1. Introduction and Identity of the Controller
Dorax Investment Company Ltd (registered in Cyprus under number HE 412387), with registered address at Spyrou Kyprianou 61, 4003 Limassol, Cyprus ("Dorax", "we", "us", or "our"), is the data controller responsible for the personal data collected through this website (doraxinvest.com) and in the course of providing trade finance intermediary services.
We are committed to protecting your privacy and handling your personal data in an open and transparent manner. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, with whom we share it, and what rights you have in relation to it. This policy is issued in compliance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the Cyprus Law on the Protection of Natural Persons with regard to the Processing of Personal Data and Free Movement of Such Data (Law 125(I)/2018).
2. Data We Collect
We collect personal data in the following categories, depending on your interaction with us:
| Category | Examples | Source |
|---|---|---|
| Identity Data | Full name, title, date of birth, nationality, passport/ID number | Directly from you |
| Contact Data | Email address, telephone number, postal address | Directly from you |
| Business Data | Company name, registration number, country of incorporation, role/position | Directly from you or public registries |
| Financial Data | Transaction amounts, bank details, instrument type, trade counterparties | Directly from you or correspondent banks |
| KYC/AML Data | Source of funds declarations, beneficial ownership information, sanctions screening results | Directly from you or third-party screening providers |
| Technical Data | IP address, browser type and version, time zone, operating system, device identifiers | Automatically via cookies and server logs |
| Usage Data | Pages visited, links clicked, referral source, session duration | Automatically via analytics tools |
| Communication Data | Emails, enquiry form submissions, WhatsApp messages, call records | Directly from you |
We do not intentionally collect special categories of personal data (e.g., health, racial or ethnic origin, political opinions, religious beliefs) unless strictly required by applicable law or with your explicit consent.
3. Legal Bases for Processing
We rely on the following legal bases under Article 6 GDPR:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide our trade finance intermediary services, including structuring Letters of Credit, SBLCs, and Bank Guarantees on your behalf.
- Legal obligation (Art. 6(1)(c)): Processing required to comply with Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) obligations under the EU 4th and 5th AML Directives, Cyprus AML Law (188(I)/2007 as amended), and FATF recommendations.
- Legitimate interests (Art. 6(1)(f)): Processing for fraud prevention, network security, business analytics, and service improvement, where these interests are not overridden by your rights.
- Consent (Art. 6(1)(a)): For non-essential cookies and direct marketing communications, where you have given freely given, specific, and informed consent. You may withdraw consent at any time.
4. Purposes of Processing
We process your personal data for the following purposes:
- Responding to enquiries submitted through our website contact form or by email;
- Conducting client onboarding, including Know Your Customer (KYC) and AML due diligence;
- Structuring and facilitating trade finance transactions on your behalf;
- Communicating with correspondent banks, issuing banks, and other financial intermediaries;
- Issuing invoices and processing fees;
- Maintaining statutory records as required by Cyprus law;
- Monitoring and improving website performance and user experience;
- Sending service-related communications and, where consent is given, marketing updates;
- Complying with regulatory reporting obligations to competent authorities.
5. Cookies and Tracking Technologies
Our website uses cookies and similar technologies. A cookie is a small text file placed on your device. We use the following categories:
| Type | Purpose | Retention |
|---|---|---|
| Strictly Necessary | Session management, security, load balancing. Cannot be disabled. | Session / 1 year |
| Analytical / Performance | Anonymous usage statistics via privacy-respecting analytics (Umami). No personal identifiers are transmitted. | 13 months |
| Functional | Remembering your cookie consent preference and language selection. | 12 months |
| Marketing | Not currently used. Any future use will require prior consent. | N/A |
You can manage your cookie preferences at any time via the cookie banner displayed on your first visit, or by adjusting your browser settings. Note that disabling strictly necessary cookies may affect website functionality.
6. Data Sharing and International Transfers
We may share your personal data with the following categories of recipients:
- Correspondent and issuing banks: Necessary to structure and execute trade finance instruments;
- KYC/AML screening providers: Third-party services for sanctions list screening and PEP checks (e.g., Refinitiv World-Check or equivalent);
- Legal and compliance advisors: Lawyers, auditors, and compliance consultants bound by professional confidentiality obligations;
- Regulatory authorities: The Cyprus Securities and Exchange Commission (CySEC), the Financial Intelligence Unit (MOKAS), and other competent authorities where required by law;
- IT service providers: Cloud hosting, email, and CRM providers acting as data processors under GDPR-compliant data processing agreements.
Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on adequacy decisions. A copy of applicable safeguards is available upon request.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our standard retention periods are:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| KYC/AML records | 10 years from end of business relationship | Cyprus AML Law Art. 61 |
| Transaction records | 10 years from transaction date | Cyprus AML Law / EU AML Directives |
| Contractual correspondence | 7 years from contract expiry | Cyprus Contract Law / Limitation Act |
| Website enquiry data | 3 years from last contact | Legitimate interests |
| Cookie consent records | 3 years | GDPR Art. 7(1) |
| Analytical data (anonymised) | Indefinite (no personal data) | N/A |
8. Your Rights Under GDPR
As a data subject, you have the following rights, subject to applicable exceptions:
- Right of access (Art. 15): Obtain a copy of the personal data we hold about you;
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data;
- Right to erasure (Art. 17): Request deletion of your data where there is no legitimate reason for continued processing;
- Right to restriction (Art. 18): Request that we restrict processing in certain circumstances;
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format;
- Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes;
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact our Data Protection Officer at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection of Cyprus (www.dataprotection.gov.cy).
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or alteration. These include TLS encryption for data in transit, access controls, staff training on data protection, and regular security assessments. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 GDPR.
10. Children's Privacy
Our services are directed exclusively at corporate clients, professional traders, and business entities. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected such data, please contact us immediately at [email protected].
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be notified via a prominent notice on our website. The "Last Reviewed" date at the top of this page indicates when the policy was most recently updated. Your continued use of our website after any changes constitutes acceptance of the revised policy.
12. Contact Us
For any questions, concerns, or requests relating to this Privacy Policy or our data processing practices, please contact:
Dorax Investment Company Ltd
Spyrou Kyprianou 61, 4003 Limassol, Cyprus
General enquiries: [email protected]
Data Protection Officer: [email protected]