Data Protection Policy

This Data Protection Policy explains how Circlworld implements its obligations under applicable data protection law. It complements our Privacy Notice, which describes what data we collect and what we do with it.

This Policy is for users, partners, regulators, and other parties who need to understand the framework within which Circlworld processes personal data — the legal bases, the safeguards, the contractual relationships with data processors, the retention schedules, and the mechanisms by which you can enforce your rights.

1. Scope and application

1.1 Who this Policy applies to

This Policy applies to all personal data processed by:

Circlworld Technology Limited (Jamaica) — for members and treasurer partners ordinarily resident outside the United Kingdom
Circlworld Technology Ltd (England and Wales) — for members and treasurer partners ordinarily resident in the United Kingdom

Together referred to as "Circlworld" or "we" in this Policy.

1.2 Personal data covered

The personal data covered by this Policy includes:

Account identification (name, email, phone, address)
Identity verification data (KYC documents, biometric verification results)
Financial activity data (circle participation, contributions, payouts)
Trust profile data (participation events, endorsements, dispute history)
Device and usage data (IP, device fingerprint, session activity)
Treasurer-specific data (Programme enrollment, earnings, performance metrics)
AI interaction data (queries submitted to AI Assist)
Communication records (support tickets, complaints, in-platform messages)

1.3 Geographic scope

This Policy applies regardless of where in the world you are physically located when interacting with Circlworld. The applicable law is determined by:

Your ordinarily-resident jurisdiction
The Circlworld entity that contracts with you (per Section 1.1)
The location of the processing activity

2. Legal frameworks

Circlworld complies with:

2.1 United Kingdom

UK General Data Protection Regulation (UK GDPR), as retained and modified by the UK Data Protection Act 2018
UK Data Protection Act 2018
Privacy and Electronic Communications Regulations 2003 (PECR), as amended
Information Commissioner's Office (ICO) guidance

2.2 Jamaica

Jamaica Data Protection Act 2020
Office of the Information Commissioner (OIC) regulations and guidance

2.3 Other jurisdictions

As Circlworld expands, we will comply with applicable data protection law in each operating jurisdiction. Current contemplated frameworks include:

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) for US California residents
Other US state laws (Colorado, Virginia, Connecticut, Utah, and emerging others) as US expansion occurs
Brazilian LGPD for any Brazilian users
Caribbean and African data protection frameworks as expansion proceeds

Where multiple frameworks apply to a single user, we apply the highest standard.

3. Our role: Data Controller

3.1 Controller designation

Circlworld is the data controller for personal data processed in connection with the platform. As controller, we determine the purposes and means of processing.

The legal entities acting as controllers are:

Circlworld Technology Limited (Jamaica), for users ordinarily resident outside the UK
Circlworld Technology Ltd (England and Wales), for UK users

3.2 Registration

Each Circlworld entity is registered with its applicable supervisory authority:

Jamaica: Registered with the Office of the Information Commissioner (registration to be completed at incorporation)
United Kingdom: Registered with the Information Commissioner's Office (registration to be completed at incorporation; UK GDPR registration is straightforward)

Registration details are published on our Contact page once finalised.

3.3 Joint controller relationships

In limited cases, we operate as joint controller with third parties:

KYC verification providers (Onfido, Smile ID, Persona, Sumsub) — joint controllership for identity verification data, governed by data processing agreements with each provider
Lender API partners — joint controllership when Trust Reports are shared, with members consenting explicitly to each share

Joint controller agreements specify each party's responsibilities and how data subject rights are exercised.

3.4 Processor relationships

We use a number of data processors acting under our control. The current list is maintained in Section 12 of this Policy.

4. Lawful bases for processing

We process personal data on one or more of the following lawful bases. For each category of data, we identify the specific basis.

