inactivity to prevent unauthorized access from unattended terminals.

 

Access Review: We conduct regular reviews of user access rights to ensure that permissions remain appropriate and that access for departed or role-changed personnel is promptly revoked.

 

1.4.3 Network Security

 

Firewall Protection: Multi-layered firewall architecture protects our network perimeter and segments internal networks to limit lateral movement in the event of a compromise.

 

Intrusion Detection and Prevention Systems (IDPS): Continuous monitoring systems detect and respond to suspicious network activity, potential intrusions, and security anomalies.

 

Network Segmentation: Our network is segmented into zones based on trust levels and data sensitivity, with strict controls governing communication between segments.

 

Virtual Private Networks (VPNs): Remote access to internal systems requires connection through secure, encrypted VPN tunnels with strong authentication.

 

Denial of Service (DoS) Protection: We implement DDoS mitigation services to maintain availability and protect against volumetric attacks.

 

1.4.4 Application Security

 

Secure Development Lifecycle: We follow secure coding practices throughout the software development lifecycle, including threat modeling, security requirements definition, code reviews, and security testing.

 

Input Validation: All user inputs are validated and sanitized to prevent injection attacks (SQL injection, cross-site scripting, command injection, etc.).

 

Security Testing: Regular vulnerability assessments, penetration testing, and security audits identify and remediate potential weaknesses in our applications and infrastructure.

 

Patch Management: We maintain a disciplined patch management process to ensure that security updates are evaluated and applied promptly to operating systems, applications, and infrastructure components.

 

API Security: Application programming interfaces (APIs) are protected through authentication, authorization, rate limiting, input validation, and security logging.

 

1.4.5 Data Loss Prevention (DLP)

 

We implement data loss prevention technologies and policies to prevent unauthorized disclosure or exfiltration of sensitive data through email, removable media, cloud storage, or other channels. DLP controls include content inspection, policy enforcement, and automated response to policy violations.

1.5 ORGANIZATIONAL AND PHYSICAL SAFEGUARDS

Technical controls are complemented by robust organizational and physical security measures:

 

1.5.1 Data Protection Governance

 

Data Protection Officer (DPO): Global Wealth has appointed a qualified, independent Data Protection Officer who oversees compliance with data protection laws, advises on privacy matters, conducts audits, serves as the point of contact for supervisory authorities, and receives reports of potential data protection issues. Our Global DPO has appropriate expertise in data protection law and practice and has access to senior management.

 

Privacy Committee: A cross-functional Privacy Committee meets regularly to review data protection policies, assess emerging risks, oversee privacy initiatives, and ensure organizational alignment on privacy matters.

 

Clear Accountability: Data protection responsibilities are clearly assigned across the organization, with documented roles and responsibilities for data controllers, processors, Privacy Champions, and all personnel who handle personal data.

 

Policies and Procedures: Comprehensive, documented policies and procedures govern all aspects of data processing, security, breach response, vendor management, and compliance.

 

1.5.2 Personnel Security

 

Background Checks: All employees, contractors, and consultants who will have access to confidential information undergo appropriate background verification prior to engagement, including employment history verification, reference checks, and where legally permissible and appropriate, criminal record checks.

 

Confidentiality Agreements: All personnel sign comprehensive confidentiality and non-disclosure agreements before being granted access to confidential information or personal data.

 

Security Training: All personnel receive mandatory data protection and information security training upon onboarding and regular refresher training thereafter. Training covers data protection principles, security best practices, phishing awareness, incident reporting, and specific regulatory requirements.

 

Specialized Training: Personnel with specific data protection responsibilities (DPO, IT security team, legal counsel, compliance officers) receive specialized, role-specific training appropriate to their functions.

 

Awareness Programs: Ongoing security awareness campaigns keep data protection top-of-mind through communications, simulated phishing exercises, security tips, and incident case studies.

 

Code of Conduct: Our employee Code of Conduct establishes clear expectations for ethical behavior, confidentiality, data protection, conflicts of interest, and professional standards.

 

Disciplinary Measures: Violations of data protection policies are taken seriously and may result in disciplinary action up to and including termination of employment or engagement.

 

1.5.3 Physical Security

 

Office Access Controls: Our offices implement physical access controls including security personnel, access card systems, visitor management, surveillance systems, and restricted area designations.

 

Secure Work Areas: Areas where sensitive data is processed are subject to enhanced physical security measures, including additional access restrictions, visual privacy controls, and clean desk policies.

 

Equipment Security: Computers, servers, networking equipment, and storage media containing personal data are secured against theft, unauthorized access, and environmental hazards.

 

Secure Disposal: Physical documents, hard drives, and other media containing personal data are securely destroyed using shredding, degaussing, or other approved methods that render data irrecoverable.

 

Mobile Device Management: Laptops, tablets, and smartphones used to access or store personal data are protected through device encryption, remote wipe capabilities, password protection, and automatic locking.

