1. Who we are
Haystack Technology Ltd ("Haystack", "we", "us", "our") is a company registered in England and Wales (Company No. 17157792), with registered office in London, United Kingdom. For the purposes of UK GDPR and the Data Protection Act 2018, we are the data controller of the personal data described in this policy.
You can contact us at any time by writing to us via the contact form on our site.
2. Personal data we collect
We collect personal data in the following ways:
Information you give us
- Identity and contact data (name, email address, phone number, company).
- Account and profile data (login credentials, preferences, correspondence).
- Investor onboarding data (identity documents, proof of address, self-certification, appropriateness responses, source of funds).
- Transactional data (subscriptions, capital commitments, distributions, secondary transfers, settlement references).
- Communications (messages, enquiry form submissions, support tickets).
Information we collect automatically
- Technical data (IP address, browser type and version, device identifiers, operating system).
- Usage data (pages viewed, time on site, referring URL, session duration).
- Cookies and similar technologies (see our Cookie Policy).
Information we receive from third parties
- KYC / AML verification results from regulated identity providers.
- Sanctions, PEP and adverse-media screening results.
- Information from custodian banks and settlement partners in connection with capital movements.
3. How we use personal data
We process personal data for the following purposes and legal bases:
| Purpose | Legal basis |
|---|---|
| Onboarding, identity verification and suitability assessment | Performance of a contract, legal obligation (MLR 2017, COBS) |
| Operating the platform (subscriptions, capital calls, distributions, transfers, reporting) | Performance of a contract |
| Responding to enquiries and partner communications | Legitimate interests, performance of a contract |
| Preventing financial crime and fraud | Legal obligation, legitimate interests |
| Keeping records for audit, tax and regulatory reporting | Legal obligation |
| Service, security and product improvement | Legitimate interests |
| Direct marketing to existing contacts (where permitted) | Legitimate interests, consent |
4. Who we share personal data with
We share personal data only where we need to. Recipients include:
- KYC/AML providers performing identity, sanctions and PEP checks on our behalf.
- Custodian banks and settlement counterparties where required to process subscriptions, distributions or transfers.
- Professional advisers (lawyers, auditors, tax advisers) under duties of confidentiality.
- Regulators, law enforcement and tax authorities where we are legally required to share information.
- Hosting, infrastructure and analytics providers that support the operation of our platform.
We do not sell personal data. We do not share personal data for third-party advertising.
5. International transfers
Some of our processors operate outside the United Kingdom. Where personal data is transferred outside the UK, we rely on appropriate safeguards - UK adequacy regulations, the UK International Data Transfer Agreement, or the EU Standard Contractual Clauses with the UK Addendum - and apply additional technical and organisational measures where necessary.
6. How long we keep personal data
We retain personal data only for as long as we need it to fulfil the purpose for which it was collected, including meeting legal, tax and regulatory record-keeping requirements. In most cases this means a minimum of five years from the end of our relationship with you, extended where a longer statutory retention period applies.
7. Your rights
You have the following rights under UK GDPR:
- Access your personal data.
- Request correction of inaccurate or incomplete data.
- Request erasure of your data in certain circumstances.
- Object to processing based on our legitimate interests.
- Request restriction of processing.
- Request portability of data you provided to us.
- Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact us through the form on our homepage. If you are unhappy with how we have handled your data, you can complain to the Information Commissioner's Office at ico.org.uk.
8. Security
We apply industry-standard technical and organisational measures to protect personal data - including encryption in transit and at rest, access controls, audit logging, and segregated environments for production systems. No internet-based system can be made entirely secure, and we cannot guarantee absolute security.
9. Changes to this policy
We may update this policy from time to time to reflect changes in our services, legal requirements or operational practice. Material changes will be notified on our site with an updated "last updated" date.
10. Contact
For any questions about this policy or how we handle personal data, please contact us through the enquiry form on our homepage.