We process personal data because it is necessary to perform the contract between you and Circlworld. This applies to:

Account creation and management
Circle participation infrastructure
Trust profile generation
Payment processing and Programme earnings (for treasurer partners)
Customer support

We process personal data because we are required to by law. This applies to:

KYC verification (anti-money-laundering legislation)
Sanctions and PEP screening (anti-money-laundering legislation)
Tax reporting (HMRC, Tax Administration Jamaica, IRS)
Suspicious Transaction Reports / Suspicious Activity Reports (NCA, FID, FinCEN)
Court orders and regulatory directives
Statutory complaints and enforcement processes

We process personal data because it is in our or a third party's legitimate interests, balanced against your rights. This applies to:

Platform security and fraud prevention
Anomaly detection in audit logs
Service improvement and analytics (aggregated, where possible anonymised)
Direct communication with current users about service updates
Defending legal claims
Responding to complaints

For each legitimate interest, we have completed a Legitimate Interests Assessment (LIA) that:

Identifies the specific interest
Demonstrates necessity
Balances the interest against your rights
Documents the assessment

LIAs are available to regulators on request.

We process some personal data only with your explicit consent. This applies to:

Marketing communications (you can opt in or out)
Cross-border AI processing (you can opt out of AI Assist)
Sharing Trust Reports with third parties (each share requires consent)
Optional features that involve additional data processing
Cookies and similar technologies (per our Cookie Policy)

Consent is:

Freely given — you are not penalised for refusing
Specific — separate consent for each purpose
Informed — you receive clear information before consenting
Unambiguous — affirmative action required (not pre-ticked boxes)
Withdrawable — at any time, as easily as it was given

In rare cases, we process data to protect someone's vital interests (life or physical integrity). Examples include:

Responding to a suspected self-harm or imminent threat scenario
Cooperating with emergency services where lives are at risk

Generally not applicable to Circlworld, but may apply in narrow contexts such as cooperation with public health authorities or law enforcement under appropriate legal frameworks.

5. Special category (sensitive) data

We do not collect special category data (sometimes called sensitive personal data) under normal operation. This category includes:

Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data for unique identification
Health data
Sexual orientation or sex life
Criminal convictions (treated as a special category under UK law)

5.1 Limited exceptions

In two narrowly-defined cases, we do process data that may include or imply special category information:

Biometric data for identity verification. KYC providers (Onfido, Smile ID, Persona, Sumsub) capture biometric data (face matching against ID document) for identity verification. This is:

Processed by the KYC provider, not by Circlworld directly
Performed on the basis of Article 9(2)(g) UK GDPR (substantial public interest — preventing financial crime) and Jamaica DPA equivalent
Retained by the KYC provider per their own retention policy
Not shared with Circlworld beyond a verification result (verified or not)
Subject to your specific consent at the time of KYC

Inference avoidance. Some platform interactions could theoretically reveal special category data (e.g., a circle named "Sunday Worship Pardna" implies religious affiliation). We:

Do not actively process such inferences
Do not include such inferences in algorithms or AI prompts
Do not share such inferences with third parties
Treat any inadvertently-processed inferences as if they were special category data

If you believe we are processing special category data about you, contact privacy@circlworld.com for clarification or correction.

6. Children's data

Circlworld is for users 18 and over. We do not knowingly process the personal data of anyone under 18.

If we identify or suspect that a user is a minor:

We suspend the account pending review
We do not process the minor's data beyond what is necessary for safety review
We delete the data in accordance with applicable legal requirements
We notify the suspected minor's parents/guardians where appropriate and legally permitted
We do not market the platform to minors

If you believe a minor's data has been processed, contact privacy@circlworld.com immediately for prompt resolution.

7. Your rights as a data subject

You have the following rights regarding your personal data. The rights vary slightly between jurisdictions, but Circlworld honours the most generous applicable framework.

7.1 Right to be informed

You have the right to know what data we process, why, and how. This information is provided in our Privacy Notice and through contextual disclosures during platform use.

7.2 Right of access (subject access request)

You have the right to:

Confirm whether we hold personal data about you
Access that data
Receive certain information about how we process it

To request: privacy@circlworld.com or Settings → Privacy → Data Access Request.

We respond within 30 days (extendable to 90 days for complex requests, with notice). Access is free for the first request; subsequent requests may incur a reasonable fee for excessive or repetitive requests.

