Privacy Notice




  1. About Us
  2. About this Notice
  3. Sources of Personal Data Collection
  4. Categories of Personal Data we Collect
  5. How We Use Your Personal Data Lawfully
  6. How We Share Your Personal Data
  7. Cross-Border Transfers of Personal Data
  8. How we Protect and Secure Your Data
  9. Retention and Disposal of Personal Data
  10. Individual Privacy Rights
  11. Contact Us


1. About Us

The ISTARI Group (“we”, “us”, “our”) takes a holistic approach to cyber risk management and aims to build cyber resilience and long-term success for its clients. For the purpose of this notice, the ISTARI Group includes ISTARI Global Limited and certain of its associates whose affairs ISTARI Global Limited oversees and helps to manage, namely its immediate parent company, ISTARI Pte. Limited, and certain of that company’s other wholly-owned subsidiaries, being ISTARI Global (Singapore) Pte. Ltd., ISTARI Investments Holdings Pte. Ltd, ISTARI International (US) LLC and ISTARI International (UK) Limited (in all cases including any foreign branches and permanent establishments). For more information about us, please visit our website here.


2. About this Notice

This Data Protection Notice (“Notice”) describes how we collect, process, and protect your Personal Data when you interact with us. It does not form part of any contract between us, but we recommend you read it carefully. The categories of Personal Data we collect about you and how we process such data depend on the nature of our relationship with you and the means through which we interact, including when you visit our website. We take your data protection rights and our legal obligations seriously. All enquiries regarding this Notice, including how you can exercise your data subject rights, should be directed to the details provided in the Contact Us section below.

This Notice sets out detailed information regarding how we hold and process Personal Data relating to members of the general public visiting our Website, external job candidates, contractors, nominees, attendees of and/or participants in events and programmes operated by the ISTARI Academy, and other third parties including but not limited to, actual and prospective clients, investee companies, goods and service providers, partners, shareholder nominees, and journalists.

Unless stated otherwise, definitions referred to in this Notice will have the meaning given to them under applicable privacy laws. This Notice is provided by your Data Controller which is responsible for deciding how your Personal Data is used, and for ensuring that your Personal Data is handled in accordance with applicable privacy laws. Your European Data Controller is ISTARI Global Limited, save for activities relating to the ISTARI Academy where ISTARI International (UK) Limited will be the Data Controller. Unless otherwise stated, your United States (“US”) Data Controller is ISTARI International (US) LLC, and your Singapore Data Controller is ISTARI Global (Singapore) Pte Ltd.

Any third-party websites which you may access via our Website are not covered by this Notice. ISTARI accepts no responsibility or liability for the use and protection of any Personal Data which you provide to such third-party websites. You should exercise caution and read the privacy notice of the relevant third party before providing any Personal Data.


3. Sources of Personal Data Collection

We may collect Personal Data about you from several sources, including directly from yourself, from third parties, and through automated means. 

The following provides more information regarding the aforementioned sources: 


4. Categories of Personal Data we collect

We collect different categories of Personal Data about you depending on the nature of our relationship with you and the purposes for which such information is necessary in the context of our relationship. These include personal identification, financial, recruitment, marketing, monitoring, compliance and contract information, government identifiers, online identifiers, and in isolated instances, sensitive information such as dietary preferences and food allergies. 

ISTARI only collects Personal Data that is strictly necessary for the purposes for which it was collected, including:


5. Purposes we use your Personal Data for and Lawful Bases we rely on

We may use your Personal Data for different business purposes and in reliance upon different legal bases, depending on the nature of our relationship with you and in accordance with applicable privacy laws. We do not process your Personal Data for further purposes incompatible with those notified to you through this Notice. ISTARI will only process Personal Data for the purposes set out below. In doing so, we rely upon the lawful bases for processing set out in this section, subject to applicable privacy laws.

We may use each category of Personal Data we collect in the following ways (in each case, only where the processing is necessary for the purpose):

Wherever there is a business requirement to process your Personal Data for purposes that are incompatible with those described above, we will notify you of the same and obtain your consent where required by applicable privacy laws prior to engaging in any such further processing.  We do not currently sell or intend to sell your Personal Data. Should this change at any point in future we will update this Notice, notify you of any changes, and provide you with the appropriate mechanism to exercise your right to opt-out from the sale of your Personal Data. For further information regarding your privacy rights please refer to Your Individual Privacy Rights set out below.

Please note that in certain circumstances such as when you have entered or are proposing to enter into a contract with us (e.g. to provide us/you with products and/or services), the provision of Personal Data is a requirement of the contract you entered/are proposing to enter into with us. The provision of Personal Data in these circumstances is necessary to enable us to perform pre-contractual steps at your request, to enter into the contract with you, and/or to perform our legal obligations under our contract with you.


6. How We Share Your Personal Data

We may disclose your Personal Data to ISTARI subsidiaries and affiliates, third-party suppliers, service providers and business partners, law enforcement and other government agencies, companies with whom we are involved in a corporate transaction, or any other third parties.