1.6 SOVEREIGN DATA HANDLING AND CONFIDENTIALITY

Given the nature of our business and the exceptional sensitivity of the information we handle, Global Wealth has implemented specialized protocols for sovereign data handling:

 

Segregated Storage: Project documentation and client information for different mandates are stored in logically or physically segregated systems to prevent unauthorized cross-contamination or access.

 

Need-to-Know Access: Personal data and project information are accessible only to personnel with a legitimate business need to access such information for specific, authorized purposes. General staff do not have access to confidential client or project data.

 

Confidentiality Rings: For particularly sensitive mandates, we establish confidentiality rings with strictly limited access, enhanced monitoring, and additional security controls.

 

Information Barriers: We implement information barriers (ethical walls) to prevent conflicts of interest and unauthorized information flows between different client engagements or business functions where appropriate.

 

Client Data Isolation: Each client’s data is treated as confidential and is not shared with other clients or used for purposes beyond the specific engagement without explicit authorization.

1.7 VENDOR AND THIRD-PARTY MANAGEMENT

Global Wealth carefully selects and manages third-party service providers who process personal data on our behalf:

 

Vendor Assessment: Before engaging any third-party processor, we conduct due diligence to assess their data protection practices, security controls, regulatory compliance, financial stability, and reputation.

 

Contractual Safeguards: All third-party processors are bound by written data processing agreements that:

  • Clearly define the scope, purpose, and duration of processing
  • Impose strict confidentiality obligations
  • Require implementation of appropriate technical and organizational security measures
  • Prohibit unauthorized data use or disclosure
  • Establish procedures for handling data subject requests
  • Address breach notification requirements
  • Include audit rights and compliance monitoring
  • Specify requirements for sub-processors
  • Address data return or deletion upon contract termination

 

Ongoing Monitoring: We maintain oversight of third-party processors through regular compliance reviews, security audits, questionnaires, and performance monitoring.

 

Sub-Processor Approval: Third-party processors must obtain our prior approval before engaging sub-processors, and such sub-processors must be bound by equivalent data protection obligations.

 

Vendor Categories: Third parties who may process data on our behalf include:

  • Cloud infrastructure and hosting providers
  • Software-as-a-Service (SaaS) platforms
  • Cybersecurity and monitoring services
  • Compliance screening and due diligence providers
  • Professional advisors (legal, accounting, consulting)
  • IT support and managed services providers
  • Backup and disaster recovery services

1.8 DATA BREACH PREVENTION AND RESPONSE

Despite comprehensive preventive measures, Global Wealth maintains a robust incident response capability to detect, contain, and respond to potential data breaches:

 

1.8.1 Continuous Monitoring

 

We implement continuous monitoring and logging of systems, networks, applications, and user activities to detect potential security incidents, unauthorized access, data exfiltration, malware, or other threats. Security Information and Event Management (SIEM) systems aggregate and analyze logs from multiple sources to identify suspicious patterns.

 

1.8.2 Incident Response Plan

 

Our documented Incident Response Plan establishes clear procedures for:

  • Detection and initial assessment of potential incidents
  • Classification and severity rating
  • Escalation and notification procedures
  • Containment and mitigation actions
  • Investigation and root cause analysis
  • Evidence preservation and forensics
  • Remediation and recovery
  • Lessons learned and preventive improvements

 

1.8.3 Incident Response Team

 

A designated Incident Response Team includes representatives from IT security, legal, compliance, privacy, senior management, and external specialists as needed. The team is trained, regularly exercises incident scenarios, and maintains 24/7 availability for critical incidents.

 

1.8.4 Breach Notification

 

In the event of a personal data breach that poses risks to individual rights and freedoms, Global Wealth will:

 

  • Notify affected data subjects without undue delay and, where feasible, within seventy-two (72) hours of breach discovery
  • Notify relevant supervisory authorities as required by applicable data protection laws (typically within 72 hours)
  • Provide clear information about the nature of the breach, categories and approximate numbers of affected individuals, potential consequences, measures taken or proposed to address the breach, and contact information for further inquiries
  • Cooperate fully with regulatory investigations
  • Document all breaches in an internal breach register, including circumstances, effects, and remedial actions taken

1.9 DATA RETENTION AND DISPOSAL

Personal data is retained only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements:

 

Retention Schedule: We maintain a documented data retention schedule that specifies retention periods for different categories of data based on legal requirements, regulatory obligations, business needs, and industry standards.

 

Minimum Retention Periods:

  • Active client relationship data: Duration of relationship plus applicable legal retention period
  • Project documentation and financial records: Seven (7) to ten (10) years following project completion
  • AML/KYC compliance records: Five (5) to ten (10) years depending on jurisdiction
  • Communications and correspondence: As required by applicable record-keeping obligations
  • Employee records: Duration of employment plus statutory period (typically 7 years)
  • Marketing data: Until consent is withdrawn or legitimate interest ceases

 

Secure Disposal: Upon expiration of the retention period, personal data is securely disposed of through:

  • Permanent deletion from active systems and backups
  • Anonymization or de-identification for data retained for statistical purposes
  • Physical destruction of hard copy records through cross-cut shredding or incineration
  • Degaussing or physical destruction of electronic media
  • Certified data destruction services for sensitive materials

 

Disposal Documentation: We maintain records of data disposal activities for accountability and verification purposes.