7.3 Right to rectification

You have the right to correct inaccurate personal data and complete incomplete data. You can:

Edit most data directly through Settings
Request correction of other data at privacy@circlworld.com

We respond within 30 days. Where the data has been shared with third parties (e.g., a Trust Report shared with a lender), we will notify those parties of the correction.

7.4 Right to erasure (right to be forgotten)

You have the right to request deletion of your personal data. This right is not absolute. We may decline erasure where:

We need the data to perform the contract (your active circle participation)
We have a legal obligation to retain it (KYC records, tax records, audit log)
It is necessary for the establishment, exercise, or defence of legal claims
It would prejudice the rights of other circle members (audit log integrity)

Where we decline erasure, we explain why. Where we proceed, we delete the data and notify third parties that have received it.

7.5 Right to restrict processing

You have the right to request restriction of processing in certain circumstances (e.g., while accuracy is contested or while a legitimate interests balancing is reviewed).

When processing is restricted, we hold the data but do not actively use it.

7.6 Right to data portability

You have the right to receive your personal data in a structured, commonly-used, machine-readable format, and to have it transmitted directly to another controller where technically feasible.

Available in Settings → Privacy → Export My Data. Data is provided in JSON format with documentation. Delivery within 72 hours.

7.7 Right to object

You have the right to object to processing based on legitimate interests or public interest. You can object specifically to direct marketing.

To object: privacy@circlworld.com or Settings → Privacy → Object to Processing.

For marketing: you can also unsubscribe directly from any marketing communication.

You have rights regarding solely-automated decisions that produce legal effects concerning you or similarly significantly affect you. See our AI Usage Policy Section 7 for the detailed framework.

Where we process data on the basis of consent, you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

7.10 Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority:

United Kingdom: Information Commissioner's Office (ICO). Website: ico.org.uk
Jamaica: Office of the Information Commissioner (OIC). Website: oic.gov.jm
Other jurisdictions: the applicable data protection authority

We encourage you to raise concerns with us first via privacy@circlworld.com, but your right to escalate to the supervisory authority is not contingent on doing so.

8. How to exercise your rights

8.1 Channels

Email: privacy@circlworld.com
Platform: Settings → Privacy
Post: To the relevant Circlworld entity

8.2 Identity verification

To protect your data, we verify your identity before fulfilling requests. We may require:

Confirmation of access to your registered email
Authentication via your platform credentials
For sensitive requests, additional verification (e.g., recent KYC re-verification)

8.3 Response times

| Request type | Standard response | Extended response | |--------------|-------------------|-------------------| | Subject access | 30 days | 90 days (complex) | | Rectification | 30 days | 60 days (complex) | | Erasure | 30 days | 60 days (complex) | | Restriction | 30 days | 60 days (complex) | | Portability | 30 days | 60 days (complex) | | Objection | 30 days | 60 days (complex) | | Automated decision review | 20 business days | 40 business days |

We notify you if we need an extension.

8.4 Fees

Standard requests are free. We may charge a reasonable fee or refuse to act for requests that are manifestly unfounded, excessive, or repetitive — in which case we explain why.

9. Data Protection Officer

9.1 Designation

Under UK GDPR Article 37 and Jamaica DPA s.41, certain organisations must designate a Data Protection Officer (DPO).

Circlworld designates a DPO at incorporation. Until then, the founder Drew St'Clair serves as primary point of contact for data protection matters.

9.2 Contact

Email: dpo@circlworld.com
Post: Attention DPO at the relevant Circlworld entity

9.3 Independence

The DPO operates with appropriate independence from operational management, reports to senior leadership, and is supported with the resources needed to perform their function.

10. Data retention

We retain personal data only for as long as necessary for the purposes for which it was collected, and as required by applicable law.

