top of page

PRIVACY POLICY
 

LYNSORA LTD
Last updated: 27 February 2026
 

1. Who We Are
 

LYNSORA LTD is a UK-registered boutique regulatory and compliance advisory firm providing B2B services to crypto-asset service providers (CASPs), payment institutions, FinTech companies and related regulated businesses across the EU, United Kingdom and Switzerland.
 

Data Controller
LYNSORA LTD
Company No: 16816940
Registered Office: 128 CITY ROAD, LONDON, EC1V2NX
Email: contact@lynsora.com
 

Unless otherwise specified in a client agreement, LYNSORA LTD acts as an independent data controller for its own business operations.
 

2. Territorial Scope
 

We process personal data in accordance with:

  • EU General Data Protection Regulation (GDPR)

  • UK GDPR and Data Protection Act 2018

  • Swiss Federal Act on Data Protection (revFADP)
     

Depending on the context of processing and the location of the data subject, one or more of these regimes may apply.
 

3. Controller vs Processor
 

LYNSORA LTD acts:
 

As Data Controller for:
 

  • website operation

  • marketing and business development

  • client relationship management

  • accounting and administration

  • recruitment
     

As Data Processor:

​

Where we process personal data strictly on documented client instructions during delivery of compliance services. In such cases, processing is governed by the relevant engagement agreement and data processing terms.

​

4. Categories of Personal Data

​

We may process the following categories:

​

  • Identification data (name, surname, job title)

  • Business contact details (email, phone number, company name)

  • Communication content (emails, calls, meeting notes)

  • Website usage data (IP address, browser type, logs)

  • Billing and accounting information

  • AML/KYC-related data where required (e.g., identity details of authorised representatives or beneficial owners)​

 

We do not intentionally collect special category data unless strictly necessary for a specific engagement.

​

5. Legal Bases for Processing (EU / UK / Switzerland)

​

EU and UK

Under GDPR and UK GDPR, we rely on the following legal bases:

  • Contract – where processing is necessary to enter into or perform a contract

  • Legal obligation – where required under AML or regulatory frameworks

  • Legitimate interests – where necessary for operating, securing and developing our B2B advisory business

  • Consent – where required (e.g., marketing subscriptions, non-essential cookies)

Where we rely on legitimate interests, we conduct internal balancing assessments to ensure that our interests do not override the rights and freedoms of individuals.

​

Switzerland

Under the Swiss Federal Act on Data Protection (revFADP), processing is permitted where:

  • it is necessary for performance of a contract

  • it is required by law

  • it is justified by overriding private interests

  • it is based on valid consent (where applicable)

We apply equivalent transparency, proportionality and data minimisation standards across all jurisdictions.

​

6. Purposes of Processing

​

We process personal data for the following purposes:

  • responding to enquiries

  • client onboarding and engagement management

  • delivery of regulatory and AML advisory services

  • due diligence and compliance assessments (where required)

  • invoicing, accounting and tax compliance

  • website security and system administration

  • business communications and updates (where permitted)

  • recruitment

We do not sell personal data.

​

7. Data Retention

​

We retain personal data only for as long as necessary and in accordance with legal requirements:

  • AML/KYC records: typically 5 years from the end of the business relationship (subject to applicable law)

  • Engagement documentation: duration of contract + up to 6 years

  • Accounting records: minimum 6 years

  • Marketing data: until opt-out or defined inactivity period

  • Technical logs: typically 6–12 months

After expiry of retention periods, data is securely deleted or anonymised.

​

8. International Data Transfers

​

Given the international nature of our operations (EU / UK / Switzerland), personal data may be transferred across jurisdictions.

Where required, we rely on:

  • Adequacy decisions

  • Standard Contractual Clauses (SCCs)

  • UK International Data Transfer mechanisms (IDTA / Addendum)

  • Contractual safeguards recognised under Swiss law

Appropriate technical and organisational safeguards are applied to protect transferred data.

​

9. Data Security

​

We implement appropriate technical and organisational measures, including:

  • access control and role-based permissions

  • secure cloud infrastructure

  • encryption where appropriate

  • confidentiality obligations

  • internal data handling procedures

  • incident response processes

While no system is entirely risk-free, we apply industry-standard safeguards proportionate to the sensitivity of the data processed.

​

10. Personal Data Breaches

​

In the event of a data security incident:

  • we assess the level of risk

  • notify competent supervisory authorities where legally required

  • inform affected individuals where required under applicable law

We maintain internal procedures to ensure timely assessment and response.

​

11. Your Rights

​

Depending on applicable law, individuals may have the right to:

  • access personal data

  • request rectification

  • request deletion (where legally permissible)

  • restrict processing

  • object to processing based on legitimate interests

  • withdraw consent

  • lodge a complaint with a supervisory authority

 

Requests can be submitted to:
contact@lynsora.com

We respond within statutory timeframes applicable to the relevant jurisdiction.

​

12. Marketing Communications

​

Where marketing communications are sent:

  • they are limited to business-related content

  • recipients may unsubscribe at any time

  • opt-out requests are respected promptly

We retain minimal suppression records to ensure compliance with opt-out preferences.

​

13. Cookies and Website Technologies

​

We use cookies in accordance with our Cookie Policy.

Non-essential cookies are activated only after obtaining user consent through our cookie banner and preference tool.

​

14. Children

​

Our services and website are intended exclusively for business use. We do not knowingly collect personal data from children.

​

15. Changes to This Policy

​

We may update this Privacy Policy from time to time. The current version will always be available on our website.

​

16. Contact

​

For privacy-related enquiries:

contact@lynsora.com
LYNSORA LTD
128 CITY ROAD, LONDON, EC1V2NX

bottom of page