1. Introduction

This Privacy Policy explains how 404 Capital Ltd (“we”, “our”, or “us”) collects, uses, stores, and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

404 Capital Ltd is the data controller for the purposes of UK data protection law.

We do not intentionally collect special category personal data (such as health, biometric, political opinions, religious beliefs) unless required to meet legal or regulatory obligations or unless you choose to provide it to us.

2. Personal Data We Collect

We may collect and process the following categories of personal data:

• Identity and contact information, including name, address, email address, and telephone number.
• Professional information, including organisation, role, and business contact details.
• Financial information relevant to investment activities and our business relationship with you.
• Identification and verification documents, including those required for anti-money laundering (AML) and know-your-customer (KYC) purposes.
• Communications and correspondence with us, including emails, messages submitted through our website, and other written communications.
• Technical information (where applicable), such as IP address, device information, browser type, and basic website usage data (for security and operational purposes).

We collect personal data directly from you when you contact us, engage with our services, or enter into a business or investment relationship with us. We may also receive personal data from third parties such as professional advisers, introducers, brokers, counterparties, service providers (including KYC/AML providers), or publicly available sources (for example, company websites and professional networking platforms), where relevant and permitted by law.

Cookies / tracking: We aim to use only essential cookies necessary for the secure and proper functioning of the website. If we use (now or in the future) any non-essential cookies or similar technologies (for example, analytics), we will update this policy and provide appropriate cookie information and choices where required.

3. How We Use Your Personal Data

We use your personal data for the following purposes:

• To respond to enquiries and communicate with you regarding our business and services.
• To establish, administer, and manage investment or business relationships.
• To operate, manage, and improve our business and website (including security).
• To comply with legal, regulatory, and compliance obligations, including AML/KYC requirements and tax or reporting obligations where applicable.
• To prevent fraud, financial crime, and misuse of our services and systems.
• To send marketing communications where permitted by law (see Section 4).

4. Lawful Bases for Processing

We process personal data only where permitted under UK GDPR. Our lawful bases include:

• Performance of a contract – where processing is necessary to provide our services or take steps at your request prior to entering into a contract.
• Legal obligation – where required to meet regulatory, AML/KYC, tax, or other legal requirements.
• Legitimate interests – to manage our business, respond to enquiries, communicate with business contacts, operate and secure our website and systems, prevent fraud and financial crime, and improve our services. Where we rely on legitimate interests, we consider and balance any potential impact on your rights.
• Consent and/or legitimate interests – for marketing communications, where permitted by law.

We only send marketing communications where permitted under the Privacy and Electronic Communications Regulations (PECR).

You may withdraw your consent or opt out of marketing at any time by contacting us or using the unsubscribe option included in emails. You can also object to direct marketing at any time.

5. Sharing Your Personal Data

We may share personal data with:

• Regulatory and supervisory authorities, law enforcement, or courts where required by law or where necessary to protect our legal rights.
• Professional advisers, including lawyers, accountants, auditors, and tax advisers.
• Trusted third-party service providers who support our business operations (for example, IT and cloud hosting providers, email and communications platforms, CRM tools, website hosting providers, and KYC/AML verification providers).

All third parties are required to process personal data securely and in accordance with applicable data protection laws. We do not sell personal data to third parties.

Where third parties act as data processors, we ensure appropriate data processing agreements are in place in accordance with UK GDPR.

6. International Data Transfers

As we work with international clients and may use service providers with international operations, personal data may be transferred outside the UK.

Where personal data is transferred internationally, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to EU Standard Contractual Clauses, adequacy regulations where applicable, and/or equivalent legal protections, as required to ensure your data remains protected.

7. Data Security

We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure. Access to personal data is limited to authorised personnel and relevant service providers on a need-to-know basis.

8. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including legal and regulatory requirements.

In particular:

• AML and investment-related records may be retained for up to five (5) years after the end of a business relationship, or longer where required by law or where necessary to establish, exercise, or defend legal claims.
• General correspondence and enquiry data is retained for up to 24 months.
• Marketing data is retained until you unsubscribe/withdraw consent, or the data is no longer required.

9. Your Data Protection Rights

Under UK GDPR, you have the right to:

• Access your personal data.
• Request correction of inaccurate or incomplete data.
• Request deletion of your personal data (in certain circumstances).
• Restrict the processing of your data (in certain circumstances).
• Object to the processing of your data (including an absolute right to object to direct marketing).
• Request data portability (in certain circumstances).
• Withdraw consent where processing is based on consent.
• Lodge a complaint with the Information Commissioner’s Office (ICO).

You are not required to provide personal data by law, however failure to provide certain information (particularly for AML/KYC purposes) may prevent us from entering into or maintaining a business relationship.

To exercise any of your rights, please contact us using the details in Section 12.

Information Commissioner’s Office (ICO)
Website: www.ico.org.uk
Telephone: 0303 123 1113

10. Automated Decision-Making

We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on individuals.

11. Changes to This Privacy Policy

Last Updated: January 2026

We may update this Privacy Policy from time to time. Any changes will be published on our website and, where appropriate, notified to you by email.

12. Contact Information

We are not required to appoint a Data Protection Officer.

All data protection enquiries should be directed to:

404 Capital Ltd
71–75 Shelton Street
London WC2H 9JQ
United Kingdom
Email: info@404capital.io

‍