10.1 Retention schedule

| Data category | Retention period | Basis | |---------------|------------------|-------| | Account identity (basic) | Until account closure + 6 years | Tax and audit | | KYC verification records | 5 years after relationship ends | AML legislation (UK MLR 2017, Jamaica POCA) | | Audit log (financial activity) | 6 years from event | Tax and AML legislation | | Audit log (non-financial) | 3 years from event | Operational | | Communication records | 3 years from communication | Service quality | | Complaint records | 6 years from resolution (UK) / 7 years (Jamaica) | Regulatory | | Trust Reports (canonical) | Indefinitely | Member-owned credential | | Trust Reports (rendered PDFs) | At member's discretion | Member control | | AI Assist query logs | 90 days for monitoring, then anonymised | Quality and bias review | | Programme earnings records | 7 years from earning | Tax (UK HMRC, JM TAJ, US IRS) | | Treasurer performance metrics | Indefinitely | Trust profile credential | | Cookies | Per Cookie Policy | User configuration | | Marketing consent records | Until withdrawn + 3 years | Audit |

10.2 Deletion process

When data reaches the end of its retention period, we:

Delete it from active systems
Remove it from backups in the next backup cycle
Anonymise data where complete deletion would prejudice other parties (e.g., audit log entries where deletion would distort the historical record of a completed circle)
Document the deletion

10.3 Right to early erasure

You can request earlier deletion. We honour this where legally permissible — see Section 7.4.

11. International data transfers

Personal data may be transferred outside the user's country of residence in the course of Circlworld's operation. Transfers are subject to appropriate safeguards.

11.1 Where data may be transferred

| From | To | Why | |------|-----|-----| | Jamaica | UK | If user becomes UK-resident; cross-border circles | | UK | EU | If user becomes EU-resident; service provider locations | | UK / Jamaica | US | KYC providers (some US-based); Anthropic AI processing; Stripe payments | | Any | Other jurisdictions | As Circlworld expands |

11.2 Transfer mechanisms

For transfers from the UK or Jamaica to countries without "adequacy" status, we rely on:

UK Standard Contractual Clauses (SCCs) with UK Addendum / International Data Transfer Agreement (IDTA) for UK-originating transfers
Equivalent contractual mechanisms for Jamaica-originating transfers (subject to Jamaica DPA implementation)
Specific consent for limited cases (cross-border AI processing, where the user has not used another transfer mechanism)
Necessity for contract performance for transfers to payment providers required to process payments

11.3 Risk assessment

For transfers to countries without strong data protection law, we conduct Transfer Impact Assessments (TIAs) considering:

The destination country's legal framework
Government access risks
Practical safeguards available
Necessity of the transfer

TIAs are reviewed periodically and as country circumstances change.

11.4 Your right to be informed

You can request information about international transfers affecting your data at privacy@circlworld.com.

12. Data processors

We use the following data processors. Each is bound by a Data Processing Agreement specifying purpose, scope, security, subprocessing, audit rights, breach notification, and return/deletion obligations.

12.1 Current processors

| Processor | Function | Location | Transfer mechanism | |-----------|----------|----------|---------------------| | Anthropic | AI processing (Claude) | US | UK IDTA / Equivalent | | Onfido | KYC verification (UK markets) | UK / EU | UK GDPR — within UK/EU | | Smile ID | KYC verification (Caribbean / Africa) | Various | Per regional applicable law | | Persona | KYC verification (US markets) | US | UK IDTA / Equivalent | | Sumsub | KYC verification (international) | EU / Cyprus | UK GDPR — within EU | | Stripe | Payment processing | US, UK, EU | UK IDTA / Equivalent | | GoCardless | Direct debit (UK) | UK | UK GDPR — within UK | | Vercel | Application hosting (frontend) | US, EU regions | UK IDTA / Equivalent | | Railway | Backend hosting | US, EU regions | UK IDTA / Equivalent | | AWS / Cloudflare | Infrastructure | Multiple regions per data residency | Regional | | Postmark / SendGrid | Transactional email | US | UK IDTA / Equivalent | | Sentry | Error monitoring | US, EU regions | UK IDTA / Equivalent | | Wise | International payment rails (treasurer payments) | UK | UK GDPR — within UK |

12.2 Subprocessor changes

We notify members 30 days before adding new processors that materially affect their data, or where required by applicable law. Notification through:

Email to all users
In-platform notification
Update to this Policy

Members can object to new processors via privacy@circlworld.com. Objections are considered in good faith; in some cases, objection may require account closure if the processor is essential to platform operation.

