Privacy Policy

1. Introduction

Ravenstone Advisory (F.Z.C), trading as CSP Software ("CSP Software", "we", "us", or "our") is committed to protecting the personal data of individuals who interact with our platform, website, and related services. This Privacy Policy explains how we collect, use, share, and safeguard personal data in connection with the CSP Software platform — an enterprise software-as-a-service solution designed for corporate service providers, trust companies, fund administrators, and related professional services firms.

This policy applies to all personal data processed by CSP Software in connection with (i) the provision of our software platform and professional services to our clients and their authorised users; (ii) visitors to our website at cspsoftware.com; and (iii) individuals who contact us, attend our events, or otherwise engage with us for commercial purposes.

CSP Software operates in compliance with applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU GDPR) and equivalent legislation in the jurisdictions in which we operate. We are registered with the Information Commissioner's Office (ICO) in the United Kingdom.

Please read this policy carefully. If you have questions about our data practices, contact details are provided in Section 11.

2. Information We Collect

We collect personal data in the following categories, depending on your relationship with us:

Account and User Data. When a client organisation subscribes to CSP Software, we collect information about the subscribing entity and the authorised users nominated to access the platform. This includes: full name, job title, professional role, business email address, telephone number, employer organisation name, and system credentials (username, hashed password, and multi-factor authentication details).

Platform Usage Data. As users interact with the platform, we collect records of actions taken within the system — such as entity records created or modified, documents generated, tasks completed, and compliance deadlines acknowledged. This data is used for audit trail purposes, platform integrity, and service improvement. We also collect technical metadata including IP address, browser type, operating system, session duration, and page-level interaction data.

Corporate Entity Data. Our platform processes data relating to the corporate entities, trusts, and structures managed by our clients. This may include data about beneficial owners, directors, shareholders, and other individuals associated with those entities — as entered by our clients in their capacity as data controllers. In this context, CSP Software acts as a data processor on behalf of our clients.

Enquiry and Contact Data. When you submit a demo request, contact form, or sales enquiry, we collect your name, business email address, company name, telephone number, and the content of your message.

Marketing and Event Data. If you subscribe to our newsletter, attend a webinar, or participate in an event, we collect the information necessary to manage your registration and communicate with you.

Financial and Billing Data. For clients, we collect billing contact details and payment transaction references. We do not store full payment card numbers on our systems — all payment processing is handled by certified third-party payment processors.

3. How We Use Your Information

We use the personal data we collect for the following purposes:

Service Delivery: To provision, maintain, and improve the CSP Software platform for our clients and their authorised users.
Account Management: To create and administer user accounts, manage access controls, and facilitate user authentication including multi-factor authentication.
Customer Support: To respond to support requests, diagnose technical issues, and provide assistance to platform users.
Billing and Invoicing: To process subscription payments, issue invoices, and manage billing relationships with client organisations.
Security and Fraud Prevention: To monitor for unauthorised access, detect security threats, investigate suspicious activity, and maintain the integrity of the platform.
Compliance and Audit: To maintain audit logs, support compliance with legal obligations, and respond to regulatory enquiries or legal proceedings.
Product Development: To analyse aggregated and anonymised usage patterns to improve platform functionality, develop new features, and enhance the user experience.
Marketing Communications: To send newsletters, product updates, regulatory briefings, and event invitations to individuals who have opted in or who are existing contacts, in accordance with applicable law.
Legal Obligations: To comply with our legal and regulatory obligations, including applicable data protection, financial crime prevention, and professional services regulations.

4. Legal Basis for Processing

Where we process personal data subject to the UK GDPR or EU GDPR, we do so on one or more of the following legal bases:

Contract (Article 6(1)(b)): Processing necessary for the performance of a contract with our clients or to take steps at the request of an individual prior to entering a contract — including the provision of platform services and account management.
Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate business interests or those of third parties, including platform security, fraud prevention, product improvement, and direct marketing to existing clients and professional contacts — where such interests are not overridden by the rights and interests of the data subject.
Legal Obligation (Article 6(1)(c)): Processing necessary for compliance with applicable laws and regulations, including tax, corporate, and data protection obligations.
Consent (Article 6(1)(a)): Where we rely on consent — for example, for newsletter subscriptions or the use of non-essential cookies — you may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

Where we process special categories of personal data (for example, in connection with anti-money laundering or sanctions screening conducted by our clients), we rely on the relevant provisions of Article 9 of the UK GDPR and applicable domestic law.

