PRIVACY POLICY

Sifra Group (“Sifra”, “we”, “us”, or “our”) is committed to protecting the privacy and security of personal data processed in the course of its business activities. This Privacy Policy explains how Sifra Group processes personal data and outlines the principles governing such processing in accordance with applicable data protection laws, including Regulation (EU) 2016/679 (the General Data Protection Regulation or “GDPR”).

This Privacy Policy applies to personal data processed by Sifra Group in the context of its professional services, contractual relationships, and business operations, including interactions with customers, business partners, subcontractors, and other professional contacts. It applies to personal data collected through business communications, contractual engagements, and service coordination activities.

Sifra Group operates primarily in a business-to-business context and does not offer consumer-facing services. Accordingly, the personal data processed by Sifra Group is limited in nature and relates predominantly to business contact information and service coordination requirements.

This Privacy Policy is intended to be read together with any applicable contractual terms, data processing agreements, or customer-specific privacy notices. In the event of any inconsistency, the relevant contractual or legally binding terms shall prevail.

1. CATEGORIES OF PERSONAL DATA PROCESSED

1. In the course of its business operations, Sifra Group processes personal data that is necessary for professional, contractual, and administrative purposes. The personal data processed by Sifra Group is limited in scope and relates primarily to business-to-business interactions.
2. The categories of personal data processed may include business contact information such as names, business email addresses, telephone numbers, job titles, organisational affiliations, and other information provided in the context of professional communications or contractual relationships. Where relevant, limited service-related information may also be processed to facilitate service coordination, scheduling, and communication with customers, subcontractors, and business partners.
3. Sifra Group does not intentionally collect or process special categories of personal data as defined under Article 9 of the GDPR, criminal offence data as defined under Article 10 of the GDPR, or personal data relating to children.
4. Personal data is obtained directly from the data subject, from customers or business partners in the context of contractual engagements, or through professional communications carried out in the ordinary course of business.

2. PURPOSES AND LEGAL BASES FOR PROCESSING

1. Sifra Group processes personal data solely for legitimate business purposes connected with the provision of its professional services, contractual engagements, and related operational activities. Personal data is processed only to the extent necessary and in a manner that is consistent with applicable data protection laws.
2. The purposes for which personal data may be processed include, as applicable:
- 2.1. managing contractual and business relationships with customers, vendors, subcontractors, and business partners;
- 2.2. coordinating and administering services, including scheduling, communications, and service-related support;
- 2.3. conducting business communications and responding to enquiries;
- 2.4. fulfilling legal, regulatory, and contractual obligations; and
- 2.5. managing internal administrative, accounting, and compliance functions.
3. Sifra Group processes personal data on one or more of the following legal bases, as appropriate under the GDPR:
- 3.1. where processing is necessary for the performance of a contract or to take steps at the request of the data subject prior to entering into a contract;
- 3.2. where processing is necessary for compliance with a legal obligation to which Sifra Group is subject; and
- 3.3. where processing is necessary for the purposes of Sifra Group’s legitimate interests, provided that such interests are not overridden by the fundamental rights and freedoms of the data subject.
4. Sifra Group does not process personal data for purposes that are incompatible with the purposes described above and does not use personal data for independent profiling, marketing to consumers, or automated decision-making.

3. DATA SHARING AND DISCLOSURE

1. Sifra Group does not sell personal data and does not disclose personal data to third parties except where such disclosure is necessary for legitimate business purposes, the performance of contractual obligations, or compliance with applicable legal requirements.
2. Personal data may be shared, where appropriate, with customers, business partners, and subcontractors engaged by Sifra Group for the purpose of delivering services, coordinating activities, or fulfilling contractual obligations. Any such disclosure is limited to the minimum personal data necessary and is carried out in accordance with applicable data protection laws and contractual arrangements.
3. Sifra Group may also disclose personal data to professional advisers, service providers, or vendors who support its business operations, such as providers of IT systems, communication platforms, accounting, or legal services, where such disclosure is required for operational or compliance purposes.
4. Personal data may be disclosed where required to comply with applicable laws, regulations, legal processes, or enforceable governmental requests, or where necessary to protect the rights, property, or safety of Sifra Group, its customers, or others.
5. Where personal data is shared with third parties, Sifra Group takes appropriate steps to ensure that such parties are subject to confidentiality and data protection obligations consistent with applicable law and the nature of the services provided.