12.3 Audit and verification

We periodically review processors for:

Compliance with contractual obligations
Security certifications (ISO 27001, SOC 2, etc.)
Incident history
Data localisation commitments

We retain audit rights and exercise them where appropriate.

13. Data security

13.1 Technical measures

We implement appropriate technical measures including:

Encryption at rest for personal data in databases
Encryption in transit (TLS 1.3) for all communications
Access controls with role-based permissions and least-privilege principles
Audit logging of all data access by Circlworld staff
WebAuthn / hardware-key authentication for administrative access
Cryptographic signing of Trust Reports and audit log entries (RFC 8785, HMAC-SHA256)
Append-only audit log with three-layer integrity protection (application, database, daily cryptographic checksum)
Backups with encryption and access controls
Security testing including penetration testing and vulnerability scanning

13.2 Organisational measures

Staff training on data protection at hiring and annually
Confidentiality obligations in all staff contracts
Access need-to-know principle
Incident response procedures documented and tested
Quarterly data protection review by senior management
Annual external security assessment (commencing Year 2)

13.3 Breach notification

In the event of a personal data breach, we:

Investigate immediately
Contain the breach
Notify the supervisory authority within 72 hours where required by law
Notify affected individuals without undue delay where the breach is likely to result in high risk to their rights
Document the breach in our internal breach register
Update procedures to prevent recurrence

You can report suspected breaches to security@circlworld.com.

14. Privacy by design and default

We embed data protection considerations into platform design from inception:

14.1 Design principles

Data minimisation — collect only what is necessary
Purpose limitation — process for specified purposes, not beyond
Default privacy — strictest privacy settings as default
Member control — meaningful settings, not buried options
Transparency — clear information at each step
Security by default — strong security without member configuration
Accountability — documentation and audit of design decisions

14.2 Data Protection Impact Assessments (DPIAs)

We conduct DPIAs for processing activities likely to result in high risk to individuals' rights. Examples of activities triggering DPIA:

Introduction of new AI processing categories
Large-scale processing of new data types
Systematic monitoring of users
Combining data from multiple sources
Processing involving vulnerable populations

DPIAs are completed before processing begins. They:

Describe the processing
Assess necessity and proportionality
Identify risks to individuals
Document mitigations
Document the decision to proceed (or not)

DPIAs are reviewed periodically and updated as circumstances change. Available to regulators on request.

15. Data Protection Governance

15.1 Senior accountability

Senior leadership is accountable for data protection compliance:

The Founder (Drew St'Clair) holds ultimate accountability until a CEO is appointed
The Data Protection Officer (when designated) reports independently to senior leadership
The Compliance team operates the operational data protection function

15.2 Documentation

We maintain:

This Policy (public)
Privacy Notice (public)
Records of Processing Activities (ROPA) (internal, available to regulators)
DPIAs (internal, available to regulators)
Legitimate Interests Assessments (internal, available to regulators)
Transfer Impact Assessments (internal, available to regulators)
Breach register (internal, available to regulators)
Subject rights request log (internal, available to regulators)
Staff training records (internal)
Audit and review reports (internal)

15.3 Training

All Circlworld staff complete data protection training:

At onboarding (within 30 days of joining)
Annually thereafter
Whenever material changes occur

Training records are maintained.

15.4 Supervisory engagement

We engage proactively with supervisory authorities:

UK ICO for UK matters
Jamaica OIC for Jamaica matters
Equivalent authorities in other jurisdictions

We seek guidance where novel issues arise. We cooperate fully with investigations and audits.

16. Specific contexts

16.1 Marketing and direct communication

We send transactional communications (account, service, security) as part of platform operation. These are not marketing and do not require separate consent.

For marketing communications (newsletters, feature announcements, promotional content), we obtain separate consent and provide easy unsubscribe.

You can manage marketing preferences at Settings → Privacy → Communication Preferences.

16.2 Cookies and tracking technologies

Our Cookie Policy describes our use of cookies and similar technologies. We use:

Essential cookies (no consent required) for platform operation
Functional cookies for preferences (consent-based)
Analytics cookies in privacy-respecting form (consent-based)

We do not use cross-site tracking cookies for advertising.

