Data Protection Policy

Stratavor is committed to protecting personal data and handling it lawfully, fairly, and transparently. This Data Protection Policy explains the governance, controls, and responsibilities we apply when we collect, use, store, share, and delete personal data across our business and services.

This policy applies to Stratavor personnel, contractors, and approved third parties who process personal data on our behalf. It applies to personal data processed through our website, business operations, customer support workflows, and product and platform services.

Stratavor leadership is accountable for maintaining an effective data protection program. Operational responsibility is assigned to appropriate privacy and security owners who oversee implementation, reviews, and incident coordination. All personnel are responsible for complying with this policy and reporting potential data protection concerns without delay.

We process personal data in line with core principles: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. We only process personal data for defined business purposes and avoid collecting data that is unnecessary for those purposes.

Where required by applicable law, including GDPR, Stratavor relies on appropriate lawful bases for processing personal data, including contractual necessity, legitimate interests, legal obligations, and consent where applicable. We document the relevant basis for key processing activities and review them periodically.

Personal data is handled according to sensitivity and business need. Access is limited to authorized personnel on a least-privilege basis and reviewed regularly. We apply technical and organizational controls including encryption in transit and at rest, role-based access controls, logging, monitoring, secure configuration management, and incident response procedures.

Where applicable, individuals may request access, correction, deletion, restriction, portability, or objection to processing of their personal data. Stratavor has procedures to validate, triage, and respond to rights requests within required legal timelines. Requests can be submitted via privacy@stratavor.com.

We do not sell personal data. Where we engage service providers or sub-processors, we use contractual safeguards and due diligence to ensure appropriate privacy and security standards. Personal data sharing is limited to defined purposes and controlled under written terms. Current approved processors are documented in the Trust Centre's Sub-processor Register.

If personal data is transferred internationally, Stratavor applies legally recognized transfer mechanisms and supplementary safeguards where required. This may include standard contractual clauses and risk-based assessments appropriate to the destination and processing context.

Personal data is retained only as long as necessary for legitimate business, contractual, legal, and compliance purposes. Retention schedules and operational controls support timely deletion or anonymization once data is no longer required. Where deletion is not immediately possible (for example, in backups), data remains protected until secure disposal.

Stratavor maintains incident management procedures for potential personal data breaches. Suspected incidents must be reported immediately. We investigate, contain, remediate, and document incidents, and where legally required, notify customers, affected individuals, and supervisory authorities within applicable timelines.

Data protection is considered during product and process design. For new or materially changed processing activities that may present elevated privacy risk, we conduct proportionate risk assessments and, where required, Data Protection Impact Assessments (DPIAs), and track mitigating actions.

Stratavor provides privacy and security awareness guidance to relevant personnel and reinforces responsibilities through onboarding and periodic refreshers. Staff are expected to follow approved handling procedures and escalate uncertainty promptly.

This policy is reviewed at least annually and updated when legal requirements, processing activities, or risk profiles materially change. Related policies include the Customer Privacy Notice, Cookie Policy, Cyber Security Policy, Responsible AI Policy, and Data Processing Agreement (DPA).

For data protection questions, rights requests, or concerns, contact privacy@stratavor.com. Individuals also have the right to lodge a complaint with their local supervisory authority where permitted by law.