We may share your Personal Data with the categories of recipients described below:


7. Cross-Border Transfers of Personal Data

We may need to transfer your Personal Data from the originating country to another jurisdiction for processing. Where Personal Data is transferred outside the territory where it was collected, we will implement appropriate legal mechanisms to ensure that your Personal Data remains adequately protected upon reaching its destination, as required by applicable privacy laws.

Our global operations extend across several jurisdictions including in particular the UK, US, Germany, Norway, Switzerland, and Singapore. In some instances, it may be necessary for us to transfer your Personal Data to an ISTARI entity or to a third party outside the country where it was collected. Third party recipients include organisations with whom we engage to deliver our products and services to you. In doing so, we rely on a number of legal mechanisms to ensure that your data remains protected to a standard equivalent to that afforded to it in the country of origin. Depending on the direction of transfer of Personal Data, this includes European Commission Adequacy Decisions and Standard Contractual Clauses, United Kingdom Adequacy Regulations and Standard Contractual Clauses, and other legally enforceable safeguards in accordance with applicable privacy laws. A copy of the relevant mechanism can be made available upon request by Contacting Us.


8. How we Protect and Secure Your Data

ISTARI has implemented appropriate technological and operational security measures, policies and procedures designed to protect your Personal Data against accidental or unlawful loss, disclosure, misuse, alteration, or use. We limit access to your Personal Data to those ISTARI employees, other staff and third parties who have a business need to know. They will only process your Personal Data upon our instructions, and they are subject to a duty of confidentiality. We have implemented procedures to respond appropriately to any suspected personal data breach or security incident and will notify you and relevant data protection regulators where we are legally required to do so.


9. Retention and Disposal of Personal Data

We will generally only retain your Personal Data for as long as is necessary for the purposes for which such data was collected and in line with legal, regulatory, and legitimate business requirements. This will usually be for the duration of your relationship with us plus the length of any applicable statutory limitation or obligation, as required or permitted by applicable privacy laws. Upon reaching the end of the relevant retention period, ISTARI will take steps to dispose of your Personal Data in a secure and permanent manner, in accordance with applicable privacy laws.


10. Individual Privacy Rights

Individuals whose Personal Data we process are afforded a number of rights in relation to such data, depending on the jurisdiction where they are located. To exercise your data protection rights please Contact Us. We will respond to requests in accordance with applicable privacy laws.

The specific data protection rights applicable to you are detailed in the table below, depending on the jurisdiction where you reside or are otherwise located. Please note that these data protection rights are not absolute and there may be circumstances where we may legitimately deny or limit a request as permitted by applicable privacy laws. You should also note that the specific scope of the rights and their associated exemptions may further vary from one jurisdiction to another. You will not normally have to pay a fee to access your Personal Data (or to exercise any of the other rights stated above), although we may charge a reasonable fee if your request is unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of the other rights stated below). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in order to clarify your request. We will only collect strictly necessary information to ensure that we only honour requests received from the true Data Subject or their authorised representative, in accordance with the data minimisation principle (see Our Data Protection Values). We strive to respond to all legitimate requests within the relevant deadlines pursuant to applicable privacy laws. Occasionally it may take us longer to respond if your request is particularly complex or you have made a number of different requests. In this case, we will notify you of estimated response timelines.







Jurisdictions: United States; European Economic Area (EEA) and Switzerland; United Kingdom

Right to Information: The right to receive the information set out in this Notice regarding our processing of your Personal Data.

Right to Object/Opt Out: The right to opt out of our processing of your Personal Data in certain circumstances (e.g. direct marketing, Personal Data sale, automated decisions, profiling).

Right to Restriction: The right to ask us to suspend the processing of your Personal Data in specific circumstances.

Right to Delete: The right to request us to delete or remove Personal Data where there is no lawful reason for us continuing to process it.

Right to Access: The right to receive a copy of or otherwise access Personal Data we hold about you.

Right of Rectification: The right to request that we correct or complete inaccurate Personal Data we might hold about you.

Right to Portability: The right to obtain and reuse your Personal Data for your own purposes across different services.

Right to Complain/Appeal: The right to lodge a complaint with a competent supervisory authority and/or appeal directly to us against a decision regarding Personal Data.

Right to Withdraw Consent: The right to withdraw consent at any time that you may have provided to us for processing your Personal Data (where the Legal Basis we rely on is consent).

   –  Applicable (subject to applicable exemptions)

   –  Not Applicable



11. Contact Us

If you have questions, concerns, and/or complaints regarding this Notice or you wish to exercise your data protection rights above, please contact the ISTARI Data Protection Manager by post at ISTARI Global Limited, 8 Cavendish Square, London W1G 0PD, United Kingdom, EC4A 4AB, or by e-mail to [email protected]. You also have the right to lodge a complaint with the data protection authority in the territory where you are located, should your matter remain unsettled or otherwise unsatisfied.


 Last updated May 2022.