 

Legal Hold: Data subject to legal hold, litigation, investigation, or audit is retained beyond normal retention periods until the hold is released.

1.10 INTERNATIONAL DATA TRANSFERS

Global Wealth operations involve transfers of personal data across international borders. All such transfers are conducted in compliance with applicable data protection laws:

 

Transfer Mechanisms:

  • European Commission Standard Contractual Clauses (SCCs) for transfers from the EU/EEA
  • UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs for transfers from the UK
  • Singapore Model Contractual Clauses or accountability framework for transfers subject to Singapore PDPA
  • Approved certifications and codes of conduct where available
  • Explicit consent where appropriate
  • Transfers necessary for contract performance or legal obligations

 

Transfer Risk Assessments: We conduct Transfer Impact Assessments (TIAs) to evaluate risks associated with international data transfers, particularly to jurisdictions that may not provide adequate data protection or where government surveillance laws may affect data security.

 

Supplementary Measures: Where necessary to address risks identified in TIAs, we implement supplementary technical, contractual, and organizational measures such as enhanced encryption, data minimization, additional contractual protections, and transparent documentation.

1.11 DATA SUBJECT RIGHTS

Global Wealth respects and facilitates the exercise of data subject rights provided under applicable data protection laws:

 

Right to Information: Transparent information about data processing through privacy notices

Right of Access: Confirmation of data processing and copies of personal data

Right to Rectification: Correction of inaccurate or incomplete data

Right to Erasure (Right to be Forgotten): Deletion of personal data under certain circumstances

Right to Restriction: Limitation of processing in certain situations

Right to Data Portability: Transfer of data in machine-readable format

Right to Object: Objection to processing based on legitimate interests or direct marketing

Right to Withdraw Consent: Where processing is based on consent

Right to Lodge Complaint: Complaint to supervisory authorities

Rights Related to Automated Decision-Making: Protection against solely automated decisions with significant effects

 

Exercising Rights: Data subjects may exercise their rights by contacting our Data Protection Officer at legal@globalwealth.finance. We respond to requests within legally required timeframes (typically thirty (30) days) and verify identity before fulfilling requests to prevent unauthorized disclosure.

1.12 PRIVACY IMPACT ASSESSMENTS

For processing activities that are likely to result in high risk to individual rights and freedoms (such as systematic large-scale processing, processing of sensitive data categories, automated decision-making with significant effects, or large-scale monitoring), we conduct Data Protection Impact Assessments (DPIAs) before commencing processing.

 

DPIAs systematically assess:

  • Nature, scope, context, and purposes of processing
  • Necessity and proportionality of processing
  • Risks to individual rights and freedoms
  • Measures to address risks and demonstrate compliance
  • Stakeholder consultation where appropriate
  • Need for, and consultation with, the supervisory authority

1.13 UPDATES AND CONTINUOUS IMPROVEMENT

This Data Protection Policy is subject to regular review and update to reflect:

  • Changes in applicable laws and regulations
  • Evolving industry best practices and standards
  • Technological advancements
  • Organizational changes
  • Lessons learned from audits, incidents, or assessments
  • Feedback from stakeholders and supervisory authorities

 

Material policy changes are communicated to relevant stakeholders, and the “Last Updated” date reflects the most recent revision.

1.14 CONTACT INFORMATION

Global Data Privacy Officer

Email: legal@globalwealth.finance

Postal Address: GT Tower International, Makati City, Metro Manila, Philippines

 

Regional Privacy Contacts:

  • Headquarters (Manila): hq@globalwealth.finance
  • Middle East Hub (Dubai): dubai@globalwealth.finance
  • Asia Hub (Singapore): singapore@globalwealth.finance
  • Regional Office (Mauritius): mauritius@globalwealth.finance

 

To make a data protection inquiry, exercise your rights, report a potential data protection concern, or request additional information about our data protection practices, please contact our Global Data Privacy Officer using the information above.

 

Supervisory Authority Contacts:

 

If you are not satisfied with our response to your data protection inquiry, you have the right to lodge a complaint with the relevant supervisory authority:

 

  • Philippines: National Privacy Commission (www.privacy.gov.ph)
  • Singapore: Personal Data Protection Commission (www.pdpc.gov.sg)
  • EU/EEA: Your local data protection authority (see https://edpb.europa.eu/)
  • UK: Information Commissioner’s Office (www.ico.org.uk)
  • UAE/DIFC: Office of the Data Protection Commissioner (www.difc.ae)

 

Global Wealth is committed to cooperating fully with supervisory authorities and addressing any concerns raised through regulatory channels.