1. WHO WE ARE
Sternlight Capital Partners LLP and Sternlight Capital Services (UK) Ltd (together "Sternlight Capital", "we", "us", "our") are the data controllers responsible for your personal data.
Registered address: 25 Green Street, London, W1K 7AX, United Kingdom
ICO registration numbers: Sternlight Capital Partners LLP - ZB894612, Sternlight Capital Services (UK) Ltd - ZC097504
Data Protection Officer: Contact at privacy@sternlightcap.com
2. PERSONAL DATA WE COLLECT
Clients and Investors
We collect and process personal data about existing and prospective clients and investors including: ·
- Identity data: full name, date of birth, nationality, passport or ID details · Contact data: address, email address, telephone number ·
- Financial data: bank details, investment objectives, risk appetite ·
- KYC/AML data: source of funds and wealth, PEP status, sanctions screening results ·
- Tax data: tax residency, TIN/UTR, FATCA/CRS classification ·
- Communications: correspondence, meeting notes, and instructions
Employees and Contractors
We collect and process personal data about current, former, and prospective employees and contractors including: ·
- Identity, contact, and right-to-work documentation ·
- Employment records: roles, performance, compensation, and attendance ·
- Payroll and benefits data ·
- IT and communications data generated through use of firm systems (email, calendar, files) ·
- Data processed by our internal AI assistant (see Section 5)
Counterparties and Professional Contacts
Name, job title, business contact details, and records of communications, to the extent necessary to manage business relationships.
Website Visitors
Technical data such as IP address, browser type, and pages visited. See Section 10 (Cookies) for further detail.
3. LAWFUL BASIS FOR PROCESSING
We rely on the following lawful bases under UK GDPR Article 6:
Contract (Art. 6(1)(b)) Entering into or performing a contract with you — e.g. investor onboarding, employment, service agreements.
Legal Obligation (Art. 6(1)(c)) Compliance with FCA rules, AML/KYC obligations, FATCA/CRS, tax reporting, and audit requirements.
Legitimate Interests (Art. 6(1)(f)) Operational efficiency, risk management, fraud prevention, IT security, and internal communications — where not overridden by your rights.
Consent (Art. 6(1)(a))Optional communications or cookies — you may withdraw consent at any time.
Where we process special category data (e.g. health information in an employment context), we rely on Article 9(2)(b) (employment obligations) or Article 9(2)(a) (explicit consent).
4. CRIMINAL OFFENCES DATA
We process criminal offences data only to the extent required or permitted by applicable law and regulation. This arises principally in the context of our regulatory obligations as an FCA-regulated firm and includes: ·
- Personal data obtained as a result of sanctions screening, regulatory and law enforcement list checks carried out as part of our AML and KYC procedures ·
- Details of any criminal convictions or offences (actual or alleged) that are relevant to our assessment of a client, investor, counterparty, or prospective employee ·
- Information received from third-party background screening providers, which may include data obtained from publicly available sources such as government sanctions lists, company registrars, and press databases
The lawful basis for this processing is legal obligation (Article 6(1)(c)) in conjunction with UK GDPR Schedule 1 condition 10 (preventing or detecting unlawful acts), as required under the Money Laundering Regulations 2017, the Proceeds of Crime Act 2002, and related FCA rules.
We do not process criminal offences data for any purpose beyond what is required to meet these obligations.
5. AI-ASSISTED PROCESSING
We operate an internal AI assistant to support employee productivity. This tool is deployed exclusively within our private Microsoft Azure environment, hosted in the UK and EU, and is not connected to any external AI provider. No personal data processed by the assistant is used to train AI models or shared outside our organisation's systems.
The assistant may process the following categories of employee personal data: email content and metadata, calendar entries, files stored on firm systems, and Microsoft Teams messages accessible to the individual employee.
Key safeguards in place: ·
- The assistant operates strictly on behalf of the logged-in employee and cannot access another employee's data ·
- No emails, calendar entries, or files are created or modified without explicit employee confirmation ·
- Conversation history is automatically deleted after 90 days; employees may delete all their data at any time on request ·
- All activity is logged and attributable to the individual employee's identity
6. SHARING PERSONAL DATA
We do not sell personal data. We may share it with regulators and legal authorities where required by law, including the FCA and HMRC, and with the following categories of data processors who act on our instructions:
- Microsoft Corporation: (Azure, Microsoft 365) Cloud infrastructure, email, calendar, file storage, and AI model hosting. All data is held within the EU / UK under contractual restriction.
Regulated fund administrator: NAV calculation, investor register maintenance, subscription and redemption processing, and regulatory reporting to investors. Provided by a regulated fund administrator.
- FCA-regulated prime broker(s): Prime brokerage services including trade settlement, stock lending, margin financing, and custody of assets. Provided by one or more FCA-regulated prime brokers.
- Legal and compliance advisers: Legal advice, regulatory filings, and compliance support, provided by regulated law firms and compliance consultants.
- Payroll and benefits provider: Employee payroll processing, pension administration, and benefits management.
- IT and cybersecurity providers: System monitoring, security operations, and helpdesk support.
All processors are bound by data processing agreements and are required to implement appropriate security measures. We do not routinely transfer personal data outside the UK or EEA. Where any such transfer is necessary, it is protected by appropriate safeguards.
7. HOW LONG WE KEEP PERSONAL DATA
Client / investor records: 5 years after end of relationship
KYC / AML records: 5 years after end of relationship
Employee records: 6 years after employment ends
Email and communications records: 7 years.
8. YOUR RIGHTS
Under UK GDPR you have the right to:
Access — request a copy of the personal data we hold about you.
Rectification — ask us to correct inaccurate or incomplete data.
Erasure — ask us to delete your data where there is no longer a lawful basis to retain it.
Restriction — ask us to restrict processing while a complaint or accuracy dispute is resolved.
Portability — receive data you provided to us in a machine-readable format (where processing is based on consent or contract).
Object — object to processing based on legitimate interests, including profiling
Withdraw consent — where we rely on consent, withdraw it at any time without affecting prior processing.
Automated decisions — not be subject to solely automated decisions with significant effects without human review.
To exercise any right, contact us at privacy@sternlightcap.com. We will respond within one calendar month. We may need to verify your identity before processing a request.
9. SECURITY
We implement appropriate technical and organisational measures to protect personal data, including:
Encryption of data in transit (TLS) and at rest ·
Role-based access controls and Microsoft 365 identity management ·
Per-user permissions for AI assistant access — no system-wide data access ·
Audit logging of all relevant system activity ·
Managed cloud infrastructure with no exposed public ports beyond HTTPS
In the event of a personal data breach posing a risk to individuals, we will notify the ICO within 72 hours and affected individuals without undue delay.
10. COOKIES
This website uses cookies to analyze website traffic and optimize your website experience. When you first visit this website you will be given the option to accept or decline non-essential cookies. You may change your preferences at any time by clicking the cookie settings link at the bottom of this page. Please note that declining non-essential cookies will not affect your ability to use this website.
11. CONTACT US AND COMPLAINTS
Data Protection Officer can be contacted at:
Sternlight Capital Partners LLP
25 Green Street, London, W1K 7AX, United Kingdom
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would welcome the opportunity to resolve any concern directly before you contact the ICO.
CHANGES TO THIS NOTICE
We may update this Privacy Notice from time to time.