4. DATA RETENTION AND DELETION

1. Sifra Group retains personal data only for as long as is necessary to fulfil the purposes for which it was collected and processed, including the performance of contractual obligations, compliance with legal and regulatory requirements, and the resolution of disputes.
2. Retention periods are determined taking into account the nature of the personal data, the purpose of processing, applicable legal or contractual obligations, and legitimate business requirements. Personal data that is no longer required for these purposes is securely deleted or anonymised in accordance with Sifra Group’s internal data management practices.
3. Where personal data is processed on behalf of customers or in connection with subcontracted services, retention and deletion are carried out in accordance with applicable contractual arrangements and documented instructions, subject to any overriding legal obligations.
4. Sifra Group takes reasonable steps to ensure that personal data is not retained in an identifiable form for longer than necessary and that deletion or anonymisation is performed in a manner appropriate to the systems and platforms used.

5. DATA SECURITY MEASURES

1. Sifra Group implements appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, taking into account the nature of the personal data processed and the risks associated with such processing.
2. Access to personal data is restricted to authorised individuals who require such access for legitimate business purposes. Confidentiality obligations apply to all personnel and subcontractors who may have access to personal data in the course of their engagement with Sifra Group.
3. Technical safeguards are implemented primarily through the enterprise systems and platforms used by Sifra Group for business operations and service coordination. These safeguards include access controls, authentication mechanisms, and security features provided by third-party service providers in accordance with their standard security configurations.
4. Sifra Group does not operate customer production environments or independently manage security controls within customer or end-user systems. Responsibility for system-level security, patching, monitoring, and infrastructure protection within such environments remains with the relevant customer, except where expressly agreed otherwise in writing.
5. Sifra Group reviews its security practices periodically and takes reasonable steps to address identified risks in a manner proportionate to its operating model, service scope, and legal obligations.

6. INTERNATIONAL DATA TRANSFERS

1. Sifra Group processes personal data primarily within the European Economic Area (“EEA”). Where personal data is accessed or processed outside the EEA, such processing occurs only where necessary for legitimate business purposes and in accordance with applicable data protection laws.
2. International transfers of personal data may occur, for example, where subcontractors, service providers, or business partners involved in service delivery are located outside the EEA. In such cases, Sifra Group takes appropriate steps to ensure that personal data is protected by safeguards recognised under applicable data protection law, taking into account the nature of the transfer and the role of the recipient.
3. Sifra Group does not engage in unrestricted or systematic transfers of personal data outside the EEA. Any international access or transfer is limited to what is necessary for the performance of contractual obligations or operational requirements and is subject to appropriate contractual or organisational protections.
4. Where required by law, Sifra Group relies on recognised transfer mechanisms or safeguards to ensure an adequate level of protection for personal data transferred internationally.

7. DATA SUBJECT RIGHTS

1. Data subjects whose personal data is processed by Sifra Group are entitled to exercise the rights available to them under applicable data protection laws, including the GDPR, subject to any limitations or conditions provided by law.
2. Depending on the circumstances, these rights may include the right to request access to personal data, the right to request rectification of inaccurate or incomplete personal data, the right to request erasure of personal data, the right to request restriction of processing, the right to object to certain processing activities, and the right to request data portability.
3. Where Sifra Group processes personal data on behalf of customers or in connection with subcontracted services, requests relating to the exercise of data subject rights may be referred to the relevant customer or data controller, as appropriate, in accordance with applicable contractual arrangements and legal requirements.
4. Sifra Group will respond to data subject requests within the timeframes prescribed by applicable law and may request additional information where necessary to verify the identity of the requesting individual.

8. CONTACT DETAILS AND COMPLAINTS

1. Any questions, requests, or concerns relating to this Privacy Policy or the processing of personal data by Sifra Group may be directed to Sifra Group using the contact details provided below or through the relevant contractual point of contact.
2. Where a data subject considers that the processing of personal data by Sifra Group infringes applicable data protection laws, the data subject has the right to lodge a complaint with the competent supervisory authority in the jurisdiction in which the data subject is habitually resident, works, or where the alleged infringement occurred.
3. Sifra Group encourages data subjects to contact Sifra Group in the first instance in order to address any concerns or queries relating to the processing of personal data.

9. UPDATES TO THIS PRIVACY POLICY

1. Sifra Group may update this Privacy Policy from time to time to reflect changes in its business operations, legal or regulatory requirements, or data protection practices. Any updates will be made available through appropriate channels.
2. Where required by applicable law, Sifra Group will take reasonable steps to notify affected individuals of material changes to this Privacy Policy.