We do not sell personal data to third parties. We may share personal data in the following circumstances:

Sub-processors and Service Providers: We engage carefully selected third-party service providers who process data on our behalf, including cloud infrastructure providers (hosted in UK and EU data centres), customer relationship management software, payment processors, email delivery platforms, and security monitoring services. All sub-processors are bound by appropriate data processing agreements and are required to maintain adequate security standards.
Client Administrators: Within a client organisation, platform administrators may have access to user data and activity logs for users within their account.
Legal and Regulatory Disclosure: We may disclose personal data where required by law, court order, regulatory authority, or governmental body, including in connection with law enforcement investigations, anti-money laundering obligations, or legal proceedings.
Corporate Transactions: In the event of a merger, acquisition, restructuring, or sale of all or part of our business, personal data may be transferred to the relevant counterparty or successor entity, subject to appropriate confidentiality protections.
Professional Advisers: We may disclose data to lawyers, auditors, accountants, and insurers where necessary for the conduct of our business.

6. Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, including to satisfy legal, regulatory, accounting, and reporting obligations.

For active platform accounts, we retain user account data and platform activity logs for the duration of the subscription term plus a period of seven years following termination, to comply with our legal and contractual obligations, including in relation to audit trails and dispute resolution.

Where a client terminates its subscription, we will delete or anonymise client data in accordance with the terms of our Data Processing Agreement, typically within 90 days of the effective termination date, unless we are required by law to retain such data for a longer period.

Marketing contact data is retained until an individual unsubscribes or requests erasure. Enquiry data from website contact forms is retained for 24 months from the date of receipt or until the commercial relationship is concluded.

When personal data is no longer required, we take appropriate steps to delete or anonymise it securely.

7. Your Rights

Subject to applicable law, individuals whose personal data we process may have the following rights:

Right of Access: The right to request a copy of the personal data we hold about you.
Right to Rectification: The right to request correction of inaccurate or incomplete personal data.
Right to Erasure: The right to request deletion of your personal data, subject to our legal and contractual obligations to retain certain records.
Right to Restriction of Processing: The right to request that we limit the processing of your personal data in certain circumstances.
Right to Data Portability: The right to receive your personal data in a structured, commonly used, machine-readable format, where processing is based on consent or contract and carried out by automated means.
Right to Object: The right to object to processing carried out on the basis of legitimate interests, including direct marketing. Where you object to direct marketing, we will cease processing for that purpose immediately.
Rights Related to Automated Decision-Making: The right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, subject to applicable exceptions.

To exercise any of these rights, please contact us at the address set out in Section 11. We will respond to all requests within one calendar month, and will extend that period by a further two months where necessary, notifying you of any extension.

If you are dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK, or with the relevant supervisory authority in your jurisdiction.

8. Security

CSP Software implements a comprehensive information security programme designed to protect personal data against unauthorised access, disclosure, alteration, and destruction. Our technical and organisational security measures include:

AES-256 encryption for data at rest and TLS 1.3 for data in transit
Role-based access controls and least-privilege access principles
Multi-factor authentication enforced for all platform users
Continuous security monitoring, intrusion detection, and alerting
Regular independent penetration testing and vulnerability assessments
ISO 27001-aligned information security management practices
Disaster recovery and business continuity planning with tested recovery objectives
Staff security awareness training and background screening for personnel with data access

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and will notify affected individuals without undue delay where required.

9. International Transfers

CSP Software primarily processes personal data within the United Kingdom and the European Economic Area. Where we transfer personal data to third countries — including to sub-processors or service providers located outside the UK or EEA — we ensure that appropriate safeguards are in place in accordance with applicable data protection law.

Appropriate safeguards for international transfers may include: the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses; the EU Standard Contractual Clauses (Module 2 or Module 3, as applicable); or transfers to countries that benefit from an adequacy decision by the UK Secretary of State or the European Commission.

You may request a copy of the relevant transfer mechanism by contacting us at the address provided in Section 11.

10. Cookies

Our website uses cookies and similar tracking technologies to provide, maintain, and improve our services, and to analyse website traffic.

We use the following categories of cookies:

Strictly Necessary Cookies: Essential for the operation of the website and platform, including session management, security, and authentication. These cookies cannot be disabled.
Analytics Cookies: Used to collect aggregated information about how visitors use our website, including which pages are visited and how long users spend on each page. We use this data to improve our website. These cookies are only set with your consent.
Preference Cookies: Used to remember your choices and settings, such as language preferences and region. Set with your consent.
Marketing Cookies: Used to track the effectiveness of our marketing campaigns and to deliver relevant advertising. Set only with explicit consent.

You can manage your cookie preferences at any time by accessing the cookie settings on our website. Most web browsers also allow you to control cookies through browser settings. Please note that disabling certain cookies may affect the functionality of the website or platform.

11. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or have concerns about how we handle your personal data, please contact our Data Protection team:

Email: info@cspsoftware.com
Telephone: +971 6 701 1555
Postal address: Ravenstone Advisory (F.Z.C), Ajman Free Zone Authority, Ajman, United Arab Emirates

If you are an authorised user of the platform and your query relates to personal data processed within your organisation's account, please raise the matter with your organisation's account administrator in the first instance, as CSP Software acts as a data processor in relation to that data.

If you are not satisfied with our response to your query or complaint, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk, or with the supervisory authority in your jurisdiction.