16.3 Profiling

We engage in limited profiling for:

Platform security (fraud and abuse detection)
Service quality (identifying users who need help)
Operational analytics (aggregated, anonymised where possible)

We do not profile to make significant decisions about you without human review. See our AI Usage Policy for AI-specific aspects.

16.4 Treasurer-specific data

Treasurer Partners have additional categories of personal data:

Programme enrollment records
Earnings calculations and payments
Performance metrics
Tax forms and income statements

These are processed on the basis of contract performance (Treasurer Partner Agreement) and legal obligation (tax law).

Treasurer data has the same rights as other personal data, with one additional consideration: aggregate metrics may be visible in members' Community Contribution Profiles. This is part of the public credential function of the role, disclosed at enrollment.

16.5 Trust Reports

Trust Reports are member-owned credentials. They contain personal data but the member controls:

Whether to generate them
Whom to share them with
Whether to revoke shares

When you share a Trust Report, you are providing consent for the recipient to process the data within the scope you've granted.

The cryptographic verifiability means that Trust Reports remain verifiable even after Circlworld ceases operation — see our Risk Disclosure for the continuity framework.

16.6 LLP and CLP transactions

When you participate in LLP (within-circle) or CLP (cross-circle) lending coordination, personal data is shared with other circle participants:

Within the borrowing circle
With members of lending circles (in CLP)

The basis is your specific consent at the time of participation, and the necessity of the data for the coordination function.

You can withdraw consent for future transactions but cannot retroactively remove data from completed transactions (audit integrity).

17. Records and accountability

17.1 Records of Processing Activities

Under UK GDPR Article 30 and Jamaica DPA equivalents, we maintain Records of Processing Activities (ROPA) describing:

Categories of personal data
Purposes of processing
Categories of data subjects
Recipients (including processors)
Transfers outside the country
Retention periods
Security measures

ROPA is internal documentation, available to supervisory authorities on request.

17.2 Demonstrable compliance

We can demonstrate compliance through:

This Policy and related documentation
ROPA
DPIAs
Training records
Audit logs
Subject rights request logs
Breach register

Train staff to recognise indicators of vulnerability
Apply enhanced care to interactions with potentially vulnerable users
Avoid pressure tactics in any context
Provide accessibility accommodations (see Accessibility Statement)
Refer to appropriate support services where relevant

If you are a vulnerable user, you have the same data protection rights as any other user. Contact privacy@circlworld.com for any concerns.

19. Cross-border enforcement

19.1 Multiple supervisory authorities

If you are concerned about our data processing, you can complain to:

The supervisory authority of your country of residence
The supervisory authority of the Circlworld entity that processes your data
The supervisory authority where the alleged infringement occurred

We will cooperate with the lead supervisory authority for cross-border investigations.

19.2 Litigation venue

Disputes about data protection compliance can be brought in:

The courts of your country of residence (consumer protection law)
The courts of the Circlworld entity's jurisdiction
Subject to specific terms in your Terms of Service

We do not contract out of consumer protection rights.

20. Updates to this Policy

20.1 Material changes

For material changes affecting your rights or how your data is processed:

30 days' notice
Email notification
In-platform notification
Updated version and date

20.2 Minor changes

For minor changes (clarifications, formatting, additional examples):

Rolling updates
Updated date

General privacy questions: privacy@circlworld.com
DPO contact: dpo@circlworld.com
Security incidents: security@circlworld.com
Platform: Settings → Privacy
Post: To the relevant Circlworld entity

21.2 Supervisory authorities

United Kingdom: Information Commissioner's Office. Website: ico.org.uk. Helpline: 0303 123 1113.
Jamaica: Office of the Information Commissioner. Website: oic.gov.jm. Contact details to be confirmed at incorporation.

This Data Protection Policy is read together with our Privacy Notice, Terms of Service, Cookie Policy, AI Usage Policy, Consumer Protection Policy, and Complaints Handling Policy. Where there is any inconsistency between this Policy and the substantive provisions of those documents, the substantive provisions of the relevant document govern.